https://live.paloaltonetworks.com/t5/general-topics/nat-or-policy-based-routing-in-multiple-isp-case/m-p/32290#M23672 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have a three internet access from different ISP. So I have 3 untrust(ethernet1/1, ethernet1/2, ethernet1/3)&nbsp;&nbsp; interface and on trust(ethernet1/4) interface. All of&nbsp; them are in same virtual router. The default route will be on&nbsp; ethernet1/1 interface (0.0.0.0/0 -&gt; default gateway of ethernet 1/1)</P><P></P><P>I would like to use ethernet1/1 interface for some of internal IPs called X, so I made a source NAT. All traffic coming from these IP group will be use ethernet1/1 for internet access.(trust -&gt; untrust,&nbsp; from X&nbsp; to any&nbsp; -&gt; source nat on ethernet1/1)</P><P></P><P>The rest of the internal IPs will go to internet from ethernet1/2. To achive this which method is more suitable. NAT or PBF?</P><P></P><P>I would like to forward the traffic to ethernet1/3 to access my internal server on a remote branch office.</P><P>I am planning to write a PBF for this route. If I write a PBF, do I have to create a NAT rule too? or does PBF also handle NAT functionality?</P><P></P><P>Finally, Do I have to create additional route then default route in virtual router ?</P><P></P><P>Thanks.</P></BODY></HTML> Mon, 16 Aug 2010 19:21:03 GMT migration 2010-08-16T19:21:03Z https://live.paloaltonetworks.com/t5/general-topics/nat-or-policy-based-routing-in-multiple-isp-case/m-p/32290#M23672 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I have a three internet access from different ISP. So I have 3 untrust(ethernet1/1, ethernet1/2, ethernet1/3)&nbsp;&nbsp; interface and on trust(ethernet1/4) interface. All of&nbsp; them are in same virtual router. The default route will be on&nbsp; ethernet1/1 interface (0.0.0.0/0 -&gt; default gateway of ethernet 1/1)</P><P></P><P>I would like to use ethernet1/1 interface for some of internal IPs called X, so I made a source NAT. All traffic coming from these IP group will be use ethernet1/1 for internet access.(trust -&gt; untrust,&nbsp; from X&nbsp; to any&nbsp; -&gt; source nat on ethernet1/1)</P><P></P><P>The rest of the internal IPs will go to internet from ethernet1/2. To achive this which method is more suitable. NAT or PBF?</P><P></P><P>I would like to forward the traffic to ethernet1/3 to access my internal server on a remote branch office.</P><P>I am planning to write a PBF for this route. If I write a PBF, do I have to create a NAT rule too? or does PBF also handle NAT functionality?</P><P></P><P>Finally, Do I have to create additional route then default route in virtual router ?</P><P></P><P>Thanks.</P></BODY></HTML> Mon, 16 Aug 2010 19:21:03 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-or-policy-based-routing-in-multiple-isp-case/m-p/32290#M23672 migration 2010-08-16T19:21:03Z https://live.paloaltonetworks.com/t5/general-topics/nat-or-policy-based-routing-in-multiple-isp-case/m-p/32291#M23673 <HTML><HEAD></HEAD><BODY><P>Hi Ismail,</P><P></P><P>I believe you are on the right track with the PBF and NAT.&nbsp; PBF does not take care of NAT so you will have to do that separately.&nbsp; The final configuration will depend on how you want the ISP redundancy to work (if any).&nbsp; In any case you will have a combination of default route, PBF rules, and NAT rules.</P><P></P><P>Cheers,</P><P></P><P>Kelly</P></BODY></HTML> Mon, 16 Aug 2010 21:26:07 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-or-policy-based-routing-in-multiple-isp-case/m-p/32291#M23673 kbrazil 2010-08-16T21:26:07Z https://live.paloaltonetworks.com/t5/general-topics/nat-or-policy-based-routing-in-multiple-isp-case/m-p/32292#M23674 <HTML><HEAD></HEAD><BODY><P>Thanks for your feedback.</P></BODY></HTML> Wed, 18 Aug 2010 11:02:12 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-or-policy-based-routing-in-multiple-isp-case/m-p/32292#M23674 migration 2010-08-18T11:02:12Z https://live.paloaltonetworks.com/t5/general-topics/nat-or-policy-based-routing-in-multiple-isp-case/m-p/32293#M23675 <HTML><HEAD></HEAD><BODY><P>Hi Kelly,</P><P></P><P>You said that "PBF does not take care of NAT so you will have to do that separately"</P><P>But I have some doubts about this issue. Let me explain with an example.</P><P></P><P>Let's that I have to ISP connection. If I want to forward only all youtube requests to second ISP via ethernet1/3.</P><P>The rest of the traffic will go over first ISP. I can write a PBF rule for youtube. Because PBF support rule for applications.</P><P></P><P>But, how can I write a NAT for only youtube application? There is no way to specify application in NAT rules.</P><P>If I create a service based NAT rule, It can be only HTTP service, In this case all HTTP traffic will go over second ISP?</P><P></P><P>I guess, PBF does not require extra NAT rules?</P><P></P><P>Thanks.</P></BODY></HTML> Sun, 29 Aug 2010 15:32:02 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-or-policy-based-routing-in-multiple-isp-case/m-p/32293#M23675 migration 2010-08-29T15:32:02Z https://live.paloaltonetworks.com/t5/general-topics/nat-or-policy-based-routing-in-multiple-isp-case/m-p/32294#M23676 <HTML><HEAD></HEAD><BODY><P>Ismail</P><P>You can write the NAT rule to match the destination interface- i..e any traffic going out via e1/3 which in your case is the youtube traffic.</P><P>That will be one way to tie the NAT rule with PBF rule.</P><P></P><P>Thank you</P><P>jerish</P></BODY></HTML> Mon, 30 Aug 2010 16:54:13 GMT https://live.paloaltonetworks.com/t5/general-topics/nat-or-policy-based-routing-in-multiple-isp-case/m-p/32294#M23676 jpa 2010-08-30T16:54:13Z