08-27-2021 01:21 PM
When setup U-turn NAT, can see SNAT part using an internal interface for DIPP. But in the scenario A/P FW has two downstream switches, ie. two internal interfaces, if need to setup 2 U-turn NAT policies . So that when the primary link down, can use the 2nd NAT(which using 2nd internal interface ip address as DIPP)? Please help.
08-28-2021 01:29 PM
Hi Allan
I think I understand your question. The NAT policies on the FW allow for a matching condition of Destination Interface, so if you have 2 internal interfaces on the FW, then you could have 2 different UTurn NAT rules, defining the destination interface, so if one went down, the other would then be active.
However, as I suggested, I am not sure I agree that you need to have 2 internal interfaces defined. Instead, define 2 internal interfaces as an aggregated interface, with a single IP. So if one interface when down, you will have the 2nd interface active, and really only need a single UTurn NAT rule. Try not to make your configuration more complicated. AE interfaces will work for what you need vs 2 separate UTurn NAT rules. Hope that makes sense.
08-27-2021 03:22 PM
Hi there
I think it is important to remember that in HA... that 99% of your configuration is synch'd between the FWs (what does not get synch'd is mgmt IP, hostname, and HA configuration). So your inside interface on FW1 is also on FW2. It is not clear if you mean that both FWs will each have 2 interfaces, or if you are referring each FW having a single interface (but technically, there are 2 internal interfaces).
My point is that whatever you configure on FW1 will show up on FW2. You cannot have 2 different IPs across the internal interface. If you worried about redundancy, you set up 2 interfaces on each FW into an AE (aggregated ethernet interface), so if 1 cable gets unplugged, the FW does not lose/failover.
08-27-2021 03:50 PM
Hi Steve, thanks a lot for the reply. And sorry for the confusion, the thing is two internal interfaces on each FWs.
And looks U-NAT require SNAT part to use internal interface ip address as a DIPP translated to. So my question is based on this, if need to have 2 U-NAT policy so that can have 2 diff. internal interface ip there for the SNAT part. And this is kind of redundancy when 1 internal interface went down.
08-28-2021 01:29 PM
Hi Allan
I think I understand your question. The NAT policies on the FW allow for a matching condition of Destination Interface, so if you have 2 internal interfaces on the FW, then you could have 2 different UTurn NAT rules, defining the destination interface, so if one went down, the other would then be active.
However, as I suggested, I am not sure I agree that you need to have 2 internal interfaces defined. Instead, define 2 internal interfaces as an aggregated interface, with a single IP. So if one interface when down, you will have the 2nd interface active, and really only need a single UTurn NAT rule. Try not to make your configuration more complicated. AE interfaces will work for what you need vs 2 separate UTurn NAT rules. Hope that makes sense.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
