Hi,
mhariry is right, you should put your 2nd uplink into a routing instance. Regarding:
"In the official Juniper course, I've read that in the processing method, Juniper SRX takes as priority the routing process before the destination NAT rules."
Actually, D-NAT is processed before route lookup. If you point me to the particular page/phrase in the courseware then I may be able to clarify.
Here is an example config:
lab@srxB-1# show interfaces
ge-0/0/3 {
    unit 0 {
        family inet {
            address 1.3.1.2/24;          <--- 1st uplink
        }
    }
}
ge-0/0/4 {
    vlan-tagging;
    unit 103 {
        vlan-id 103;
        family inet {
            address 172.20.103.1/24;     <--- LAN addresses
        }
    }
    unit 243 {
        vlan-id 243;
        family inet {
            address 4.3.2.2/24;          <--- 2nd uplink
        }
    }
}

lab@srxB-1# show routing-options
static {
    route 0.0.0.0/0 next-hop 1.3.1.1;    <--- route to 1st ISP
}

[edit]
lab@srxB-1# show routing-instances
vr {
    instance-type virtual-router;
    interface ge-0/0/4.243;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 4.3.2.1;              <--- route to 2nd ISP
            route 172.20.103.0/24 next-table inet.0;       <--- route from vr to local LAN
        }
    }
}

lab@srxB-1# show security nat
destination {
    pool internal-80 {
        address 172.20.103.10/32 port 80;
    }
    rule-set isp2 {
        from interface ge-0/0/4.243;
        rule 20 {
            match {
                destination-address 4.3.2.2/32;    <--- D-NAT from address assigned by 2nd ISP
                destination-port 8080;
            }
            then {
                destination-nat pool internal-80;
            }
        }
    }
}
Also, zone and policy config should be done as usual.
Here is how the D-NAT session looks:
Session ID: 690, Policy name: default-policy/2, Timeout: 1794, Valid
In: 1.4.1.2/54708 --> 4.3.2.2/8080;tcp, If: ge-0/0/4.243, Pkts: 8, Bytes: 571
Out: 172.20.103.10/80 --> 1.4.1.2/54708;tcp, If: ge-0/0/4.103, Pkts: 7, Bytes: 538
Total sessions: 2
The session is routed back to the correct interface (ISP2), as needed.
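The following is an added Python model of the flow order the reply describes (destination NAT first, then a route lookup in the routing instance of the ingress interface). It is not Junos code and not part of the original post; the interfaces, static routes and D-NAT rule are copied from the configuration above, the client address 1.4.1.2 comes from the session output, and the treatment of the return path (a lookup of the client address in the ingress interface's instance) is an assumption of the model. It shows why the packet to 4.3.2.2:8080 ends up on ge-0/0/4.103 towards 172.20.103.10, why the opposite order would terminate the packet on the box's own address, and why the return traffic leaves via ISP2 only because ge-0/0/4.243 sits in the vr instance (a lookup in inet.0 would pick ISP1).

```python
import ipaddress

# --- Constructed from the configuration shown in the post ---------------------
# interface -> (address/prefix, routing instance it belongs to)
INTERFACES = {
    "ge-0/0/3.0":   ("1.3.1.2/24", "inet.0"),       # 1st uplink
    "ge-0/0/4.103": ("172.20.103.1/24", "inet.0"),  # LAN
    "ge-0/0/4.243": ("4.3.2.2/24", "vr"),           # 2nd uplink, in instance vr
}

# routing instance -> {prefix: ("next-hop", ip) | ("next-table", instance)}
STATIC_ROUTES = {
    "inet.0": {"0.0.0.0/0": ("next-hop", "1.3.1.1")},
    "vr": {
        "0.0.0.0/0": ("next-hop", "4.3.2.1"),
        "172.20.103.0/24": ("next-table", "inet.0"),
    },
}

# destination NAT rule-set "isp2": ingress interface -> list of rules
DNAT_RULES = {
    "ge-0/0/4.243": [
        {"dst": "4.3.2.2/32", "port": 8080, "pool": ("172.20.103.10", 80)},
    ],
}


def instance_routes(instance):
    """Connected routes (from interfaces in the instance) plus its static routes."""
    routes = []
    for ifname, (addr, inst) in INTERFACES.items():
        if inst == instance:
            routes.append((ipaddress.ip_interface(addr).network, ("connected", ifname)))
    for prefix, action in STATIC_ROUTES.get(instance, {}).items():
        routes.append((ipaddress.ip_network(prefix), action))
    return routes


def route_lookup(instance, dst, depth=0):
    """Longest-prefix match in one instance, following next-table into another
    instance and resolving a next-hop to the connected interface that reaches it."""
    if depth > 8:
        raise RuntimeError("route resolution loop")
    dst = ipaddress.ip_address(dst)
    best = None
    for net, action in instance_routes(instance):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, action)
    if best is None:
        return None
    kind, target = best[1]
    if kind == "next-table":
        return route_lookup(target, dst, depth + 1)
    if kind == "connected":
        return {"instance": instance, "egress": target, "next_hop": str(dst)}
    resolved = route_lookup(instance, target, depth + 1)   # kind == "next-hop"
    if resolved is None:
        return None
    return {"instance": instance, "egress": resolved["egress"], "next_hop": target}


def is_local(instance, dst):
    """True when dst is one of the box's own addresses in that instance."""
    return any(inst == instance and ipaddress.ip_interface(addr).ip == ipaddress.ip_address(dst)
               for addr, inst in INTERFACES.values())


def apply_dnat(ingress, dst, port):
    """Apply the first matching D-NAT rule of the ingress interface's rule-set."""
    for rule in DNAT_RULES.get(ingress, []):
        if ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"]) and port == rule["port"]:
            return rule["pool"][0], rule["pool"][1], True
    return dst, port, False


def forward(ingress, dst, port, dnat_first=True):
    """First-packet handling: D-NAT, then a route lookup in the ingress interface's
    instance. dnat_first=False models the route-before-NAT order for comparison."""
    instance = INTERFACES[ingress][1]
    translated = False
    if dnat_first:
        dst, port, translated = apply_dnat(ingress, dst, port)
    if is_local(instance, dst):
        return {"action": "local", "dst": dst, "port": port, "translated": translated}
    route = route_lookup(instance, dst)
    if route is None:
        return {"action": "drop", "dst": dst, "port": port, "translated": translated}
    return {"action": "forward", "dst": dst, "port": port, "translated": translated, **route}


def reverse_path(ingress, src):
    """Egress for the session's return traffic: a lookup of the client address in
    the instance of the interface the first packet arrived on (model assumption)."""
    return route_lookup(INTERFACES[ingress][1], src)


if __name__ == "__main__":
    print("D-NAT first :", forward("ge-0/0/4.243", "4.3.2.2", 8080))
    print("route first :", forward("ge-0/0/4.243", "4.3.2.2", 8080, dnat_first=False))
    print("return (vr) :", reverse_path("ge-0/0/4.243", "1.4.1.2"))
    print("return inet0:", route_lookup("inet.0", "1.4.1.2"))
```

Running it prints a forwarded packet with the translated destination 172.20.103.10:80 leaving on ge-0/0/4.103 (the lookup crossed from vr into inet.0 through the next-table route), a "local" result for the route-first order because 4.3.2.2 is the box's own address, and a return path via 4.3.2.1 on ge-0/0/4.243 from the vr instance versus 1.3.1.1 on ge-0/0/3.0 from inet.0.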