This is in two parts:
1) I configured Destination NAT rules and corresponding Security Policies to allow inbound access to servers on the private LAN. These all use the Primary ISP public IP address. If I want these internal servers accessible over the Secondary ISP (we already have PBF failover configured to the secondary ISP should the primary go down), do I then have to create duplicate NAT rules and Security Policies for each, replacing the Primary ISP IP with the Secondary ISP IP? Or is there a way to write the NATs and Security Policies so that a single rule and corresponding policy handle both ISPs?
2) With the PBF failover, I've read about symmetric return being needed for dual ISPs. The document "Symmetic Return.docx" gives an example, but it covers dual ISPs being NATed and allowed by Security Policy to one internal server. If I have rules for several internal servers, does that mean I have to create several PBF rules enforcing symmetric return, one for each private server, or can I just create one PBF rule enabling symmetric return for the ISP the traffic came in through, period?
Did you implement something like GSLB?
If so, the client will be redirected to the internal server via the public IP of either your first provider or the second (it depends on the load balancing mechanism; it could be just a failover),
and you need one destination NAT rule whose original destination matches both public IPs and translates to the same server private IP.
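As an added illustration of the single destination NAT rule this reply describes (this is not configuration from the original post or thread), here is what that rule and its matching security policy look like in PAN-OS set-command form, followed by the commands to check them. All names, zones and addresses are assumptions: the primary ISP public address is taken to be 203.0.113.10 and the secondary 198.51.100.10, both routed in one zone called Untrust; the server is 10.1.1.10 in zone Trust; the published service is HTTPS.

```text
# Added example, not from the original post. Rule names, zones and addresses are assumptions.

# One destination NAT rule: two original (pre-NAT) public addresses, one translated address.
# The "to" zone is the zone the pre-NAT destination routes to, i.e. the ISP-facing zone.
set rulebase nat rules Inbound-Web from Untrust to Untrust source any destination [ 203.0.113.10 198.51.100.10 ] service service-https destination-translation translated-address 10.1.1.10

# The security policy matches the pre-NAT destination address but the post-NAT destination zone,
# so one policy listing both public addresses covers inbound traffic over either ISP.
set rulebase security rules Allow-Inbound-Web from Untrust to Trust source any destination [ 203.0.113.10 198.51.100.10 ] application ssl service service-https action allow

# Check which NAT rule a packet arriving on the secondary ISP address would hit (192.0.2.1 is a
# placeholder client address; protocol 6 is TCP).
test nat-policy-match from Untrust to Untrust source 192.0.2.1 destination 198.51.100.10 destination-port 443 protocol 6

# Review the compiled NAT policy after commit.
show running nat-policy
```

The one-rule approach depends on both public addresses being reachable in the same pre-NAT destination zone, because a PAN-OS NAT rule takes a single destination zone. If each ISP sits in its own zone, as in the two-zone layout later in this thread, the same rule has to be duplicated per zone; the security policy can still list both public addresses in one rule since its destination zone is the post-NAT zone (Trust) in both cases.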
I have a slightly different scenario here:
1) We have 2 ISPs (ISP1 - eth1/1 and ISP2 - eth1/8).
2) 3 zones - Trust, Wi-Fi, Untrust (ISP1) and ISPB (ISP2).
3) Trust and Wi-Fi zones access the internet via Untrust.
4) Destination NAT configured (published web apps) on Untrust (ISP1 IP).
5) Trust and Wi-Fi machines are allowed to access the published web apps using the internet IP addresses (U-turn NAT).
Desired setup (working):
1) Internet access from zone Trust via ISP1 (Untrust).
2) Internet access from zone Wi-Fi via ISPB (ISP2).
Problem:
1) Wi-Fi zone users can't access the published services (Destination NAT) from ISPB (e.g. webmail, VPN, etc.).
[In the TCP 3-way handshake, the SYN reaches the internal server, but the SYN-ACK does not reach the client.]
Please help me resolve this issue.