Palo Alto With TWO ISPs

cancel
Showing results for 
Search instead for 
Did you mean: 

Palo Alto With TWO ISPs

Not applicable

Hello,

We have migrated firewall from ASA firewall to Palo Alto firewall. In my case, we have below interfaces in Palo Alto firewall.

1. ISP1 Interface (E1/1)

2  ISP2 Interface (E1/2)

3. DMZ Interface (E1/3)

4. Inside Interface (E1/4)

Since we are using ISP1 for accessing DMZ servers from internet and we are using ISP2 for web traffic of users from inside zone. We are using PBF (Policy Based Forwarding) for redirecting web-traffic to ISP2.

As all the http and https traffic is diverted to ISP2 the users(Inside Zone) are not able to access the servers those are in DMZ Zone.

Please suggest how we can solve this problem.

Regards,

Parvez

7 REPLIES 7

L6 Presenter

can you share your pbf rule ?

L6 Presenter

if you need to seperate connections you may configure 2 virtual routers (not mandatory)

1- Make your LAN and WAN2(ISP2) use default VR

2- Make your DMZ and WAN1(ISP1) use second VR2

3- Add default Gateways for VR1 and VR2 (for each one 0.0.0.0/0 route)

4-Configure NAT rules for LAN and DMZ

5- Add a route for each VR for the other network.(for default VR add a route as destination "subnet DMZ", Next VR, VR2) (for VR2 add a route as destination "subnet LAN", Next VR, default VR)

L4 Transporter

Without seeing a topology this is going to be difficult to diagnose. Are your DMZ servers tied to public IP addresses allocated by isp1 or isp2?

Normally dual ISP is a simple config.

ISP 1 is your primary link so the PBF points to this ISP as the next hop and you monitor this next hop.

ISP 2 is the secondary so the default route in the routing table points here.

Once you have this working you can try getting fancy. But keep in  mind that NAT plays a big role here.  If people are connecting to the x.x.x.x address to access your servers, you can not send the response packets out the other link with a source NAT of z.z.z.z.

Use ping tosee where the packets are going.

show session all filter source <IP_DMZ_Serv_inside>

then

Show session id xxxxx

The output should show you what interface is being used, what NAT rule is used, what sec policy is used.

This should give you good insight as to what is going wrong.

SKrall

Would you please explain your point 5 in more details? Thank you.

if your lan is 192.168.0.0/24(default VR)

dmz is 172.16.0.0/24(VR2)

for default VR which uses LAN you should add a route destination ip 172.16.0.0/24 next hope will be next VR(vr2)

for VR2 which uses DMZ you should add a route destination ip 192.168.0.0/24 next hope will be next vr default VR

also you don't need pbf rules with that config.

your nat to outside and security rules will be

lan to wan2

dmz to wan1

Thanks panos. It is working fine.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!