topic Re: Dual Isp - Two webserver in General Topics

Dual Isp - Two webserver

mariocutroneo — Fri, 20 Mar 2020 15:06:15 GMT

Hi all,

i have a problem, maybe stupid for all of you, but i can't understand how to configure my pan-220.

I had only one isp and all it's ok (internet, webserver, 2 vlans, etc).

Now i have another ISP and, if is possibile, i need to publish a web server with this connection (without failover. only publish a webserver with another ip)

Anybody can help me???

Thank you and sorry for my bad english!

Re: Dual Isp - Two webserver

SutareMayur — Fri, 20 Mar 2020 16:57:46 GMT

@mariocutroneoYes it is possible.

Terminate new ISP on one of the empty interface of firewall. Do the configuration like IP, ZONE etc. Then use public IP of new ISP to publish your webserver. Kindly configure source, destination zones in Security and NAT policies.

Hope it helps!

Mayur

Re: Dual Isp - Two webserver

mariocutroneo — Fri, 20 Mar 2020 19:35:53 GMT

Thanks.. But i don't understand if i need a second virtuale router for this interface.

Thank you

Re: Dual Isp - Two webserver

SutareMayur — Fri, 20 Mar 2020 20:42:42 GMT

@mariocutroneo

No, no need of second Virtual Router.

Just one question, are you going to use this link only for hosting internal server or for passing internet traffic too?

Mayur

Re: Dual Isp - Two webserver

mariocutroneo — Sat, 21 Mar 2020 10:26:38 GMT

it's not working.

this is my config:

eth1/3 -> ISP2
eth1/8 -> ISP1
eth1/4 - office LAN
vlan.1 -> office lan

zones

inside vlan
outside-isp1
outside -isp2

virtual router:

only one with all interfaces/vlan assigned

security:

outside-isp2 to inside vlan allow my service

nat:

outside-isp2 to outside-isp2 -> destination address the ip of ISP2 - >destionation translation -> the address of my webserver

if i switch the config changing isp2 to isp1 is working.

What 's wrong?

yes if is possibile, i'd like to pass internet traffic too.

thank you very much!

Re: Dual Isp - Two webserver

SutareMayur — Sat, 21 Mar 2020 13:05:03 GMT

@mariocutroneoWhat are you seeing in traffic logs? I think, NAT is not happening in your case. NAT statement seems to be wrong. Please put statement as given below.

NATt:

outside-isp2 to 'inside' -> destination address the ip of ISP2 - >destionation translation -> the address of my webserver

Security Policy is Ok.

Also if you still not able to access. Please see traffic logs and see if traffic coming from correct interface and NAT is happening properly. If it is still not working, then try by adding one static route for the ISP2 public IP (which is used for hosting web-server) towards ISP2 interface and IP address.

If you want to pass internet traffic through ISP2 link, you can add PBF for specific source IP/subnets to route internet traffic from ISP2 link. So this PBF rule will override your default route present in VR.

NOTE - As ISP2 is new link, can you please make sure you are able to ping next hop from Palo Alto interface. You can try to ping it from cli by taking source interface as IP address of interface eth1/3 (ISP2) and destination would be NEXT HOP or gateway of this link.

Hope it helps you!

Mayur

Re: Dual Isp - Two webserver

mariocutroneo — Sat, 21 Mar 2020 19:00:03 GMT

No nothing...

in logs i see that the packet is allow and the increment of hits count for nat -> outsideIsp2 to outsideIspd2

i also added the static route in my virtual router, but nothing change.

yes, i can ping from cli...

😞

Re: Dual Isp - Two webserver

SutareMayur — Mon, 23 Mar 2020 08:18:30 GMT

@mariocutroneo,

Can you please paste traffic log snap here?

Mayur

Re: Dual Isp - Two webserver

reaper — Mon, 23 Mar 2020 12:38:10 GMT

adding a second VR will make this a lot easier though

else you also want to set up Policy Based Forwarding so you can take advantage of 'symmetric return' (as else your return packets may go out of the other ISP and cause all kinds of problems

the second VR will prevent that