SRX345 Implementing Triple ISP Failover & NAT Destination


    Posted 01-07-2022 05:32
    Hi,

    I'm still learning to use the SRX as a router and firewall. I'm trying to implement triple ISP failover and destination NAT on my local zone. I've read documents about dual ISP failover using either FBF or virtual routers with separate security zones for each ISP. But when I apply that to my implementation plan for triple ISP, it doesn't work with either FBF or virtual routers. I'm wondering if my SRX345 has a limitation regarding multiple default routes or something?

    Currently my SRX345 configuration is still like this:

    Local (192.168.1.0-3.0) -> Default Static Route on ISP1 (NAT Source & Destination using ISP1)
    Local (192.168.4.0)     -> Filter Based Forwarding on ISP2 (NAT Source & Destination using ISP2)
    Both ISP1 & ISP2 are in the same Security Zone, Internet.

    How do I add ISP3 so I can use it for source and destination NAT on Local 192.168.3.0? I tried putting ISP3 in the same Security Zone, created another FBF and applied the filter on the Local interface, and it still isn't working. Do I need to create a Virtual Router for each ISP and create separate Security Zones? If I use Virtual Routers, will the failover plan using probes still work?

    And for failover, I'm planning to use probes for that (haven't implemented it yet).

    Please enlighten me; I'm still learning.

