Multiple ISPs with inbound connections



L0 Member

I recently bought a PA-500 to replace an aging SonicWall. We have two ISPs, one DSL and one cable. We have static IPs on both. It appears from the documentation that this should work, but implementing it has been painful, to say the least.

Currently we have no inbound services on cable, and plan to use that primarily for web browsing; however, we will need to set up GlobalProtect on that interface as soon as possible. We have a few services inbound on DSL:

- smtp from our outsourced spam filter (it will all come in from a single IP)

- http and https for OWA

- rsync from our web hosting company for online order fulfillment

- a couple of VNC connections on non-standard ports, which should be port-forwarded to the standard ports on those machines

I can go into great detail about what I have and have not done to this point, but was wondering if anybody else has done the same, and where (if anywhere?) is this configuration documented? I've been dealing with various flavors of firewalls for over 10 years, and I've put in over 40 hours on what should be less than a 2 hour problem.

I've also seen some really strange things, like

- When trying to change outbound NAT rules, a SYN comes in on one (DSL) interface, gets properly translated to the internal host, however the outbound ACK gets sent out the correct interface with the correct destination IP, but with a MAC address that isn't even in its ARP table (and the gateway's MAC address is correct in the ARP table).

- When trying to set up the VNC connections, the traffic monitor says the traffic is allowed by the OWA rule (which has nothing to do with that port or its application type), but still does not get NATted correctly.

Questions? Comments? Snide remarks?


3 Replies

L4 Transporter

There's nothing in your post that isn't possible in the PAN with Policy Based Forwarding, NAT, and Security policies.

Have you reached out to your SE yet?

What's an SE? Sales Engineer? Trying to get ahold of them now, too.

I thought it sounded like this should all be possible, but usually there are knowledgebase articles, how-tos, or forum posts for fairly common scenarios. Multiple ISPs may have been uncommon 5 years ago, but that setup is quickly approaching "normal" for the small-business market.

L4 Transporter

In 5.0 there is a feature being added called return to sender which will take care of most of your config.

In the meantime most of it can be done.

> Currently we have no inbound services on cable, and plan to use that primarily for web browsing, however we will need to set up GlobalProtect on that interface as soon as possible. We have a few services inbound on DSL.

This will actually need to be done with two VRs. PBF does not apply to traffic that is sourced from or destined to the PAN. It only applies to traffic that goes through the PAN. If you have a PBF rule to route traffic through cable and a default route to route traffic out DSL, all requests to GP will route back out the cable line.

> We have a few services inbound on DSL.

What may be happening here is the SYN comes in on the DSL and PBF matched the SYN/ACK and routes it back out the cable line. If DNATs are required on the DSL line you will need to split the VRs, or put a negate rule above the PBF so it will use the VR route out the DSL line. This in turn will route ALL traffic out the DSL for those machines.

> When trying to change outbound NAT rules, a SYN comes in on one (DSL) interface, gets properly translated to the internal host, however the outbound ACK gets sent out the correct interface with the correct destination IP, but with a MAC address that isn't even in its ARP table (and the

Which MAC is incorrect, the DST MAC after it leaves the PAN, or the SRC?

> When trying to set up the VNC connections, the traffic monitor says the traffic is allowed by the OWA rule (which has nothing to do with that port or its application type), but still does not get NATted correctly.

First packet will allow traffic not based on application, so if the service field is ANY or the same port as VNC this would match for the 3-way and change once the application is identified.

Dominic
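The egress decision Dominic describes, as an added illustration that is not part of the reply and not PAN-OS code: a simplified first-match PBF rulebase with a negate ("no-pbf") action that falls through to the VR route table, skipped entirely for traffic the firewall itself terminates. Interface names, prefixes and addresses are constructed, and the single VR's default route is assumed to point out DSL.

```python
"""Constructed model of PBF + VR egress selection (not PAN-OS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class PbfRule:
    name: str
    src: str          # source prefix the rule matches
    action: str       # "forward" or "no-pbf" (negate: use the VR route)
    egress: str = ""  # egress interface when action == "forward"


# Constructed addressing: internal LAN and the firewall's own public IPs.
LAN = "10.0.0.0/24"
DEFAULT_ROUTE_IF = "dsl"  # the VR's default route leaves via DSL
FW_ADDRS = {"203.0.113.10": "dsl", "198.51.100.10": "cable"}


def egress_interface(src: str, dst: str, rules: list[PbfRule]) -> str:
    """Return the interface a packet leaves on under the given PBF rulebase."""
    # PBF is not consulted for traffic sourced from or destined to the
    # firewall (e.g. GlobalProtect); only the VR route table applies.
    if src in FW_ADDRS or dst in FW_ADDRS:
        return DEFAULT_ROUTE_IF
    for rule in rules:  # first match wins
        if ip_address(src) in ip_network(rule.src):
            return DEFAULT_ROUTE_IF if rule.action == "no-pbf" else rule.egress
    return DEFAULT_ROUTE_IF


# Rulebase as the poster has it: every LAN host, including the DNAT'd
# servers, is forced out cable, so replies to DSL-arrived SYNs go out cable.
BROKEN = [PbfRule("lan-out-cable", LAN, "forward", "cable")]

# Negate rules for the DNAT'd hosts placed above the PBF rule: those hosts
# always use the VR route (DSL), everything else still goes out cable.
FIXED = [
    PbfRule("no-pbf-smtp", "10.0.0.25/32", "no-pbf"),
    PbfRule("no-pbf-owa", "10.0.0.80/32", "no-pbf"),
    PbfRule("lan-out-cable", LAN, "forward", "cable"),
]


def reply_is_symmetric(server: str, rules: list[PbfRule]) -> bool:
    """SYN arrived on DSL; the server's SYN/ACK must leave via DSL too."""
    return egress_interface(server, "192.0.2.50", rules) == "dsl"
```

A GlobalProtect reply sourced from the cable address still leaves on the DSL default route in this model, which is why the reply points to a second VR rather than PBF for that case.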

  • 1 accepted solution
  • 2264 Views
  • 3 replies
  • 0 Likes