Destination NAT is not working when PBF for dual ISP is enabled

Reply
L1 Bithead

Destination NAT is not working when PBF for dual ISP is enabled

Hi All,

 

I followed the guide at this URL to setup the Dual ISP for outbound access.

 

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/policy/use-case-pbf-for-outbound-acc...

 

I have set the http/https services to use ISP 2 and other traffic to use ISP 1. It is working find and the redundancy also working fine.

 

However, I have 2 web services that hosting using ISP 1. I have setup the destination NAT and required policy but it is not working when the 2 ISP link is up. If i disconnect the ISP 2, the destination NAT is working fine.

 

I also tried to setup the PBF rule for Symmetric Return using ISP 1 using the following guide.

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-Symmetric-Return/ta-p/5...

 

The log details when the Dual ISP + Symmetric PBF is define. It just showed incomplete and aged-out. From Client wireshark, it keep resending the TCP transmission.

hosting not ok when isp 1 up OK.png

The result when disable the PBF for Symmetric returna and disconnect ISP 2.

hosting ok when isp 1 down OK.png

 

Is there any other thing I need to do in order to allow dual ISP and destination NAT to work? Appreciate if someone can give me a hint on this.

L7 Applicator

Re: Destination NAT is not working when PBF for dual ISP is enabled

I think you will need to modify your PBF filter rule for the web server to work.  What might be happening is the http/https traffic from the server in reply to the inbound dNAT is being picked up and sent to ISP 2.

 

Add to that filter a negate ip address source for the internal address of your web server so that it is not covered by the forwarding filter.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L1 Bithead

Re: Destination NAT is not working when PBF for dual ISP is enabled

I figure out the problem.

 

When i added the PBR for this destination NAT, i did not specific the next hope. The Interface and Server VLAN are different. That why.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!