Dual ISP and returning traffic

myrdin
L2 Linker

Hi,

This is the scenario:

- ISP1: only for GlobalProtect
- ISP2: only for Internet access

ISP1 has distance 10 and metric 10

ISP2 has distance 10 and metric 15

In this scenario the ISP1 interface responds to the GlobalProtect gateway/portal with no problem. ISP2 also pings, and I can access management through the ISP2 public IP.

If I change the metric of ISP1 to 20, ISP2 becomes primary. BUT ISP1 no longer responds to pings, nor GlobalProtect, nor management, nothing.

It appears that returning traffic entering ISP1 goes out through ISP2 no matter what if ISP2 is preferred. The other way around, though, when ISP1 is primary, traffic entering ISP2 gets out through ISP2.

Any clues?

Thanks


Accepted Solutions
myrdin
L2 Linker

I have resolved it like this:

- Created a default route to ISP1 (the usual way, in the virtual router).
- Removed ISP2 as the second default route with higher metric.
- Added PBF to force traffic from LAN to ISP2, and negated routing to internal networks (so only traffic to 0.0.0.0/0 would be intercepted).
- This kept ISP1 accessible while forcing traffic originating from the LAN to ISP2 (and ISP2 is still accessible somehow).

Very awkward way to achieve a working configuration in such a scenario, but that's it.
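The accepted workaround above, written out in PAN-OS configuration-mode set commands as an added illustration (this is not the poster's own configuration). Interface names, next-hop addresses, the zone name, the route names and the internal prefix are assumptions chosen for the example; substitute your own.

```text
# Assumed values (not from the thread):
#   ethernet1/1 = ISP1 (GlobalProtect), next hop 203.0.113.1
#   ethernet1/2 = ISP2 (Internet),      next hop 198.51.100.1
#   LAN zone "trust", internal prefix 10.0.0.0/8, virtual router "default"
#   route names "default-isp1" / "default-isp2" are placeholders

# Step 1/2: keep a single default route, via ISP1 only, so inbound
# sessions that arrived on ISP1 (GlobalProtect, management, ICMP)
# are answered out of ISP1. The ISP2 default route is removed.
delete network virtual-router default routing-table ip static-route default-isp2
set network virtual-router default routing-table ip static-route default-isp1 destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1 metric 10

# Step 3: PBF matches LAN-originated traffic whose destination is NOT an
# internal network (negate-destination) and forwards it out ISP2.
# Internal destinations fall through to the normal routing table.
set rulebase pbf rules LAN-to-ISP2 from zone trust
set rulebase pbf rules LAN-to-ISP2 source any
set rulebase pbf rules LAN-to-ISP2 destination 10.0.0.0/8
set rulebase pbf rules LAN-to-ISP2 negate-destination yes
set rulebase pbf rules LAN-to-ISP2 application any
set rulebase pbf rules LAN-to-ISP2 service any
set rulebase pbf rules LAN-to-ISP2 action forward egress-interface ethernet1/2 nexthop ip-address 198.51.100.1

commit

# Check: only one default route (via ethernet1/1) should remain in the table.
show routing route
```

Because PBF is evaluated before the routing table and only for sessions originating in the listed zone, inbound sessions on ISP1 are unaffected by it and keep using the ISP1 default route for their return traffic.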


All Replies
pulukas
L7 Applicator

An alternative way to configure this would be to place your GlobalProtect ISP into a separate virtual router. This would isolate this traffic and give it its own routing table.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center