Routing


  • 1.  SRX345 Implementing Triple ISP Failover & NAT Destination

    Posted 01-07-2022 05:32
    Hi,

    I'm still learning to use the SRX as Router and Firewall. I'm trying to implement Triple ISP as Failover and NAT Destination on my Local Zone. I've read documents about Dual ISP Failover either using FBF or Virtual Router & Separate Security Zones on each ISP. But when I put it in my Implementation Plan on Triple ISP, it doesn't work on both FBF and Virtual Router. I'm wondering if my SRX345 has a limitation regarding multiple default routes or something?

    Currently my SRX345 configuration is still like this:

    Local (192.168.1.0-3.0) -> Default Static Route on ISP 1 (NAT Source & Destination using ISP1)
    Local (192.168.4.0)     -> Filter Based Forwarding on ISP2 (NAT Source & Destination using ISP2)
    Both ISP1 & ISP2 are in the same Security Zone as Internet.

    How do I implement ISP 3 so I can use it as NAT Source and Destination on Local 192.168.3.0? I tried to put ISP3 in the same Security Zone, created another FBF and put the filter on the Local Interface, and it is still not working. Do I need to create a Virtual Router for each ISP and create separate Security Zones? When I do Virtual Router, will the failover plan using Probe work?

    And also for Failover, I'm planning to use Probe for that (haven't implemented yet).

    Please enlighten me on my learning.

    Thank you.
    Here is the complete show configuration of my SRX345:
    root@BSRX-FW-001> show configuration 
    ## Last commit: 2022-01-06 00:44:59 GMT+7 by root
    version 15.1X49-D170.4;
    groups {
        global {
            system {
                services {
                    ssh;
                }
            }
        }
    }
    system {
        host-name SRX-FW-001;
        time-zone GMT+7;
        root-authentication {
            encrypted-password "$5$ndM/6sJc$WxfEVxaQoVyu6WlLKdzpBkLPYBW4iPR6e/1jzVYXVY4"; ## SECRET-DATA
        }
        name-server {
            8.8.8.8;
        }
        services {
            ssh;
            telnet;
            xnm-clear-text;
            web-management {
                https {
                    system-generated-certificate;
                }
            }
        }
        syslog {
            archive size 100k files 3;
            user * {
                any emergency;
            }
            file messages {
                any notice;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        max-configurations-on-flash 5;
        max-configuration-rollbacks 5;
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    security {
        nat {
            source {
                rule-set Production-to-Internet {
                    from zone Production;
                    to zone Internet;
                    rule internet-access {
                        match {
                            source-address [ 192.168.1.0/24 192.168.2.0/24 192.168.10.0/24 192.168.4.0/24 192.168.3.0/24 ];
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
            destination {
                pool PRISM {
                    address 192.168.2.10/32 port 9440;
                }
                pool test-ssh {
                    address 192.168.4.1/32 port 22;
                }
                rule-set Internet-to-Production {
                    from zone Internet;
                    rule PRISM {
                        match {
                            destination-address 114.5.230.165/32;
                            destination-port {
                                9440;
                            }
                        }
                        then {
                            destination-nat {
                                pool {
                                    PRISM;
                                }
                            }
                        }
                    }
                    rule Test-SSH {
                        match {
                            destination-address 114.7.229.97/32;
                            destination-port {
                                22;
                            }
                        }
                        then {
                            destination-nat {
                                pool {
                                    test-ssh;
                                }
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone Internet to-zone Production {
                policy All_Internet_Production {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            application-services {
                                utm-policy junos-av-wf-policy;
                            }
                        }
                    }
                }
            }
            from-zone Production to-zone Internet {
                policy All_Internet_Production {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit {
                            application-services {
                                utm-policy junos-av-wf-policy;
                            }
                        }
                    }
                }
            }
        }
        zones {
            security-zone Production {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/1.0 {
                        host-inbound-traffic {
                            system-services {
                                ssh;
                                http;
                                https;
                                ping;
                            }
                        }
                    }
                }
            }
            security-zone Internet {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                }
                interfaces {
                    ge-0/0/0.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                    ge-0/0/3.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                    ge-0/0/5.0 {
                        host-inbound-traffic {
                            system-services {
                                ping;
                            }
                        }
                    }
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 114.4.249.170/24;
                }
            }
        }
        ge-0/0/1 {
            speed 1g;
            link-mode full-duplex;                               
            unit 0 {
                family inet {
                    filter {
                        input Internet2;
                    }
                    address 192.168.10.254/24;
                }
            }
        }
        ge-0/0/3 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                description Internet-2;
                family inet {
                    address 114.7.241.90/30;
                }
            }
        }
        ge-0/0/5 {
            speed 1g;
            link-mode full-duplex;
            unit 0 {
                description Internet-3;
                family inet {
                    address 36.95.235.82/29;
                }
            }
        }
    }
    routing-options {
        interface-routes {
            rib-group inet Internet2;
        }
        static {
            route 0.0.0.0/0 next-hop 114.4.249.169;
            route 192.168.10.253/32 next-hop 192.168.10.254;
            route 192.168.1.0/24 next-hop 192.168.1.1;
            route 192.168.255.0/24 next-hop 192.168.10.253;
            route 192.168.200.0/24 next-hop 192.168.10.253;
            route 192.168.2.0/24 next-hop 192.168.10.253;
            route 192.168.3.0/24 next-hop 192.168.10.253;
            route 192.168.4.0/24 next-hop 192.168.10.253;
        }
        rib-groups {
            Internet2 {
                import-rib [ inet.0 Internet2.inet.0 ];
            }
        }
    }
    protocols {
        l2-learning {
            global-mode switching;
        }
        rstp {
            interface all;
        }
    }
    firewall {
        family inet {
            filter Internet2 {
                term 0 {
                    from {
                        source-address {
                            192.168.4.0/24;
                        }
                    }
                    then {
                        routing-instance Internet2;
                    }
                }
                term 1 {
                    then accept;
                }
            }
        }
    }
    routing-instances {
        Internet2 {
            instance-type forwarding;
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 114.7.241.89;
                }
            }
        }
    }
    [Attached diagram: SRX345 with ISP1, ISP2 and ISP3 uplinks, Failover NAT Source & Destination; Local segments 192.168.1.0 and 192.168.2.0 (ISP1), 192.168.4.0 (ISP2), 192.168.3.0 (ISP3)]


    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------


  • 2.  RE: SRX345 Implementing Triple ISP Failover & NAT Destination

    Posted 01-11-2022 05:29
    Hi,

    You can find a working config example below. In this setup all ISP interfaces are grouped under the ISP security zone and all local area interfaces are grouped under the LAN security zone. If you need different rules for different subnets, you can change them as per your requirement.

    security {
        nat {
            source {
                rule-set ISP-NAT {
                    from zone LAN;
                    to zone ISP;
                    rule R1 {
                        match {
                            source-address 192.168.0.0/16;
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
        policies {
            from-zone LAN to-zone ISP {
                policy ALLOW-ANY {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone ISP to-zone LAN {
                policy ALLOW-ANY {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone ISP {
                interfaces {
                    ge-0/0/0.0;
                    ge-0/0/1.0;
                    ge-0/0/2.0;
                }
            }
            security-zone LAN {
                interfaces {
                    ge-0/0/3.0;
                    ge-0/0/4.0;
                    ge-0/0/5.0;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 1.1.1.1/24;
                }
            }
        }
        ge-0/0/1 {
            unit 0 {
                family inet {
                    address 2.2.2.2/24;
                }
            }
        }
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 3.3.3.3/24;
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family inet {
                    filter {
                        input ISP-1;
                    }
                    address 192.168.1.1/24;
                }
            }
        }
        ge-0/0/4 {
            unit 0 {
                family inet {
                    filter {
                        input ISP-2;
                    }
                    address 192.168.2.1/24;
                }
            }
        }
        ge-0/0/5 {
            unit 0 {
                family inet {
                    filter {
                        input ISP-3;
                    }
                    address 192.168.3.1/24;
                }
            }
        }
    }
    firewall {
        family inet {
            filter ISP-1 {
                term t1 {
                    then {
                        routing-instance ISP-1;
                    }
                }
            }
            filter ISP-2 {
                term t2 {
                    then {
                        routing-instance ISP-2;
                    }
                }
            }
            filter ISP-3 {
                term t1 {
                    then {
                        routing-instance ISP-3;
                    }
                }
            }
        }
    }
    routing-instances {
        ISP-1 {
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        qualified-next-hop 1.1.1.254 {
                            preference 6;
                        }
                        qualified-next-hop 2.2.2.254 {
                            preference 7;
                        }
                        qualified-next-hop 3.3.3.254 {
                            preference 8;
                        }
                    }
                }
            }
            instance-type forwarding;
        }
        ISP-2 {
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        qualified-next-hop 1.1.1.254 {
                            preference 8;
                        }
                        qualified-next-hop 2.2.2.254 {
                            preference 6;
                        }
                        qualified-next-hop 3.3.3.254 {
                            preference 7;
                        }
                    }
                }
            }
            instance-type forwarding;
        }
        ISP-3 {
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        qualified-next-hop 1.1.1.254 {
                            preference 7;
                        }
                        qualified-next-hop 2.2.2.254 {
                            preference 8;
                        }
                        qualified-next-hop 3.3.3.254 {
                            preference 6;
                        }
                    }
                }
            }
            instance-type forwarding;
        }
    }
    routing-options {
        interface-routes {
            rib-group inet ISP-RIB;
        }
        rib-groups {
            ISP-RIB {
                import-rib [ inet.0 ISP-1.inet.0 ISP-2.inet.0 ISP-3.inet.0 ];
            }
        }
    }


    Here is the session table

    root> show security flow session
    Session ID: 46, Policy name: ALLOW-ANY/4, Timeout: 32, Valid
      In: 192.168.3.10/38232 --> 8.8.8.8/0;icmp, Conn Tag: 0x0, If: ge-0/0/5.0, Pkts: 1, Bytes: 84,
      Out: 8.8.8.8/0 --> 3.3.3.3/24645;icmp, Conn Tag: 0x0, If: ge-0/0/2.0, Pkts: 0, Bytes: 0,
    
    Session ID: 47, Policy name: ALLOW-ANY/4, Timeout: 48, Valid
      In: 192.168.2.10/41560 --> 8.8.8.8/0;icmp, Conn Tag: 0x0, If: ge-0/0/4.0, Pkts: 1, Bytes: 84,
      Out: 8.8.8.8/0 --> 2.2.2.2/3137;icmp, Conn Tag: 0x0, If: ge-0/0/1.0, Pkts: 0, Bytes: 0,
    
    Session ID: 48, Policy name: ALLOW-ANY/4, Timeout: 58, Valid
      In: 192.168.1.10/43352 --> 8.8.8.8/0;icmp, Conn Tag: 0x0, If: ge-0/0/3.0, Pkts: 1, Bytes: 84,
      Out: 8.8.8.8/0 --> 1.1.1.1/3296;icmp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 0, Bytes: 0,
    Total sessions: 3
    


    Here is the routing table of the device

    root> show route | no-more
    
    inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    1.1.1.0/24         *[Direct/0] 00:36:02
                        >  via ge-0/0/0.0
    1.1.1.1/32         *[Local/0] 00:36:02
                           Local via ge-0/0/0.0
    2.2.2.0/24         *[Direct/0] 00:36:01
                        >  via ge-0/0/1.0
    2.2.2.2/32         *[Local/0] 00:36:01
                           Local via ge-0/0/1.0
    3.3.3.0/24         *[Direct/0] 00:36:01
                        >  via ge-0/0/2.0
    3.3.3.3/32         *[Local/0] 00:36:01
                           Local via ge-0/0/2.0
    192.168.1.0/24     *[Direct/0] 00:36:01
                        >  via ge-0/0/3.0
    192.168.1.1/32     *[Local/0] 00:36:01
                           Local via ge-0/0/3.0
    192.168.2.0/24     *[Direct/0] 00:36:01
                        >  via ge-0/0/4.0
    192.168.2.1/32     *[Local/0] 00:36:01
                           Local via ge-0/0/4.0
    192.168.3.0/24     *[Direct/0] 00:36:01
                        >  via ge-0/0/5.0
    192.168.3.1/32     *[Local/0] 00:36:01
                           Local via ge-0/0/5.0
    
    ISP-1.inet.0: 13 destinations, 15 routes (13 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/6] 00:36:02
                        >  to 1.1.1.254 via ge-0/0/0.0
                        [Static/7] 00:36:01
                        >  to 2.2.2.254 via ge-0/0/1.0
                        [Static/8] 00:36:01
                        >  to 3.3.3.254 via ge-0/0/2.0
    1.1.1.0/24         *[Direct/0] 00:36:02
                        >  via ge-0/0/0.0
    1.1.1.1/32         *[Local/0] 00:36:02
                           Local via ge-0/0/0.0
    2.2.2.0/24         *[Direct/0] 00:36:01
                        >  via ge-0/0/1.0
    2.2.2.2/32         *[Local/0] 00:36:01
                           Local via ge-0/0/1.0
    3.3.3.0/24         *[Direct/0] 00:36:01
                        >  via ge-0/0/2.0
    3.3.3.3/32         *[Local/0] 00:36:01
                           Local via ge-0/0/2.0
    192.168.1.0/24     *[Direct/0] 00:36:01
                        >  via ge-0/0/3.0
    192.168.1.1/32     *[Local/0] 00:36:01
                           Local via ge-0/0/3.0
    192.168.2.0/24     *[Direct/0] 00:36:01
                        >  via ge-0/0/4.0
    192.168.2.1/32     *[Local/0] 00:36:01
                           Local via ge-0/0/4.0
    192.168.3.0/24     *[Direct/0] 00:36:01
                        >  via ge-0/0/5.0
    192.168.3.1/32     *[Local/0] 00:36:01
                           Local via ge-0/0/5.0
    
    ISP-2.inet.0: 13 destinations, 15 routes (13 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/6] 00:36:01
                        >  to 2.2.2.254 via ge-0/0/1.0
                        [Static/7] 00:36:01
                        >  to 3.3.3.254 via ge-0/0/2.0
                        [Static/8] 00:36:02
                        >  to 1.1.1.254 via ge-0/0/0.0
    1.1.1.0/24         *[Direct/0] 00:36:02
                        >  via ge-0/0/0.0
    1.1.1.1/32         *[Local/0] 00:36:02
                           Local via ge-0/0/0.0
    2.2.2.0/24         *[Direct/0] 00:36:01
                        >  via ge-0/0/1.0
    2.2.2.2/32         *[Local/0] 00:36:01
                           Local via ge-0/0/1.0
    3.3.3.0/24         *[Direct/0] 00:36:01
                        >  via ge-0/0/2.0
    3.3.3.3/32         *[Local/0] 00:36:01
                           Local via ge-0/0/2.0
    192.168.1.0/24     *[Direct/0] 00:36:01
                        >  via ge-0/0/3.0
    192.168.1.1/32     *[Local/0] 00:36:01
                           Local via ge-0/0/3.0
    192.168.2.0/24     *[Direct/0] 00:36:01
                        >  via ge-0/0/4.0
    192.168.2.1/32     *[Local/0] 00:36:01
                           Local via ge-0/0/4.0
    192.168.3.0/24     *[Direct/0] 00:36:01
                        >  via ge-0/0/5.0
    192.168.3.1/32     *[Local/0] 00:36:01
                           Local via ge-0/0/5.0
    
    ISP-3.inet.0: 13 destinations, 15 routes (13 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both
    
    0.0.0.0/0          *[Static/6] 00:36:01
                        >  to 3.3.3.254 via ge-0/0/2.0
                        [Static/7] 00:36:02
                        >  to 1.1.1.254 via ge-0/0/0.0
                        [Static/8] 00:36:01
                        >  to 2.2.2.254 via ge-0/0/1.0
    1.1.1.0/24         *[Direct/0] 00:36:02
                        >  via ge-0/0/0.0
    1.1.1.1/32         *[Local/0] 00:36:02
                           Local via ge-0/0/0.0
    2.2.2.0/24         *[Direct/0] 00:36:01
                        >  via ge-0/0/1.0
    2.2.2.2/32         *[Local/0] 00:36:01
                           Local via ge-0/0/1.0
    3.3.3.0/24         *[Direct/0] 00:36:01
                        >  via ge-0/0/2.0
    3.3.3.3/32         *[Local/0] 00:36:01
                           Local via ge-0/0/2.0
    192.168.1.0/24     *[Direct/0] 00:36:01
                        >  via ge-0/0/3.0
    192.168.1.1/32     *[Local/0] 00:36:01
                           Local via ge-0/0/3.0
    192.168.2.0/24     *[Direct/0] 00:36:01
                        >  via ge-0/0/4.0
    192.168.2.1/32     *[Local/0] 00:36:01
                           Local via ge-0/0/4.0
    192.168.3.0/24     *[Direct/0] 00:36:01
                        >  via ge-0/0/5.0
    192.168.3.1/32     *[Local/0] 00:36:01
                           Local via ge-0/0/5.0
    
    


    ------------------------------
    MEHMET SUEL
    ------------------------------



  • 3.  RE: SRX345 Implementing Triple ISP Failover & NAT Destination

    Posted 01-11-2022 06:05
    Hi @MEHMET SUEL

    Thanks for your response. I have several questions for the config that you provided.

    1. So you don't have a default static route 0.0.0.0/0 to any of the ISPs besides the qualified next-hop route in each forwarding instance?
    2. I only have 1 LAN interface that receives several subnets of the LAN segments. I can't use 3 filters on 1 LAN interface like your configuration. Any workaround to solve this?
    3. When it comes to NAT Destination, is there any additional config that needs to be done so that each respective subnet can use the dedicated public IP from each ISP?
    Ex: 192.168.1.0/24 can use the public IP from ISP-1 and 2, while 192.168.2.0/24 will be using the public IP from ISP-2 and 3

    Thank you Mehmet. Sorry if it looks silly to you.

    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------



  • 4.  RE: SRX345 Implementing Triple ISP Failover & NAT Destination

    Posted 01-11-2022 16:55
    Hi,

    1. So you don't have a default static route 0.0.0.0/0 to any of the ISPs besides the qualified next-hop route in each forwarding instance?
    I use qualified next-hop to prioritize each ISP differently in each routing instance.
    For routing instance ISP-1, the isp-1 interface is selected as the primary interface. If this interface disconnects, the isp-2 interface will be used for all traffic. You do not need to add each ISP route to each routing instance, but in case you only add one default route and that interface disconnects, then all traffic destined to that routing instance will be discarded.
    2. I only have 1 LAN interface that receives several subnets of the LAN segments. I can't use 3 filters on 1 LAN interface like your configuration. Any workaround to solve this?
    It is a matter of using one firewall filter with many terms to differentiate traffic and forward it to the corresponding routing instance.
    An example filter and interface configuration looks like this:

    [edit]
    root# show firewall
    family inet {
        filter FBF {
            term T1 {
                from {
                    source-address {
                        192.168.1.0/24;
                    }
                }
                then {
                    routing-instance ISP-1;
                }
            }
            term T2 {
                from {
                    source-address {
                        192.168.2.0/24;
                    }
                }
                then {
                    routing-instance ISP-2;
                }
            }
            term T3 {
                from {
                    source-address {
                        192.168.3.0/24;
                    }
                }
                then {
                    routing-instance ISP-3;
                }
            }
        }
    }
    
    [edit]
    root# show interfaces ge-0/0/3
    unit 0 {
        family inet {
            filter {
                input FBF;
            }
            address 10.0.0.1/24;
        }
    }

    I am assuming you have the needed static route for LAN networks and it is distributed with rib-group configuration.

    3. When it comes to NAT Destination, is there any additional config that needs to be done so that each respective subnet can use the dedicated public IP from each ISP?
    Ex: 192.168.1.0/24 can use the public IP from ISP-1 and 2, while 192.168.2.0/24 will be using the public IP from ISP-2 and 3
    Destination NAT is kinda tricky since you are using ISP-assigned IP addresses. If you use interface IP addresses and that interface is disconnected, what will happen?
    For multi-ISP access scenarios it is best not to use ISP-assigned IP addresses but to use your own IP addresses.

    ------------------------------
    MEHMET SUEL
    ------------------------------



  • 5.  RE: SRX345 Implementing Triple ISP Failover & NAT Destination

    Posted 01-12-2022 05:26
    Hi @MEHMET SUEL

    Thanks for elaborating my questions.

    1. Ahh, I see. So that'll do for the default gateway on each ISP interface in case they are down.
    2. I'll try using multiple terms for the multiple ISP routing instances in 1 filter and apply the filter to my LAN interface.
    3. Actually each of my ISPs gave me static IP addresses (let's say, for example, ISP 1 1.1.1.0/28, it'll give me usable static IP addresses from 1.1.1.2-1.1.1.14; ISP 2 2.2.2.0/28, it'll give me usable static IP addresses from 2.2.2.2-2.2.2.14, and so on)

    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------



  • 6.  RE: SRX345 Implementing Triple ISP Failover & NAT Destination

     
    Posted 01-12-2022 05:26
    There are several ways to do this, but it depends on your requirement. If the ISP connections are directly attached internet, obviously how your inbound NAT works will be affected; if the aim is just outbound internet access with a source NAT and 3 ISPs as failover, we need to understand that requirement as well. Of the 3 ISPs, do you want them all to be active with ECMP running, or do you want only one primary with two backups, or will one be primary for all traffic except certain applications that will be forwarded out another ISP using a forwarding instance, and the 3rd is purely just for backup? In all these cases you would require RPM to probe beyond your internet breakout, because it is more likely for your ISP to encounter upstream issues than for the local onsite router to go physically down.


  • 7.  RE: SRX345 Implementing Triple ISP Failover & NAT Destination

    Posted 01-12-2022 09:33
    Hi @MFB

    Just to clarify, I have this plan:
    ISP1 for inbound-outbound of my Service A on segment 192.168.1.0, ISP 3 for inbound-outbound of my Service B on segment 192.168.4.0, while ISP2 is for inbound-outbound failover. So it won't run as 3 active ISPs.

    For that failover I also planned to use RPM, but I still have no idea how to configure the routing for NAT Source-Destination Failover.

    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------



  • 8.  RE: SRX345 Implementing Triple ISP Failover & NAT Destination

     
    Posted 01-12-2022 14:23
    So we are almost there regarding the requirements, but there are still some points that need clarity. I have attached an example of one way to do it, which would be my recommended way, because I see FBF as a workaround or last-resort solution: firewall filters are decoupled from routing, so it will not be very clean. Although it works fine, I would only consider it if there is no other way around. Again, if I understand your requirement, I will just segment service A and B each to its own ISP and configure the default route in that VR (VRF-LITE). Then you can add a second default route with a next hop of table inet.0. Each local service interface will have a sec zone and each ISP will have its sec zone. Your sec policies will then be in the direction of the flow: from zone A to ISP1 any any, from zone B to ISP3 any any, but then also zone X to ISP2 any any. That is for inside to outside. Then your source NAT rulebase would be Zone A to ISP1, ISP2 then source nat interface; Zone B to ISP3, ISP2 then source nat interface. So far we have only allowed inbound to outbound (internet). Destination NAT requires its own rulebase, but keep in mind that when it comes to inbound NAT your public IP will only be with the ISP who owns it; it won't shift between ISPs, so there isn't much you can do on the SRX to make that work. But if you need some destination NAT, as I mentioned, separate rulebases are required for the different types of NAT: source, destination and static. At least in this setup, if your services always communicate outwards and it doesn't matter what IP they source from the SRX, then you will be good; destination NAT will not work for the ISP that is down unless you have some LB in front or DNS. Again, it all depends on your requirements. Regarding RPM, it has been a while since I configured that, but you will have the option to either admin shut the ISP interface so the QNH becomes available, or change the default route preference, or something like that.




  • 9.  RE: SRX345 Implementing Triple ISP Failover & NAT Destination

    Posted 01-13-2022 05:32
    Hi @MFB

    Please correct me if I'm misunderstanding your explanation.

    1. Delete the current static route to ISP1
    2. Create 2 VRs, each corresponding to the respective ISP based on Zone A and Zone B, while creating a Qualified Next Hop to ISP2 as NAT Source Failover
    3. Create security zones for each ISP and create zone policies
    4. Configure NAT Source on each ISP interface
    5. For Failover NAT Destination, I need to put a Load Balancer as the frontline in front of my SRX345, is that correct? Since the SRX is not capable of doing so.

    For options beside RPM like admin shut ISP Interface, can you give me references for that? I just heard about it.

    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------
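An added example (not from any poster in this thread) of the RPM plus ip-monitoring piece that the last few posts refer to, built on the forwarding-instance design shown earlier in the thread (instance ISP-1, ge-0/0/0.0 with gateway 1.1.1.254 for ISP1, gateway 2.2.2.254 for ISP2); the probe, test and policy names are assumed, and the probe target is a constructed choice:

```junos
services {
    rpm {
        probe ISP1-PROBE {
            test ISP1-UPSTREAM {
                /* Ping an address beyond the ISP1 router so an upstream
                   outage with the local link still up is also detected.
                   8.8.8.8 is the target the thread's session table uses. */
                probe-type icmp-ping;
                target address 8.8.8.8;
                probe-count 3;
                probe-interval 5;
                test-interval 10;
                thresholds {
                    successive-loss 3;
                    total-loss 3;
                }
                /* Pin the probe to the ISP1 link and its gateway; without
                   this it would follow whichever default route is active
                   and never notice that ISP1 itself has failed. */
                destination-interface ge-0/0/0.0;
                next-hop 1.1.1.254;
            }
        }
    }
    ip-monitoring {
        policy ISP1-FAILOVER {
            match {
                rpm-probe ISP1-PROBE;
            }
            then {
                /* While the probe fails, inject a default route with
                   preference 1 (beats the Static/6 route via 1.1.1.254)
                   into the ISP-1 forwarding instance, so new sessions from
                   that instance leave via ISP2. The route is withdrawn
                   automatically once the probe passes again. */
                preferred-route {
                    routing-instances ISP-1 {
                        route 0.0.0.0/0 {
                            next-hop 2.2.2.254;
                        }
                    }
                }
                /* Alternative (the "admin shut" option mentioned above):
                   "interface ge-0/0/0.0 disable;" here takes the ISP1 link
                   down, so qualified-next-hop 1.1.1.254 becomes unusable
                   and the Static/7 route via 2.2.2.254 takes over. */
            }
        }
    }
}
```

Check the state with `show services rpm probe-results` and `show services ip-monitoring status`; because all ISP interfaces sit in the same ISP zone with `source-nat interface`, failed-over sessions from 192.168.1.0/24 simply NAT to 2.2.2.2 with no policy change, and ISP-2 and ISP-3 each need their own probe and policy of the same shape.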