PA-200 - Passing traffic through multiple ISP links

L1 Bithead

I have a Palo Alto PA-200 and the setup I'm trying to configure is as below.

[Image: Internal Network1.jpg]

  • I'm using "Fiber1" and "Fiber2" for Internet purposes. These 2 links are connected to the firewall via a trunk port.
  • The ADSL links and the "LankaCom" link on the right are used for mail purposes only. These 3 links are also connected to the firewall via a trunk port.
  • Sub-interfaces are created in the firewall as 1/1.60, 1/1.61 and 3/3.62, 3/3.63, 3/3.64.
  • I have managed to configure the Fiber links successfully and I'm accessing the Internet through them.
  • But I can't get the ADSL links to work for mail access.
  • I have only created 2 zones so far (Trust & Untrust) and am trying to pass the traffic using them.
  • Do I have to configure another zone to transfer mail traffic to the ADSL side?
  • Is it possible to configure this scenario on a PA-200?

Cyber Elite

Can you explain what you mean by mail access.

Are you receiving mail, or are users using a mail client to pull mail in from the mail server?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L3 Networker

Create an additional zone for the ADSL links and the "LankaCom" link (interfaces 3/3.62, 3/3.63, 3/3.64) and a DMZ. Then allow the specific traffic you need. Make sure your routing table is correct.

L1 Bithead

Can you show us the routing table? I am assuming each DSL has its own IP and interface. How are you telling the traffic which interface to go to? Are you using policy-based routing, or static routes?

There are 2 mail servers in the DMZ zone. One server is for Admin staff and one for general staff. Only the ADSL links and the LankaCom link have public IPs. The LankaCom link is used for mail transfer to both servers. In case the LankaCom link fails, the ADSL links are used as backup links for each mail server.

VIRTUAL ROUTER: Default_SLT-FL-LAN (id 3)
==========
destination nexthop metric flags age interface next-AS
0.0.0.0/0 10.100.60.1 10 A S ethernet1/1.60
0.0.0.0/0 10.100.61.1 15 S ethernet1/1.61
10.100.60.0/24 10.100.60.254 0 A C ethernet1/1.60
10.100.60.254/32 0.0.0.0 0 A H
10.100.61.0/24 10.100.61.254 0 A C ethernet1/1.61
10.100.61.254/32 0.0.0.0 0 A H
192.168.15.0/24 192.168.45.254 10 A S ethernet1/2
192.168.20.0/24 192.168.45.254 10 A S ethernet1/2
192.168.30.0/24 192.168.45.254 10 A S ethernet1/2
192.168.45.0/24 192.168.45.253 0 A C ethernet1/2
192.168.45.253/32 0.0.0.0 0 A H
192.168.100.0/23 192.168.45.254 10 A S ethernet1/2
total routes shown: 12

VIRTUAL ROUTER: VR2_SLT-AD-LC (id 4)
==========
destination nexthop metric flags age interface next-AS
10.100.1.0/24 10.100.1.100 10 S ethernet1/3.62
10.100.1.0/24 10.100.1.253 0 A C ethernet1/3.62
10.100.1.253/32 0.0.0.0 0 A H
20.100.2.0/24 20.100.2.100 10 S ethernet1/3.63
20.100.2.0/24 20.100.2.253 0 A C ethernet1/3.63
20.100.2.253/32 0.0.0.0 0 A H
192.168.2.0/24 192.168.2.253 0 A C ethernet1/3.64
192.168.2.0/24 192.168.2.254 10 S ethernet1/3.64
192.168.2.253/32 0.0.0.0 0 A H
total routes shown: 9

I have used policy-based routing to transfer traffic through the fiber links. The fiber links are working in failover mode. I have added a static route in the core switch to transfer mail traffic to the DMZ zone. But from what I'm experiencing, this route doesn't work since all the traffic is going through the fiber links.
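As an added illustration (my own code, not from this thread or from PAN-OS), the following Python parses a subset of the two routing tables quoted above and simulates the firewall's longest-prefix lookup over the active routes. It makes the symptom visible: the first virtual router has no route for the LankaCom/ADSL subnets, so anything addressed there falls through to the fiber default route, and the second virtual router has no default route at all. Virtual router names, prefixes and interfaces are taken from the quoted output; the test destination 203.0.113.10 is a constructed documentation address.

```python
import ipaddress

# Subset of the two routing tables quoted in this thread, embedded inline so the
# lookup runs offline. Columns: destination nexthop metric flags [interface].
ROUTE_DUMP = """\
VIRTUAL ROUTER: Default_SLT-FL-LAN (id 3)
0.0.0.0/0 10.100.60.1 10 A S ethernet1/1.60
0.0.0.0/0 10.100.61.1 15 S ethernet1/1.61
10.100.60.0/24 10.100.60.254 0 A C ethernet1/1.60
10.100.60.254/32 0.0.0.0 0 A H
192.168.45.0/24 192.168.45.253 0 A C ethernet1/2
VIRTUAL ROUTER: VR2_SLT-AD-LC (id 4)
10.100.1.0/24 10.100.1.100 10 S ethernet1/3.62
10.100.1.0/24 10.100.1.253 0 A C ethernet1/3.62
192.168.2.0/24 192.168.2.253 0 A C ethernet1/3.64
192.168.2.0/24 192.168.2.254 10 S ethernet1/3.64
"""

def parse_routes(dump):
    """Return {virtual_router_name: [route dicts]} from a 'show routing route' dump."""
    tables, current = {}, None
    for line in dump.splitlines():
        if line.startswith("VIRTUAL ROUTER:"):
            current = line.split(":", 1)[1].split("(")[0].strip()
            tables[current] = []
            continue
        parts = line.split()
        if current is None or len(parts) < 4 or "/" not in parts[0]:
            continue  # column header, separator or 'total routes shown' line
        rest = parts[3:]
        # Host routes (flag H) carry no egress interface, so check the last token.
        iface = rest.pop() if rest[-1].startswith("ethernet") else None
        tables[current].append({
            "prefix": ipaddress.ip_network(parts[0]),
            "nexthop": parts[1],
            "metric": int(parts[2]),
            "active": "A" in rest,  # only 'A' routes are installed for forwarding
            "iface": iface,
        })
    return tables

def lookup(table, dst):
    """Longest-prefix match over active routes; lower metric wins on equal length."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if r["active"] and addr in r["prefix"]]
    return max(hits, key=lambda r: (r["prefix"].prefixlen, -r["metric"]), default=None)

def egress(tables, vr, dst):
    # (interface, nexthop) a packet to dst would take in virtual router vr, or None.
    r = lookup(tables[vr], dst)
    return (r["iface"], r["nexthop"]) if r else None
```

Running `egress(parse_routes(ROUTE_DUMP), "Default_SLT-FL-LAN", "10.100.1.5")` returns the fiber interface ethernet1/1.60, and the same destination in VR2_SLT-AD-LC to any Internet address returns None, which is the gap a route or policy-based forwarding rule between the two virtual routers has to close.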
