Natting Internal Hosts to a differente ISP`s

Reply
L3 Networker

Natting Internal Hosts to a differente ISP`s

I'm trying to find documentation and/or any help to see if PAN firewalls are capable of NATing Two external ISP`s to a differents hosts IP.

My scenario:

My default gateway is 187.x.x.x

When i try to make a NAT with the seconde ISP 189.x.x.x , i don`t know but don`t work.

When i send a netstat at my HOST on NAT , the server don`t receive the SYN to start the handshake.

ISP1 187.x.x.x

                               ----------> Internal hosts 10.55.x.x

ISP2 189.x.x.x


Best Regards.

L6 Presenter

Re: Natting Internal Hosts to a differente ISP`s

You need to setup PBR (Policy Based Routing) sometimes called PBF (Policy Based Forwarding) to force for example specific clients to use specific uplink.

Otherwise it should work with two different metrics since PAN current doesnt support ECMP (Equal Cost MultiPath routing).

The above is for SNAT (Source NAT).

For DNAT (Destiantion NAT) its just as always, you need to specify which host on the inside should get the traffic (watch out so PBR/PBF doesnt make the returntraffic go assymetric, like client sends traffic to ISP1IP:80 but get answers from ISP2IP:80 which of course will be dropped at the clientside).

L3 Networker

Re: Natting Internal Hosts to a differente ISP`s

Ok , thank u for your fast answer.

Just to understand about DNAT , when i look at my server with a NETSTAT i can`t see any SYN connection.

THis happen because when my server try to response to the SYN  , it goes assymetric ?

Best Regards.

L6 Presenter

Re: Natting Internal Hosts to a differente ISP`s

Personally I would use tcpdump either on the server or by using a spanport on the switch which this server is connected to in order to find out what is actually being transmitted to the server (and how this packet looks like) and whats being returned.

And then do the same on a spanport on the internetrouter to find out how the packets looks like when leaving PAN.

For Netstat I think it will only display "Established" for sessions who completely went through the 3-way handshake. Otherwise it will display Waiting or similar.

Highlighted
L3 Networker

Re: Natting Internal Hosts to a differente ISP`s

make sure that your internet router is sending traffic to your firewall.

L3 Networker

Re: Natting Internal Hosts to a differente ISP`s

Friento ,

When i acess the PALO ALTO GUI from the second ISP , i can acess normally the GUI , So i think the Internet router are working good.


Tks!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!