Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  NAT on multiwan not working

    Posted 02-28-2024 04:52

    Good day,

    I have an SRX240 with 2 ISPs.

    The primary uses a PPPoE pp0.0 and works as expected.

    The secondary uses Ethernet with VLAN tagging.

    I switched some of the IPsec tunnels to this new connection, and they work fine.

    I also want to use destination NAT, but this isn't working.

    ge-0/0/15 {
        vlan-tagging;
        unit 9 {
            vlan-id 9;
            family inet {
                address 1.2.3.4/28;
            }
        }
    }

    The Routing instance

    fiber {
        instance-type virtual-router;
        interface ge-0/0/15.9;
        routing-options {
            interface-routes {
                rib-group inet inet-group;
            }
            static {
                route 0.0.0.0/0 next-hop 1.2.3.5;
            }
        }
    }
    

    Routing options

    interface-routes {
        rib-group inet inet-group;
    }
    static {
        route 0.0.0.0/0 next-hop pp0.0;
    }
    rib-groups {
        inet-group {
            import-rib [ inet.0 fiber.inet.0 ];
        }
    }

    Destination NAT

    rule-set untrust {
        from zone untrust;
        rule myserver {
            match {
                destination-address 0.0.0.0/0;
                destination-port 443;
            }
            then {
                destination-nat {
                    pool {
                        myserver;
                    }
                }
            }
        }
    }
    rule-set untrust-fiber {
        from zone untrust-fiber;
        rule myserver-fiber {
            match {
                destination-address 0.0.0.0/0;
                destination-port 443;
            }
            then {
                destination-nat {
                    pool {
                        myserver;
                    }
                }
            }
        }
    }

    The security policies are identical for untrust and untrust-fiber.

    If I connect to the public IP of pp0.0, the webpage shows.

    If I connect to the public IP of ge-0/0/15.9, there is no response.

    I know the connection is working, since the IPsec is working fine.

    What am I missing?



  • 2.  RE: NAT on multiwan not working

    Posted 02-28-2024 14:02

    Is there also an inbound security policy for the new untrust-fiber zone to permit the traffic matching the original untrust zone policy?



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: NAT on multiwan not working

    Posted 02-29-2024 09:12

    For some reason the ticket got posted twice.
    https://community.juniper.net/discussion/nat-on-multiwan-not-working