This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Dual ISP scenario

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Dual ISP scenario

soporteseguridad
L4 Transporter

‎03-22-2018 07:00 AM

Hi,

 

I need to create a dual ISP scenario. This FW has 2 interface with differents ISP. (ppoe)

eth1/2 (1.1.1.1/32)

eth1/3 (2.2.2.2/32)

 

We would like to balance both ISPs and in the case one of this ISP goes down, all traffic takes the ISP up in that moment. So i was checking, 

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-ECMP-Load-Balancing-on-...

 

Also i would like to force some trust range to take interface 1/2 (using PBF), an in the case this interfaces 1/2 goes down, to take int1/3

 

on the another hand, there are several services on internet for this public IP. So how ca we public the NAT in both ISP interface??? clonning all the NATs using the new ISP IPs??? thats enough i think

 

 

0 Likes Likes
4 REPLIES 4

reaper
Cyber Elite
Cyber Elite

‎03-22-2018 07:08 AM

Hi @soporteseguridad

 

outbound you would be ok with ECMP and using PBF policies to force certain traffic onto a specific interface

outbound NAT would simply be regular outbound hide-NAT with a destination interface set and source NAT to the proper ISP subnet (clone and change destination interface + source translation)

Inbound NAT will only work for the ISP that routes the public IP so this can only be configured once for the appropriate ISP (so no cloning here)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

soporteseguridad
L4 Transporter
In response to reaper

‎03-22-2018 07:58 AM - edited ‎03-22-2018 08:48 AM

Thanks reaper. Outbound is ok.

Thinking in inboud:

 

We have these NAT rules:

ISP1 is 1.1.1.1:

 

 

So, there is any way to clone all these NAT rules changing ISP 2.2.2.2, and if ISP 1.1.1.1 goes down, the inbound sessions take ISP 2???? any NAT track or way to configure public services with both ISPs?

 

0 Likes Likes

soporteseguridad
L4 Transporter
In response to soporteseguridad

‎03-22-2018 08:03 AM

Forget inbound, we would have DNS problem, and create abother zone for ISP2.......to many config fo this end customer..... 

thanks a lot reaper

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to soporteseguridad

‎03-22-2018 08:14 AM

Hello,

The only way to get inbound redirection to work would be to use an external load balancer. That way the LB would know which way is the best path and route to it while the public DNS record points to the LB IP's.

 

Hope that helps.

0 Likes Likes
  • 2701 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks