Please share the actual destination NAT rule you created for each ISP.
And the associated policy to allow that inbound traffic.
Then capture a flow setting on a failed connection attempt with the source public IP address of the internet host making the attempt to reach the internal server.
show security flow session source-prefix 11.1.2/32
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
------------------------------
Original Message:
Sent: 06-29-2021 10:17
From: KARANG DIKA KUSUMA
Subject: NAT Destination from 2 ISPs in Juniper SRX345
Hi, I posted something about Connecting into 2 Different ISP from SRX345 before SRX
But it only solves for NAT Source to Internet, because when I try to NAT Destination to 1 of my IP to public, it doesn't work. Do I have to use Virtual Router routing instance instead of routing instance forwarding? So I can NAT Source and Destination Segment 1.x and 2.x to ISP A using virtual router routing instance 1, and then NAT Source and Destination Segment 3.x and 4.x to ISP B using virtual router routing instance 2?
Please help me.
Thanks.
This is the config file from my current SRX345 using Forwarding Routing Instance
nat {
    source {
        pool FMS-MOON-ISAT-2 {
            description FMS-MOON-ISAT-2;
            address {
                114.7.229.97/32 to 114.7.229.97/32;
            }
        }
        rule-set Production-to-Transmission-1 {
            description Production-to-Transmission-1;
            from zone Production;
            to zone Transmission-1;
            rule FMS-ACCESS {
                match {
                    source-address 192.168.4.0/24;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }
    policies {
        from-zone Transmission-1 to-zone Production {
            policy Transmission-to-Production {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone Production to-zone Transmission-1 {
            policy Transmission-to-Production {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone Production {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            http;
                            https;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone Transmission-1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/3.0;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            family inet {
                address 114.4.249.170/24;
            }
        }
    }
    ge-0/0/1 {
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            family inet {
                address 192.168.10.254/24;
            }
        }
    }
    ge-0/0/3 {
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            description Internet-2;
            family inet {
                address 114.7.241.90/30;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet transmission-isat-2;
    }
    static {
        route 0.0.0.0/0 next-hop 114.4.249.169;
    }
    rib-groups {
        transmission-isat-2 {
            import-rib [ inet.0 transmission-isat-2.inet.0 ];
        }
    }
}
firewall {
    family inet {
        filter transmission-isat-2 {
            term 0 {
                from {
                    source-address {
                        192.168.4.0/24;
                    }
                }
                then {
                    routing-instance transmission-isat-2;
                }
            }
            term 1 {
                then accept;
            }
        }
    }
}
routing-instances {
    transmission-isat-2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 114.7.241.89;
            }
        }
    }
}
------------------------------
KARANG DIKA KUSUMA
------------------------------