Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Dual ISP, ECMP, PBF, PAT to access internet, Destincaton NAT to Local Server

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Dual ISP, ECMP, PBF, PAT to access internet, Destincaton NAT to Local Server

L1 Bithead

Dear Collegues,

 

Need your help & clarify some douts.

 

G1/1 - xxxxx/30 (ISP 1)

G1/2 - xxxxx/30 (ISP 2)

G1/3 - xxxxx/24 (LAN)

 

Both the ISP have also provided xxxxxx/29 range of usable IPs

 

Have Configured Dula ISP Redundancy with single virtual router by enabling ECMP and link monitor for static route

Have configured source NAT to access internet from local LAN  ( G1/1 & G1/2) 

Have also configured PBF for specific zone/network to access internet from specific ISP ( G1/1 & G1/2) 

 

Configured Destination NAT from public IP xxxxx/29 to local server (red). for both ISP it's configured

 

When both ISP are connected

able to access local server (red) from internet on only from ISP1

 

But when i disconnect ISP1 from firewall then am able to access local server from internet through ISP2

 

can any one plz help.

 

 

 

 

7 REPLIES 7

Cyber Elite
Cyber Elite

@sharathshashidhar,

Regardless of configuration you will not be able to have simultanious connections from ISP1 and ISP2 to the same internal resource. Your weighted routes and PBF with monitoring policies don't really allow for that. 

You mean destination NAT will not work for both the ISP  if PBF is configured ??

 

How can i achive Destination NAT from both ISP (ISP1 & IPS2)  to local server.

 

@sharathshashidhar,

Can you share how you have configured the NATs in question. Your NAT policies are evaluated the same as the security policies, so the first NAT policy that matches the traffic is going to be the policy that gets used. 

 

Best case scenario you are able to advertize one IP range across both ISPs, but unless you actually own the IP range then the ISP is unlikely to agree to this. There are other ways to accomplish what you are trying to do but the easiest way to configure this is actually to just have dual IPs on your server in question and setup completely seperate NAT policies for both IPs to allow access. 

L7 Applicator

@sharathshashidhar

The ways decribed by @BPry are (in my opinion) not the the easiest, these are the only ways to achieve what you want to do.

  1. The /29 is your IP range and this range is available over both ISP connections --> one NAT policy is needed and the server will be available over both connections
  2. You have 2 /29 IP ranges --> you need to configure 2 NAT policies - one for ISP1 IP range and one for ISP2 IP range. In the FQDN used to access the server you also have to add both IP's

image.png

Is this configuration Correct 

 

One Question,  Can ECMP & PBF both work side by side. 

 

@sharathshashidhar

Does this config now work or did you create this after this topics discussion?

Looks actually pretty good, I think

Sorry for the late responce, i was on leave.

 

Yes, I had started this topic discussion after the configuring the firewall.

 

Recently had spoken to PA support tech about this issue.

Since this issue was happeining intermittent will post my findings when it happens.

  • 4624 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!