Palo Alto multiple ISP

I have an in-production Palo Alto 3050. I just got a secondary ISP, for free no less, from AT&T. I would like to send traffic from specific hosts over the secondary AT&T line.
Steps so far:
Current ISP gateway is 50.50.50.1 (example IP address)
AT&T gateway is 100.100.100.1/24 (example IP address)
I have created a zone for AT&T, I have connected the AT&T equipment to interface 1/12 and given 1/12 100.100.100.2/24. I have created a virtual router and added interface 1/12 to it and added a static route for 0.0.0.0/0 to 100.100.100.1. I have added a security policy for zone inside with my specific server's IP address. I created an ATT PAT pool with source inside to destination ATT and my specific server's IP address. I created a PBF rule to send anything from my specific server's IP address out interface 1/12.
For the life of me I cannot make...
This topic first appeared in the Spiceworks Community

Hello all hope everyone is having a good day. I'm having some issues with a loop in my script. I know I'm opening myself up here, but what is wrong with this picture?
Powershell
    #Prompt for and validate existence of the old profile
    $Old = Read-Host "Please enter old profile name"
    $TestOld = Test-Path C:\Users\$old
    Do
    {
        If ($testold)
        {
            Write-Host "Profile exist"
        }
        Else
        {
            Write-Host "Profile doesn't exist"
            $Old = Read-host "Please enter a valid profile name"
        }
    }
    While ($testold -eq $false)
What's happening is if the correct name is entered the rest of the script works. If the wrong name is entered it prompts for the correct one but the variable doesn't set. I've tried using Clear-Variable before prompting the second time but keep getting stuck in a loop.
Powershell
    Clear-Variable $old
    Clear-Variable -Name old
Those are the two ways I've tried. The...
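A validation loop of the kind the post is after, written here as an added example rather than code from the post: it calls Test-Path on every pass through the loop instead of reusing a value computed once before it, and it only accepts a plain folder name so that input such as `..\..\Windows` cannot point the script outside the profile root. The profile root `C:\Users` is an assumed value.

```powershell
# Added example: re-validate the profile path on every iteration.
# The profile root is an assumption; adjust it for the target system.
$ProfileRoot = 'C:\Users'

function Test-ProfileName {
    param([string]$Name)
    # Reject empty input and anything that is not a bare folder name,
    # so '..\..\Windows' or 'C:\Temp' cannot escape the profile root.
    if ([string]::IsNullOrWhiteSpace($Name)) { return $false }
    if ($Name -ne (Split-Path -Path $Name -Leaf)) { return $false }
    if ($Name -in '.', '..') { return $false }
    # Test-Path runs here on each call, not once before the loop,
    # so a corrected answer from the user is actually checked.
    $Candidate = Join-Path -Path $ProfileRoot -ChildPath $Name
    return (Test-Path -LiteralPath $Candidate -PathType Container)
}

$Old = Read-Host "Please enter old profile name"
while (-not (Test-ProfileName -Name $Old)) {
    Write-Host "Profile '$Old' doesn't exist under $ProfileRoot"
    $Old = Read-Host "Please enter a valid profile name"
}
Write-Host "Profile exists: $(Join-Path -Path $ProfileRoot -ChildPath $Old)"
```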

Similar Messages

  • WLC Guest Setup thru Palo Alto Firewall

    We currently have a Guest wireless setup at my company; instead of using an anchor controller we have dual controllers with each having one interface connecting out into our DMZ and then going out.  It's a pure L2 connection and exits out to the internet via a DMZ interface on our ASA.  We recently purchased a PA-200 Palo Alto firewall to use for this Guest network, and configured everything exactly how it's already set up on our DMZ switch and ASA with the same IP addresses.  When we connect the outside interfaces from the controller to a L2 switch that's connected to the Palo Alto firewall we can't get DHCP requests thru and have no connectivity; even if we set a static IP on our client we still have no connectivity and it won't redirect us.  We use Web-Auth for our authentication with this network and I know once you get an IP address it will only allow DNS to redirect to the virtual IP for authentication before it allows anything else, but it is the exact same setup as we had before just with a different firewall so I'm stuck.  Also if I plug directly into the switch via ethernet cable I can get an IP address and get out to the internet.  Is there anyone who has experience with this type of setup, or might know what I need to allow on the firewall for it to work?  I've attached a diagram of the basic topology we have set up.
    Thanks

    Hi Rod
    Your WLC interface and PA interface config look correct. I assume you have policy rules on the PA to permit traffic from your guest zone to the destination. You will also require a policy on the PA to permit traffic from the guest zone to the guest zone, as the default route for the subnet is on the PA and any traffic to the IP is filtered by the policies.
    I have my WLC doing DHCP for my guest subnet; as your guest SSID/VLAN is probably centrally switched on the WLC, it's the easiest way to do this. The PA has no DHCP helper function as far as I am aware and I've never tried passing DHCP requests through a PA via a centrally switched SSID. I assume 10.118.6.112 is the management IP of your controller? If it's not, try changing the IP to your controller management IP if you're not getting DHCP.
    I'm not sure how your guest system works, but I have an SSID which has a web-auth policy forwarding the guest auth to an authentication server with a web console which then passes a RADIUS auth session back to the WLC.
    Do you have any other SSIDs configured to use that physical port on the WLC? Even if they're HREAP and not using the interface.
    Do you also have the web policy configured correctly on the SSID? I assume you want the browser to redirect to the guest web login page when they connect to the SSID. Are you using an external server for this or the WLC?

  • Palo Alto NetConnect not working in Mountain Lion, anyone else having this issue?

    I use Palo Alto NetConnect to access a VPN and it always worked fine with Mac OS X 10.6 & 10.7. I updated to Mountain Lion almost immediately after release and the client no longer connects. Is there anyone who has encountered this issue and knows how to fix it? It's very important for my daily use and without it I'll have to downgrade back to Lion.
    -Chris

    Hi 2themax11
    Still no update from PA Networks - it is like they are in total denial that Mountain Lion exists!
    The Cisco app works but only just and is very slow; I think that may be more to do with us than the use of the app. Bear in mind we used to use the Cisco service and so it is not something I had to set up from scratch, but it is not something our network team are happy about as this service was buried and was not supposed to be supported any more.
    I am also using a Cisco SSL WebVPN for accessing our intranet etc.; it is a quicker fix for a few things. Like you I am now using 2 laptops...one is an old Dell...it is horrible!

  • Lumira Hands-On Workshop Coming Up in Palo Alto, USA - June 26th

    Hello  Everyone,
    Due to popular demand for a Lumira hands-on training, we are holding our next one in Palo Alto on June 26th!
    Workshop details and registration link are available here.
    Alternately, you can register by sending an email to [email protected] with the Subject Line – “Registration request for Lumira Workshop – June 26th“. 
    The workshop is free of cost and open to everyone interested. Please note that this is an on-premise workshop and a remote option is not available. We will be running out of capacity soon, hence reserve your spot today! Finally, please feel free to pass this along to anyone who might be interested.
    Cheers!
    Ruchi

    I took one of their classes in London and it was an excellent class - very hands on, 2 - 3 hrs of lecture a day, and lots of hardware, lab time!!! I also saw an email from Jesse T who said he knows the instructor and said he was EXCELLENT. Jesse's response was in the ims-alias this morning I think. Trust me you won't regret it. Also I saw another email saying he is going to have a workshop in Europe, so if you are interested, let them know :-)

  • Multiple ISPs & single IP/MPLS/ADSL infrastructure

    Actually very soon we'll have an IP/MPLS core network with ADSL access network.
    What we are going to do is to make several ISPs to use the IP/MPLS core in order to provide internet to their users.
    Can we configure an MPLS VPN for each Service Provider so that it can support the ADSL users from its own backbone? (I suppose that the MPLS VPN will span several cities, and it will be secure and totally separate from other ISPs' MPLS VPNs.)
    If so, can an ADSL user choose the ISP that he wants, or will the ADSL port be dedicated to a specific ISP?
    Could you provide me with examples for multiple ISPs that use the same IP/MPLS/ADSL infrastructure & what are all the existing (already applied in the real world) scenarios?
    Thank You in advance

    Mike,
    You can definitely do what you described. Actually I am a network engineer for an ISP that uses exactly that service from a carrier. There are at least 10 more ISPs that share this MPLS core to reach that carrier's DSL customers.
    There are a few ways I know to do this while enabling users to select their ISP:
    Use PPPoE or PPPoA for the DSL users. Get those DSL users to terminate at your BRAS (which should also be a PE in some of the options, for example a 7301 router stack). From this point the solution divides into two options:
    1. This option is faster but not so scaleable.
    In this option you terminate the PPP sessions, send a RADIUS request to your RADIUS server that by the domain name recognizes which ISP the customer belongs to (for example [email protected] vs [email protected]), and forward the request to that ISP's RADIUS, which then authorizes it and within the response sends a VRF selection. Then the user belongs to that VRF on your network that belongs to that ISP.
    In this option one DSL user can have several ISP accounts and switch between them by changing the credentials in his PPP software.
    2. This option requires a more complex system from the ISP but gives him much greater control over his subscribers and saves you a hell of a management burden. This option begins like the previous one with a PPPoE/PPPoA session coming from the DSL users to your BRAS (which doesn't need to be a PE but rather a CE); however, this time the BRAS is configured not to terminate the PPP sessions but to map them (by the domain name) to L2TP tunnels which will terminate in the ISP BRAS. In this scenario all ISPs can share the same VRF since they get the L2TP/PPP separation of each user session.
    It gives the ISP many advantages like controlling the addressing, applying services etc. Again users can switch between ISPs by changing the username@domain in their PPP software.
    The third option is based on service selection devices like Cisco SSG. In this option you can use the ADSL in 1483B mode (Cisco RBE for example). The service selection device is the one that terminates the ATM PVCs from the DSLAM. When the user is trying to access the internet he is presented with a captive web page where he is required to authenticate with his ISP. This authentication request is then proxied to the right ISP (again by the domain) which replies with a RADIUS response that includes the VRF assignment. Again users can switch between ISPs any time.
    I hope this helps.
    If you require further clarifications you are welcome to contact me at: [email protected]
    BR
    Amos Rosenboim

  • Multiple ISPs

    I have multiple ISPs: one is Cable and the other is a bonded T-1 on the carrier's side. I have 2 5525-X ASAs and want to configure Active/Active failover. Would I need to enable multiple context groups inside the Active/Active configuration to allow multiple ISPs?
    How would this normally be done?
    I want to use the 2nd ISP as my wireless guest network since it is a slower network. 

    It's more difficult to load balance between ISPs without owning your public networks and ASN.  Aside from using multiple contexts, you could try using 2 independent firewalls, but put a router (or pair of routers with HSRP) on the inside interface of the firewalls to act as a gateway for clients.  You would then divide the source networks up and use a route map to send traffic from network A to firewallA/gatewayA and network B to firewallB/gatewayB.  That way all return traffic would also be load balanced.  However, this wouldn't address any traffic sourced from the Internet to sites you might be hosting.  If you are hosting public sites, I don't see any way to load balance that traffic without using BGP, except for LISP possibly.  And to have failover, you'd need to enable tracking in your route map so if one of the firewalls would suffer a hardware failure or an ISP goes down you could then use the 2nd firewall/ISP.  This however, would not provide for stateful failover, such as that provided by a failover pair configuration on the firewalls.
    http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/locator-id-separation-protocol-lisp/qa_c67-582925.html

  • Cisco ASA packet-tracer Palo Alto equivalent

    Hi All
    Does anyone know if the Palo Alto 3020 boxes have an equivalent feature to the Cisco ASA Packet-tracer ?
    many thanks

    I have used the "test security-policy-match" CLI command which identifies the specific policy rule a source/destination traffic pair matches against.  You need to make sure you specify all fields (zone, src/dst network, protocol and ports).

  • L2L vpn with Palo Alto Firewall

    I am setting up an L2L tunnel with a Palo Alto firewall and having trouble.  It is a fairly simple setup: we are encrypting public to public traffic for SFTP upload from the ASA side.  Here are the relevant parts of the config and various outputs...  The remote side admin states that phase 1 passes and we experience a timeout waiting for phase 2.  Any help would be appreciated.
    1.1.1.1 (customer2 destination address)
    1.1.1.2 (customer2 vpn gateway)
    2.2.2.0 (local public ip space)
    name 1.1.1.1 CustomerVPN2 description Customer VPN2
    access-list Inside_nat0_outbound extended permit ip 2.2.2.0 255.255.255.240 host CustomerVPN2
    access-list Outside_4_cryptomap extended permit ip 2.2.2.0 255.255.255.240 host CustomerVPN2
    crypto map Outside_map 4 match address Outside_4_cryptomap
    crypto map Outside_map 4 set connection-type originate-only
    crypto map Outside_map 4 set peer 1.1.1.2
    crypto map Outside_map 4 set transform-set ESP-AES-256-SHA
    crypto isakmp policy 50
    authentication pre-share
    encryption aes-256
    hash sha
    group 2
    lifetime 86400
    tunnel-group 1.1.1.2 type ipsec-l2l
    tunnel-group 1.1.1.2 ipsec-attributes
    pre-shared-key *
    sh crypto isakmp (notice listed as type:user)
    8   IKE Peer: 1.1.1.2
        Type    : user            Role    : initiator
        Rekey   : no              State   : MM_WAIT_MSG2
    debug crypto ipsec (Looks like it tries all crypto maps except the relevant one)
    IPSEC(crypto_map_check): crypto map Outside_map 1 does not hole match for ACL Outside_1_cryptomap.
    IPSEC(crypto_map_check): crypto map Outside_map 2 does not hole match for ACL Outside_2_cryptomap.
    IPSEC(crypto_map_check): crypto map Outside_map 3 does not hole match for ACL Outside_3_cryptomap.
    IPSEC(crypto_map_check): crypto map Outside_map 3 does not hole match for ACL OO_temp_Outside_map3.
    and finally.
    Oct 03 10:39:09 [IKEv1]: IP = 1.1.1.2, Removing peer from peer table failed, no match!
    Oct 03 10:39:09 [IKEv1]: IP = 1.1.1.2, Error: Unable to remove PeerTblEntr

    Thanks Lee and Manish
    I have no access to the Palo Alto logs.  I am working with the admin at the other end and this is what he said.  I used the real IPs because it was getting too confusing...
    I figured out what is wrong.  It didn’t click at first but because my firewall uses “route-based” VPNs as opposed to the “policy-based” VPNs on an ASA, I need to specify a route for your source address(es) which is 66.x.x.48/28.  The issue with that is when my gateway tries to respond to your gateway IKE packets, it is trying to send it over the route that I specified, since 66.x.x.62 is included in this network, and the firewall tries to send the IKE response packets over the tunnel that doesn’t exist.  I changed the route to be 66.x.x.48/32 and it was successful with IKE phase 1 but fails on phase 2 because it is sourcing from 66.x.x.62/32.
    So long story short of what we need to do.  Either you need to NAT your internal address to a different public IP on that firewall or I can assign you a transit network IP (such as 192.168.74.55 or something) and you would NAT that internal address to that transit IP
    Not sure how to translate the traffic for this vpn without changing the global nat, it looks like policy nat is the solution.

  • Load balancing Internet and Site to Site VPN's across Multiple ISP.

    Hi Everyone,
    We are currently connected to a single ISP with different Internet related services like mail, web, DNS and IPsec site to site VPNs running. We would be adding another ISP and do load balancing across these multiple links. We are using a Cisco ASA firewall.
    Can anyone suggest a load balancer which can not only provide load balancing of the links but failover as well for mail, web and IPsec Site to Site VPNs? I came across Peplink that can achieve this but I guess I will have to decommission our ASA in order to install Peplink.
    Check attached diagram, this will be our proposed design.
    Regards

    Hi Sundeep,
    The simplest solution would be to put an IOS router (or two with HSRP) between the ASA and the ISPs and do policy-based routing for your flows between the 2 ISPs. Otherwise, any load balancer should work fine with the ASA. If failover of the load balancer is a requirement, you'll need to look at product specific documentation for whichever solution you choose.
    -Mike

  • Cisco PIX 515E multiple ISP support in a VPN scenario

    I am currently running a Cisco 7.2 OS on a Cisco PIX 515E appliance. I have terminated two ISP links in the two ports, and I also have an inside network (LAN). I want to establish 2 Site-Site VPN tunnels using each one of these ISP links respectively (Site 1 on ISP link 1 && Site 2 on ISP link 2).
    Is this possible to achieve??

    Hello,
    This should work. Route the remote endpoint for site 1 out link 1 (using a static route) and for site 2 out link 2 (using a static route) and that should do it.
    Return traffic should work, assuming both ISPs aren't advertising the networks your interfaces are on via BGP (i.e., you don't want return traffic from site one coming down the link to site 2 because that ISP is advertising that AS as well.)
    --Jason

  • Load Balancing with ASR9000 vN and multiple ISPs

    Hi,
    we will deploy a new DC as Active/Active.
    We will have ISP A and ISP B in each DC. Internet users are anybody on the internet coming to our e-commerce DC application.
    How could we do load balancing between ISPs using the ASR9001 and the nV feature?
    Is there any IOS-XR feature that could help us do load balancing between ISPs?
    Thanks a lot.
    Regards,
    J

    You have 2 options here Jordi. Either you can use BGP load balancing; this requires multipath, as BGP by default would only install one route from the BGP table to the RIB and hence the FIB.
    But this may result in excessive IRL (inter rack link) usage in the cluster when traffic coming in on rack0 wants to take the BGP path out on rack1.
    You could also use ABF (access-list based forwarding) to forcibly push traffic received on rack0 out on the link on rack0 and use an IP SLA tracker to fall back to rack1 in case the uplink is gone.
    Alternatively, extend this by IGP signaling to redirect traffic preferably to rack1 to start with, to minimize the IRL usage.
    And then you also have the ability to use RPL in the uplink path to make one link more preferred on the internet than the other, in case you want to control a bit which link is preferably used on rack0 or rack1.
    regards
    xander

  • Multiple ISP load balancing

    Hi All,
    I am having three ISP links at a location and I want to use all of them for my outgoing Internet traffic. Can anyone help me with how I can accomplish this?
    Thanks
    SS

    What is the routing protocol used in your router?
    Are all three links connected to a single router?
    Generally, if you add three default routes to three links with the same AD, it does equal cost load balancing. Also if CEF is running, by default, it does per destination load balancing.

  • Multiple ISP connection on TMG

    Hi, guys
    We have three ISP connections. How could I configure it to control which traffic goes out via which ISP connection?
    Nice Day

    Hi,
    Based on my knowledge, TMG cannot support more than two ISP connections. Meanwhile ISP redundancy can only help you load balance but not select routing path.
    http://technet.microsoft.com/en-us/library/ee796231.aspx#ISPRedundancyIssues
    Best Regards
    Quan Gu

  • PBR using multiple ISP's on 6509

    I want to use one ISP for the outgoing traffic for a specific VLAN. If that ISP fails or BGP fails, will the outgoing traffic from that VLAN take the other ISP link?

    Mostly the answer to your questions depends on how you have configured PBR.
    In the most simple case where you have just configured PBR and set the next hop, if the router knows that the next hop is not available then it does not do PBR and will just use the default routing. This probably works OK if the next hop is over a point to point serial interface. Otherwise you probably need to get involved with PBR verify-reachability (which gets you into IP SLA etc).
    If the router does recognize that the PBR next hop is not reachable (which may require tracking and IP SLA) then the traffic will just use the normal routing table logic.
    HTH
    Rick

  • Multiple ISP's and NAT

    I need to configure NAT with two ISPs on an 1841 modular router with a 4-port ethernet switch HWIC running IOS 12.4T advanced security/k9. My customer has one DSL connection and one RoadRunner connection. I'm confused about how to configure NAT so that the translations are divided amongst the two outside interfaces. The two external IP networks are disjoint. Here's the relevant information:
    DSL connection: outside
    IP:68.37.58.165/29 GW:68.37.58.166
    RR connection: outside
    IP:71.60.171.66/30 GW:71.60.171.65
    Vlan: inside
    IP:192.168.128.1/24
    I've configured enhanced object tracking to set routes based on whether one or both of the connections to the internet are alive.
    The problem that I'm experiencing is that the translations are always initiated through one of the interfaces even if that interface is down. When that happens the inside hosts can't see the internet, even though there is a static route installed in the router via object tracking and pinging from the router works fine.
    I've tried several things, and am just about ready to pull out what little hair I have left.
    I think I may have to bounce the packets off a loopback interface in order to get it to work right. I've even tried that, but I may have configured it incorrectly.
    Please help!

    Hi Brian,
    So what you want is that all traffic moves out from one serial interface and if that goes down the traffic should move out from another serial interface, right? Also once the traffic moves out from another interface the NAT statement should change obviously, because the WAN interface has a different IP because of different subnets?
    If I am right you need to kinda test the interface if it is up and then apply the NAT.
    Something like this:
    route-map NAT-DSL permit 10
     match interface s0/0
    route-map NAT-RR permit 10
     match interface s0/1
    ip nat inside source route-map NAT-DSL interface Serial0/0 overload
    ip nat inside source route-map NAT-RR interface Serial0/1 overload
    Regards,
    Ankur
