NAT question

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

NAT question

L2 Linker

Hello all,

we have configuration with dual ISP.

From the 1st provider we get public IP directly on the PA

2nd provider is with nat, i mean on PA we have private IP.

 

When the route goes through the 1st one everything works fine. 

When we switch to the 2nd one there is a problems . In the monitoring tab i can see all requests  to Internet zone  ends with "Incomplete, aged out".

Meanwhile we have IPSec's configured and they worked just fine from the both providers. 

 

Can someone suggest what can be the problem?

Thank you in advance!

 

 

 

 

5 REPLIES 5

L6 Presenter

Hi @stef ,

 

As it is showing the incomplete and you are facing problems to reach only the  internet, you need to first verify the NAT configuration and check if Source NAT before going to ISP gateway is happening properly. Although the IPSEC is working fine through the circuit, re-verify the reverse path/routing config if it is clear. You need to have routes on the firewall to reach the backend hosts subnet who are sending the internet requests.

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

Hello,

I agree this sounds like a routing/NAT issue. Are you using PBF for the fail over? Or are both ISP's live at the same time and routing traffic?

 

Please advise,

Hello

I dont use PBF. They are both up.

I have default routes with different Metrics

L4 Transporter

Just agreeing with everybody else really, it does sound like a NAT issue, I would make sure all routes and NAT's makes sense and then look further from there.

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants

Indeed it was routing issue.

I push the config from Panorama.

Nat policy changed to ISP2, but the default route remain the same because the Virtual router config was overwritten and the changes from panorama didnt applied .

Thank you all for your responses!

  • 3355 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!