
forward from multiple WAN to one host LAN

L1 Bithead
Hi,
I need a little help with PA configuration. I have two WAN links.
WAN1 - 1.1.1.1
WAN2 - 2.2.2.2
and a host on the network 3.3.3.3
3.3.3.3 is the IP of a terminal server. All computers go through the WAN1 link. I need to configure the PA so I can log in to the server via the WAN1 IP and the WAN2 IP. I ask for directions if possible. Thank you very much in advance.

9 REPLIES

L6 Presenter

You need to define 2 inbound NAT rules on the PA firewall.

rule1 dest=1.1.1.1 translate to destIP=3.3.3.3

rule2 dest=2.2.2.2 translate to destIP=3.3.3.3

The inbound NAT setting can be found here:  https://live.paloaltonetworks.com/docs/DOC-1517

You must also define security rule(s) to allow the traffic (i.e. the ms-rdp app) from the WAN to 3.3.3.3.

Thanks.

thank you for your reply.
That's what I did and it did not work.
It works only on the WAN link (1.1.1.1) which is set in the virtual router as the default route. I cannot connect to the terminal server via the WAN2 link (2.2.2.2). I think the problem is in the configuration of the virtual router. If I change the default route to WAN2, I can connect only through WAN2.

Make sure to put both WAN links in the same zone.  Looks like you are seeing asymmetric routing with the return flows and the sessions are probably not matching up.  I'm not sure, but there may be other fancy ways of fixing this with Policy Based Forwarding.

Cheers,

Kelly

Thank you very much for your help. Everything works very well.
Both WAN interfaces must be in the same zone.
For the virtual router I had to add two routes 0.0.0.0/0 with different metrics. Once again, thank you very much.

I continue this discussion because we experienced exactly the same problem, and we applied the proposed configuration that we found in the previous post.

We have the two WAN interfaces in the same zone. We configured the two routes 0.0.0.0/0 with different metrics, but we did not solve the problem.

At the moment it's possible to access the internal host only from one of the two WAN interfaces, not from the other one.

Can anyone help me?

Do you have 2 public IP ranges, 1 IP range per ISP? It may be that ISP1 will not permit the IP of ISP2, or vice versa. Traffic coming into ISP2 is replied out ISP1 due to the default route, and ISP1 is dropping the traffic.

THE SITUATION YESTERDAY

two different providers

ISP1 - 1.1.1.0/24

ISP2 - 2.2.2.0/24

INTERNAL HOST - 3.3.3.3/32

NAT RULES

1.1.1.10 -> 3.3.3.3

2.2.2.10 -> 3.3.3.3

ROUTES

0.0.0.0/0 -> 1.1.1.1

If I use 1.1.1.10 I can access the host; if I use 2.2.2.10 I cannot. We looked at the traffic in this second case. The packets enter via ISP2, reach the internal host 3.3.3.3 and go outside via ISP1 (using the routing table), so it doesn't work.

THE SITUATION TODAY (after reading this discussion)

two different providers

ISP1 - 1.1.1.0/24

ISP2 - 2.2.2.0/24

INTERNAL HOST - 3.3.3.3/32

NAT RULES

1.1.1.10 -> 3.3.3.3

2.2.2.10 -> 3.3.3.3

ROUTES (as suggested in this post)

0.0.0.0/0 -> 1.1.1.1 (metric x)

0.0.0.0/0 -> 2.2.2.1 (metric y)

I don't understand how this solution can work. If I use 1.1.1.10 all is ok. If I use 2.2.2.10 the packets enter via ISP2, reach the INTERNAL HOST 3.3.3.3 and go outside via ISP1 (using the routing table).

Is there any solution I can configure to use both ISP1 and ISP2?

thank you

It works fine. If you use PBF rules you must add a new rule with destination address 3.3.3.3 and action no-pbf.

In some situations asymmetric routing may arise. (I have that problem and this is the solution.)

It appears your 2 ISPs will only permit their own IP range and not the other ISP's.  We need to ensure the return traffic goes out the same ISP. Try this:

PA1 default route 0.0.0.0/0 --> 1.1.1.1

PA2 default route 0.0.0.0/0 --> 2.2.2.2

Do not sync the virtual-router (VR) so each PA will keep its own default route. This setting is under the HA configuration.

On the inbound NAT, you need to do BOTH src & dst NAT so the return packets will come back to the same PA.  Let's say the inside IP of PA1 is 3.3.3.1 and PA2 is 3.3.3.2.

NAT RULES on PA1:

srcIP: any --> 3.3.3.1 and dstIP: 1.1.1.10 -> 3.3.3.3

This ensures the replies from 3.3.3.3 will go back to 3.3.3.1, PA1.

NAT RULES on PA2:

srcIP: any --> 3.3.3.2 and dstIP: 2.2.2.10 -> 3.3.3.3

This ensures the replies from 3.3.3.3 will go to 3.3.3.2, PA2.
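An added example, not from this thread or from Palo Alto Networks: a small Python model of the reply path the later posts describe (inbound destination NAT, a route lookup for the reply, and an ISP that drops packets sourced from the other ISP's range). It assumes the ISP ranges, public IPs and host from the thread, and models symmetric return as "send the reply out the ISP it arrived on", which is what the per-firewall source NAT above (or PBF with symmetric return) achieves; the routes list and its metrics are constructed.

```python
import ipaddress

# Constructed topology matching the thread: one public range per ISP and one
# internal host reachable via a public IP from each range (inbound DNAT).
ISP_NETS = {"ISP1": ipaddress.ip_network("1.1.1.0/24"),
            "ISP2": ipaddress.ip_network("2.2.2.0/24")}
HOST = "3.3.3.3"
DNAT = {"1.1.1.10": HOST, "2.2.2.10": HOST}   # public IP -> internal host

def isp_of(ip):
    """Which ISP owns a public address (None if neither)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ISP_NETS.items():
        if addr in net:
            return name
    return None

def route_egress(routes):
    """Lowest-metric default route wins, as in the virtual router.
    Assumption: routes is a list of (isp, metric) tuples."""
    return min(routes, key=lambda r: r[1])[0]

def reply_path(public_ip, routes, pin_to_ingress=False):
    """Trace one inbound session to the terminal server and its reply.
    pin_to_ingress models a symmetric-return setup (per-firewall source NAT
    or PBF symmetric return) that sends the reply out the ISP it came in on
    instead of doing a plain route lookup.
    Returns (ingress_isp, egress_isp, reply_accepted_by_egress_isp)."""
    ingress = isp_of(public_ip)
    assert DNAT[public_ip] == HOST               # inbound DNAT matched
    reply_src = public_ip                        # un-NAT restores the public IP
    egress = ingress if pin_to_ingress else route_egress(routes)
    # The ISP drops replies whose source is not from its own range.
    accepted = isp_of(reply_src) == egress
    return ingress, egress, accepted

def demo():
    one_default = [("ISP1", 10)]
    two_defaults = [("ISP1", 10), ("ISP2", 20)]
    results = {
        "one default route, via 2.2.2.10": reply_path("2.2.2.10", one_default),
        "two default routes, via 2.2.2.10": reply_path("2.2.2.10", two_defaults),
        "symmetric return, via 2.2.2.10": reply_path("2.2.2.10", two_defaults, True),
        "one default route, via 1.1.1.10": reply_path("1.1.1.10", one_default),
    }
    for label, (i, e, ok) in results.items():
        print(f"{label}: in {i}, reply out {e}, {'accepted' if ok else 'dropped'}")
    return results

if __name__ == "__main__":
    demo()
```

The second case shows why a second default route with a worse metric changes nothing for inbound sessions: the reply still takes the lowest-metric route, so only pinning the reply to its ingress ISP (or per-firewall source NAT as above) makes both public IPs reachable.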
