First post here!!
I have a PA-500 that I'm trying to add a second internet connection to, and I'm running into an issue. The goal here is to keep the primary line (a bonded T1 solution) for corporate traffic such as VPN tunnels, remote connectivity, SIP phones and mail delivery, and then add the second line (a standard cable line) for general internet surfing.
I have the second line in place and I can use it. The issue I run into is twofold. First, what is likely the easy one: on the new connection I can ping and get replies from the internet, but I can't browse the internet. I would assume this is something set up in NAT, or in the application layer being allowed only to browse on the old connection IP address? I feel like I can figure this out, but I haven't messed with it much since I'm running into the next issue.
The second issue is a little more complex, I think. I have a route already in place which is 0.0.0.0/0 --> corporate line. When I change my 0.0.0.0/0 route to use the new connection, I can no longer connect from an outside address to an IP on the corporate line. So for example we have a published RDP server; it uses one of the static IPs on the corporate line. When I change the route I can't RDP to that server.
I'm pretty sure what's happening here is the connection comes in the corporate line, goes to the server, then is trying to return using the new connection. I assumed that established sessions would follow the same path back, but they seem to be trying to follow the 0.0.0.0/0 route to the new connection instead. Which I guess sort of makes sense: after all, when traffic gets to the PA-500 and wants to go to the user's IP address, it looks at the route and follows it, when I want it to ignore the route table and just go back the direction it came from.
Can this be done on a PA-500? Is there some global setting I need to set to make this work? Any help would be appreciated.
Let's look at your second issue first! You are right: the RDP to the server is not working because your traffic is coming in one way and going out the other. We do have a feature which allows us to send the traffic back along the same path we received it on, and this feature was introduced in 5.0.
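To make the asymmetric-return behaviour described above concrete, here is an added example (not from the original post and not Palo Alto Networks code) that models a stateful firewall with a longest-prefix-match routing table and a session table that remembers each flow's ingress interface. The interface names, the addresses, the /29 on the T1 and the "symmetric return" switch are all illustrative assumptions; on a real PAN-OS box the equivalent switch is the symmetric-return option on a policy-based forwarding rule, which the thread mentions.

```python
"""
Toy model of the problem in this thread: an inbound RDP session arrives on the
T1 interface, but the reply is routed by the FIB, so once 0.0.0.0/0 points at
the cable line the reply leaves the wrong way. With "symmetric return" the
reply is pinned to the ingress interface of the session instead.

Added example; interface names, prefixes and addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str          # egress interface for destinations in `prefix`


@dataclass(frozen=True)
class Flow:
    src: str                # the outside client's address
    dst: str                # the public address the client connected to
    dport: int


class ToyFirewall:
    """Minimal stateful firewall: FIB lookup plus a session table."""

    def __init__(self, routes: List[Route], symmetric_return: bool = False):
        # Longest-prefix match: most specific prefix first, take the first hit.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)
        self.symmetric_return = symmetric_return
        self.sessions: Dict[Flow, str] = {}   # flow -> ingress interface

    def route_lookup(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        for route in self.routes:
            if addr in route.prefix:
                return route.interface
        raise LookupError(f"no route to {dst}")

    def accept_inbound(self, flow: Flow, ingress: str) -> None:
        """First packet of a session: remember which interface it arrived on."""
        self.sessions[flow] = ingress

    def reply_egress(self, flow: Flow) -> str:
        """Interface the server's reply to `flow.src` leaves on."""
        ingress = self.sessions.get(flow)
        if ingress is None:
            raise KeyError("no session for this flow; the reply would be dropped")
        if self.symmetric_return:
            # Symmetric return: ignore the FIB and go back out the ingress interface.
            return ingress
        # Plain routing: the client's address only matches 0.0.0.0/0.
        return self.route_lookup(flow.src)


# Assumed topology: T1 on ethernet1/1, cable on ethernet1/4, LAN on ethernet1/2.
T1, CABLE, INSIDE = "ethernet1/1", "ethernet1/4", "ethernet1/2"

ROUTES = [
    Route(ipaddress.ip_network("203.0.113.0/29"), T1),      # T1 static block (assumed)
    Route(ipaddress.ip_network("198.51.100.0/24"), CABLE),  # cable subnet (assumed)
    Route(ipaddress.ip_network("10.0.0.0/8"), INSIDE),      # corporate LAN (assumed)
    Route(ipaddress.ip_network("0.0.0.0/0"), CABLE),        # default moved to the cable line
]

# Constructed sample flow: outside client hitting the published RDP address on the T1.
RDP_FROM_OUTSIDE = Flow(src="192.0.2.25", dst="203.0.113.5", dport=3389)


def reply_interface(symmetric_return: bool) -> str:
    """Run one inbound RDP session through the model and report the reply's egress."""
    fw = ToyFirewall(ROUTES, symmetric_return=symmetric_return)
    fw.accept_inbound(RDP_FROM_OUTSIDE, ingress=T1)
    return fw.reply_egress(RDP_FROM_OUTSIDE)


if __name__ == "__main__":
    print("default route only :", reply_interface(False))  # ethernet1/4 (cable): asymmetric
    print("symmetric return on:", reply_interface(True))   # ethernet1/1 (T1): back the way it came
```

The model shows why a static route cannot fix this on its own: the reply's destination is the client's address, which is only ever matched by the default route, so the decision has to be made per session, not per prefix.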
I have the same kind of setup and can tell you that it does work... with 5.0.1 (my PA-500 is brand new)...
I have some of my users going out via the secondary and others via my primary, but it was tricky... You do need some NAT rules and policy-based forwarding rules for the out-in of your secondary, even before trying to make people go out via the secondary.
I cannot say if it can be done for specific applications (my next project to look into).
I had great help from the support team here; that was how I got it to work, so indeed, "keep" pushing your provider to get your support ASAP...
Hello again all,
I'm picking back up where I left off before upgrades and am looking to get a little help.
I've found the check box in the policy-based forwarding but am still not having any luck. Anyway, if anyone knows how I can get this firewall to return traffic from the interface it came in on instead of following the 0.0.0.0 route, any help would be appreciated.