topic Re: Natting Internal Hosts to a differente ISP`s in General Topics

Natting Internal Hosts to a differente ISP`s

Thiago — Mon, 19 Mar 2012 19:40:13 GMT

I'm trying to find documentation and/or any help to see if PAN firewalls are capable of NATing Two external ISP`s to a differents hosts IP.

My scenario:

My default gateway is 187.x.x.x

When i try to make a NAT with the seconde ISP 189.x.x.x , i don`t know but don`t work.

When i send a netstat at my HOST on NAT , the server don`t receive the SYN to start the handshake.

ISP1 187.x.x.x

----------> Internal hosts 10.55.x.x

ISP2 189.x.x.x

Best Regards.

Re: Natting Internal Hosts to a differente ISP`s

mikand — Mon, 19 Mar 2012 21:09:58 GMT

You need to setup PBR (Policy Based Routing) sometimes called PBF (Policy Based Forwarding) to force for example specific clients to use specific uplink.

Otherwise it should work with two different metrics since PAN current doesnt support ECMP (Equal Cost MultiPath routing).

The above is for SNAT (Source NAT).

For DNAT (Destiantion NAT) its just as always, you need to specify which host on the inside should get the traffic (watch out so PBR/PBF doesnt make the returntraffic go assymetric, like client sends traffic to ISP1IP:80 but get answers from ISP2IP:80 which of course will be dropped at the clientside).

Re: Natting Internal Hosts to a differente ISP`s

Thiago — Tue, 20 Mar 2012 14:20:12 GMT

Ok , thank u for your fast answer.

Just to understand about DNAT , when i look at my server with a NETSTAT i can`t see any SYN connection.

THis happen because when my server try to response to the SYN , it goes assymetric ?

Best Regards.

Re: Natting Internal Hosts to a differente ISP`s

mikand — Tue, 20 Mar 2012 17:55:47 GMT

Personally I would use tcpdump either on the server or by using a spanport on the switch which this server is connected to in order to find out what is actually being transmitted to the server (and how this packet looks like) and whats being returned.

And then do the same on a spanport on the internetrouter to find out how the packets looks like when leaving PAN.

For Netstat I think it will only display "Established" for sessions who completely went through the 3-way handshake. Otherwise it will display Waiting or similar.

Re: Natting Internal Hosts to a differente ISP`s

friento — Tue, 20 Mar 2012 18:04:24 GMT

make sure that your internet router is sending traffic to your firewall.

Re: Natting Internal Hosts to a differente ISP`s

Thiago — Tue, 20 Mar 2012 19:35:22 GMT

Friento ,

When i acess the PALO ALTO GUI from the second ISP , i can acess normally the GUI , So i think the Internet router are working good.

Tks!