01-04-2014 11:51 AM
Hello,
We have migrated firewall from ASA firewall to Palo Alto firewall. In my case, we have below interfaces in Palo Alto firewall.
1. ISP1 Interface (E1/1)
2 ISP2 Interface (E1/2)
3. DMZ Interface (E1/3)
4. Inside Interface (E1/4)
Since we are using ISP1 for accessing DMZ servers from internet and we are using ISP2 for web traffic of users from inside zone. We are using PBF (Policy Based Forwarding) for redirecting web-traffic to ISP2.
As all the http and https traffic is diverted to ISP2 the users(Inside Zone) are not able to access the servers those are in DMZ Zone.
Please suggest how we can solve this problem.
Regards,
Parvez
01-04-2014 02:16 PM
if you need to seperate connections you may configure 2 virtual routers (not mandatory)
1- Make your LAN and WAN2(ISP2) use default VR
2- Make your DMZ and WAN1(ISP1) use second VR2
3- Add default Gateways for VR1 and VR2 (for each one 0.0.0.0/0 route)
4-Configure NAT rules for LAN and DMZ
5- Add a route for each VR for the other network.(for default VR add a route as destination "subnet DMZ", Next VR, VR2) (for VR2 add a route as destination "subnet LAN", Next VR, default VR)
01-04-2014 06:15 PM
Without seeing a topology this is going to be difficult to diagnose. Are your DMZ servers tied to public IP addresses allocated by isp1 or isp2?
Normally dual ISP is a simple config.
ISP 1 is your primary link so the PBF points to this ISP as the next hop and you monitor this next hop.
ISP 2 is the secondary so the default route in the routing table points here.
Once you have this working you can try getting fancy. But keep in mind that NAT plays a big role here. If people are connecting to the x.x.x.x address to access your servers, you can not send the response packets out the other link with a source NAT of z.z.z.z.
Use ping tosee where the packets are going.
show session all filter source <IP_DMZ_Serv_inside>
then
Show session id xxxxx
The output should show you what interface is being used, what NAT rule is used, what sec policy is used.
This should give you good insight as to what is going wrong.
SKrall
01-05-2014 04:02 AM
Would you please explain your point 5 in more details? Thank you.
01-05-2014 04:08 AM
if your lan is 192.168.0.0/24(default VR)
dmz is 172.16.0.0/24(VR2)
for default VR which uses LAN you should add a route destination ip 172.16.0.0/24 next hope will be next VR(vr2)
for VR2 which uses DMZ you should add a route destination ip 192.168.0.0/24 next hope will be next vr default VR
01-05-2014 04:10 AM
also you don't need pbf rules with that config.
your nat to outside and security rules will be
lan to wan2
dmz to wan1
01-23-2014 04:44 AM
Thanks panos. It is working fine.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
