
Connecting to 2 Different ISPs via SRX.345

  • 1.  Connecting to 2 Different ISPs via SRX.345

    Posted 04-29-2021 03:31
    Hi,

    I'm new to Networking and also Juniper Devices.
    I have my environment shown below


    I tried using configuration on this KB
    [SRX] Source-based routing configuration example - Juniper Networks
    and here is my configuration on SRX345



    My VMs on segments 192.168.2.0 and 3.0 are able to ping the internet via ISP A, but I have VMs on segment 192.168.4.0/24 whose traffic I want to direct via ISP B. They are able to ping ISP B (114.7.241.89) but are unable to access the internet, even though I have already given them source NAT.

    Are there any steps that I missed or did wrong? Please enlighten me on this.

    Thanks. Regards.

    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------


  • 2.  RE: Connecting to 2 Different ISPs via SRX.345

     
    Posted 04-29-2021 04:19
    Hi, 

    Are both ISPA and ISPB in the same security zone?
    The source NAT is matching on destination zone "Transmission-1".

    If ISPB is not part of that security zone, another source NAT rule set matching the respective security zone would be needed.

    Cheers,

    ------------------------------
    Ashvin
    ------------------------------



  • 3.  RE: Connecting to 2 Different ISPs via SRX.345

    Posted 04-29-2021 04:58
    Hi,

    ISP A and ISP B are on different security zones.

    ISP A is on Internet Zone
    ISP B is on Transmission-1 Zone

    source NAT rule: FMS-ACCESS             Rule-set: Production-to-Transmission-1
      Rule-Id                    : 3
      Rule position              : 3
      From zone                  : Production
      To zone                    : Transmission-1
      Match
        Source addresses         : 192.168.4.0     - 192.168.4.255
      Action                        : interface
        Persistent NAT type         : N/A
        Persistent NAT mapping type : address-port-mapping
        Inactivity timeout          : 0
        Max session number          : 0
      Translation hits           : 1129
        Successful sessions      : 1120
        Failed sessions          : 9
      Number of sessions         : 0
    
    source NAT rule: internet-access        Rule-set: Production-to-Internet
      Rule-Id                    : 1
      Rule position              : 1
      From zone                  : Production
      To zone                    : Internet
      Match
        Source addresses         : 192.168.1.0     - 192.168.1.255
                                   192.168.2.0     - 192.168.2.255
                                   192.168.10.0    - 192.168.10.255
                                   192.168.3.0     - 192.168.3.255
      Action                        : interface
        Persistent NAT type         : N/A
        Persistent NAT mapping type : address-port-mapping
        Inactivity timeout          : 0
        Max session number          : 0
      Translation hits           : 62695743
        Successful sessions      : 62494524
        Failed sessions          : 201219
      Number of sessions         : 817

    Those are in different source NAT rule sets, so they should already be separated.

    ------------------------------
    KARANG DIKA KUSUMA
    ------------------------------



  • 4.  RE: Connecting to 2 Different ISPs via SRX.345

     
    Posted 04-29-2021 10:55
    This version of the KB shows the security policy you need to have in place in addition to the NAT rules. Also note that it is recommended to use the same security zone for both ISPs, as this facilitates failover when needed. As noted, you need to verify that the policy is in place for the second ISP.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
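A complete Junos configuration for the setup this thread converges on, as an added example that is not from the original posts or from the linked KB: the filter-based-forwarding routing instance that steers 192.168.4.0/24 to ISP B, the source NAT rule set from zone Production to zone Transmission-1, and the security policy from Production to Transmission-1 that a NAT rule set by itself does not provide. The zone names, the rule-set and rule names, the source prefix 192.168.4.0/24 and the ISP B gateway 114.7.241.89 are taken from the posts above; the interface names (ge-0/0/1 facing ISP B, ge-0/0/4 carrying 192.168.4.0/24), the SRX's own WAN address 114.7.241.90/30, and the routing-instance, rib-group, filter, address-book and policy names are assumptions made for the example. It keeps ISP A and ISP B in separate zones, as the poster has them, rather than the single-zone layout recommended in the last reply.

```junos
## Added example (not from the thread): ISP B path for 192.168.4.0/24 on an SRX345.
## Assumed: ge-0/0/1 faces ISP B in zone Transmission-1, ge-0/0/4 carries
## 192.168.4.0/24 in zone Production, SRX WAN address 114.7.241.90/30.
## 114.7.241.89 is the ISP B gateway the poster can already ping.

## 1. Interfaces and zones
set interfaces ge-0/0/1 unit 0 family inet address 114.7.241.90/30
set interfaces ge-0/0/4 unit 0 family inet address 192.168.4.1/24
set interfaces ge-0/0/4 unit 0 family inet filter input FBF-ISP-B
set security zones security-zone Transmission-1 interfaces ge-0/0/1.0
set security zones security-zone Production interfaces ge-0/0/4.0

## 2. Forwarding instance for ISP B with its own default route.
##    The rib-group copies the directly connected (interface) routes from
##    inet.0 into ISP-B.inet.0; without it the 114.7.241.89 next hop cannot
##    resolve inside the instance and the default route stays hidden.
set routing-instances ISP-B instance-type forwarding
set routing-instances ISP-B routing-options static route 0.0.0.0/0 next-hop 114.7.241.89
set routing-options rib-groups IMPORT-DIRECT import-rib [ inet.0 ISP-B.inet.0 ]
set routing-options interface-routes rib-group inet IMPORT-DIRECT

## 3. Filter-based forwarding on the LAN ingress interface: only
##    192.168.4.0/24 is handed to the ISP-B instance; every other source
##    falls through to "accept" and is routed in inet.0 (ISP A).
set firewall family inet filter FBF-ISP-B term to-isp-b from source-address 192.168.4.0/24
set firewall family inet filter FBF-ISP-B term to-isp-b then routing-instance ISP-B
set firewall family inet filter FBF-ISP-B term default then accept

## 4. Source NAT, Production -> Transmission-1, hiding behind the ISP B interface.
##    This is the FMS-ACCESS rule from the thread; the ISP A rule set
##    (Production -> Internet) is left untouched.
set security nat source rule-set Production-to-Transmission-1 from zone Production
set security nat source rule-set Production-to-Transmission-1 to zone Transmission-1
set security nat source rule-set Production-to-Transmission-1 rule FMS-ACCESS match source-address 192.168.4.0/24
set security nat source rule-set Production-to-Transmission-1 rule FMS-ACCESS then source-nat interface

## 5. Security policy. NAT rule sets only translate; they never permit.
##    In SRX first-packet processing the policy lookup runs before source
##    NAT, so with no permit policy for this zone pair the flow is dropped
##    by the default deny before the NAT rule is ever consulted.
##    Policy match fields take address-book names, not raw prefixes.
set security address-book global address FMS-NET 192.168.4.0/24
set security policies from-zone Production to-zone Transmission-1 policy FMS-to-ISP-B match source-address FMS-NET
set security policies from-zone Production to-zone Transmission-1 policy FMS-to-ISP-B match destination-address any
set security policies from-zone Production to-zone Transmission-1 policy FMS-to-ISP-B match application any
set security policies from-zone Production to-zone Transmission-1 policy FMS-to-ISP-B then permit
set security policies from-zone Production to-zone Transmission-1 policy FMS-to-ISP-B then log session-close
```

To check each layer after commit: `show route table ISP-B.inet.0` must list the 0.0.0.0/0 route with 114.7.241.89 as next hop and the 114.7.241.88/30 direct route imported by the rib-group; `show security match-policies from-zone Production to-zone Transmission-1 source-ip 192.168.4.10 destination-ip 1.1.1.1 source-port 40000 destination-port 443 protocol tcp` must return the permit policy rather than the default deny; and while a VM in 192.168.4.0/24 generates traffic, `show security flow session source-prefix 192.168.4.0/24` should show sessions whose outgoing wing leaves ge-0/0/1.0 with the source translated to 114.7.241.90. If the route and policy checks pass but sessions still carry no return packets, the remaining suspects are upstream of the SRX (ISP B filtering or not routing the assumed WAN address), not the NAT rule. With both ISP interfaces in one zone, as the last reply recommends, steps 4 and 5 collapse to a single rule set and a single policy for that zone, and failover becomes a routing change only.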