https://live.paloaltonetworks.com/t5/general-topics/dual-isp-scenario/m-p/206906#M60686 <P>Thanks reaper. Outbound is ok.</P><P>Thinking in inboud:</P><P>&nbsp;</P><P>We have these NAT rules:</P><P>ISP1 is 1.1.1.1:</P><P>&nbsp;</P><P>&nbsp;</P><P>So, there is any way to clone all these NAT rules changing ISP 2.2.2.2, and if ISP 1.1.1.1 goes down, the inbound sessions take ISP 2???? any NAT track or way to configure public services with both ISPs?</P><P>&nbsp;</P> Thu, 22 Mar 2018 15:48:48 GMT soporteseguridad 2018-03-22T15:48:48Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-scenario/m-p/206889#M60677 <P>Hi,</P><P>&nbsp;</P><P>I need to create a dual ISP scenario. This FW has 2 interface with differents ISP. (ppoe)</P><P>eth1/2 (1.1.1.1/32)</P><P>eth1/3 (2.2.2.2/32)</P><P>&nbsp;</P><P>We&nbsp;would like to balance both ISPs and in the case one of this ISP goes down, all traffic takes the ISP up in that moment. So i was checking,&nbsp;</P><P>&nbsp;</P><P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-the-Firewall/ta-p/110339" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-the-Firewall/ta-p/110339</A></P><P>&nbsp;</P><P>Also i would like to force some trust range to take interface 1/2 (using PBF), an in the case this interfaces 1/2 goes down, to take int1/3</P><P>&nbsp;</P><P>on the another hand, there are several services on internet for this public IP. So how ca we public the NAT in both ISP interface??? clonning all the NATs using the new ISP IPs??? thats enough i think</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 22 Mar 2018 14:00:46 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-scenario/m-p/206889#M60677 soporteseguridad 2018-03-22T14:00:46Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-scenario/m-p/206897#M60680 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/9102">@soporteseguridad</a></P> <P>&nbsp;</P> <P>outbound you would be ok with ECMP and using PBF policies to force certain traffic onto a specific interface</P> <P>outbound NAT would simply be regular outbound hide-NAT with a destination interface set and source NAT to the proper ISP subnet (clone and change destination interface + source translation)</P> <P>Inbound NAT will only work for the ISP that routes the public IP so this can only be configured once for the appropriate ISP (so no cloning here)</P> Thu, 22 Mar 2018 14:08:49 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-scenario/m-p/206897#M60680 reaper 2018-03-22T14:08:49Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-scenario/m-p/206906#M60686 <P>Thanks reaper. Outbound is ok.</P><P>Thinking in inboud:</P><P>&nbsp;</P><P>We have these NAT rules:</P><P>ISP1 is 1.1.1.1:</P><P>&nbsp;</P><P>&nbsp;</P><P>So, there is any way to clone all these NAT rules changing ISP 2.2.2.2, and if ISP 1.1.1.1 goes down, the inbound sessions take ISP 2???? any NAT track or way to configure public services with both ISPs?</P><P>&nbsp;</P> Thu, 22 Mar 2018 15:48:48 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-scenario/m-p/206906#M60686 soporteseguridad 2018-03-22T15:48:48Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-scenario/m-p/206909#M60688 <P>Forget inbound, we would have DNS problem, and create abother zone for ISP2.......to many config fo this end customer.....&nbsp;</P><P>thanks a lot reaper</P> Thu, 22 Mar 2018 15:03:37 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-scenario/m-p/206909#M60688 soporteseguridad 2018-03-22T15:03:37Z https://live.paloaltonetworks.com/t5/general-topics/dual-isp-scenario/m-p/206912#M60690 <P>Hello,</P><P>The only way to get inbound redirection to work would be to use an external load balancer. That way the LB would know which way is the best path and route to it while the public DNS record points to the LB IP's.</P><P>&nbsp;</P><P>Hope that helps.</P> Thu, 22 Mar 2018 15:14:16 GMT https://live.paloaltonetworks.com/t5/general-topics/dual-isp-scenario/m-p/206912#M60690 OtakarKlier 2018-03-22T15:14:16Z