NAT and Security Policies, PBF Failover and Symmetric Return - Dual ISP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

NAT and Security Policies, PBF Failover and Symmetric Return - Dual ISP

Not applicable

This is two parts:

1) I configured Destination NAT rules and corresponding Security Policies to allow inbound access to servers on private LAN.  These all utilize the Primary ISP public IP address.  If I want these internal servers accessible over the Secondary ISP (as we already have configured PBF failover to the secondary ISP should the primary go down), do I then have to create duplicate NAT rules and Security Policies for each, replacing the Primary ISP IP with the Secondary ISP IP?  Or, is there a way to just do NATs and Security Policies to handle both ISPs in a single rule and corresponding policy?

2) With the PBF Failover, I've read about symmetric return being needed for Dual ISPs.  The document "Symmetic Return.docx" gives an example, but it's Dual ISPs being NATed and Security Policy'ed to one internal server.  If I have rules for several internal servers, does that mean I have to create several PBF rules enforcing symmetric return for each private server, or can I just create one PBF rule enabling symmetric return for the ISP the traffic came through on, period?    

1 accepted solution

Accepted Solutions

L6 Presenter

1) You have to create a second NAT rule which's interface will be different

2)You can use 1 rule regarding to ALL server IP addresses inside

View solution in original post

3 REPLIES 3

L6 Presenter

1) You have to create a second NAT rule which's interface will be different

2)You can use 1 rule regarding to ALL server IP addresses inside

L4 Transporter

Did you implement something like gslb?

if it done, the client will be redirected to the internal server via  the public ip either from  your first provider or the second (it depend the load balancing mecanisme, it could be a just a failover)

and you need 1 destinations NAT rule as destination orginal packet base on the 2 public ip and transfert to the same server private ip

regards

 

Hi,

i have slightly different scenario here-

 

1) we have 2 ISP (ISP1 - eth1/1 & ISP2- eth1/8)

2) 3 zones - Trust, Wi-FI, Untrust (ISP1) & ISPB (ISP2)

3) Trust & Wi-Fi zones access internet via Untrust.

4) Destination NAT configured (published web apps ) on Untrust (ISP1 IP)

4) Trust & Wi-Fi machines are allowed to access published web apps using internet IP addresses.(U-turn NAT)

 

Desired setup (working)

 

1) internet access from Zone - Trust via ISP1 (untrust)

2) internet access from Zone - Wi-Fi via ISPB (ISP2)

 

Trouble facing:

1) Wi-Fi Zone users can't access published service (Destination NAT) from ISP-B (ex: webmail/vpn..etc)

 

[in a TCP 3-way handshake, syn is reaching to interal server but, syn-ack is not reaching the client]

 

Please help me to resolve the issue

  • 1 accepted solution
  • 4792 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!