topic Re: static nat single host to multiple ISP IP's for failover in Firewall and Security Management

static nat single host to multiple ISP IP's for failover

Sagar_Manandhar — Fri, 08 Apr 2022 03:52:57 GMT

Hi,

I am trying to NAT single host statically to 2 different ISP for failover purpose for publicly hosted servers . Is it possible using manual NAT? Guide me on this... Thanks in advance

Re: static nat single host to multiple ISP IP's for failover

Chris_Atkinson — Fri, 08 Apr 2022 06:20:54 GMT

Using manual NAT this should be straight forward, are you using the ISP redundancy feature?

The only caveat that I can think of otherwise is that you'll likely need some PBR (source routing) or similar for the return traffic.

Re: static nat single host to multiple ISP IP's for failover

Wolfgang — Fri, 08 Apr 2022 08:22:58 GMT

With ISP redundancy enabled the return traffic will be no problem. Outgoing return traffic is sent via the same interface from incoming.

Re: static nat single host to multiple ISP IP's for failover

Sagar_Manandhar — Mon, 11 Apr 2022 08:19:36 GMT

we are using load sharing in our environment and PBR doesn't work in this scenario. Is their any alternative solution for this?

Re: static nat single host to multiple ISP IP's for failover

Wolfgang — Mon, 11 Apr 2022 08:56:55 GMT

for incoming connections only (your webserver will be reachable via 2 external IPs) you have to define two manual NAT rules

Re: static nat single host to multiple ISP IP's for failover

Sagar_Manandhar — Wed, 13 Apr 2022 03:49:46 GMT

Is there any solution for outgoing traffic so that if single nat fail, nat automatically switch to another in load sharing environment.

Re: static nat single host to multiple ISP IP's for failover

Wolfgang — Wed, 13 Apr 2022 06:39:52 GMT

@Sagar_Manandhar maybee you can provide more details of your use case.

With the shown NAT rules your internal webserver can be reached via the IP address from ISP_A and via the IP address from ISP_B. Both are active at all the time. The return traffic from your webserver will be routed through the same ISP as it coming in. An incoming packet via ISP_A will be forwarded to your webserver and the return packet will be send out via ISP_A. This is how ISP redundancy works.

You have to define both external IPs in the external DNS for name resolution of your webserver. In case one of the ISPs is failing the failing ISPs external IP address has to be removed from this DNS record. If you want to have an automatic change of the DNS records you can use DNS proxy feature of ISP redundancy.

But I would prefer an external solution to check the availability of your ISPs and route the traffoc to the right incoming site. Something like Azure Traffic Manger as an example, they can probe your webserver via both ISPs and change DNS following the availability.

Re: static nat single host to multiple ISP IP's for failover

Chris_Atkinson — Wed, 13 Apr 2022 06:58:13 GMT

Agreed, the problem statement should be clarified. It still remains unclear if ISP redundancy (check point feature as different to the concept is being used here).

Provider independent addressing and a GTM solution would certainly help!