SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-29-2021 10:18
    Hi, I posted something before about Connecting into 2 Different ISP from SRX345.

    But that only solved Source NAT to the Internet, because when I try to Destination NAT one of my public IPs to an internal host, it doesn't work. Do I have to use a Virtual Router routing instance instead of a forwarding routing instance? That way I could NAT Source and Destination for segments 1.x and 2.x to ISP A using virtual-router routing instance 1, and then NAT Source and Destination for segments 3.x and 4.x to ISP B using virtual-router routing instance 2?

    Please help me. 
    Thanks.

    This is the config from my current SRX345 using a forwarding routing instance:

        nat {
            source {
                pool FMS-MOON-ISAT-2 {
                    description FMS-MOON-ISAT-2;
                    address {
                        114.7.229.97/32 to 114.7.229.97/32;
                    }
                }
                rule-set Production-to-Transmission-1 {
                    description Production-to-Transmission-1;
                    from zone Production;
                    to zone Transmission-1;
                    rule FMS-ACCESS {
                        match {
                            source-address 192.168.4.0/24;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Transmission-1 to-zone Production {
                policy Transmission-to-Production {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Production to-zone Transmission-1 {
                policy Transmission-to-Production {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Production {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ssh;
                                http;
                                https;
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone Transmission-1 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/3.0;
                }
            }
        }
    interfaces {
        ge-0/0/0 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 114.4.249.170/24;
                }
            }
        }
        ge-0/0/1 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 192.168.10.254/24;
                }
            }
        }
        ge-0/0/3 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                description Internet-2;
                family inet {
                    address 114.7.241.90/30;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet transmission-isat-2;
        }
        static {
            route 0.0.0.0/0 next-hop 114.4.249.169;
        }
        rib-groups {
            transmission-isat-2 {
                import-rib [ inet.0 transmission-isat-2.inet.0 ];
            }
        }
    }
    firewall {
        family inet {
            filter transmission-isat-2 {
                term 0 {
                    from {
                        source-address {
                            192.168.4.0/24;
                        }
                    }
                    then {
                        routing-instance transmission-isat-2;
                    }
                }
                term 1 {
                    then accept;
                }
            }
        }
    }
    routing-instances {
        transmission-isat-2 {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 114.7.241.89;
                }
            }
        }
    }


    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------


  • 2.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-30-2021 05:41
    Please share the actual destination nat rule you created for each ISP.
    And the associated policy to allow that inbound traffic.

    Then capture a flow setting on a failed connection attempt, with the source public IP address of the internet host making the attempt to reach the internal server:
    show security flow session source-prefix 11.1.2/32

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
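As an added illustration of the two pieces the reply asks for (this is not configuration from either poster), here is what a destination NAT rule-set for the ISP-2 side and its matching inbound policy look like in the same curly-brace style. It assumes a web server at 192.168.4.10 (a placeholder inside the 192.168.4.0/24 segment from the original post) and reuses the public address 114.7.241.90 already configured on ge-0/0/3 and the zone names Production and Transmission-1.

```junos
security {
    address-book {
        global {
            /* assumed internal host; the policy below must reference this, not the public IP */
            address web-server 192.168.4.10/32;
        }
    }
    nat {
        destination {
            pool web-server-pool {
                /* translated destination: internal host and port */
                address 192.168.4.10/32 port 80;
            }
            rule-set from-Transmission-1 {
                /* inbound packets arriving from the ISP-2 zone */
                from zone Transmission-1;
                rule web-in {
                    match {
                        /* public address on ge-0/0/3 from the original post */
                        destination-address 114.7.241.90/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool web-server-pool;
                    }
                }
            }
        }
    }
    policies {
        from-zone Transmission-1 to-zone Production {
            /* restrict the open "any/any" inbound policy to the translated host and service */
            policy inbound-web {
                match {
                    source-address any;
                    destination-address web-server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Destination NAT is applied before the policy lookup, so the policy matches on the translated (private) address and would never hit if it referenced 114.7.241.90. Return traffic from 192.168.4.0/24 is steered back out ge-0/0/3 by the existing transmission-isat-2 filter, which is what keeps the session symmetric on the ISP-2 path.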