SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

  • 1.  SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

    Posted 04-09-2020 06:24

    I have 2 ISPs, which currently switch over automatically; however, when my SRX box switches from ISP1 (primary, ge-0/0/5.0) to ISP2 (backup, ge-0/0/0.0), routing does not consider the 1-1 NAT rule in the ISP2 zone (outbound NAT is using a different IP, not the one which has static NAT).

    Example: 192.168.1.0 is my email MTA, for which the SPF records are either 1.1.1.3 or 2.2.2.3 in my DNS server. When the primary link is up, outgoing email goes through 1.1.1.3 as expected, but if, for example, I disconnect the primary ISP cable, then email goes through 2.2.2.2, which is not correct; it has to use the 1-1 static NAT of ISP2, which is 2.2.2.3.

     

    ISP1 default gateway : 1.1.1.1
    ISP2 default gateway : 2.2.2.1

     

    I don't know what I am missing; internet and other services are working fine on ISP2, and the 1-1 NAT rules are also defined in the ISP2 zone just like in ISP1. I expect outbound traffic to come from 2.2.2.3 when on ISP2; currently outbound traffic is using 2.2.2.2.

     

    Please, someone help me to fix this issue; not sure what's going wrong.

     

    Static NAT

    static {
        rule-set Server-ISP1 {
            from zone ISP1;
            rule mta-isp1 {
                match {
                    destination-address 1.1.1.3/32;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.1.0/32;
                        }
                    }
                }
            }
        }
        rule-set Server-ISP2 {
            from zone ISP2;
            rule mta-isp2 {
                match {
                    destination-address 2.2.2.3/32;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.1.0/32;
                        }
                    }
                }
            }
        }
    }
    

    Proxy ARP

    proxy-arp {
        interface ge-0/0/5.0 {
            address {
                1.1.1.3/32;
            }
        }
        interface ge-0/0/0.0 {
            address {
                2.2.2.3/32;
            }
        }
    }

    Policies

    policies {
        from-zone DMZ to-zone ISP1 {
            policy isp2-mta {
                match {
                    source-address 192.168.1.0/32;
                    destination-address any;
                    application [ junos-smtp ];
                }
                then {
                    permit;
                }
            }
        }
        from-zone DMZ to-zone ISP2 {
            policy isp2-mta {
                match {
                    source-address 192.168.1.0/32;
                    destination-address any;
                    application [ junos-smtp ];
                }
                then {
                    permit;
                }
            }
        }
    }
    

    Routing Options

    routing-options {
        static {
            route 0.0.0.0/0 {
                next-hop 1.1.1.1;
                preference 10;
            }
        }
        instance-import from_ISP2-VR_to_master;
    }
    
    policy-options {
        policy-statement from_ISP2-VR_to_master {
            term policy1 {
                from {
                    instance ISP2-VR;
                    route-filter 0.0.0.0/0 exact;
                }
                then accept;
            }
            term policy2 {
                then next policy;
            }
        }
        policy-statement from_master_to_ISP2-VR {
            term policy1 {
                from {
                    instance master;
                    route-filter 192.168.1.10/24 exact;
                }
                then accept;
            }
            term policy2 {
                then reject;
            }
        }
    }
    
    routing-instances {
        ISP2-VR {
            instance-type virtual-router;
            interface ge-0/0/0.0;
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        next-hop 2.2.2.1;
                        preference 20;
                    }
                }
                instance-import from_master_to_ISP2-VR;
            }
        }
    }
    

    RPM services for automatic switchover

    services {
        rpm {
            probe ISP_1 {
                test link {
                    probe-type icmp-ping;
                    target address 8.8.8.8;
                    probe-count 3;
                    probe-interval 5;
                    test-interval 10;
                    thresholds {
                        successive-loss 3;
                        total-loss 3;
                    }
                    destination-interface ge-0/0/5.0;
                    next-hop 1.1.1.1;
                }
            }
            probe ISP_2 {
                test link {
                    probe-type icmp-ping;
                    target address 8.8.8.8;
                    probe-count 3;
                    probe-interval 5;
                    test-interval 10;
                    thresholds {
                        successive-loss 3;
                        total-loss 3;
                    }
                    destination-interface ge-0/0/0.0;
                    next-hop 2.2.2.1;
                }
            }
        }
        application-identification {
            enable-heuristics;
        }
        ip-monitoring {
            policy ISP_1 {
                match {
                    rpm-probe ISP_1;
                }
                then {
                    preferred-route {
                        routing-instances ISP2-VR {
                            route 0.0.0.0/0 {
                                next-hop 2.2.2.1;
                            }
                        }
                    }
                }
            }
            policy ISP_2 {
                match {
                    rpm-probe ISP_2;
                }
                then {
                    preferred-route {
                        routing-instances master {
                            route 0.0.0.0/0 {
                                next-hop 1.1.1.1;
                            }
                        }
                    }
                }
            }
        }
    }


    #SRX
    #routing


  • 2.  RE: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

     
    Posted 04-11-2020 13:38

    Hi there,

     

    It appears it is hitting one of your other source NAT rules here, if it is binding the session to 2.2.2.2.

     

    Can you perhaps share the entire source NAT hierarchy so we can look at the order of the rules and the context of the rule-set which is currently being matched?

     

    Cheers

    Pooja

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!



  • 3.  RE: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

    Posted 04-11-2020 23:10

    Thank you very much for the reply; please find the source NAT below:

     

    nat {
        source {
            rule-set LAN-to-ISPS {
                from zone LAN;
                to zone [ ISP2 ISP1 ];
                rule R1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set DMZ-to-ISPS {
                from zone DMZ;
                to zone [ ISP2 ISP1 ];
                rule R2 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set junoshost-to-ISPS {
                from zone junos-host;
                to zone [ ISP2 ISP1 ];
                rule R3 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        static {
            rule-set Server-ISP1 {
                from zone ISP1;
                rule mta-isp1 {
                    match {
                        destination-address 1.1.1.3/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.0/32;
                            }
                        }
                    }
                }
            }
            rule-set Server-ISP2 {
                from zone ISP2;
                rule mta-isp2 {
                    match {
                        destination-address 2.2.2.3/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                192.168.1.0/32;
                            }
                        }
                    }
                }
            }
        }
    }


  • 4.  RE: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

     
    Posted 04-12-2020 17:55

    Thank you 

     

    So with static NAT, I expect a 1-to-1 binding between 192.168.1.0/32 and the IP in question.

     

    In your case, ISP1's public IP has been bound to this private IP.

     

    One of your 'source-nat interface' rules, with 2.2.2.2 as the interface IP address, is being picked up here.

     

    Can I have you enable flow traceoptions and provide the trace file output here?

     

    Refer to these commands:

    set security flow traceoptions file jtac
    set security flow traceoptions flag basic-datapath
    set security flow traceoptions packet-filter pf1 source-prefix 7.7.7.7/32         <<< Use the accurate source IP here
    set security flow traceoptions packet-filter pf1 destination-prefix 8.8.8.8/32    <<< Use the accurate destination IP
    set security flow traceoptions packet-filter pf2 source-prefix 8.8.8.8/32         <<< Response direction; use accurate IPs on both
    set security flow traceoptions packet-filter pf2 destination-prefix 7.7.7.7/32

     

    Cheers

    Pooja 

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

     



  • 5.  RE: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

     
    Posted 04-13-2020 06:51

    Good morning

     

    Following up on this.

     

    Any chance you could provide the flow traces today?

     

    Cheers

    Pooja 

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!



  • 6.  RE: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

    Posted 04-13-2020 09:13
    Hello,
    Sorry, due to the present COVID-19 situation I currently do not have direct access (either SSH or J-Web) to my SRX box, which is on the office premises. During this time I had the configuration file, and I was going through many posts on forums regarding dual-ISP routing solutions to make use of the lockdown period.

    So I thought of getting help from the experts here.

    Can you please clarify one doubt?

    Does the SRX345 support static NAT from 2 ISPs? Or can it just handle the mapping of only one public IP to one private IP?

    If it doesn't support it, I will try NAT by specific port (for outbound traffic); surprisingly, I confirmed that dual-ISP NAT by port works for inbound traffic.

    For example, if I have 2 public IPs, 4.4.4.4 and 5.5.5.5, and I NAT private IP 192.168.3.3 for ports 443 and 80, my website is reachable from both ISPs.



  • 7.  RE: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

     
    Posted 04-13-2020 09:22

    No problem, I understand.

     

    Yes, you can add specific ports into the binding to separate out the two ISPs.

     

    Refer to https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-nat-static.html

    Specifically, refer to the section that reads 'Example: Configuring Static NAT for Port Mapping'.

     

    Hope this helps.

    Cheers

    Pooja

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!



  • 8.  RE: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

     
    Posted 04-17-2020 06:40

    Hi there,

     

    Just curious, are you all set on this?

     

    Cheers

    Pooja 

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!



  • 9.  RE: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

    Posted 04-17-2020 11:25
    No, I will be visiting the office on the 20th of this month due to the lockdown issue; however, I still do not understand why 1-to-1 NAT isn't using the public IP assigned for outbound traffic on ISP2, whereas it's working as expected on the primary ISP1.


  • 10.  RE: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

    Posted 04-17-2020 15:31

    The 1-to-1 NAT rules are exclusive. Once you configure this, it only allows that NAT to occur; by nature you can't have two of them, only one will work.

     

    Thus you have to switch to using separate source and destination rules with narrower matches so that all the scenarios you need will work.

     



  • 11.  RE: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

    Posted 04-17-2020 21:58

    Thank you spuluka,

     

    Can you please elaborate for my case? Do you mean to say I have to make changes like below, by specific port? But I tried this; the below will use the default gateway, that is 1.1.1.1 and 2.2.2.2.

     

    static {
        rule-set Server-ISP1 {
            from zone ISP1;
            rule mta-isp1 {
                match {
                    destination-address 1.1.1.3/32;
                    destination-port 25;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.1.0/32;
                            mapped-port 25;
                        }
                    }
                }
            }
        }
        rule-set Server-ISP2 {
            from zone ISP2;
            rule mta-isp2 {
                match {
                    destination-address 2.2.2.3/32;
                    destination-port 25;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.1.0/32;
                            mapped-port 25;
                        }
                    }
                }
            }
        }
    }

     

     

    Only the first NAT below is working as expected, that is 1.1.1.3, but if ISP1 is down then outbound email goes out from 2.2.2.2 (which is not correct); I expect 2.2.2.3.

     

    static {
        rule-set Server-ISP1 {
            from zone ISP1;
            rule mta-isp1 {
                match {
                    destination-address 1.1.1.3/32;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.1.0/32;
                        }
                    }
                }
            }
        }
        rule-set Server-ISP2 {
            from zone ISP2;
            rule mta-isp2 {
                match {
                    destination-address 2.2.2.3/32;
                }
                then {
                    static-nat {
                        prefix {
                            192.168.1.0/32;
                        }
                    }
                }
            }
        }
    }



  • 12.  RE: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

    Posted 04-19-2020 05:44

    Sorry for the confusion.

     

    What I mean to say is that there are three options under nat:

    1. source
    2. destination
    3. static

    Static is essentially a shortcut where you are mapping both source and destination between two IP addresses at the same time. This can be restricted for security as you are doing. But this is a 1-to-1 mapping as a shortcut.

     

    In your case, if I understand it correctly, you need the mapping to have two versions: one when ISP1 is active and the other when ISP2 is active. Thus you cannot use the shortcut. You have to configure separate rules for all your scenarios under source and destination instead.

     



  • 13.  RE: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.

    Posted 04-19-2020 09:57

    Thank you so much for explaining the truth about 1-to-1 NAT. To be very frank, I really have no idea how to go about it further; can you please give me some code snippet or any example based on my case? I currently have the below config for the ISPs (full detail given in my first post):

     

    rule-set DMZ-to-ISPS {
        from zone DMZ;
        to zone [ ISP2 ISP1 ];
        rule R2 {
            match {
                source-address 0.0.0.0/0;
                destination-address 0.0.0.0/0;
            }
            then {
                source-nat {
                    interface;
                }
            }
        }
    }


  • 14.  RE: SRX 1-1 static NAT on backup ISP routing not working as expected on ISP failover.
    Best Answer

    Posted 05-03-2020 08:57

    Sorry for the delay in response; I've been a little busy here but had some time today to generate the sample config in my lab. What I assume you need here is inbound connections from the internet to your servers based on the IP addresses you have from each provider. This would be the example; just swap out the provider addresses and server address.

     

    security {
        nat {
            destination {
                pool Server1 {
                    address 192.168.1.1/32;
                }
                rule-set Server-ISP1 {
                    from zone ISP1;
                    rule mta-isp1 {
                        match {
                            destination-address 1.1.1.3/32;
                        }
                        then {
                            destination-nat {
                                pool {
                                    Server1;
                                }
                            }
                        }
                    }
                }
                rule-set Server-ISP2 {
                    from zone ISP2;
                    rule mta-isp2 {
                        match {
                            destination-address 2.2.2.3/32;
                        }
                        then {
                            destination-nat {
                                pool {
                                    Server1;
                                }
                            }
                        }
                    }
                }
            }
        }
    }

    And if the IP addresses used for the provider side are NOT your actual interface address, you will need to add proxy-arp to the provider interface.

    set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.3/32
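The outbound half of the split that spuluka describes (the destination NAT above covers inbound), as an added example that is not from the thread or from Juniper: one source NAT rule-set per egress zone, with a narrow rule for the MTA ahead of the interface catch-all, so the MTA leaves as 2.2.2.3 after failover instead of the interface address 2.2.2.2. It reuses the thread's zones, interfaces and addresses; the pool and rule names (MTA-ISP1, MTA-ISP2, MTA-out-*, DMZ-any-*) are assumed, and it assumes the two static rule-sets are removed so their reverse mapping no longer competes. Lines starting with `##` are explanatory comments, not CLI input.

```junos
## Added example (not from the thread). Pool and rule names are assumed; addresses and zones are the thread's.
## Remove the 1-to-1 static rule-sets and the combined DMZ rule-set they conflict with.
delete security nat static
delete security nat source rule-set DMZ-to-ISPS

## One source pool per provider, holding the address published in SPF.
set security nat source pool MTA-ISP1 address 1.1.1.3/32
set security nat source pool MTA-ISP2 address 2.2.2.3/32

## DMZ -> ISP1: rules in a rule-set are evaluated in order, so the MTA rule comes first.
set security nat source rule-set DMZ-to-ISP1 from zone DMZ
set security nat source rule-set DMZ-to-ISP1 to zone ISP1
set security nat source rule-set DMZ-to-ISP1 rule MTA-out-isp1 match source-address 192.168.1.0/32
set security nat source rule-set DMZ-to-ISP1 rule MTA-out-isp1 then source-nat pool MTA-ISP1
set security nat source rule-set DMZ-to-ISP1 rule DMZ-any-isp1 match source-address 0.0.0.0/0
set security nat source rule-set DMZ-to-ISP1 rule DMZ-any-isp1 then source-nat interface

## DMZ -> ISP2: same shape; after failover the egress zone changes, so this rule-set is the one that matches.
set security nat source rule-set DMZ-to-ISP2 from zone DMZ
set security nat source rule-set DMZ-to-ISP2 to zone ISP2
set security nat source rule-set DMZ-to-ISP2 rule MTA-out-isp2 match source-address 192.168.1.0/32
set security nat source rule-set DMZ-to-ISP2 rule MTA-out-isp2 then source-nat pool MTA-ISP2
set security nat source rule-set DMZ-to-ISP2 rule DMZ-any-isp2 match source-address 0.0.0.0/0
set security nat source rule-set DMZ-to-ISP2 rule DMZ-any-isp2 then source-nat interface

## The pool addresses are not interface addresses, so the SRX must answer ARP for them (same as the thread's proxy-arp).
set security nat proxy-arp interface ge-0/0/5.0 address 1.1.1.3/32
set security nat proxy-arp interface ge-0/0/0.0 address 2.2.2.3/32

## After commit, from operational mode: confirm which source rule each direction hits.
## run show security nat source rule all
## run show security flow session source-prefix 192.168.1.0/32
```

The rule counters in `show security nat source rule all` should increment on MTA-out-isp1 while ISP1 is up and on MTA-out-isp2 after failover; if DMZ-any-isp2 increments instead, the MTA rule is not being matched first.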