Dual ISP, ECMP, PBF, PAT to access internet, Destination NAT to Local Server

L1 Bithead

Dear Colleagues,

I need your help to clarify some doubts.

G1/1 - xxxxx/30 (ISP 1)

G1/2 - xxxxx/30 (ISP 2)

G1/3 - xxxxx/24 (LAN)

Both ISPs have also provided xxxxxx/29 range of usable IPs.

I have configured dual ISP redundancy with a single virtual router by enabling ECMP and link monitor for the static route.

I have configured source NAT to access the internet from the local LAN (G1/1 & G1/2).

I have also configured PBF for a specific zone/network to access the internet from a specific ISP (G1/1 & G1/2).

I configured destination NAT from public IP xxxxx/29 to the local server (red). It is configured for both ISPs.

When both ISPs are connected, I am able to access the local server (red) from the internet only from ISP1.

But when I disconnect ISP1 from the firewall, I am able to access the local server from the internet through ISP2.

Can anyone please help?

L7 Applicator

@sharathshashidhar,

Regardless of configuration, you will not be able to have simultaneous connections from ISP1 and ISP2 to the same internal resource. Your weighted routes and PBF with monitoring policies don't really allow for that.

L1 Bithead

You mean destination NAT will not work for both ISPs if PBF is configured?

How can I achieve destination NAT from both ISPs (ISP1 & ISP2) to the local server?

L7 Applicator

@sharathshashidhar,

Can you share how you have configured the NATs in question? Your NAT policies are evaluated the same as the security policies, so the first NAT policy that matches the traffic is going to be the policy that gets used.

Best case scenario, you are able to advertise one IP range across both ISPs, but unless you actually own the IP range, the ISP is unlikely to agree to this. There are other ways to accomplish what you are trying to do, but the easiest way to configure this is actually to just have dual IPs on your server in question and set up completely separate NAT policies for both IPs to allow access.

L7 Applicator

@sharathshashidhar

The ways described by @BPry are (in my opinion) not the easiest; these are the only ways to achieve what you want to do.

  1. The /29 is your IP range and this range is available over both ISP connections --> one NAT policy is needed and the server will be available over both connections
  2. You have 2 /29 IP ranges --> you need to configure 2 NAT policies - one for the ISP1 IP range and one for the ISP2 IP range. In the FQDN used to access the server you also have to add both IPs
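
Added example, not part of any post in this thread and not Palo Alto code: a simplified Python model of the top-down, first-match NAT evaluation described in the replies above, applied to the "two /29 ranges, two NAT policies" option. The zone name, rule names and all addresses (documentation ranges) are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str       # zone the packet arrives from
    match_dst: str       # public address or prefix the rule matches
    translated_dst: str  # internal address the destination is rewritten to

def translate(rules, from_zone, dst_ip):
    """Walk the rules top-down; the first match wins, like a security rulebase.

    Returns (rule name, translated destination), or (None, dst_ip) when no
    rule matches and the destination is left untouched.
    """
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.from_zone == from_zone and dst in ipaddress.ip_network(rule.match_dst):
            return rule.name, rule.translated_dst
    return None, dst_ip

# Constructed sample values (documentation ranges), not taken from the thread.
SERVER = "192.168.1.10"
ISP1_PUBLIC = "203.0.113.2"     # address from the ISP1 /29
ISP2_PUBLIC = "198.51.100.2"    # address from the ISP2 /29

# One destination NAT rule per ISP range, both pointing at the same server.
TWO_RANGE_RULES = [
    NatRule("dnat-isp1", "untrust", ISP1_PUBLIC + "/32", SERVER),
    NatRule("dnat-isp2", "untrust", ISP2_PUBLIC + "/32", SERVER),
]

# A broader rule placed above dnat-isp2 shadows it: ISP2 traffic is sent
# to a different host and dnat-isp2 is never evaluated.
SHADOWED_RULES = [
    NatRule("dnat-isp1", "untrust", ISP1_PUBLIC + "/32", SERVER),
    NatRule("dnat-broad", "untrust", "198.51.100.0/29", "192.168.1.20"),
    NatRule("dnat-isp2", "untrust", ISP2_PUBLIC + "/32", SERVER),
]

if __name__ == "__main__":
    for label, rules in (("two-range", TWO_RANGE_RULES), ("shadowed", SHADOWED_RULES)):
        for public in (ISP1_PUBLIC, ISP2_PUBLIC):
            print(label, public, "->", translate(rules, "untrust", public))
```

When reviewing a real rulebase, the same check applies: for each public address, confirm which rule is the first to match it, since a later, more specific rule never takes effect.
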
L1 Bithead

image.png

Is this configuration correct?

One question: can ECMP & PBF both work side by side?

L7 Applicator

@sharathshashidhar

Does this config now work or did you create this after this topic's discussion?

Looks actually pretty good, I think.

L1 Bithead

Sorry for the late response, I was on leave.

Yes, I had started this topic discussion after configuring the firewall.

Recently I had spoken to PA support tech about this issue.

Since this issue was happening intermittently, I will post my findings when it happens.
