Hi, I am getting issues when using NAT with FBF in my configuration, as below.
As in the attached image, I have an internal server (192.168.1.96) using static NAT to an external WAN fixed IP (1.1.1.1). If I just use the direct setting (no other Internet access), it works.
But after I added another, faster WAN access (2.2.2.1) for default Internet access and used another routing-instance (wtt-bb) through FBF for the dedicated server, I cannot access the server from the Internet anymore. But the server can still successfully use static NAT to access the Internet (I checked an IP website and the server got the right WAN IP, and traceroute used the right port).
Can anyone help? Thanks!!
Configuration:
set interfaces ge-0/0/2 unit 0 family inet address 2.2.2.1/24
set interfaces ge-0/0/4 unit 0 family inet address 1.1.1.1/24
set interfaces ge-0/0/6 unit 0 family inet address 192.168.1.254/24
set interfaces ge-0/0/6 unit 0 family inet filter input serverDedicatedRoute
set routing-options interface-routes rib-group inet allRoute
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.254
set routing-options rib-groups allRoute import-rib inet.0
set routing-options rib-groups allRoute import-rib wtt-bb.inet.0
set security nat static rule-set tempTest from interface ge-0/0/4.0
set security nat static rule-set tempTest rule tempNAT match destination-address 1.1.1.1/32
set security nat static rule-set tempTest rule tempNAT then static-nat prefix 192.168.1.96/32
set security policies from-zone untrust to-zone trust policy tempFullAccess match source-address any
set security policies from-zone untrust to-zone trust policy tempFullAccess match destination-address any
set security policies from-zone untrust to-zone trust policy tempFullAccess match application any
set security policies from-zone untrust to-zone trust policy tempFullAccess then permit
set security policies default-policy permit-all
set security zones security-zone trust interfaces ge-0/0/6.0
set security zones security-zone untrust interfaces ge-0/0/4.0
set security zones security-zone untrust interfaces ge-0/0/2.0
set firewall filter serverDedicatedRoute term serverService from source-address 192.168.1.96/32
set firewall filter serverDedicatedRoute term serverService then routing-instance wtt-bb
set firewall filter serverDedicatedRoute term default then accept
set routing-instances wtt-bb instance-type forwarding
set routing-instances wtt-bb routing-options static route 0.0.0.0/0 next-hop 1.1.1.254
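To see what the FBF filter and the rib-group in the configuration above actually do to a route lookup, here is an added example (not the poster's code, and not a Junos tool) that parses a constructed subset of those set commands and performs the table selection and longest-prefix match for a packet entering ge-0/0/6. It assumes nothing about NAT or session handling, only the routing side: the filter picks the table, the rib-group leaks the connected routes into wtt-bb.inet.0.

```python
import ipaddress

# Constructed subset of the routing-relevant set commands from the post above.
CONFIG = """
set interfaces ge-0/0/2 unit 0 family inet address 2.2.2.1/24
set interfaces ge-0/0/4 unit 0 family inet address 1.1.1.1/24
set interfaces ge-0/0/6 unit 0 family inet address 192.168.1.254/24
set routing-options interface-routes rib-group inet allRoute
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.254
set routing-options rib-groups allRoute import-rib inet.0
set routing-options rib-groups allRoute import-rib wtt-bb.inet.0
set firewall filter serverDedicatedRoute term serverService from source-address 192.168.1.96/32
set firewall filter serverDedicatedRoute term serverService then routing-instance wtt-bb
set firewall filter serverDedicatedRoute term default then accept
set routing-instances wtt-bb routing-options static route 0.0.0.0/0 next-hop 1.1.1.254
"""

def parse(config):
    """Build {rib: [(prefix, next-hop)]} plus the ordered FBF filter terms."""
    tables, groups, connected, terms, iface_group = {"inet.0": []}, {}, [], {}, None
    for w in (l.split() for l in config.strip().splitlines()):
        if w[1] == "interfaces":                      # connected /24 on each port
            connected.append((ipaddress.ip_interface(w[8]).network, f"{w[2]}.{w[4]}"))
        elif w[2] == "interface-routes":              # rib-group for interface routes
            iface_group = w[5]
        elif w[2] == "rib-groups":                    # which tables the group feeds
            groups.setdefault(w[3], []).append(w[5])
        elif w[1:4] == ["routing-options", "static", "route"]:
            tables["inet.0"].append((ipaddress.ip_network(w[4]), w[6]))
        elif w[1] == "routing-instances":             # static route inside wtt-bb
            tables.setdefault(f"{w[2]}.inet.0", []).append((ipaddress.ip_network(w[6]), w[8]))
        elif w[1] == "firewall":                      # filter terms, in config order
            t = terms.setdefault(w[5], {"src": None, "instance": None})
            if w[7] == "source-address":
                t["src"] = ipaddress.ip_network(w[8])
            elif w[7] == "routing-instance":
                t["instance"] = w[8]
    for rib in groups.get(iface_group, ["inet.0"]):   # rib-group leaks connected routes
        tables.setdefault(rib, []).extend(connected)
    return tables, terms

def forward(config, src, dst):
    """Table chosen by the filter on ge-0/0/6, then longest-prefix match in it."""
    tables, terms = parse(config)
    rib = next((f"{t['instance']}.inet.0" if t["instance"] else "inet.0" for t in terms.values()
                if t["src"] is None or ipaddress.ip_address(src) in t["src"]), "inet.0")
    d = ipaddress.ip_address(dst)
    best = max((r for r in tables[rib] if d in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return rib, best[1] if best else None
```

Traffic from 192.168.1.96 lands in wtt-bb.inet.0 and exits toward 1.1.1.254, while any other host on ge-0/0/6 follows inet.0 to 2.2.2.254; the rib-group is what lets wtt-bb.inet.0 also resolve the directly connected 1.1.1.0/24 and 192.168.1.0/24 prefixes.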