Dual ISP scenario



L4 Transporter

Hi,

 

I need to create a dual ISP scenario. This FW has 2 interfaces with different ISPs (PPPoE).

eth1/2 (1.1.1.1/32)

eth1/3 (2.2.2.2/32)

 

We would like to balance both ISPs, and in case one of these ISPs goes down, all traffic takes the ISP that is up at that moment. So I was checking:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-...

 

Also, I would like to force some trust range to take interface 1/2 (using PBF), and in case interface 1/2 goes down, to take int 1/3.

 

On the other hand, there are several services on the internet for this public IP. So how can we publish the NAT on both ISP interfaces? Cloning all the NATs using the new ISP IPs? That's enough, I think.

 

 

4 REPLIES

Cyber Elite

Hi @soporteseguridad

 

Outbound, you would be OK with ECMP and using PBF policies to force certain traffic onto a specific interface.

Outbound NAT would simply be regular outbound hide-NAT with a destination interface set and source NAT to the proper ISP subnet (clone and change destination interface + source translation).

Inbound NAT will only work for the ISP that routes the public IP, so this can only be configured once for the appropriate ISP (so no cloning here).

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks reaper. Outbound is ok.

Thinking about inbound:

 

We have these NAT rules:

ISP1 is 1.1.1.1:

 

 

So, is there any way to clone all these NAT rules, changing to ISP 2.2.2.2, so that if ISP 1.1.1.1 goes down, the inbound sessions take ISP 2? Any NAT track or way to configure public services with both ISPs?

 

Forget inbound, we would have a DNS problem, and create another zone for ISP2... too much config for this end customer...

Thanks a lot, reaper.

Hello,

The only way to get inbound redirection to work would be to use an external load balancer. That way the LB would know which way is the best path and route to it, while the public DNS record points to the LB IPs.

 

Hope that helps.
