[j-nsp] Policy based routing on SRX 210

Brandon Ross bross at pobox.com
Thu Sep 30 09:54:02 EDT 2010


This config is doing exactly what you configured it to do.  That's how 
computers work.  Did you want it to do something else?  If so, you might 
want to tell us what you think it should be doing that it isn't: which 
source hosts should leave via which uplink, and what "show route table 
pbr_fe-0/0/6_adsl.inet.0" and "show security flow session" show instead.

A few things in the paste already don't match the apparent intent, so 
check these before anything else: the pbr_fe-0/0/5_static default route 
points at 10.10.10.2, which is the SRX's own fe-0/0/5 address rather than 
the upstream 10.10.10.1; the pbr_fe-0/0/6_adsl route is 0.0.0.0/24 rather 
than 0.0.0.0/0, and its qualified-next-hop 192.168.1.1 is not on the 
192.168.254.0/24 ADSL link (the main-table default uses 192.168.254.1); 
the rib-group lists inet.0 last, whereas the first table in import-rib is 
treated as the primary, so inet.0 normally goes first -- worth checking 
against the docs for your release; and nothing shown applies 
"filter { input trust-adsl; }" under ge-0/0/0.0 family inet, so unless that 
line was simply trimmed from the paste, the PBR terms never run at all.

Separately, fe-0/0/5.0 is your Internet-facing interface and its 
host-inbound-traffic allows telnet (plus ssh/https, and the untrust zone 
permits "protocols all"); tighten that to what you actually need from the 
outside before worrying about the PBR question.

On Thu, 30 Sep 2010, Bikash Bhattarai wrote:

> Dear all,
>
>
>
> My PBR configuration is below. I have configured everything as suggested in
> Juniper's documentation, but it is not working as desired. Please help me
> sort out the issue.
>
>
>
>
>
>    ge-0/0/0 {
>
>        unit 0 {
>
>            description HO-LAN;
>
>            family inet {
>
>                address 10.139.1.1/24;
>
>
>
>
>
>
>
>    fe-0/0/5 {
>
>        unit 0 {
>
>            description SUBISU-INTERNET;
>
>            family inet {
>
>                address 10.10.10.2/29;
>
>
>
>
>
>    fe-0/0/6 {
>
>        unit 0 {
>
>            description ADSL;
>
>            family inet {
>
>                address 192.168.254.2/24;
>
>
>
>
>
>
>
>
>
> routing-options {
>
>    interface-routes {
>
>        rib-group inet IMPORT-PHY;
>
>    }
>
>    static {
>
>        route 0.0.0.0/0 {
>
>            next-hop [ 10.10.10.1 1 192.168.254.1 ];
>
>            metric 5;
>
>
>
>    }
>
>    rib-groups {
>
>        IMPORT-PHY {
>
>            import-rib [ pbr_fe-0/0/5_static.inet.0 pbr_fe-0/0/6_adsl.inet.0
> inet.0 ];
>
>
>
>    nat {
>
>        source {
>
>            rule-set trust-to-untrust {
>
>                from zone trust;
>
>                to zone untrust;
>
>                rule source-nat-rule {
>
>                    match {
>
>                        source-address 0.0.0.0/0;
>
>                    }
>
>                    then {
>
>                        source-nat {
>
>                            interface;
>
>
>
>
>
>            rule-set TRUST-TO-WIFI-NAT {
>
>                from zone trust;
>
>                to zone WIFI-ZONE;
>
>                rule wifi-nat {
>
>                    match {
>
>                        source-address 10.139.1.0/24;
>
>                        destination-address 0.0.0.0/0;
>
>                    }
>
>                    then {
>
>                        source-nat {
>
>                            interface;
>
>
>
>
>
>
>
>
>
>    zones {
>
>        security-zone trust {
>
>            address-book {
>
>                address HO-LAN 10.139.1.0/24;
>
>
>
>            }
>
>            host-inbound-traffic {
>
>                system-services {
>
>                    all;
>
>                }
>
>                protocols {
>
>                   all;
>
>                }
>
>            }
>
>            interfaces {
>
>                vlan.0 {
>
>                    host-inbound-traffic {
>
>                        system-services {
>
>                            https;
>
>                            ping;
>
>                            ssh;
>
>                            all;
>
>                        }
>
>                    }
>
>                }
>
>                ge-0/0/0.0 {
>
>                    host-inbound-traffic {
>
>                        system-services {
>
>                            https;
>
>                            ping;
>
>                            ssh;
>
>                            all;
>
>                        }
>
>                    }
>
>                }
>
>            }
>
>        }
>
>        security-zone untrust {
>
>            host-inbound-traffic {
>
>                system-services {
>
>                    https;
>
>                    ping;
>
>                    ssh;
>
>                    telnet;
>
>                }
>
>                protocols {
>
>                    all;
>
>                }
>
>            }
>
>            interfaces {
>
>                fe-0/0/5.0 {
>
>                    host-inbound-traffic {
>
>                        system-services {
>
>                            ping;
>
>                            https;
>
>                            ssh;
>
>                            telnet;
>
>                            ike;
>
>
>
>
>
>
>
>        security-zone WIFI-ZONE {
>
>            interfaces {
>
>                fe-0/0/6.0 {
>
>                    host-inbound-traffic {
>
>                        system-services {
>
>                            ping;
>
>
>
>
>
>    policies {
>
>        from-zone trust to-zone untrust {
>
>            policy trust-to-untrust {
>
>                match {
>
>                    source-address any;
>
>                    destination-address any;
>
>                    application any;
>
>                }
>
>                then {
>
>                    permit;
>
>                }
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>        from-zone trust to-zone WIFI-ZONE {
>
>            policy TRUST-TO-WIFI {
>
>                match {
>
>                    source-address HO-LAN;
>
>                    destination-address any;
>
>                    application any;
>
>                }
>
>                then {
>
>                    permit;
>
>
>
>
>
>
>
>
>
>
>
>
>
> }
>
> firewall {
>
>    filter trust-adsl {
>
>        term TERM1 {
>
>            from {
>
>                source-address {
>
>                    10.139.1.167/32;
>
>                }
>
>            }
>
>            then {
>
>                routing-instance pbr_fe-0/0/6_adsl;
>
>            }
>
>        }
>
>        term TERM2 {
>
>            then {
>
>                routing-instance pbr_fe-0/0/5_static;
>
>            }
>
>        }
>
>    }
>
> }
>
> routing-instances {
>
>    pbr_fe-0/0/5_static {
>
>        instance-type forwarding;
>
>        routing-options {
>
>            static {
>
>                route 0.0.0.0/0 {
>
>                    next-hop 10.10.10.2;
>
>                    qualified-next-hop 192.168.254.1;
>
>                    metric 100;
>
>                }
>
>            }
>
>        }
>
>    }
>
>    pbr_fe-0/0/6_adsl {
>
>        instance-type forwarding;
>
>        routing-options {
>
>            static {
>
>                route 0.0.0.0/24 {
>
>                    qualified-next-hop 192.168.1.1;
>
>                    qualified-next-hop 10.10.10.1 {
>
>                        metric 100;
>
>
>
>
>
> Regards,
>
> Bikash Bhattarai
>
> Technical Manager
>
> Dristi Tech Pvt. Ltd.
>
> skype: bkbhattarai
>
> mob:+977-9851039710
>
>
>
>

-- 
Brandon Ross                                              AIM:  BrandonNRoss
                                                                ICQ:  2269442
                                    Skype:  brandonross  Yahoo:  BrandonNRoss

