About NAT in dual ISP

L1 Bithead

Hi fellow panw admin

I need some clarity before I plan to set up my firewall; I have a pretty big network. Right now the load sharing and NAT are handled by some appliance above the firewall, with no NAT in the firewall. I need some info about source and destination NAT in a dual ISP scenario. I read many posts about dual ISP scenarios in this forum, but most talk about PBF and failover NAT with the outside interface.

- For inside-to-outside internet connections (source NAT), will this NAT work when failover occurs? Can I create NAT rules like:
  Normal   LAN1 (10.10.1.0/24)  ISP1 (Public IP 1.1.1.101)
  Normal   LAN2 (10.10.2.0/24)  ISP2 (Public IP 2.2.2.201)
  Failover LAN1 (10.10.1.0/24)  ISP2 (Public IP 2.2.2.101)
  Failover LAN2 (10.10.2.0/24)  ISP1 (Public IP 1.1.1.201)
- For outside-to-DMZ server destination NAT, can I create active-active with 2 public IPs and 1 DMZ server?
  Outside ISP1 (1.1.1.10)  DMZ (192.168.0.1)
  Outside ISP2 (2.2.2.10)  DMZ (192.168.0.1)
- And the last question: an opinion about the best-practice scenario for dual ISP to achieve active-active failover connectivity that accommodates incoming and outgoing connections.

If something is not clear, I will give more info.

Thanks

Accepted Solutions
L2 Linker

Hi @srsairbag99,

NAT policy will be evaluated only after the route lookup, so as per PBF, if the traffic is going to ISP 1 it will use the NAT policy for ISP 1; if PBF fails and the traffic goes to ISP 2, the NAT policy of ISP 2 will be used. Please set the destination interface of each NAT rule to the relevant ISP interface.

Thanks,

Ram


All Replies
L2 Linker

Hi.

Outbound traffic:

If both your ISPs have almost equivalent bandwidth, you can use ECMP with the IP modulo or IP hash algorithm. If they do not, use PBF to route the traffic to the internet based on the source LAN subnets.

NAT (one source NAT rule per ISP):

  Rule   Source zone  Dest zone  Source address  Dest address  Dest interface   Source translation
  ISP 1  Trust        Untrust    LAN pool        any           ISP 1 interface  ISP 1 interface IP
  ISP 2  Trust        Untrust    LAN pool        any           ISP 2 interface  ISP 2 interface IP

Outside to DMZ server destination NAT (active-active):

ECMP enabled:

In the ECMP settings make sure Symmetric Return is enabled.

Create destination NAT policies (do not create bidirectional NAT):

  Rule   Source zone  Dest zone  Source address  Dest address     Source translation  Dest translation
  ISP 1  Untrust      Untrust    any             ISP 1 public IP  none                DMZ private IP
  ISP 2  Untrust      Untrust    any             ISP 2 public IP  none                DMZ private IP

ECMP not enabled:

Create a dummy alias interface IP on the ISP 1 interface and on the ISP 2 interface.

Create destination NAT policies (do not create bidirectional NAT):

  Rule   Source zone  Dest zone  Source address  Dest address     Source translation  Dest translation
  ISP 1  Untrust      Untrust    any             ISP 1 public IP  Dummy alias ISP 1   DMZ private IP
  ISP 2  Untrust      Untrust    any             ISP 2 public IP  Dummy alias ISP 2   DMZ private IP

Hope it helps; please let me know if anything needs clarity.

Thanks,

Ram
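As an added illustration (not code from the thread or from PAN-OS) of the evaluation order Ram describes, applied to the original poster's four-rule source NAT plan: the egress interface is chosen by PBF first, then the NAT policy is matched top-down, so the rule whose destination interface matches the chosen ISP is the one that applies. Interface names, the PBF rules and the path-monitor state are assumptions; it also shows what happens when the destination-interface condition is left at "any".

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the order of operations Ram describes: the egress interface
# is chosen first (PBF with path monitoring), and only then is the NAT policy
# matched top-down. Subnets and public IPs are the original poster's; the
# interface names, PBF rules and path-monitor state dict are assumptions.

@dataclass
class NatRule:
    name: str
    src_net: str        # LAN pool the rule matches
    dst_iface: str      # destination interface condition ("any" = no condition)
    translated_ip: str  # source translation

ISP1, ISP2 = "ethernet1/1", "ethernet1/2"
# PBF rules as (source subnet, primary egress, backup egress when path monitor fails)
PBF = [("10.10.1.0/24", ISP1, ISP2), ("10.10.2.0/24", ISP2, ISP1)]
NAT = [
    NatRule("Normal-LAN1", "10.10.1.0/24", ISP1, "1.1.1.101"),
    NatRule("Normal-LAN2", "10.10.2.0/24", ISP2, "2.2.2.201"),
    NatRule("Failover-LAN1", "10.10.1.0/24", ISP2, "2.2.2.101"),
    NatRule("Failover-LAN2", "10.10.2.0/24", ISP1, "1.1.1.201"),
]
# The same rule base with the destination-interface condition left at "any"
NAT_NO_IFACE = [NatRule(r.name, r.src_net, "any", r.translated_ip) for r in NAT]

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def egress_interface(src_ip, pbf_rules, path_up):
    """Route lookup: PBF decides, failing over when the monitored path is down."""
    for src_net, primary, backup in pbf_rules:
        if in_net(src_ip, src_net):
            return primary if path_up.get(primary, False) else backup
    return ISP1  # default route via ISP1 in this model

def match_nat(src_ip, out_iface, nat_rules):
    """NAT policy is matched top-down only after the egress interface is known."""
    for r in nat_rules:
        if r.dst_iface in ("any", out_iface) and in_net(src_ip, r.src_net):
            return r
    return None

def translate(src_ip, pbf_rules, nat_rules, path_up):
    """Return (egress interface, matched rule name, translated source IP)."""
    iface = egress_interface(src_ip, pbf_rules, path_up)
    rule = match_nat(src_ip, iface, nat_rules)
    return (iface, rule.name, rule.translated_ip) if rule else (iface, None, None)
```

With the "any" variant the first LAN1 rule still wins after failover, so traffic leaves ISP 2 carrying an ISP 1 address; that is the misconfiguration Ram's destination-interface advice prevents.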

L1 Bithead

Hi @RamprakashRT ,

About source NAT, your explanation is exactly what I read in this forum: using the public interface for ISPx in the firewall. For a large network, 10000 hosts or more, the problem is that there are only 65xxx port translations available for NAT-ing internet traffic (inside to outside), so there is a possibility of running out of ports for translation.

About destination NAT, I think it's clear; it's similar to what I wrote, and I can do active-active with that config. BTW, I don't use ECMP.

Thanks

L2 Linker

Hi @srsairbag99,

Yeah, this is correct; there is a limit on the number of translations. For source NAT, using different public IPs for the LAN pools is the right way.

In destination NAT, you should enable the source translation to the interface IP, to ensure the return traffic is coming back to the right ISP. As you are using PBF, the source NAT is required.

Thanks,

Ram
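An added model (not from the thread or from PAN-OS) of why Ram's destination NAT rules need source translation when ECMP symmetric return is not in play: without it, the DMZ server's reply is routed by the default route no matter which ISP the request arrived on. Interface names, the connected networks, the single default route and the dummy alias IPs 1.1.1.11 and 2.2.2.11 are assumptions.

```python
import ipaddress

# Constructed model of the return path for the DMZ server in the thread
# (1.1.1.10 and 2.2.2.10 both translated to 192.168.0.1) when ECMP with
# symmetric return is not used. Interface names, the connected /24s, the
# single default route and the dummy alias IPs are assumptions.

ISP1, ISP2 = "ethernet1/1", "ethernet1/2"
CONNECTED = {ISP1: "1.1.1.0/24", ISP2: "2.2.2.0/24"}
DEFAULT_ROUTE = ISP1  # one default route: every non-connected destination leaves via ISP1

# public IP -> (ingress ISP interface, source translation applied to inbound packets)
DNAT_PLAIN = {"1.1.1.10": (ISP1, None), "2.2.2.10": (ISP2, None)}
# Same policies with source translation to a dummy alias IP on the ingress interface
DNAT_WITH_SNAT = {"1.1.1.10": (ISP1, "1.1.1.11"), "2.2.2.10": (ISP2, "2.2.2.11")}

def route(dst_ip):
    """Plain routing-table lookup: connected networks first, then the default route."""
    for iface, net in CONNECTED.items():
        if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(net):
            return iface
    return DEFAULT_ROUTE

def reply_path(client_ip, public_ip, dnat):
    """Return (interface the request arrived on, interface the server's reply leaves on)."""
    ingress, src_xlat = dnat[public_ip]
    # The DMZ server answers the source address it saw: the real client, or the
    # alias on the ingress interface, which binds the reply to that ISP
    reply_dst = src_xlat if src_xlat else client_ip
    return ingress, route(reply_dst)

def is_symmetric(client_ip, public_ip, dnat):
    ingress, egress = reply_path(client_ip, public_ip, dnat)
    return ingress == egress
```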

L1 Bithead

Hi @RamprakashRT ,

So what makes PAN-OS disable/not use the first NAT rule and use the backup NAT, and reuse the first NAT again once the failure resolves? Because I think the NAT policy is processed sequentially; there is no failover/monitoring option in the NAT policy.

Tks
