In 5.0 there is a feature being added called "return to sender" which will take care of most of your config. In the meantime most of it can be done.

> Currently we have no inbound services on cable, and plan to use that primarily for web browsing, however we will need to set up GlobalProtect on that interface as soon as possible. We have a few services inbound on DSL.

This will actually need to be done with two VRs. PBF does not apply to traffic that is sourced from or destined to the PAN itself. It only applies to traffic that goes through the PAN. If you have a PBF rule to route traffic through cable and a default route to route traffic out DSL, all requests to GP will route back out the cable line.

> We have a few services inbound on DSL.

What may be happening here is the SYN comes in on the DSL and PBF matches the SYN/ACK and routes it back out the cable line. If DNATs are required on the DSL line you will need to split the VRs, or put a negate rule above the PBF rule so it will use the VR route out the DSL line. This in turn will route ALL traffic out the DSL for those machines.

> When trying to change outbound NAT rules, a SYN comes in on one (DSL) interface, gets properly translated to the internal host, however the outbound ACK gets sent out the correct interface with the correct destination IP, but with a MAC address that isn't even in its ARP table (and the

Which MAC is incorrect, the DST MAC after it leaves the PAN or the SRC?

> When trying to set up the VNC connections, the traffic monitor says the traffic is allowed by the OWA rule (which has nothing to do with that port or its application type), but still does not get NATted correctly.

The first packet will be allowed not based on application, so if the service field is ANY or the same port as VNC this would match for the 3-way handshake and change once the application is identified.

Dominic
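Added example, not part of Dominic's reply and not taken from Palo Alto Networks documentation: a PAN-OS configure-mode (set format) sketch of the "negate rule above the PBF rule" option described in the post. The interface names, zones, next-hop addresses, the 10.0.0.0/24 LAN and the host 10.0.0.10 are assumptions chosen for illustration; the CLI keywords are written from memory of the PAN-OS 4.x/5.x `set rulebase pbf` syntax and should be checked against the box's own `?` completion before a commit.

```text
# Assumed layout (example only, not the original poster's network):
#   ethernet1/1 = Cable (zone Cable), ISP next hop 203.0.113.1
#   ethernet1/2 = DSL   (zone DSL),   ISP next hop 198.51.100.1
#   ethernet1/3 = LAN   (zone Trust), 10.0.0.0/24
#   10.0.0.10   = internal host that receives DNAT'd services on the DSL line

# Default route stays on the DSL line. Anything PBF does not touch,
# including traffic to or from the firewall itself (e.g. GlobalProtect
# terminating on the cable interface), follows the virtual router, not PBF.
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 nexthop ip-address 198.51.100.1

# 1. Negate rule, which must sit ABOVE the forward rule: hosts that have
#    inbound DNATs on DSL are exempted from PBF, so the SYN/ACK and all later
#    replies use the VR default route out DSL instead of being pushed to cable.
#    Side effect the post warns about: ALL outbound traffic from 10.0.0.10
#    now leaves via DSL, not just the replies to the DNAT'd connections.
set rulebase pbf rules No-PBF-DSL-Hosts from zone Trust
set rulebase pbf rules No-PBF-DSL-Hosts source 10.0.0.10
set rulebase pbf rules No-PBF-DSL-Hosts destination any
set rulebase pbf rules No-PBF-DSL-Hosts application any
set rulebase pbf rules No-PBF-DSL-Hosts service any
set rulebase pbf rules No-PBF-DSL-Hosts action no-pbf

# 2. Everyone else on the LAN is forwarded out the cable line for browsing.
set rulebase pbf rules Web-Out-Cable from zone Trust
set rulebase pbf rules Web-Out-Cable source 10.0.0.0/24
set rulebase pbf rules Web-Out-Cable destination any
set rulebase pbf rules Web-Out-Cable application any
set rulebase pbf rules Web-Out-Cable service any
set rulebase pbf rules Web-Out-Cable action forward egress-interface ethernet1/1 nexthop ip-address 203.0.113.1

# PBF rules are evaluated top-down. If the negate rule was created after the
# forward rule, move it to the top so it is matched first.
move rulebase pbf rules No-PBF-DSL-Hosts top
```

The ordering is the whole point: if `Web-Out-Cable` matches first, the reply traffic from 10.0.0.10 is forwarded out ethernet1/1 exactly as the post describes, and the inbound DSL service breaks. The two-VR alternative mentioned in the reply gives each WAN link its own routing table and default route instead of relying on a negate rule; it is a larger change and is not shown here.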