- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-11-2012 02:13 PM
01-11-2012 02:50 PM
You need to define 2 inbound NAT rules on the PA firewall.
rule1 dest=1.1.1.1 translate to destIP=3.3.3.3
rule2 dest=2.2.2.2 translate to destIP=3.3.3.3
The inbound NAT setting can be found here: https://live.paloaltonetworks.com/docs/DOC-1517
You must also define security rule(s) to allow the traffic (i.e. the ms-rdp app) from the WAN to 3.3.3.3.
Thanks.
01-12-2012 02:28 PM
thank you for your reply.
That's what I did and it did not work.
It works only on a WAN link (1.1.1.1) which is set in the virtual router as the default route. I can not connect to a terminal server via WAN2 link (2.2.2.2). I think theproblem is in the configuration of virtual router. If I change the default route is WAN2can connect only through WAN2.
01-12-2012 03:41 PM
Make sure to put both WAN links in the same zone. Looks like you are seeing asymmetric routing with the return flows and the sessions are probably not matching up. I'm not sure, but there may be other fancy ways of fixing this with Policy Based Forwarding.
Cheers,
Kelly
01-12-2012 04:14 PM
Thank you very much for your help. Everything works very well.
Both WAN interfaces must be in the same zone.
For virtual router I had to add two routes 0.0.0.0 / 0 with different metrics. Once again,thank you very much.
06-05-2012 12:39 AM
I continue this discussion because we experimented exactly the same problem, and we applied the proposal configuration that we found in the previous post.
We have the two WAN interfaces in the same zone. We configured the two routes 0.0.0.0/0 with different metrics, but we don't solve the problem.
At the moment it's possible to access to the internal host only from one of the two WAN interfaces, not from the the other one.
Can anyone help me?
06-05-2012 05:35 AM
Do you have 2 public IP ranges, 1 IP range per ISP? It may that ISP1 will not permit IP of ISP2, or vice versa. Traffic coming into ISP2 is be replied out ISP1 due the default route and ISP1 is dropping the traffic.
06-05-2012 05:58 AM
THE SITUATION YESTERDAY
two different provider
ISP1 - 1.1.1.0/24
ISP2 - 2.2.2.0/24
INTERNAL HOST - 3.3.3.3/32
NAT RULES
1.1.1.10 -> 3.3.3.3
2.2.2.10 -> 3.3.3.3
ROUTES
0.0.0.0/0 -> 1.1.1.1
if I use 1.1.1.10 I can access the host, if I use 2.2.2.10 no. We look at the traffic in this second case. The packets enter the ISP2, reach the internal host 3.3.3.3 and go outside (using routing table) ISP1 so it doesn't work.
THE SITUATION TODAY (after reading this discussion)
two different provider
ISP1 - 1.1.1.0/24
ISP2 - 2.2.2.0/24
INTERNAL HOST - 3.3.3.3/32
NAT RULES
1.1.1.10 -> 3.3.3.3
2.2.2.10 -> 3.3.3.3
ROUTES (as suggested in this post)
0.0.0.0/0 -> 1.1.1.1 (metric x)
0.0.0.0/0 -> 2.2.2.1 (metric y)
I don't understand how this solution can work. If I use 1.1.1.10 all is ok. If I use 2.2.2.10 the packet enter ISP2, reach the INTERNAL HOST 3.3.3.3 and go outside ISP1 (using the routing table).
Is there any solution I can configure to use both ISP1 and ISP2?
thank you
06-05-2012 06:21 AM
It's work fine. If you use pbf rules you must add new rule with destination address 3.3.3.3 and action no-pbf.
in some situations may arise asymetric routing. (i have that problem and this is solusion)
06-05-2012 12:20 PM
It appears your 2 ISPs will only permit their own IP range and not the other ISP's. We need to ensure the return traffic goes out the same ISP. Try this:
PA1 default route 0.0.0.0/0 --> 1.1.1.1
PA2 default route 0.0.0.0/0 --> 2.2.2.2
Do not sync the virtual-router (VR) so each PA will keep its own def route. This setting in under the HA configuration.
On the inbound NAT, you need to do BOTH src & dst NAT so the return packets will come back to the same PA. Let's say the inside IP of PA1 is 3.3.3.1 and PA2 is 3.3.3.2.
NAT RULES on PA1:
srcIP: any --> 3.3.3.1 and dstIP: 1.1.1.10 -> 3.3.3.3
This ensures the replies from 3.3.3.3 will go back to 3.3.3.1, PA1.
NAT RULES on PA2:
srcIP: any --> 3.3.3.2 and dstIP: 2.2.2.10 -> 3.3.3.3
This ensures the replies from 3.3.3.3 will go to 3.3.3.2, PA2.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!