Hi,
I have three internet connections from different ISPs. So I have 3 untrust (ethernet1/1, ethernet1/2, ethernet1/3) interfaces and one trust (ethernet1/4) interface. All of them are in the same virtual router. The default route will be on the ethernet1/1 interface (0.0.0.0/0 -> default gateway of ethernet1/1).
I would like to use the ethernet1/1 interface for some of the internal IPs, called X, so I made a source NAT. All traffic coming from this IP group will use ethernet1/1 for internet access (trust -> untrust, from X to any -> source NAT on ethernet1/1).
The rest of the internal IPs will go to the internet from ethernet1/2. To achieve this, which method is more suitable: NAT or PBF?
I would like to forward the traffic to ethernet1/3 to access my internal server on a remote branch office.
I am planning to write a PBF rule for this route. If I write a PBF rule, do I have to create a NAT rule too? Or does PBF also handle NAT functionality?
Finally, do I have to create an additional route other than the default route in the virtual router?
Thanks.
Hi Ismail,
I believe you are on the right track with the PBF and NAT. PBF does not take care of NAT so you will have to do that separately. The final configuration will depend on how you want the ISP redundancy to work (if any). In any case you will have a combination of default route, PBF rules, and NAT rules.
Cheers,
Kelly
Thanks for your feedback.
Hi Kelly,
You said that "PBF does not take care of NAT so you will have to do that separately".
But I have some doubts about this issue. Let me explain with an example.
Let's say that I have two ISP connections and I want to forward only YouTube requests to the second ISP via ethernet1/3.
The rest of the traffic will go over the first ISP. I can write a PBF rule for YouTube, because PBF supports rules for applications.
But how can I write a NAT rule for only the YouTube application? There is no way to specify an application in NAT rules.
If I create a service-based NAT rule, it can only be for the HTTP service. In this case, all HTTP traffic will go over the second ISP?
I guess PBF does not require extra NAT rules?
Thanks.