02-10-2020 03:58 AM
I have a Palo Alto FW with 3 ISPs, and I'm using static default routes with these values: ISP1 distance 5 (interface X), ISP2 distance 9, and ISP3 distance 15 (interface Y). I have a server with a NAT IP from the ISP3 subnet.
The server is reachable from the global Internet, but users who are on ISP3 are unable to reach it. After some troubleshooting using traceroute, we found the following.
What is the issue?
We can't apply the following:
2- We can't update the route table statically for each user.
Traceroute from the NATed server (ISP3 subnet) toward a user on ISP3:
Server --> Palo Alto outside interface (X) --> ISP1 --> ISP3 --> ISP3 user
Traceroute from a user on ISP3 toward the NATed server (ISP3 subnet):
User --> ISP3 --> WAN router --> Palo Alto outside interface (Y) --> drop
Traceroute from the NATed server (ISP3 subnet) toward the global Internet:
Server --> Palo Alto outside interface (X) --> ISP1 --> global Internet --> 18.104.22.168 (example)
Traceroute from a global user toward the NATed server (ISP3 subnet):
Global user --> global Internet --> ISP3 --> reaches the NATed server
02-10-2020 06:26 PM
@black1983 Hi, can you please check whether traffic arriving on the public IP of ISP3 is arriving on the correct interface of the firewall and being NATed properly?
Please check the same using the test security-policy and test NAT commands through the CLI.
Hope this helps!
02-11-2020 03:16 AM
Yes, the incoming traffic comes through the correct interface (Y) whether the source is a local ISP3 user or a global Internet user, but the difference is that global users can browse it and their traffic goes out through the ISP1 interface (X) (asymmetrically)!! ISP3 users can't browse it since the FW is dropping the packet.
So why can global users browse it with asymmetric routes while local ISP3 users can't?
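A small Python model of the route selection and session path described in this thread, added here as an example (not the poster's configuration or any PAN-OS code; the prefixes, interface "Z" for ISP2 and the server's NAT address are constructed). It reproduces the traceroutes above, where the reply to any client entering on Y leaves via ISP1 on X because that default route has the lowest administrative distance, and it shows that route selection by distance alone treats the ISP3 user and the global user identically, which is the difference the poster is asking about.

```python
import ipaddress

# Constructed model of the thread's setup (example values, not the poster's
# config): three static default routes with different administrative distances
# and a server whose NAT address comes from the ISP3 range. Interface "Z" for
# ISP2 and the prefixes (documentation address space) are assumptions.
ROUTES = [  # (destination, ISP, egress interface, administrative distance)
    ("0.0.0.0/0", "ISP1", "X", 5),
    ("0.0.0.0/0", "ISP2", "Z", 9),
    ("0.0.0.0/0", "ISP3", "Y", 15),
]
ISP_PREFIXES = {
    "ISP1": ipaddress.ip_network("203.0.113.0/24"),
    "ISP2": ipaddress.ip_network("192.0.2.0/24"),
    "ISP3": ipaddress.ip_network("198.51.100.0/24"),
}
SERVER_NAT_IP = ipaddress.ip_address("198.51.100.10")  # constructed, ISP3 range


def best_route(dst):
    """Static route selection: longest prefix match, then lowest distance."""
    dst = ipaddress.ip_address(dst)
    candidates = [r for r in ROUTES if dst in ipaddress.ip_network(r[0])]
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[3]))


def reply_path(client_ip, ingress_iface):
    """Model a session from an Internet client to the NATed server: the request
    enters on ingress_iface; the reply's egress is a route lookup on the client
    address, which is the path the poster's traceroutes show."""
    _, isp, egress, _ = best_route(client_ip)
    client_isp = next((n for n, p in ISP_PREFIXES.items()
                       if ipaddress.ip_address(client_ip) in p), "Internet")
    return {
        "client_isp": client_isp,
        "ingress": ingress_iface,
        "egress": egress,
        "reply_via": isp,
        # the reply leaves a different interface than the request entered
        "asymmetric": egress != ingress_iface,
        # the server's NAT source address is not from the uplink carrying the reply
        "source_off_uplink": SERVER_NAT_IP not in ISP_PREFIXES[isp],
    }


def asymmetric_sessions(sessions):
    """Keep only the (client_ip, ingress) pairs whose reply leaves another
    interface: the sessions to inspect first when some clients are dropped."""
    return [s for s in (reply_path(c, i) for c, i in sessions) if s["asymmetric"]]
```

Running `asymmetric_sessions([("198.51.100.77", "Y"), ("18.104.22.168", "Y")])` flags both the ISP3 user and the global user from the thread, each replying out X via ISP1 with a source address from the ISP3 range.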
02-11-2020 07:59 AM
Can you explain what you mean by a different distance for each route? Do you mean administrative distance?
02-11-2020 07:06 PM
Is it possible for you to explain it with the help of a diagram? I want to understand the topology properly.