PBF for incoming traffic


L1 Bithead

Hello everyone,

I have a setup on a PA-820 cluster with 3 ISP connections.

Every connection has its own zone (for clarity WAN-1, WAN-2 and WAN-3) and the default route in the virtual router points to WAN-2.

I need to publish some services from my DMZ subnet on WAN-1, but when I configure the NAT and security policy I can't see any traffic coming from the Internet because of asymmetric routing.

The packet enters through the interface in the WAN-1 zone, but the response packet goes out through the default route to WAN-2.

I tried to configure a PBF policy (following this article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClF5CAK) for the WAN-1 interface, with forwarding to the DMZ egress interface and forced return to the WAN-1 ISP router, but it is not working at all.

In the traffic monitor I can't see anything, and if I take a packet capture on the interface I see a lot of TCP retransmissions.

Any ideas on how to solve the problem and configure the PBF correctly?

Regards

Michele


6 REPLIES

Cyber Elite

Hi @MicheleCane ,

If you enable ECMP with Symmetric Return, traffic coming in a WAN interface will go out the same interface. If you want all traffic to continue to go out WAN-2, then you could use a Method of Weighted Round Robin with WAN-2 configured for 100 and WAN-1 and WAN-3 configured for 0. You will need to add default routes for WAN-1 and WAN-3, but the WRR should force all outbound traffic out WAN-2. I have NOT tested this in a lab.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

Hi Michele,

Did you find the solution to your issue?

Regards

Not yet. I am trying to find a solution using PBF because it's a production environment and I'm a little scared of making changes to the virtual router.

Hi Michele,

What I was thinking is configuring the NAT as bidirectional: whatever service you are publishing using WAN-1 or WAN-2, for those NATs you can enable bidirectional, so that they follow the same session on whichever interface the traffic is arriving.

Just a thought.

Regards

Cyber Elite

Hi @MicheleCane ,

For those services on DMZ that you want to publish on WAN-1, do you want all traffic from those DMZ servers to egress WAN-1? If so, create a simple PBF rule that forwards all traffic from that source IP to the WAN-1 next hop.

Thanks,

Tom


L1 Bithead (accepted solution)

Hi everyone,

I finally found the resolution to my problem.

I found out that on my zones WAN-1, WAN-2 and WAN-3 there was a zone protection profile with the option "IP Spoofed Address" enabled.

I created a new zone protection profile specific to the WAN-1 zone with that option disabled, and suddenly everything started working as expected.

I already have a PBF rule for outgoing traffic from the DMZ to WAN-1 for the return traffic, as suggested by Tom.

Thanks to everyone

Michele
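To make the cause and effect behind the accepted solution concrete, here is an added example that is not code from this thread or from PAN-OS. It models the two mechanisms the thread touches: the zone protection "Spoofed IP Address" drop, which does a route-table lookup on the packet's source address and discards the packet when the route back does not leave through the ingress interface, and a PBF rule with symmetric return in the shape of the KB article the original post followed, which only ever sees packets that survived that first check. With the default route pointing at WAN-2, every Internet client arriving on WAN-1 fails the spoof check, so no session is ever built, nothing appears in the traffic monitor, and the capture shows the client retransmitting its SYN. The route table, interface names, addresses and rule names below are constructed for the illustration.

```python
"""Toy model of the failure in this thread and of why the fix worked.

Added example, not code from the forum post or from PAN-OS. It models, in
simplified form, two things a PAN-OS firewall does to an inbound
connection: the zone-protection "Spoofed IP Address" check (a route-table
lookup of the packet's *source* address must point back out the ingress
interface, otherwise the packet is discarded before any session exists)
and, for the server's reply, a PBF rule with symmetric return overriding
the virtual-router default route. All interface names, addresses and rule
names are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed virtual-router table: default route via WAN-2, as in the
# original post; WAN-1 only knows its directly connected ISP link subnet.
ROUTES = [
    (ip_network("0.0.0.0/0"),       "ethernet1/2", "WAN-2"),  # default -> ISP 2
    (ip_network("203.0.113.0/29"),  "ethernet1/1", "WAN-1"),  # ISP 1 link subnet
    (ip_network("198.51.100.0/29"), "ethernet1/2", "WAN-2"),  # ISP 2 link subnet
    (ip_network("192.0.2.0/29"),    "ethernet1/3", "WAN-3"),  # ISP 3 link subnet
    (ip_network("10.10.10.0/24"),   "ethernet1/4", "DMZ"),
]

# Constructed PBF rule in the shape of the KB article the original post
# followed: inbound traffic on WAN-1 for the published public IP is
# forwarded to the DMZ interface, and symmetric return pins the reply to the
# ingress interface with the ISP-1 router as next hop.
PBF_RULES = [
    {"name": "PBF-IN-WAN1-TO-DMZ", "from_zone": "WAN-1",
     "destination": ip_network("203.0.113.5/32"),   # public IP of the service
     "egress_iface": "ethernet1/4",                  # DMZ
     "symmetric_return_nexthop": "203.0.113.1"},     # ISP-1 router
]


def route_lookup(addr):
    """Longest-prefix match in ROUTES; returns (egress interface, zone)."""
    best = None
    for net, iface, zone in ROUTES:
        if ip_address(addr) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, zone)
    return best[1], best[2]


def passes_spoofed_ip_check(src, ingress_iface):
    """Model of the 'Spoofed IP Address' drop: the route back to the packet's
    source must leave via the interface the packet arrived on. With a single
    default route via WAN-2, every Internet source arriving on WAN-1 fails."""
    return route_lookup(src)[0] == ingress_iface


def pbf_lookup(ingress_zone, dst):
    """First matching PBF rule wins; None means fall back to the route table."""
    for rule in PBF_RULES:
        if rule["from_zone"] == ingress_zone and ip_address(dst) in rule["destination"]:
            return rule
    return None


def simulate_inbound_connection(client, ingress_iface, ingress_zone, dst_public, *,
                                spoof_drop_enabled, pbf_enabled):
    """Walk a client SYN and the server's reply through the toy pipeline and
    report what happened to each direction."""
    # 1. Zone protection runs on ingress, before session setup and before PBF.
    if spoof_drop_enabled and not passes_spoofed_ip_check(client, ingress_iface):
        return {"inbound": "discarded by zone protection (spoofed IP)",
                "session": False,       # nothing in the traffic log ...
                "return_iface": None,   # ... and the client keeps retransmitting SYN
                "return_nexthop": None,
                "symmetric": False}
    # 2. Session is created (destination NAT to the DMZ server happens here).
    # 3. The reply: symmetric return beats the route table, if a PBF rule matched.
    rule = pbf_lookup(ingress_zone, dst_public) if pbf_enabled else None
    if rule is not None and rule.get("symmetric_return_nexthop"):
        return_iface, return_nexthop = ingress_iface, rule["symmetric_return_nexthop"]
    else:
        return_iface, return_nexthop = route_lookup(client)[0], None  # default route -> WAN-2
    return {"inbound": "accepted", "session": True,
            "return_iface": return_iface, "return_nexthop": return_nexthop,
            "symmetric": return_iface == ingress_iface}


if __name__ == "__main__":
    client = "203.0.113.200"  # constructed Internet client, outside the ISP-1 link /29
    for spoof, pbf in [(True, True), (False, False), (False, True)]:
        r = simulate_inbound_connection(client, "ethernet1/1", "WAN-1", "203.0.113.5",
                                        spoof_drop_enabled=spoof, pbf_enabled=pbf)
        print(f"spoof_drop={spoof!s:<5} pbf={pbf!s:<5} -> {r}")
```

Running it prints three outcomes: spoof check on plus PBF gives a discard with no session (the symptom in the original post), spoof check off without PBF gives a session whose reply leaves via ethernet1/2 (the asymmetric path), and spoof check off with the PBF rule gives a reply pinned to ethernet1/1 via the ISP-1 router. On a real firewall a drop like the first case never shows up in the traffic log because no session exists; look at the threat log and the global drop counters (`show counter global filter severity drop`) instead.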
