For details on cookie usage on our site, read our Privacy Policy
NAT or policy based routing in multiple ISP case
- LIVEcommunity
- Discussions
- General Topics
- NAT or policy based routing in multiple ISP case
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-16-2010 12:21 PM
Hi,
I have a three internet access from different ISP. So I have 3 untrust(ethernet1/1, ethernet1/2, ethernet1/3) interface and on trust(ethernet1/4) interface. All of them are in same virtual router. The default route will be on ethernet1/1 interface (0.0.0.0/0 -> default gateway of ethernet 1/1)
I would like to use ethernet1/1 interface for some of internal IPs called X, so I made a source NAT. All traffic coming from these IP group will be use ethernet1/1 for internet access.(trust -> untrust, from X to any -> source nat on ethernet1/1)
The rest of the internal IPs will go to internet from ethernet1/2. To achive this which method is more suitable. NAT or PBF?
I would like to forward the traffic to ethernet1/3 to access my internal server on a remote branch office.
I am planning to write a PBF for this route. If I write a PBF, do I have to create a NAT rule too? or does PBF also handle NAT functionality?
Finally, Do I have to create additional route then default route in virtual router ?
Thanks.
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-30-2010 09:54 AM
Ismail
You can write the NAT rule to match the destination interface- i..e any traffic going out via e1/3 which in your case is the youtube traffic.
That will be one way to tie the NAT rule with PBF rule.
Thank you
jerish
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-16-2010 02:26 PM
Hi Ismail,
I believe you are on the right track with the PBF and NAT. PBF does not take care of NAT so you will have to do that separately. The final configuration will depend on how you want the ISP redundancy to work (if any). In any case you will have a combination of default route, PBF rules, and NAT rules.
Cheers,
Kelly
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-18-2010 04:02 AM
Thanks for your feedback.
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-29-2010 08:32 AM
Hi Kelly,
You said that "PBF does not take care of NAT so you will have to do that separately"
But I have some doubts about this issue. Let me explain with an example.
Let's that I have to ISP connection. If I want to forward only all youtube requests to second ISP via ethernet1/3.
The rest of the traffic will go over first ISP. I can write a PBF rule for youtube. Because PBF support rule for applications.
But, how can I write a NAT for only youtube application? There is no way to specify application in NAT rules.
If I create a service based NAT rule, It can be only HTTP service, In this case all HTTP traffic will go over second ISP?
I guess, PBF does not require extra NAT rules?
Thanks.
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-30-2010 09:54 AM
Ismail
You can write the NAT rule to match the destination interface- i..e any traffic going out via e1/3 which in your case is the youtube traffic.
That will be one way to tie the NAT rule with PBF rule.
Thank you
jerish
- Import multiple address & Service objects in Security policy using CSV in expedition tool in Best Practice Assessment Discussions
- Cortex XDR disabling itself in Cortex XDR Discussions
- IKE phase 1 not working in General Topics
- Agent Blocking files/processes dynamically based on conditions in Cortex XDR Discussions
- Panorama in Panorama Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
