Peter_Nugent
Participant

ISP Redundancy with Hide NAT

Hi guys,

I'm tasked with implementing ISP redundancy at one of our sites running ClusterXL on a pair of 4800s R77.30. I read through the SKs and the Static NAT implications but am wondering how hide NAT will work for subnets that are hidden behind specific public IPs i.e. not the gateways address. Will I need to remove the auto NAT and create equivalent manual rules for each ISP?

Thanks in advance,

Peter

11 Replies
PhoneBoy
Admin

Honestly, I'm not sure how you'd create manual HIDE NAT rules for each ISP in this situation (though maybe I'm wrong).

The only thing I know works is hiding behind the gateway's external IP on each ISP. 

Peter_Nugent
Participant

Thanks Dameon, I can probably revert them to hide behind the gateway so it's not too much of an issue. The goal posts have shifted now too: the business is looking to implement some form of PBR and dedicate the second link to voice and AV-related traffic.

Are ISP redundancy and PBR mutually exclusive? I know I can edit the table.def for specific services and tie them to the primary, but I need to allow a couple of internal subnets to use the backup link rather than specific services.

PhoneBoy
Admin

PBR and ISP Redundancy features are mutually exclusive.

Peter_Nugent
Participant

I thought as much but was hoping otherwise! If I'm using PBR and a link fails, and I have the correct hide NAT rules in place for both ISPs, would manually changing the default route to the second ISP work, or is ISP redundancy doing much more behind the scenes? Or am I going about this all wrong? How would you achieve this?

PhoneBoy
Admin

PBR and ISP Redundancy do basically the same thing using slightly different mechanisms, which is why they are incompatible.

ISP Redundancy does change the default route depending on link state, using the script $FWDIR/bin/cpisp_update on the gateway (which you can modify).

The way you create HIDE NAT rules in both situations is described here (using Automatic NAT rules): Connections that go out the Secondary ISP are NATed behind the IP address of the interface that face... 

See also (for NAT rules with PBR): Policy Based Routing rules matching NATed source address do not work 
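An added illustration (my own, not Check Point's code or anything posted in the thread) of why hiding behind the egress interface address survives a failover while a fixed public hide IP does not. Addresses are constructed, `choose_egress` is a toy Active/Backup selector standing in for what cpisp_update does with the default route, and `return_path` asks which ISP would route the reply back.

```python
import ipaddress
from typing import Optional

# Constructed lab values, not taken from the thread: each ISP-facing interface
# owns a public IP, and each public prefix is routed back to us only by its ISP.
ISP_IFACES = {"isp1": "198.51.100.10", "isp2": "203.0.113.10"}
PUBLIC_ROUTES = {"198.51.100.0/24": "isp1", "203.0.113.0/24": "isp2"}


def choose_egress(default: str, link_up: dict) -> Optional[str]:
    """Active/Backup: stay on the default ISP while its link is up, otherwise
    fail over to any other ISP whose link is up (None when all are down)."""
    if link_up.get(default):
        return default
    for name, up in link_up.items():
        if up:
            return name
    return None


def hide_address(egress: str, policy: str) -> str:
    """policy 'interface' hides behind the egress interface's own IP (the
    Automatic NAT behaviour); any other value is a fixed public hide IP."""
    return ISP_IFACES[egress] if policy == "interface" else policy


def return_path(hide_ip: str) -> Optional[str]:
    """Which ISP carries the reply, i.e. who routes the hide IP back to us."""
    addr = ipaddress.ip_address(hide_ip)
    for prefix, isp in PUBLIC_ROUTES.items():
        if addr in ipaddress.ip_network(prefix):
            return isp
    return None


def simulate(policy: str, link_up: dict, default: str = "isp1") -> dict:
    """Pick the egress ISP, apply the hide NAT policy, classify the return path."""
    egress = choose_egress(default, link_up)
    if egress is None:
        return {"egress": None, "nat_ip": None, "result": "no path"}
    nat_ip = hide_address(egress, policy)
    back = return_path(nat_ip)
    if back is None:
        result = "reply unroutable"
    elif back == egress:
        result = "symmetric"
    elif link_up[back]:
        result = "asymmetric"
    else:
        result = "reply lost (return ISP down)"
    return {"egress": egress, "nat_ip": nat_ip, "return_isp": back, "result": result}
```

With the interface policy the hide address follows the egress link, so both normal operation and failover come back symmetric; with a fixed hide IP out of the primary ISP's range, traffic leaving via the secondary either returns asymmetrically or is lost when the primary link is down.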

Vladimir
Champion

Somewhat relevant question: in case ISP redundancy is being used with Hide NAT behind the gateway, in a cluster HA environment, what is the best way to implement it?

One ISP to each HA member's non-clustered, monitored interface?

What then should be configured as the VPN link selection (in both R77.30 and R80.10)?

I seldom encounter this requirement, as in larger installations this is achieved via BGP on a pair of ISP-facing routers, but when working with smaller clients this does come up.

There is no possibility of egress load balancing with ISP redundancy, correct?

Peter_Nugent
Participant

My understanding is that once the Hide NAT is configured on the object and applied to the firewall cluster object, the cluster figures out the correct address to NAT the traffic onto depending on the interface; see Dameon's Hide NAT link above. Also, ISP redundancy has two modes of operation, Active/Backup and Load Sharing, so that should achieve basic egress load balancing.

Sal_Previtera
Contributor

With any type of NAT, you are only controlling outbound traffic, so there is a possibility of asymmetric routing.

Outbound traffic will go out one ISP and return traffic will come in the other ISP.

To better handle internet traffic you may want to implement BGP routers, where you can still control outbound traffic with LOCAL-PREFERENCE (to whichever ISP) and inbound traffic with AS-PATH prepending, by advertising to the outside world the cost associated with each ISP: slower ISP, higher cost.

Assuming that one ISP is better than the alternate ISP...

Vladimir
Champion

Sal,

Wholeheartedly agree on the preference for BGP. Unfortunately, smaller shops often do not have a class C to work with, and that's where the requirement for ISP redundancy most often comes from.

Peter_Nugent
Participant

Hi guys,

Just to give a quick update: this is in place and being tested for a couple of subnets at the moment. I'd love to have BGP at this site, but unfortunately the size doesn't justify it. One quirk I found with PBR is that you lose the connected routes as well; this isn't specifically called out in the documentation, so it needs to be factored into the deployment. Thanks again for all the comments and assistance.

Peter

Nishant12
Explorer

Having problems with ISP redundancy in Active/Backup mode.

Two GRE tunnels were created, one via each ISP, where the firewall is only doing NAT. Manual NAT is created.

Auto NAT will not work, as NAT needs to be done from an IP other than the interface IP, so we have put in proxy ARP and created the manual NAT.

The problem is that when one ISP goes down the tunnel is not coming up; traffic is going out from the primary ISP even though the interface of the primary ISP is down.
