PA-500 dual internet connections

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA-500 dual internet connections

L0 Member

Hello all,

First post here!!

I have a PA-500 that I'm trying to add a second internet connection to and I'm running into an issue. The goal here is to keep the primary line (a bonded T1 solution) for corperate traffic such as VPN tunnels, remote connectivity, SIP phones, mail delivery and then add the second line (a standard cable line) for general internet surfing.

I have the second line in place and I can use it. the issue I run into is two things. First what is likely the easy one - on the new connection I can ping and get replies to the internet, but I can't browse the internet. I would assume this is something set-up in NAT or in the application layer being allowed only to browse on the old conection IP address? I feel like I can figure this out, but I haven't messed with it much since I'm running into the next issue.

Then the second issue is a little more complex I think. I have a route already in place which is 0.0.0.0/0 --> corperate line. When I change my 0.0.0.0/0 route to use the new connection I can no longer connect from an outside address to a IP on the corperate line. So for example we have a published RDP server, it uses one of the static IP's on the corperate line. When I change the route I can't RDP to that server.

I'm pretty sure what's happening here is the connection comes in the corperate line, goes to the server then is trying to return using the new connection. I asummed that the established routes would follow their same path back, but they seem to be trying to follow the 0.0.0.0/0 route to the new connection instead. Which I guess sort of makes sense, after all when traffic gets to the PA-500 and wants to go to the users IP address it looks at the route and follows it, when I want it to ignore the route table and just go back the direction it came from.

Can this be done on a PA-500? Is there some global setting I need to set to make this work? Any help would be appreciated.

Thanks.

Doug

16 REPLIES 16

Its working!!  I have the PBF rules set-up, I was close but the doc got the last pieces in place.

I still have the internet browsing problem though. Its a bit confusing because I can ping and trace route all of the way through to internet addreses will full replies, but I can't broswe the internet. Could this be something in the application filtering?

Thanks,

Doug

I got it going this morning.

I had to change the translation IP for the Source Translation on default internet NAT from the corperate line to the browsing internet line. I tried to just add it as a second NAT so I'd have one for both, but I guess it only likes the one. I'll just have to make this change if I ever need to switch the browsing from one to the other.

Thanks to all for the help on getting this set-up.


  • 5383 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!