    Thank you.
    Here is the complete `show configuration` output from my SRX345:
    root@BSRX-FW-001> show configuration 
    ## Last commit: 2022-01-06 00:44:59 GMT+7 by root
    ## NOTE(review): as pasted, several closing braces are missing (security nat source,
    ## nat destination, nat, policies, and the first from-zone) -- probably a copy artifact
    ## from paged CLI output; the stanzas below are read by their indentation.
    version 15.1X49-D170.4;
    groups {
        global {
            system {
                services {
                    ssh;
                }
            }
        }
    }
    system {
        host-name SRX-FW-001;
        time-zone GMT+7;
        root-authentication {
            ## NOTE(review): this hash is now public; rotate the root password and redact
            ## "## SECRET-DATA" lines before sharing a configuration.
            encrypted-password "$5$ndM/6sJc$WxfEVxaQoVyu6WlLKdzpBkLPYBW4iPR6e/1jzVYXVY4"; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
        }
        services {
            ssh;
            ## NOTE(review): telnet and xnm-clear-text are unencrypted management services.
            ## Zone Internet below allows host-inbound system-services "all"; the per-interface
            ## ping-only stanzas on ge-0/0/0.0, ge-0/0/3.0 and ge-0/0/5.0 should take precedence,
            ## but any interface added to that zone without its own stanza inherits "all".
            telnet;
            xnm-clear-text;
            web-management {
                https {
                    system-generated-certificate;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    security {
        nat {
            source {
                rule-set Production-to-Internet {
                    from zone Production;
                    to zone Internet;
                    rule internet-access {
                        match {
                            source-address [ 192.168.1.0/24 192.168.2.0/24 192.168.10.0/24 192.168.4.0/24 192.168.3.0/24 ];
                        }
                        then {
                            ## interface-based source NAT: the translated address is that of whichever
                            ## Internet-zone interface the route lookup (inet.0 or Internet2) selects, so
                            ## an ISP3 path presumably needs no new rule here, only a route out ge-0/0/5.0.
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            destination {
                pool PRISM {
                    address 192.168.2.10/32 port 9440;
                }
                pool test-ssh {
                    address 192.168.4.1/32 port 22;
                }
                ## NOTE(review): the matched public addresses 114.5.230.165 and 114.7.229.97 are not
                ## configured on any interface in this listing (ge-0/0/0 is 114.4.249.170/24,
                ## ge-0/0/3 is 114.7.241.90/30, ge-0/0/5 is 36.95.235.82/29) -- confirm they are
                ## actually delivered to the SRX, otherwise these rules never match.
                rule-set Internet-to-Production {
                    from zone Internet;
                    rule PRISM {
                        match {
                            destination-address 114.5.230.165/32;
                            destination-port {
                                9440;
                            }
                        }
                        then {
                            destination-nat {
                                pool {
                                    PRISM;
                                }
                            }
                        }
                    }
                    rule Test-SSH {
                        match {
                            destination-address 114.7.229.97/32;
                            destination-port {
                                22;
                            }
                        }
                        then {
                            destination-nat {
                                pool {
                                    test-ssh;
                                }
                            }
                        }
                    }
                }
        policies {
            ## NOTE(review): any/any/any permit from Internet into Production. In practice inbound
            ## traffic reaches private hosts only through the destination-NAT rules above, but this
            ## policy also permits everything those rules translate; restricting destination-address
            ## to the pool hosts and application to the translated ports would limit exposure.
            from-zone Internet to-zone Production {
                policy All_Internet_Production {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            application-services {
                                utm-policy junos-av-wf-policy;
                            }
                        }
                    }
                }
            from-zone Production to-zone Internet {
                policy All_Internet_Production {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            application-services {
                                utm-policy junos-av-wf-policy;
                            }
                        }
                    }
                }
            }
        zones {
            security-zone Production {
                ## zone-level "all" applies to interfaces without their own stanza; ge-0/0/1.0
                ## narrows it to ssh/http/https/ping below.
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ssh;
                                http;
                                https;
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                ## NOTE(review): "all" at zone level on the ISP-facing zone; the three interfaces
                ## below each override it with ping only, so keep adding that override (or tighten
                ## the zone default) for any new ISP interface.
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                    ge-0/0/3.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                    ge-0/0/5.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 114.4.249.170/24;
                }
            }
        }
        ge-0/0/1 {
            speed 1g;
            link-mode full-duplex;                               
            unit 0 {
                family inet {
                    ## FBF entry point: filter Internet2 (see the firewall section) is evaluated on
                    ## traffic arriving from the LAN. A unit takes a single "input" filter per family,
                    ## so ISP3 steering would presumably be another term of this filter rather than a
                    ## second filter -- confirm against the Junos docs for this release.
                    filter {
                        input Internet2;
                    }
                    address 192.168.10.254/24;
                }
            }
        }
        ge-0/0/3 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                description Internet-2;
                family inet {
                    address 114.7.241.90/30;
                }
            }
        }
        ge-0/0/5 {
            ## NOTE(review): the ISP3 uplink is in zone Internet, but nothing else in this listing
            ## refers to it: no static route, no routing-instance and no filter term -- which would
            ## explain why 192.168.3.0/24 never reaches ISP3.
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                ## NOTE(review): the description statement below lacks its trailing ";".
    	    description Internet-3
                family inet {
                    address 36.95.235.82/29;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            ## copies interface (direct/local) routes from inet.0 into Internet2.inet.0 so the FBF
            ## instance knows the LAN interfaces. The static LAN routes below (via 192.168.10.253)
            ## are not interface routes and are not copied, so traffic from 192.168.4.0/24 toward
            ## another LAN subnet would presumably fall to the instance's 0.0.0.0/0 and leave via
            ## ISP2 -- check "show route table Internet2.inet.0".
            rib-group inet Internet2;
        }
        static {
            ## NOTE(review): 0.0.0.0/24 covers only 0.0.0.0-0.0.0.255; a default route is 0.0.0.0/0
            ## (compare the Internet2 instance below). Unless this is a paste typo, inet.0 has no
            ## default route toward ISP1.
    	route 0.0.0.0/24 next-hop 114.4.249.169;
            ## NOTE(review): 192.168.10.254 is this device's own ge-0/0/1.0 address and
            ## 192.168.10.253 is already directly connected there, so this route looks redundant
            ## or mistyped.
            route 192.168.10.253/32 next-hop 192.168.10.254;
            ## NOTE(review): next-hop 192.168.1.1 lies inside the prefix being routed and no
            ## interface here has an address in 192.168.1.0/24, unlike the other LAN routes via
            ## 192.168.10.253 -- confirm this route actually resolves.
            route 192.168.1.0/24 next-hop 192.168.1.1;
            route 192.168.255.0/24 next-hop 192.168.10.253;
            route 192.168.200.0/24 next-hop 192.168.10.253;
            route 192.168.2.0/24 next-hop 192.168.10.253;
            route 192.168.3.0/24 next-hop 192.168.10.253;
    	route 192.168.4.0/24 next-hop 192.168.10.253;
        }
        rib-groups {
            Internet2 {
                import-rib [ inet.0 Internet2.inet.0 ];
            }
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }
    firewall {
        family inet {
            filter Internet2 {
                ## term 0 steers every packet sourced from 192.168.4.0/24 into the Internet2
                ## instance, whatever its destination; term 1 lets everything else follow inet.0.
                term 0 {
                    from {
                        source-address {
                            192.168.4.0/24;
                        }
                    }
                    then {
                        routing-instance Internet2;
                    }
                }
                term 1 {
                    then accept;
                }
            }
        }
    }
    routing-instances {
        ## forwarding instance for ISP2: its only route is a default via 114.7.241.89, the far end
        ## of ge-0/0/3's /30. ISP3 would presumably need an analogous instance with a default via
        ## the ge-0/0/5 peer address.
        Internet2 {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 114.7.241.89;
                }
            }
        }
    }
    Attached diagram (as text): SRX345 with three uplinks -- ISP1, ISP2, ISP3 -- for failover and NAT source & destination; Local 192.168.1.0 and 192.168.2.0 via ISP1, Local 192.168.4.0 via ISP2, Local 192.168.3.0 via ISP3.


    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------