NAT Destination from 2 ISPs in Juniper SRX345

  • 1.  NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-29-2021 10:18
    Hi, I posted something about "Connecting into 2 Different ISP from SRX345" before.

    But it only solved NAT Source to the Internet, because when I try to NAT Destination one of my IPs to public, it doesn't work. Do I have to use a virtual-router routing instance instead of a forwarding routing instance? So I can NAT Source and Destination for segments 1.x and 2.x to ISP A using virtual-router routing instance 1, and then NAT Source and Destination for segments 3.x and 4.x to ISP B using virtual-router routing instance 2?

    Please help me. 
    Thanks.

    This is the config file from my current SRX345 using Forwarding Routing Instance

        nat {
            source {
                pool FMS-MOON-ISAT-2 {
                    description FMS-MOON-ISAT-2;
                    address {
                        114.7.229.97/32 to 114.7.229.97/32;
                    }
                }
                rule-set Production-to-Transmission-1 {
                    description Production-to-Transmission-1;
                    from zone Production;
                    to zone Transmission-1;
                    rule FMS-ACCESS {
                        match {
                            source-address 192.168.4.0/24;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }

        policies {
            from-zone Transmission-1 to-zone Production {
                policy Transmission-to-Production {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Production to-zone Transmission-1 {
                policy Transmission-to-Production {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Production {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ssh;
                                http;
                                https;
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone Transmission-1 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/3.0;
                }
            }
        }
    interfaces {
        ge-0/0/0 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 114.4.249.170/24;
                }
            }
        }
        ge-0/0/1 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 192.168.10.254/24;
                }
            }
        }    
        ge-0/0/3 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                description Internet-2;
                family inet {
                    address 114.7.241.90/30;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet transmission-isat-2;
        }
        static {
            route 0.0.0.0/0 next-hop 114.4.249.169;
        }
        rib-groups {
            transmission-isat-2 {
                import-rib [ inet.0 transmission-isat-2.inet.0 ];
            }
        }
    }
    firewall {
        family inet {
            filter transmission-isat-2 {
                term 0 {
                    from {
                        source-address {
                            192.168.4.0/24;
                        }
                    }
                    then {
                        routing-instance transmission-isat-2;
                    }
                }
                term 1 {
                    then accept;
                }
            }
        }
    }
    routing-instances {
        transmission-isat-2 {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 114.7.241.89;
                }
            }
        }
    }


    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------


  • 2.  RE: NAT Destination from 2 ISPs in Juniper SRX345

     
    Posted 06-30-2021 05:41
    Please share the actual destination nat rule you created for each ISP.
    And the associated policy to allow that inbound traffic.

    Then capture a flow setting on a failed connection attempt with the source public IP address of the Internet host making the attempt to reach the internal server.
    show security flow session source-prefix 11.1.2/32

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
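An added example showing the shape of the destination NAT rule-set and the matching inbound policy that the reply above asks for, written against the zone and interface names from the posted config. This is not configuration from either poster: the internal host 192.168.4.10, the pool, rule-set, policy and address-book names are placeholders chosen for this example, and the public address 114.7.241.90 is the ISP-B interface address taken from the post.

```junos
/* Added example, not from the original thread. Assumed values:      */
/*   192.168.4.10      internal HTTPS host in zone Production         */
/*   114.7.241.90/32   ISP-B address on ge-0/0/3.0 (zone Transmission-1) */
/*   srv-web, dnat-srv-web, inbound-isp-b, https-to-srv-web: placeholders */
security {
    address-book {
        global {
            /* the policy below must reference the translated (internal) address */
            address srv-web 192.168.4.10/32;
        }
    }
    nat {
        destination {
            pool dnat-srv-web {
                /* translate to the internal host, keeping the service port */
                address 192.168.4.10/32 port 443;
            }
            rule-set inbound-isp-b {
                /* bind the rule-set to the zone the ISP-B interface sits in */
                from zone Transmission-1;
                rule https-to-srv-web {
                    match {
                        destination-address 114.7.241.90/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat {
                            pool {
                                dnat-srv-web;
                            }
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Transmission-1 to-zone Production {
            /* scoped replacement for the any/any/any permit in the posted config */
            policy inbound-https-srv-web {
                match {
                    source-address any;
                    destination-address srv-web;
                    application junos-https;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Two points a practitioner would check when wiring this up. First, on the SRX destination NAT is applied before the security policy lookup, so the policy's destination-address is the internal (post-translation) address, not the public one; a policy written against the public IP never matches. Second, the posted policy from Transmission-1 to Production permits any source, any destination and any application from the Internet-facing zone, so a narrowly scoped policy for just the translated host and service, as above, is the better companion to the NAT rule. Hit counts on the rule can be checked with `show security nat destination rule all`, and the session the reply asks for can also be located from the inside with `show security flow session destination-prefix 192.168.4.10/32`; a second rule-set bound to the ISP-A zone would mirror this one for the other provider.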