Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.

NAT Destination from 2 ISPs in Juniper SRX345

  • 1.  NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-29-2021 10:18
    Hi, I posted something about connecting to 2 different ISPs from an SRX345 before.

    But it only solved NAT Source to the internet, because when I try to NAT Destination one of my IPs to a public address, it doesn't work. Do I have to use a Virtual Router routing instance instead of a forwarding routing instance? So I can NAT Source and Destination segments 1.x and 2.x to ISP A using virtual router routing instance 1, and then NAT Source and Destination segments 3.x and 4.x to ISP B using virtual router routing instance 2?

    Please help me. 
    Thanks.

    This is the config file from my current SRX345 using a forwarding routing instance:

        nat {
            source {
                pool FMS-MOON-ISAT-2 {
                    description FMS-MOON-ISAT-2;
                    address {
                        114.7.229.97/32 to 114.7.229.97/32;
                    }
                }
                rule-set Production-to-Transmission-1 {
                    description Production-to-Transmission-1;
                    from zone Production;
                    to zone Transmission-1;
                    rule FMS-ACCESS {
                        match {
                            source-address 192.168.4.0/24;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Transmission-1 to-zone Production {
                policy Transmission-to-Production {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone Production to-zone Transmission-1 {
                policy Transmission-to-Production {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone Production {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ssh;
                                http;
                                https;
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone Transmission-1 {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/3.0;
                }
            }
        }
    interfaces {
        ge-0/0/0 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 114.4.249.170/24;
                }
            }
        }
        ge-0/0/1 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 192.168.10.254/24;
                }
            }
        }    
        ge-0/0/3 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                description Internet-2;
                family inet {
                    address 114.7.241.90/30;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet transmission-isat-2;
        }
        static {
            route 0.0.0.0/0 next-hop 114.4.249.169;
        }
        rib-groups {
            transmission-isat-2 {
                import-rib [ inet.0 transmission-isat-2.inet.0 ];
            }
        }
    }
    firewall {
        family inet {
            filter transmission-isat-2 {
                term 0 {
                    from {
                        source-address {
                            192.168.4.0/24;
                        }
                    }
                    then {
                        routing-instance transmission-isat-2;
                    }
                }
                term 1 {
                    then accept;
                }
            }
        }
    }
    routing-instances {
        transmission-isat-2 {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 114.7.241.89;
                }
            }
        }
    }


    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------


  • 2.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-29-2021 10:47
    You need an instance-type forwarding with configuration as below (ISP-A / ISP-B stand for the respective gateway addresses, XX for the values you choose):

    set routing-instances ISP_B instance-type forwarding
    set routing-instances ISP_B routing-options static route 0.0.0.0/0 next-hop ISP-B
    set routing-instances ISP_B routing-options static route 0.0.0.0/0 qualified-next-hop ISP-A preference XX
    set routing-instances ISP_B routing-options static route 0.0.0.0/0 qualified-next-hop ISP-A metric XX

    set routing-options interface-routes rib-group inet ISP_B
    set routing-options rib-groups ISP_B import-rib inet.0
    set routing-options rib-groups ISP_B import-rib ISP_B.inet.0

    set firewall family inet filter LAN-A term 0 from source-address 
    set firewall family inet filter LAN-A term 0 from destination-address 
    set firewall family inet filter LAN-A term 0 then routing-instance ISP_B
    set firewall family inet filter LAN-A term 1 then accept

    You also need to apply the filter LAN-A to the interface as well.

    ------------------------------
    ANKUR
    ------------------------------



  • 3.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-29-2021 11:38
    Thanks Ankur for your response.

    I read other docs stating that Virtual Router is the best practice for separating traffic for each LAN segment. But matching my config with your suggestion, the only thing I need to add is the qualified next-hop preference and metric to ISP A, isn't it?

    Will it solve my issue so I can NAT Destination my segment to ISP B?

    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------



  • 4.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-29-2021 12:15
    You can go without the qualified next hop; it's there just in case ISP 1 goes down or flaps, so the traffic can be routed outbound via ISP 2. You need to modify the filter to match source/destination based on the requirement. I am routing 10.0.0.0/24 and 10.1.0.0/24 via ISP 1 and 10.3.0.0/24 and 10.1.4.0/24 via ISP 2 outbound via "Source NAT with Egress Interface Address" and a filter on the interface, and destination NAT with the respective ISP.

    ------------------------------
    ANKUR
    ------------------------------



  • 5.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-29-2021 12:49
    Hi Ankur,

    Yes, I already added the filter to my LAN interface and my 3.0 and 4.0 segments are able to browse the internet thanks to Source NAT Egress Interface on ISP 2. But my 3.0 and 4.0 segments are still unable to be accessed from outside when I NAT Destination them, for example my 192.168.4.1 NAT Destination to 114.7.229.97. When I try to ping and SSH to 114.7.229.97, it won't show anything.
    Here's my latest configuration:
    root@BRIIT-FW-001> show security nat source summary
    
    Total rules: 2
    Rule name          Rule set                       From          To               Action
    internet-access    Production-to-Internet         Production    Internet         interface
    FMS-ACCESS         Production-to-Transmission-1   Production    Transmission-1   interface
    
    root@BRIIT-FW-001> show configuration firewall
    family inet {
        filter transmission-isat-2 {
            term 0 {
                from {
                    source-address {
                        192.168.4.0/24;
                    }
                }
                then {
                    routing-instance transmission-isat-2;
                }
            }
            term 1 {
                then accept;
            }
        }
    }
    
    root@BRIIT-FW-001> show configuration interfaces
    ge-0/0/0 {
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            family inet {
                address 114.4.249.170/24;
            }
        }
    }
    ge-0/0/1 {
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            family inet {
                filter {
                    input transmission-isat-2;
                }
                address 192.168.10.254/24;
            }
        }
    }
    ge-0/0/2 {
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            family inet {
                address 172.10.10.98/28;
            }
        }
    }
    ge-0/0/3 {
        speed 1g;
        link-mode full-duplex;
        unit 0 {
            description Internet-2;
            family inet {
                address 114.7.241.90/30;
            }
        }
    }



    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------



  • 6.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-29-2021 13:21
    You might want to take a look at the policies to determine if the traffic is indeed hitting the SRX and is routed via correct interface.

    ------------------------------
    ANKUR
    ------------------------------



  • 7.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-29-2021 13:42
    I've checked the firewall policy rules and I think all is good, since the rule is permit from Local to ISP B and vice versa.
    How do I make sure that the configuration for incoming packets / NAT Destination from ISP B that should be directed to my segment 4.0 is correct?

    From zone: Production, To zone: Transmission-1
      Policy: Transmission-to-Production, State: enabled, Index: 7, Scope Policy: 0, Sequence number: 1
        Source vrf group: any
        Destination vrf group: any
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: permit
    From zone: Transmission-1, To zone: Production
      Policy: Transmission-to-Production, State: enabled, Index: 6, Scope Policy: 0, Sequence number: 1
        Source vrf group: any
        Destination vrf group: any
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: permit


    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------



  • 8.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-29-2021 14:08
    Check the traffic logs  it will have the inbound and outbound interface information.

    ------------------------------
    ANKUR
    ------------------------------



  • 9.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-30-2021 05:41
    Please share the actual destination nat rule you created for each ISP.
    And the associated policy to allow that inbound traffic.

    Then capture a flow session on a failed connection attempt with the source public IP address of the internet host making the attempt to reach the internal server.
    show security flow session source-prefix 11.1.2/32

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 10.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-30-2021 11:42
    Hi,

    These are my NAT destination configuration, security policies and some details about my environment:

    Production = My LAN segment
    Internet = My ISP A
    Transmission-1 = My ISP B
    ISP A and ISP B are put in different security zones.

    IP Public Block ISP A = 114.5.230.161-174
    IP Public Block ISP B = 114.7.229.97-110

    pool VPN2-Access {
        address 192.168.2.64/32 port 1194;
    }
    pool tes {
        routing-instance {
            default;
        }
        address 192.168.4.1/32 port 22;
    }
    rule-set Internet-to-Production {
        from zone Internet;
        rule Public-Access {
            match {
                destination-address 114.5.230.166/32;
                destination-port {
                    1194;
                }
                protocol udp;
            }
            then {
                destination-nat {
                    pool {
                        VPN2-Access;
                    }
                }
            }
        }
    }
    rule-set Test {
        from zone Transmission-1;
        rule test {
            match {
                destination-address 114.7.229.97/32;
                destination-port {
                    22;
                }
            }
            then {
                destination-nat {
                    pool {
                        tes;
                    }
                }
            }
        }
    }
    root@BRIIT-FW-001> show configuration firewall
    family inet {
        filter transmission-isat-2 {
            term 0 {
                from {
                    source-address {
                        192.168.4.0/24;
                    }
                }
                then {
                    routing-instance transmission-isat-2;
                }
            }
            term 1 {
                then accept;
            }
        }
    }
    root@BRIIT-FW-001> show configuration routing-instances
    transmission-isat-2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 114.7.241.89;
            }
        }
    }
    
    root@BRIIT-FW-001> show route 0.0.0.0
    
    inet.0: 1715 destinations, 1715 routes (1715 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 9w0d 07:49:41
                        > to 114.4.249.169 via ge-0/0/0.0
    
    transmission-isat-2.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/5] 9w0d 09:44:06
                        > to 114.7.241.89 via ge-0/0/3.0
    
    root@BRIIT-FW-001> show configuration security policies
    from-zone Internet to-zone Production {
        policy All_Internet_Production {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        utm-policy junos-av-wf-policy;
                    }
                }
            }
        }
    }
    from-zone Production to-zone Internet {
        policy All_Internet_Production {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit {
                    application-services {
                        utm-policy junos-av-wf-policy;
                    }
                }
            }
        }
    }
    from-zone Transmission-1 to-zone Production {
        policy Transmission-to-Production {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone Production to-zone Transmission-1 {
        policy Transmission-to-Production {
            match {
                source-address any;
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }


    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------



  • 11.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-30-2021 17:38
    Since you are using different zones for the two ISPs, you also must make sure the reply traffic is symmetrical with the inbound request. Otherwise the flow will not match the zone-to-zone policy for the replies.

    Also confirm that both internal subnets listed are in the same Production zone.

    If these check out we do need the live session capture mentioned of the inbound connection attempts to see what session if any is created and what nat if any occurs on the session as well as the packet counts to verify bidirectional flow.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 12.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 06-30-2021 23:54
    Hi,

    Thanks for that. I really appreciate your help.

    I put my 2 ISPs in the same security zone for NAT Destination and it works. But when it comes to NAT Source, it doesn't work. And I used NAT source from interface to interface instead of from zone Production to ISP B.

    How do I fix it so my 4.0 segment can surf the internet via ISP B using NAT Source from zone to zone instead of from interface to interface?

    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------



  • 13.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 07-02-2021 05:58
    I don't see all the details here but you will need to remove that interface rule.

    Make sure that the source interface is included in what looks like your Production zone.
    The destination interface for the ISP is already included in your Internet zone.
    The IP ranges used by these devices are also in that source NAT rule, to allow it to apply.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 14.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 07-02-2021 06:18
    Hi Steve,

    Thank you so much. It turned out I forgot to input my 4.0 segment in NAT Source; that's why it couldn't connect to the internet. But is it normal that I can ping both ISP GWs from all of my segments? My firewall filter only matches the source address of the 4.0 segment. Does it mean I just turned on active-active internet access? (I'm not talking about destination NAT, or does it automatically get the effect?)
    This is a VM from segment 2.0 and it can ping both ISP GWs, and I can also put NAT Destination from either ISP A or B. Is it normal?

    I'm sorry if my questions are silly, but I'm just trying to figure something out here.



    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------



  • 15.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 07-02-2021 19:19
    I'm not sure I follow your question but I think you are asking about reachability of both your ISP gateway addresses even with the source based routing rule in place to force traffic out the other ISP.

    In this case the other ISP gateway is a local installed specific route.  Thus that local route takes precedence over the default route 0.0.0.0/0 going out the other gateway.  More specific routes are always preferred.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 16.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 07-02-2021 23:17
    Sorry Steve if I didn't make it clear.

    What I want to make sure of is: with that source firewall filter routing instance (only segment 4.0 routed to ISP 2, not using qualified next-hop to ISP 1), my 2 ISPs in the same zone and my source NAT from Production to Internet (ISP 1 and 2), would my 4.0 segment still be able to access the internet via ISP 1 if ISP 2 goes down?

    Can I make it like this:

    Firewall Filter
    Source 4.0 segment via ISP 2
    Source 4.0 segment qualified next-hop via ISP 1
    Source 1.0, 2.0, 3.0 segments via ISP 1
    Source 1.0, 2.0, 3.0 segments qualified next-hop via ISP 2

    Can I do that so all of my segments are still able to access the internet if one of my ISPs goes down?

    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------



  • 17.  RE: NAT Destination from 2 ISPs in Juniper SRX345

    Posted 07-04-2021 11:55
    For failover to occur, the link to your primary next hop has to drop so that the route will no longer be valid. If this does occur, then your qualified next hop would kick in as long as that interface is still up and working.

    The issue is that the internet can fail without the loss of that physical link. In that case the default route is still valid, you will not get a failover, and traffic will be blackholed.

    To overcome this you would need to configure an upstream test using the RPM feature to test for actual internet availability with the link up and initiate failover when it is no longer working.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB22052

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
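The following is an added example, not code from any poster or from Junos: a small Python model of the forwarding logic discussed in posts 2, 15 and 17 (filter-based forwarding into the forwarding instance, interface routes copied into both tables by the rib-group, longest-prefix match, and qualified next-hop failover with and without an RPM probe). Prefixes, gateways and interface names come from the configs in the thread; the route preferences, the probe name "isp-b-upstream" and the destination 203.0.113.10 are assumptions.

```python
import ipaddress

# Constructed model of the thread's SRX345 setup (added example, not Junos code).
SEGMENT_TO_ISP_B = ipaddress.ip_network("192.168.4.0/24")  # filter term 0


def _route(prefix, next_hop, ifl, pref, probe=None):
    return {"prefix": ipaddress.ip_network(prefix), "next_hop": next_hop,
            "ifl": ifl, "pref": pref, "probe": probe}


# Interface (direct) routes. The rib-group copies these into BOTH tables,
# which is why every segment can reach both ISP gateways (post 15).
DIRECT = [
    _route("114.4.249.0/24", "direct", "ge-0/0/0.0", 0),
    _route("192.168.10.0/24", "direct", "ge-0/0/1.0", 0),
    _route("114.7.241.88/30", "direct", "ge-0/0/3.0", 0),
]

TABLES = {
    # Main table: default via ISP A, qualified-next-hop via ISP B as backup.
    "inet.0": DIRECT + [
        _route("0.0.0.0/0", "114.4.249.169", "ge-0/0/0.0", 5),
        _route("0.0.0.0/0", "114.7.241.89", "ge-0/0/3.0", 10),
    ],
    # Forwarding instance: default via ISP B (RPM-monitored, assumed name),
    # qualified-next-hop via ISP A as backup (post 2).
    "transmission-isat-2.inet.0": DIRECT + [
        _route("0.0.0.0/0", "114.7.241.89", "ge-0/0/3.0", 5, probe="isp-b-upstream"),
        _route("0.0.0.0/0", "114.4.249.169", "ge-0/0/0.0", 10),
    ],
}

ALL_UP = {"ge-0/0/0.0": True, "ge-0/0/1.0": True, "ge-0/0/3.0": True}


def resolve(table, dst, link_up, probe_ok):
    """Longest-prefix match, ties broken by lowest preference.
    A route is unusable when its egress link is down (the static route is
    withdrawn with the link) or when its RPM probe has failed (post 17)."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for r in TABLES[table]:
        if dst_ip not in r["prefix"] or not link_up.get(r["ifl"], False):
            continue
        if r["probe"] is not None and not probe_ok.get(r["probe"], True):
            continue
        key = (r["prefix"].prefixlen, -r["pref"])
        if best is None or key > best[0]:
            best = (key, r)
    return best[1] if best else None


def forward(src, dst, link_up=None, probe_ok=None):
    """Filter-based forwarding as in the thread: term 0 sends 192.168.4.0/24
    to the forwarding instance, term 1 accepts everything else into inet.0.
    Returns (table, next_hop, egress_interface); next_hop None means no route."""
    link_up = ALL_UP if link_up is None else link_up
    probe_ok = {} if probe_ok is None else probe_ok
    table = ("transmission-isat-2.inet.0"
             if ipaddress.ip_address(src) in SEGMENT_TO_ISP_B else "inet.0")
    r = resolve(table, dst, link_up, probe_ok)
    return (table, r["next_hop"], r["ifl"]) if r else (table, None, None)


if __name__ == "__main__":
    print(forward("192.168.4.10", "203.0.113.10"))                 # segment 4 -> ISP B
    print(forward("192.168.2.10", "114.7.241.89"))                 # ISP B GW via direct route
    print(forward("192.168.4.10", "203.0.113.10", {**ALL_UP, "ge-0/0/3.0": False}))
    print(forward("192.168.4.10", "203.0.113.10", ALL_UP, {"isp-b-upstream": False}))
```

Without a failing probe the ISP B default stays valid while the link is up, which is the blackhole case post 17 describes; the RPM-style probe is what withdraws it.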