https://live.paloaltonetworks.com/t5/general-topics/exchange-load-balancing/m-p/12449#M9105 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Basically the scenario is that we have one exchange server behind the firewall, external users are accessing this server usning a host name mapped by a service provider to two different Public IP's using DNS round robin,</P><P></P><P>Is it possible to configure two NATing rules for the same single host (the server). This way what ever IP the host name is hitting it will be successful,</P><P></P><P>But how can I overcome the issue for outgoing traffic, can I use PBR to send traffic using one link and in case it fails it will failover to the other link.</P><P></P><P>So at the end Incoming Traffic will be round robined and outgoing traffic will use one link and only failover when necessary.</P><P></P><P>Regards</P></BODY></HTML> Sun, 27 May 2012 09:38:04 GMT rsaber 2012-05-27T09:38:04Z https://live.paloaltonetworks.com/t5/general-topics/exchange-load-balancing/m-p/12449#M9105 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Basically the scenario is that we have one exchange server behind the firewall, external users are accessing this server usning a host name mapped by a service provider to two different Public IP's using DNS round robin,</P><P></P><P>Is it possible to configure two NATing rules for the same single host (the server). This way what ever IP the host name is hitting it will be successful,</P><P></P><P>But how can I overcome the issue for outgoing traffic, can I use PBR to send traffic using one link and in case it fails it will failover to the other link.</P><P></P><P>So at the end Incoming Traffic will be round robined and outgoing traffic will use one link and only failover when necessary.</P><P></P><P>Regards</P></BODY></HTML> Sun, 27 May 2012 09:38:04 GMT https://live.paloaltonetworks.com/t5/general-topics/exchange-load-balancing/m-p/12449#M9105 rsaber 2012-05-27T09:38:04Z https://live.paloaltonetworks.com/t5/general-topics/exchange-load-balancing/m-p/12450#M9106 <HTML><HEAD></HEAD><BODY><P>I think you should be fine if you setup just two DNAT rules.</P><P></P><P>(example)</P><P>untrust -&gt; trust</P><P>0.0.0.0 -&gt; &lt;firstip&gt;</P><P>forward: &lt;exchangeip&gt;</P><P></P><P>untrust -&gt; trust</P><P>0.0.0.0 -&gt; &lt;secondip&gt;</P><P>forward: &lt;exchangeip&gt;</P><P></P><P>Im not sure if PA will then see this as a single flow and do the SNAT for you (I mean if client speaks to &lt;firstip&gt;, will the reply which &lt;exchangeip&gt; sends back to the PA device automatically use &lt;firstip&gt; as source when sending the reply back to client?).</P><P></P><P>For the flows which the &lt;exchangeip&gt; initiates on its own I dont think you would need a SNAT rule for that (unless your exchangeserver use a private ip and you need to speak to internet).</P></BODY></HTML> Sun, 27 May 2012 10:33:14 GMT https://live.paloaltonetworks.com/t5/general-topics/exchange-load-balancing/m-p/12450#M9106 mikand 2012-05-27T10:33:14Z https://live.paloaltonetworks.com/t5/general-topics/exchange-load-balancing/m-p/12451#M9107 <HTML><HEAD></HEAD><BODY><P>Thanks,</P><P></P><P>But the issue in the PA routing table it will have the 1st ISP as a destination, so even if I recieve traffic from the second it will be sent through the first and be dropped.</P><P></P><P>I found a similar problem here:</P><P><A class="active_link" href="https://live.paloaltonetworks.com/message/13974#13974">https://live.paloaltonetworks.com/message/13974#13974</A></P><P></P><P>As I understood PA will add a feature called Symmetric Return which will send the traffic back to the same ISP it came from.</P></BODY></HTML> Sun, 27 May 2012 15:42:46 GMT https://live.paloaltonetworks.com/t5/general-topics/exchange-load-balancing/m-p/12451#M9107 rsaber 2012-05-27T15:42:46Z https://live.paloaltonetworks.com/t5/general-topics/exchange-load-balancing/m-p/12452#M9108 <HTML><HEAD></HEAD><BODY><P>Oh yeah that part, hmpf...</P><P></P><P>Yeah wait for symmetric return to arrive and it will fix these problems <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P></BODY></HTML> Sun, 27 May 2012 19:14:58 GMT https://live.paloaltonetworks.com/t5/general-topics/exchange-load-balancing/m-p/12452#M9108 mikand 2012-05-27T19:14:58Z