Palo Alto Networks Knowledgebase: How to Create Inbound NAT to a Single Server with 2 ISPs Without Using Symmetric Return


Created On 02/08/19 00:08 AM - Last Updated 02/08/19 00:08 AM
VPNs
Resolution

Details

When a Palo Alto Networks firewall is connected to two or more service providers, an inbound NAT rule has to be built differently, because inbound traffic for the server may arrive through either ISP and the reply must leave through the same ISP it came in on.

For this example:

  • Public IP address to be used from ISP "A" will be 1.1.1.1 and connected to Ethernet 1/1
  • Public IP address to be used from ISP "B" will be 2.2.2.2 and connected to Ethernet 1/2
  • Firewall's default gateway points to ISP "A"

A crucial requirement for this scenario is for the server to have two internal IP addresses. 172.16.1.10 and 172.16.1.11 will be used for this example.

An alternative is the symmetric return feature, which removes the need for multiple IP addresses on the server. See the following article for details on configuring symmetric return for the same scenario:

How to Configure Symmetric Return

NAT Rules

Rule Number | Source         | Destination    | Action
1           | Untrusted Zone | 1.1.1.1        | Translate Destination IP to 172.16.1.10
2           | 172.16.1.10    | Untrusted Zone | Translate Source IP to 1.1.1.1
3           | Untrusted Zone | 2.2.2.2        | Translate Destination IP to 172.16.1.11
4           | 172.16.1.11    | Untrusted Zone | Translate Source IP to 2.2.2.2

Policy Based Forwarding (PBF) Rule

Source      | Destination    | Forwarding
172.16.1.11 | Untrusted Zone | Action: Forward
            |                | Egress Interface: Ethernet 1/2
            |                | Next Hop: <ISP "B"'s gateway IP>

The PBF rule is what sends replies from the second internal address out through ISP "B" instead of following the default route to ISP "A"; without it, NAT rule 4 would translate the reply source to 2.2.2.2 but the packet would still leave via Ethernet 1/1.

Security Rules

Create the necessary rules to allow traffic to/from the server and commit the changes.
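The following is an added example, not part of the original article and not PAN-OS code: a small Python model of the four NAT rules and the PBF rule above, used to trace one inbound connection to each public address and the server's reply. It shows why the second internal address and the PBF rule are needed, by reporting whether the reply leaves on the interface that owns its translated public source (symmetric) or falls through to the default route to ISP "A". The ISP gateway addresses, the client address and the zone names "Trusted Zone"/"Untrusted Zone" are constructed placeholders.

```python
"""Constructed model of the article's inbound NAT + PBF design (not PAN-OS code)."""
from dataclasses import dataclass, replace

# Which firewall interface owns each public address (from the article).
PUBLIC_IP_INTERFACE = {"1.1.1.1": "ethernet1/1", "2.2.2.2": "ethernet1/2"}
# Constructed placeholder gateways; the article does not give the ISP gateway IPs.
ISP_A_GATEWAY = "203.0.113.1"
ISP_B_GATEWAY = "198.51.100.1"
# The firewall's default gateway points to ISP "A".
DEFAULT_ROUTE = ("ethernet1/1", ISP_A_GATEWAY)


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str


# NAT rules 1-4 from the article, evaluated top-down, first match wins.
NAT_RULES = [
    {"name": 1, "match": {"src_zone": "Untrusted Zone", "dst_ip": "1.1.1.1"},
     "translate": {"dst_ip": "172.16.1.10"}},
    {"name": 2, "match": {"src_ip": "172.16.1.10", "dst_zone": "Untrusted Zone"},
     "translate": {"src_ip": "1.1.1.1"}},
    {"name": 3, "match": {"src_zone": "Untrusted Zone", "dst_ip": "2.2.2.2"},
     "translate": {"dst_ip": "172.16.1.11"}},
    {"name": 4, "match": {"src_ip": "172.16.1.11", "dst_zone": "Untrusted Zone"},
     "translate": {"src_ip": "2.2.2.2"}},
]

# The single PBF rule from the article: traffic sourced from 172.16.1.11 leaves via ISP "B".
PBF_RULES = [
    {"match": {"src_ip": "172.16.1.11", "dst_zone": "Untrusted Zone"},
     "egress": "ethernet1/2", "next_hop": ISP_B_GATEWAY},
]


def _matches(pkt, match):
    """A rule matches when every field it specifies equals the packet's field."""
    return all(getattr(pkt, field) == value for field, value in match.items())


def apply_nat(pkt, rules=NAT_RULES):
    """Return (translated packet, number of the matching NAT rule or None)."""
    for rule in rules:
        if _matches(pkt, rule["match"]):
            return replace(pkt, **rule["translate"]), rule["name"]
    return pkt, None


def choose_egress(pkt, pbf_rules=PBF_RULES):
    """PBF is consulted first; otherwise the default route towards ISP "A" is used."""
    for rule in pbf_rules:
        if _matches(pkt, rule["match"]):
            return rule["egress"], rule["next_hop"]
    return DEFAULT_ROUTE


def inbound_and_reply(public_ip, client_ip="192.0.2.50", pbf_rules=PBF_RULES):
    """Trace one inbound connection to public_ip and the server's reply through NAT and PBF."""
    inbound = Packet("Untrusted Zone", "Untrusted Zone", client_ip, public_ip)
    to_server, dnat_rule = apply_nat(inbound)
    # The server answers from whichever internal address the connection arrived on.
    reply = Packet("Trusted Zone", "Untrusted Zone", to_server.dst_ip, client_ip)
    egress, next_hop = choose_egress(reply, pbf_rules)  # PBF sees the pre-NAT reply
    translated_reply, snat_rule = apply_nat(reply)
    # Symmetric: the reply leaves on the interface that owns its translated public source.
    symmetric = PUBLIC_IP_INTERFACE[translated_reply.src_ip] == egress
    return {"server_ip": to_server.dst_ip, "dnat_rule": dnat_rule, "snat_rule": snat_rule,
            "reply_src": translated_reply.src_ip, "egress": egress,
            "next_hop": next_hop, "symmetric": symmetric}


if __name__ == "__main__":
    for ip in ("1.1.1.1", "2.2.2.2"):
        print(ip, "with PBF    ->", inbound_and_reply(ip))
        print(ip, "without PBF ->", inbound_and_reply(ip, pbf_rules=[]))
```

Running the block with the PBF rule removed (`pbf_rules=[]`) reproduces the failure the design avoids: the reply to a connection that arrived via 2.2.2.2 is source-translated to 2.2.2.2 by rule 4 but exits Ethernet 1/1 towards ISP "A", so the upstream provider sees a packet sourced from an address it does not own.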

owner: jteetsel

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKcCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail