Yes, the incoming traffic comes through the correct interface (Y) whatever the source is, local ISP3 or global internet users, but the difference is that global users can browse it and their traffic goes out through the ISP1 interface (X) (asymmetrically)!! And ISP3 users can't browse it since the FW is dropping the packet. So why can global users browse it with asymmetric routes while local ISP3 users can't?
Hi,

I have a Palo Alto FW and 3 ISPs, and I'm using default routes (statically) with these values: ISP1 distance 5 (interface X), ISP2 distance 9, and ISP3 distance 15 (interface Y). I have a server with a NAT IP using the ISP3 subnet. The server is reachable from the global internet, but the users who are using ISP3 are unable to reach it. After some troubleshooting we did using traceroute, we found the following. What is the issue?

NOTE: we can't apply the following:
1- PBF
2- We can't update the route table statically for each user

Trace route from NATed server using ISP3 subnet toward user using ISP3:
Server --> Palo Alto outside interface (X) --> ISP1 --> ISP3 --> ISP3 USER

Trace route from user using ISP3 toward NATed server using ISP3 subnet:
USER --> ISP3 --> WAN Router --> Palo Alto outside interface (Y) --> drop

Trace route from NATed server using ISP3 subnet toward global Internet:
Server --> Palo Alto outside interface (X) --> ISP1 --> Global Internet --> 22.214.171.124 (example)

Trace route from global user toward NATed server using ISP3:
Global User --> Global Internet --> ISP3 --> reach to NATed server