I'm seeing the following.
- two existing Internet lines, put in zones "I-1" and "I-2"
- there are two L3 interfaces, one in I-1 with address PA-1, one in I-2 with address PA-2
- the default route goes to a router reachable in I-2
- there's a PBF policy to forward everything to a router in I-1
There are two destination NATs:
- from zone I-1 to address PA-1, tcp port 25, dnat to some internal address A
- from zone I-2 to address PA-2, tcp port 25, dnat to some internal address A
This does not work. In the monitor, we see no traffic arriving from I-1 to PA-1:25.
After modifying this config to put both Internet lines into one single zone, it suddenly works.
It seems that zone lookup in several stages only looks at the routing table. Not considering PBF, it deduces the wrong src/dst zone, causing packets mismatching the session.
This seems wrong, when true. Is it, and is it?
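To make the suspected asymmetry concrete, here is an added example, written for this thread and not code from the original post or from PAN-OS: a small Python model of a firewall that derives a zone from the interface chosen for a destination (longest-prefix route lookup, optionally overridden by a PBF rule keyed on the ingress zone). The topology, addresses (198.51.100.1 for PA-1, 203.0.113.1 for PA-2, 10.0.0.25 for A, client 192.0.2.10) and rule shapes are constructed to match the description above; the lookup order is a simplifying assumption, not the actual PAN-OS algorithm. It shows that with a single default route via I-2 and a PBF rule pushing everything out via I-1, one of the two inbound lines always sees its reply leave through the other zone, whichever lookup the return path honours.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    cidr: str            # the interface's own address, e.g. "198.51.100.1/24"


@dataclass(frozen=True)
class Route:
    prefix: str          # destination prefix; "0.0.0.0/0" is the default route
    interface: str       # egress interface name


@dataclass(frozen=True)
class PbfRule:
    from_zone: str       # ingress zone the rule matches
    egress_interface: str


class ZoneModel:
    """Simplified model (assumption): a zone is the zone of the egress interface
    that a lookup selects for a destination address."""

    def __init__(self, interfaces, routes, pbf_rules):
        self.interfaces = {i.name: i for i in interfaces}
        # Connected routes are derived from the interface addresses themselves.
        connected = [Route(str(ipaddress.ip_interface(i.cidr).network), i.name)
                     for i in interfaces]
        self.routes = connected + list(routes)
        self.pbf_rules = list(pbf_rules)

    def fib_lookup(self, dst_ip: str) -> Interface:
        """Longest-prefix match over connected and static routes."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for r in self.routes:
            net = ipaddress.ip_network(r.prefix)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, r.interface)
        if best is None:
            raise LookupError(f"no route to {dst_ip}")
        return self.interfaces[best[1]]

    def zone_of(self, dst_ip: str) -> str:
        """Zone derived purely from the routing table."""
        return self.fib_lookup(dst_ip).zone

    def egress_zone(self, ingress_zone: str, dst_ip: str, honour_pbf: bool) -> str:
        """Zone the packet leaves through; a PBF rule for the ingress zone wins if honoured."""
        if honour_pbf:
            for rule in self.pbf_rules:
                if rule.from_zone == ingress_zone:
                    return self.interfaces[rule.egress_interface].zone
        return self.zone_of(dst_ip)

    def check_dnat_symmetry(self, client_ip, ingress_zone, public_ip, internal_ip, honour_pbf):
        """Zones seen by the client-to-server flow, the reply flow, and whether the
        reply leaves through the zone the request arrived on."""
        pre_nat_dst_zone = self.zone_of(public_ip)            # zone of PA-x itself
        c2s = (ingress_zone, self.zone_of(internal_ip))       # post-DNAT destination zone
        s2c = (c2s[1], self.egress_zone(c2s[1], client_ip, honour_pbf))
        return {
            "pre_nat_dst_zone": pre_nat_dst_zone,
            "c2s": c2s,
            "s2c": s2c,
            "symmetric": s2c[1] == ingress_zone,
        }


def build_thread_topology() -> ZoneModel:
    """Constructed topology matching the thread: two Internet lines, one default
    route via I-2, one PBF rule from the internal zone via I-1."""
    interfaces = [
        Interface("ethernet1/1", "I-1", "198.51.100.1/24"),   # PA-1 (constructed)
        Interface("ethernet1/2", "I-2", "203.0.113.1/24"),    # PA-2 (constructed)
        Interface("ethernet1/3", "trust", "10.0.0.1/24"),     # internal side (assumed zone name)
    ]
    routes = [Route("0.0.0.0/0", "ethernet1/2")]             # default route via I-2
    pbf = [PbfRule("trust", "ethernet1/1")]                   # PBF: everything out via I-1
    return ZoneModel(interfaces, routes, pbf)


if __name__ == "__main__":
    m = build_thread_topology()
    for zone, public in (("I-1", "198.51.100.1"), ("I-2", "203.0.113.1")):
        for honour in (False, True):
            r = m.check_dnat_symmetry("192.0.2.10", zone, public, "10.0.0.25", honour)
            print(f"inbound via {zone}, reply honours PBF={honour}: "
                  f"c2s={r['c2s']} s2c={r['s2c']} symmetric={r['symmetric']}")
```

Running it prints four rows: inbound via I-1 is symmetric only when the reply honours PBF, and inbound via I-2 is symmetric only when it does not. Whatever the real lookup order on the firewall, a single default route plus a blanket PBF rule cannot return both lines' traffic on the interface it arrived on; pinning the return path to the ingress interface (or giving each line its own return rule) is what removes the mismatch.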
Please check the NAT destination policy - if changing the zone allows traffic to suddenly work, was there a policy for the first zone?
Security Policy is checked first, but implemented after NAT.
As for the PBF - that is for outbound traffic so your dNAT should not be affected by PBF.
Hope this helps