How to Create Inbound NAT to a Single Server with 2 ISPs Without Using Symmetric Return
When a Palo Alto Networks firewall is connected to two or more service providers, inbound NAT for a server has to be configured differently, because traffic for the server may arrive through either ISP and the reply must leave through the same one.
For this example:
- Public IP address to be used from ISP "A" will be 184.108.40.206 and connected to Ethernet 1/1
- Public IP address to be used from ISP "B" will be 220.127.116.11 and connected to Ethernet 1/2
- Firewall's default gateway points to ISP "A"
A crucial requirement for this scenario is for the server to have two internal IP addresses. 172.16.1.10 and 172.16.1.11 will be used for this example.
An alternative is the symmetric return feature, which removes the need for multiple IP addresses on the server; see the following article for how to configure symmetric return for the same scenario:
NAT Rules

| Rule | Source | Destination | Translation |
|---|---|---|---|
| 1 | Untrusted Zone | 18.104.22.168 | Translate Destination IP to 172.16.1.10 |
| 2 | 172.16.1.10 | Untrusted Zone | Translate Source IP to 22.214.171.124 |
| 3 | Untrusted Zone | 126.96.36.199 | Translate Destination IP to 172.16.1.11 |
| 4 | 172.16.1.11 | Untrusted Zone | Translate Source IP to 188.8.131.52 |
Policy Based Forwarding (PBF) Rule

| Source | Destination | Action |
|---|---|---|
| 172.16.1.11 | Untrusted Zone | Action: Forwarding; Egress Interface: Ethernet 1/2; Next Hop: <ISP "B"s gateway IP> |
Create the security rules needed to allow traffic to and from the server, then commit the changes.
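As an added illustration (not Palo Alto Networks' own code or configuration), the following model traces one inbound session through the NAT rules and the PBF rule above and checks whether the server's reply leaves on the interface the request arrived on. It uses the public addresses from the ISP "A" and ISP "B" bullets and assumes the firewall's default route is the only thing choosing the egress interface when PBF does not match.

```python
# Added example, not Palo Alto Networks' own code: a small model of how NAT rules
# 1-4 and the PBF rule steer each reply back out through the ISP the request used.
ISP_A_PUBLIC, ISP_B_PUBLIC = "184.108.40.206", "220.127.116.11"
SERVER_A, SERVER_B = "172.16.1.10", "172.16.1.11"
DEFAULT_EGRESS = "ethernet1/1"          # default gateway points to ISP "A"
INGRESS = {ISP_A_PUBLIC: "ethernet1/1", ISP_B_PUBLIC: "ethernet1/2"}

# Rules 1 and 3 (destination translation) and rules 2 and 4 (source translation).
DNAT = {ISP_A_PUBLIC: SERVER_A, ISP_B_PUBLIC: SERVER_B}
SNAT = {SERVER_A: ISP_A_PUBLIC, SERVER_B: ISP_B_PUBLIC}
# PBF rule: traffic sourced from the second internal address egresses ethernet1/2.
PBF = {SERVER_B: "ethernet1/2"}

def reply_path(dst_public, use_pbf=True):
    """Model one inbound session to dst_public and the server's reply.
    Returns (ingress interface, internal address, reply egress, translated source)."""
    ingress = INGRESS[dst_public]
    internal = DNAT[dst_public]                       # rule 1 or 3 on the way in
    egress = DEFAULT_EGRESS                           # follow the default route...
    if use_pbf and internal in PBF:
        egress = PBF[internal]                        # ...unless PBF overrides it
    return ingress, internal, egress, SNAT[internal]  # rule 2 or 4 on the way out

def is_symmetric(dst_public, use_pbf=True):
    """True when the reply leaves on the interface the request arrived on, carrying
    the public address the client originally sent to."""
    ingress, _, egress, translated = reply_path(dst_public, use_pbf)
    return egress == ingress and translated == dst_public

def reply_egress_with_single_internal_ip(dst_public):
    """Why the server needs two internal addresses: if both public IPs translated
    to 172.16.1.10, the reply's source would look the same either way, so neither
    PBF nor source NAT could tell which ISP the request came through."""
    single_dnat = {ISP_A_PUBLIC: SERVER_A, ISP_B_PUBLIC: SERVER_A}
    internal = single_dnat[dst_public]
    return PBF.get(internal, DEFAULT_EGRESS)          # always the default route

if __name__ == "__main__":
    for ip in (ISP_A_PUBLIC, ISP_B_PUBLIC):
        print(ip, "with PBF:", is_symmetric(ip),
              "| without PBF:", is_symmetric(ip, use_pbf=False))
```

Without the PBF rule, the session that arrived through ISP "B" is answered out of ethernet1/1 with ISP "B"'s public address as its source, which is exactly the asymmetry the second internal address and the PBF rule exist to prevent.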