Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PA-500 dual internet connections

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA-500 dual internet connections

L0 Member

Hello all,

First post here!!

I have a PA-500 that I'm trying to add a second internet connection to and I'm running into an issue. The goal here is to keep the primary line (a bonded T1 solution) for corperate traffic such as VPN tunnels, remote connectivity, SIP phones, mail delivery and then add the second line (a standard cable line) for general internet surfing.

I have the second line in place and I can use it. the issue I run into is two things. First what is likely the easy one - on the new connection I can ping and get replies to the internet, but I can't browse the internet. I would assume this is something set-up in NAT or in the application layer being allowed only to browse on the old conection IP address? I feel like I can figure this out, but I haven't messed with it much since I'm running into the next issue.

Then the second issue is a little more complex I think. I have a route already in place which is 0.0.0.0/0 --> corperate line. When I change my 0.0.0.0/0 route to use the new connection I can no longer connect from an outside address to a IP on the corperate line. So for example we have a published RDP server, it uses one of the static IP's on the corperate line. When I change the route I can't RDP to that server.

I'm pretty sure what's happening here is the connection comes in the corperate line, goes to the server then is trying to return using the new connection. I asummed that the established routes would follow their same path back, but they seem to be trying to follow the 0.0.0.0/0 route to the new connection instead. Which I guess sort of makes sense, after all when traffic gets to the PA-500 and wants to go to the users IP address it looks at the route and follows it, when I want it to ignore the route table and just go back the direction it came from.

Can this be done on a PA-500? Is there some global setting I need to set to make this work? Any help would be appreciated.

Thanks.

Doug

16 REPLIES 16

L6 Presenter

Hi Doug,

Lets see your second issue first !!. You are right the RDP to server is not working because your traffic is coming one way and going out other. We do have the feature which allows us to send the traffic back the same path we received and this feature is introduced in 5.0.

Tx,

Sandeep T

I did check and we are running version 3.1.10, so there's not going to be much I can do until I get the support renewed anyway.

Not applicable

Hi Doug!

I have the same kind of set-up and can tell you that it does work... With 5.0.1 (my PA-500 is brand new) ...

I have some of my users going out via the secondary, and others via my primary, but it was tricky... You do need some NAT rules and Policy Based ones for the out-in of your secondary, even before trying to make people go out via secondary.

I cannot say if it can be done for specific applications (my next project to look into Smiley Happy )

I had great help from the support tema here, that was how I got it to work so indeed, "keep" pushing your provider to get your support asap...

Serge

yea, we have support now!!

next problem - newest version in the list for me to download and install is 4.0.13. I suspect this is becuase I will need to go to a 4 level from 3 before I can go to a 5 level?


In order to upgrade to 5.0.0 you need to have at least 4.1.0 and above running on the box else you cannot upgrade to 5.0.0 and also your application and threats content version should be above 320 version. Please check the release notes for the same.

Thanks,

Sandeep T

Well this is working great!!

I tried to install the latest version I can to get this done (4.0.13) and now the device is dead. the amber status light is on and none of the other network lights are on. The managment one does come on so maybe I need to plug into that???


Mssion "4.0.13" complete, thanks to great support help!!

Now moving on to mission "4.1.9", hopefully this one will go a little smoother.


woo-hoo!! 4.1.10 is loaded with no problems!! Downloading the 5's now, one more update path and I should be good to go.

alright, 5.0.1 is loaded and its working!!!

now what was I doing again???


Hello again all,

I'm picking back up where I left off before upgrades amd looking to get a little help.

I've found the check box in the policy based forwarding but still not having any luck. Anyway, if anyones knows how I can get this firewall to return traffic from the interface it came from instead of following the 0.0.0.0 route.

Thanks,

Doug

I will check with my team and will try to make this a public one or create a new one for the same. I will update you no than tomorrow !!

Hi,

When the document will be downloadable?

regards,

Iarno Pagliani

Hi Larno,

I am putting together a document. I will attach it here today so that you can download it.

Tx,

Sandeep T

L6 Presenter

Here we go with the doc.

Symmetric Return.docx -Box

Let me know if you u need more info.

Tx,

Sandeep T

  • 6209 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!