Dual Isp - Two webserver


L1 Bithead

Hi all,

 

I have a problem, maybe stupid for all of you, but I can't understand how to configure my pan-220.

I had only one ISP and all was OK (internet, webserver, 2 VLANs, etc.).

Now I have another ISP and, if possible, I need to publish a web server with this connection (without failover, only publish a webserver with another IP).

Can anybody help me?

Thank you and sorry for my bad English!

8 REPLIES 8

Cyber Elite

@mariocutroneo Yes, it is possible.

 

Terminate the new ISP on one of the empty interfaces of the firewall. Do the configuration like IP, zone, etc. Then use the public IP of the new ISP to publish your webserver. Kindly configure source and destination zones in the Security and NAT policies.

 

Hope it helps!

 

Mayur

M

Thanks. But I don't understand if I need a second virtual router for this interface.

Thank you 

@mariocutroneo

 

No, no need for a second Virtual Router.

Just one question: are you going to use this link only for hosting the internal server or for passing internet traffic too?

 

Mayur

M

It's not working.

This is my config:

  • eth1/3 -> ISP2
  • eth1/8 -> ISP1
  • eth1/4 -> office LAN
  • vlan.1 -> office LAN

 

zones

  • inside vlan
  • outside-isp1
  • outside-isp2

 

virtual router:

  • only one with all interfaces/vlan assigned

 

security:

  • outside-isp2 to inside vlan: allow my service

NAT:

  • outside-isp2 to outside-isp2 -> destination address: the IP of ISP2 -> destination translation -> the address of my webserver

 

If I switch the config, changing isp2 to isp1, it is working.

What's wrong?

 

Yes, if possible, I'd like to pass internet traffic too.

 

Thank you very much!

 

@mariocutroneo What are you seeing in the traffic logs? I think NAT is not happening in your case. The NAT statement seems to be wrong. Please put the statement as given below.

 

NAT:

  • outside-isp2 to 'inside' -> destination address: the IP of ISP2 -> destination translation -> the address of my webserver

Security Policy is OK.

 

Also, if you are still not able to access it, please check the traffic logs and see if traffic is coming from the correct interface and NAT is happening properly. If it is still not working, then try adding one static route for the ISP2 public IP (which is used for hosting the web server) towards the ISP2 interface and IP address.

 

If you want to pass internet traffic through the ISP2 link, you can add PBF for specific source IPs/subnets to route internet traffic via the ISP2 link. This PBF rule will override the default route present in the VR.

 

NOTE - As ISP2 is a new link, can you please make sure you are able to ping the next hop from the Palo Alto interface? You can try to ping it from the CLI by taking the IP address of interface eth1/3 (ISP2) as the source, and the destination would be the next hop or gateway of this link.

 

Hope it helps you!

 

Mayur

 

 

M

No, nothing...

In the logs I see that the packet is allowed and the hit count increments for NAT -> outsideIsp2 to outsideIsp2.

 

I also added the static route in my virtual router, but nothing changed.

 

Yes, I can ping from the CLI...

 

😞

@mariocutroneo,

 

Can you please paste a traffic log snap here?

 

Mayur

M

Adding a second VR will make this a lot easier though.

Otherwise you also want to set up Policy Based Forwarding so you can take advantage of 'symmetric return' (as else your return packets may go out of the other ISP and cause all kinds of problems).

 

The second VR will prevent that.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
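
The return-path concern raised in the last reply, as an added sketch that is not part of any post and is not PAN-OS code: a client reaches the web server through ISP2, and the reply's egress interface is chosen by a route lookup on the client address. The addresses, the default route via ISP1 and the function names are assumptions; `symmetric_return` is a simplified stand-in for the PBF option.

```python
import ipaddress

# Constructed lab values: documentation-range addresses; interface names follow the thread.
ISP1_IF, ISP2_IF, LAN_IF = "eth1/8", "eth1/3", "vlan.1"
CLIENT_IP = "203.0.113.50"        # constructed internet client
ISP2_PUBLIC_IP = "198.51.100.10"  # constructed public IP used to publish the web server

# Single virtual router; the default route via ISP1 is an assumption.
SINGLE_VR = [("0.0.0.0/0", ISP1_IF), ("192.168.10.0/24", LAN_IF)]
# Same table plus a host route for the ISP2 public IP pointing at the ISP2 interface.
WITH_HOST_ROUTE = SINGLE_VR + [(ISP2_PUBLIC_IP + "/32", ISP2_IF)]


def route_lookup(table, dst):
    """Longest-prefix match on the destination; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(prefix), ifc) for prefix, ifc in table]
    hits = [(net, ifc) for net, ifc in hits if addr in net]
    if not hits:
        raise LookupError(f"no route to {dst}")
    return max(hits, key=lambda h: h[0].prefixlen)[1]


def reply_egress(ingress_if, client_ip, table, symmetric_return=False):
    """Interface the server's reply leaves on.

    symmetric_return is a simplified model of the PBF option named in the
    thread: the reply goes back out of the interface the session arrived on
    instead of following the routing table.
    """
    if symmetric_return:
        return ingress_if
    # The reply is addressed to the client, so the client IP is the lookup key.
    return route_lookup(table, client_ip)


def is_asymmetric(ingress_if, client_ip, table, symmetric_return=False):
    """True when the reply would leave through a different ISP than the request used."""
    return reply_egress(ingress_if, client_ip, table, symmetric_return) != ingress_if


if __name__ == "__main__":
    for name, table, sym in [("single VR", SINGLE_VR, False),
                             ("host route added", WITH_HOST_ROUTE, False),
                             ("symmetric return", SINGLE_VR, True)]:
        out = reply_egress(ISP2_IF, CLIENT_IP, table, sym)
        print(f"{name:18} reply leaves via {out} asymmetric={out != ISP2_IF}")
```

In this model the host route for the ISP2 public IP never matches the reply, because the reply's destination is the client address rather than the published IP.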