Route specific traffic out backup ISP?


We have dual ISPs (ISP-A and ISP-B) and are utilizing PBR, which works just fine.  Now I have a use case where I have a NAT configured on ISP-B (1 to 1) and I want to force traffic to a specific destination out the backup interface.  I want to do this to ensure traffic destined for a specific address IP-B is sent out the backup interface.  I tried adding a specific route on the VR with the interface and next hop as ISP-B, but the path from behind the PAN still takes the primary interface and hop.


I am missing something but not sure what?  


The 1 to 1 NAT in question is at the top of the list, followed by the dynamic NAT statements for ISP-A and ISP-B. 


Is there a command I can run to see if a NAT is being applied to certain traffic based on source IP?  


Within the CLI you can run 'test nat-policy-match' and build out the complete traffic match, and it'll tell you the exact NAT policy that the traffic will match.

It shows it's applying the NAT from the source and destination IP I created the NAT for.  Still don't understand why the provider would tell me they are seeing the .37 vs the .38 NAT'd IP.


test nat-policy-match source destination protocol 1

Source-NAT: Rule matched: NAT-provider-1to1 => (1), ethernet1/3




I would attempt to contact the provider and have them verify the source-address they are getting on their end again, maybe they just typo'd. I've never had nat-policy-match lie to me unless I entered something in wrong, but maybe? You can also verify within your own logs what NAT address was actually applied to the traffic, so verify that the address is being recorded correctly and that the logs aren't also indicating the wrong NAT IP. 

So it's fixed.  It looks like the PAN was holding onto the old sessions from before the NAT?  Once I cleared them it started using the NAT IP and the connection started to work.  Does PA not kill sessions after x amount of time?


Unfortunately I didn't do a show prior to clearing them...


admin@fw-PAN(active)> show session all filter source

ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
124573       ipsec-esp-udp  ACTIVE  FLOW  NS[4505]/trust/17  ([4505])
vsys1                                [4500]/untrust  ([4500])
114885       ipsec-esp-udp  ACTIVE  FLOW  NS[4505]/trust/17  ([4505])
vsys1                                [4500]/untrust  ([4500])

Thanks for all your help dudes. 
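The root cause in this thread was existing sessions that kept their pre-change translation even though 'test nat-policy-match' reported the new 1-to-1 rule. A quick way to catch that before calling the provider is to parse the 'show session all filter source ...' output and flag any session for the source/destination pair whose translated source address is not the address the 1-to-1 rule should be applying. The script below is an added example, not code from the thread or from Palo Alto Networks. The session text is a constructed sample laid out like the output quoted above, with documentation-range addresses standing in for the stripped ones (203.0.113.37 as the old dynamic-NAT address, 203.0.113.38 as the 1-to-1 address); the column layout of real output can differ by PAN-OS version, so treat the regexes as assumptions to adjust.

```python
import re

# Constructed sample that mimics the two-line-per-session layout of
# 'show session all filter source <ip>'. Addresses are documentation
# ranges (RFC 5737), not the poster's real addresses.
SAMPLE_OUTPUT = """\
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
124573       ipsec-esp-udp  ACTIVE  FLOW  NS   10.1.1.5[4505]/trust/17  (203.0.113.37[4505])
vsys1                                          198.51.100.10[4500]/untrust  (198.51.100.10[4500])
114885       ipsec-esp-udp  ACTIVE  FLOW  NS   10.1.1.5[4505]/trust/17  (203.0.113.37[4505])
vsys1                                          198.51.100.10[4500]/untrust  (198.51.100.10[4500])
130021       ipsec-esp-udp  ACTIVE  FLOW  NS   10.1.1.5[4506]/trust/17  (203.0.113.38[4506])
vsys1                                          198.51.100.10[4500]/untrust  (198.51.100.10[4500])
"""

# First line of a session record: id, app, state, type, flag, source side.
# Assumption: the Flag column is populated (it is 'NS' in the thread's output).
FIRST_LINE = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+(?P<flag>\S+)\s+"
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<szone>[^/\s]+)/(?P<proto>\d+)\s+"
    r"\((?P<xsrc>[\d.]+)\[(?P<xsport>\d+)\]\)\s*$"
)
# Second line of a session record: vsys and destination side.
SECOND_LINE = re.compile(
    r"^(?P<vsys>\S+)\s+(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<dzone>[^/\s]+)\s+"
    r"\((?P<xdst>[\d.]+)\[(?P<xdport>\d+)\]\)\s*$"
)


def parse_sessions(text):
    """Turn the CLI text into one dict per session; header lines are skipped
    because they do not match the numeric session-id pattern."""
    sessions = []
    lines = [line for line in text.splitlines() if line.strip()]
    i = 0
    while i < len(lines):
        m1 = FIRST_LINE.match(lines[i])
        m2 = SECOND_LINE.match(lines[i + 1]) if (m1 and i + 1 < len(lines)) else None
        if not (m1 and m2):
            i += 1
            continue
        record = dict(m1.groupdict())
        record.update(m2.groupdict())
        record["id"] = int(record["id"])
        sessions.append(record)
        i += 2
    return sessions


def stale_nat_sessions(sessions, src, dst, expected_nat_ip):
    """Sessions for this src/dst pair whose translated source is not the
    address the 1-to-1 rule should apply: these were built before the rule
    changed and will keep their old translation until they age out or are
    cleared."""
    return [
        s for s in sessions
        if s["src"] == src and s["dst"] == dst and s["xsrc"] != expected_nat_ip
    ]


def clear_commands(stale):
    """PAN-OS commands to clear the stale sessions one by one
    ('clear session id <id>'), for review before running them."""
    return [f"clear session id {s['id']}" for s in stale]


if __name__ == "__main__":
    found = parse_sessions(SAMPLE_OUTPUT)
    stale = stale_nat_sessions(found, "10.1.1.5", "198.51.100.10", "203.0.113.38")
    for s in stale:
        print(f"session {s['id']}: translated as {s['xsrc']}, expected 203.0.113.38")
    for cmd in clear_commands(stale):
        print(cmd)
```

Run it against a saved copy of the real output and compare the translated source column against the 1-to-1 address; if anything shows up, the provider is most likely reporting exactly what those sessions are still sending, and clearing them (or waiting for the UDP/ESP timeout) is the fix rather than a NAT-rule change.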
