08-02-2025 01:25 AM - edited 08-02-2025 01:27 AM
Hello, I have a configuration that needs to be revised, since there is some ISP that can't provide an asymmetric connection source. The rest of the inbound NAT is already clear using PBF, but only GlobalProtect still can't be enforced symmetric.
Here is my example configuration in the firewall:
ISP A: 10.10.10.2/28 (Zone: Untrust)
GW ISP A: 10.10.10.1
VPN ISP A IP Public: 10.10.10.3
Loopback.1: 10.1.2.1 (Zone: VPN)
ISP B: 10.10.20.2/28 (Zone: Untrust)
GW ISP B: 10.10.20.1
VPN ISP B IP Public: 10.10.20.3
Loopback.1: 10.1.5.1 (Zone: VPN)
Based on the metric, ISP A acts as our primary and ISP B becomes our secondary (for failover purposes). The situation is that connections to the GlobalProtect portal from the public side via VPN ISP B can't be reached, due to the asymmetric route sending the reply back to the client via ISP A. Is there any way to resolve this configuration so that both ISPs can be used and be able to access our internal rule policy?
Notes:
- Already checked the resolution using 2 VRs, but since ISP A & ISP B have a failover condition, I think we can't take that approach,
- Already tried to put the VPN Portal / Gateway on the management interface (so without NAT); it doesn't succeed either.
08-04-2025 03:19 AM
Hi @NYanico ,
I haven't tested this myself, but have you tried using PBF and enabling symmetric return?
I'm thinking about creating a PBF rule that forces any traffic originating from the GlobalProtect tunnel interface (Loopback.1) to use the same ISP that the original connection came in on.
Enable the "Symmetric Return" option and specify the public IP for ISP B (10.10.20.3) as the return address. This tells the firewall to force return traffic for this specific NAT session to egress the same interface it came in on, overriding the default routing table.
How to configure symmetric return.
Hope this helps,
-Kim.
08-05-2025 03:55 AM
Hi Kiwi,
Thank you for your reply; can you please elaborate more, since I have tried PBF and still no luck.
Do you mean I need to set the source PBF from Eth1/2 (ISP B) with a destination of 10.10.20.3 and set the egress to the loopback (nexthop: none), and enforce symmetric return with the gateway (10.10.20.1)?
08-05-2025 04:35 AM
Hi @NYanico ,
Actually you need to tell the firewall that the traffic originating from the VPN tunnel must be sent back out the same physical interface that the original client connection came in on.
I would think the following logic for the PBF rule for ISP B applies:
Source Zone: The zone of your GlobalProtect tunnel, which is your VPN zone.
Source Address: The IP address pool assigned to your GlobalProtect clients.
Destination Zone: The Untrust zone (or the zone of ISP B).
Destination Address: any
Action: Forward
Forwarding Type: Next Hop IP address
Next Hop: 10.10.20.1 (the gateway for ISP B).
Egress Interface: The physical interface for ISP B (e.g., ethernet1/2).
Enforce Symmetric Return: Yes
Next Hop Address List: 10.10.20.3 (the public IP of your VPN Gateway on ISP B).
The purpose of this rule is to force the return traffic from a GlobalProtect client, which has been assigned an IP from the VPN pool, to exit the firewall through the correct physical interface and public IP address.
I have no environment to test this currently but I believe the above logic applies.
Hope this helps,
Kim.
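Kim's field list written out as PAN-OS CLI set commands, added here as an illustration (it is not Kim's post or Palo Alto documentation). The rule name GP-ISP-B-Return, the address object GP-Client-Pool, the interface ethernet1/2 and the test client/destination IPs are assumed placeholders; confirm the exact command syntax with `?` completion on your PAN-OS version before committing. Lines starting with # are annotations, not CLI.

```text
# PBF rule for the ISP B path (IPs from the thread; rule name and address object are assumed)
set rulebase pbf rules GP-ISP-B-Return from zone VPN
set rulebase pbf rules GP-ISP-B-Return source GP-Client-Pool
set rulebase pbf rules GP-ISP-B-Return destination any
set rulebase pbf rules GP-ISP-B-Return action forward egress-interface ethernet1/2
set rulebase pbf rules GP-ISP-B-Return action forward nexthop ip-address 10.10.20.1
set rulebase pbf rules GP-ISP-B-Return enforce-symmetric-return enabled yes nexthop-address-list 10.10.20.3
commit

# Check that the rule is installed and which rule a client flow would match
# (10.1.2.10 is a constructed client-pool address, 203.0.113.10 a documentation-range destination)
show pbf rule all
test pbf-policy-match from VPN to Untrust source 10.1.2.10 destination 203.0.113.10 protocol 6 destination-port 443
```

If the test output does not show GP-ISP-B-Return as the matched rule, compare the zone and source object against the actual GlobalProtect tunnel zone and client pool before looking at the symmetric-return settings.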
08-05-2025 04:57 AM
Hi Kiwi,
Yes, from the logic I would like to tell the firewall to route all traffic back to the original source, but the problem is I don't know which one I need to configure to achieve that.
And from your configuration, I'm pointing out some mistakes that I can verify:
But thanks anyway for the help; if there is any solution I will be glad. Waiting for our partner support for almost 1 week, still no feedback.