[j-nsp] SRX FBR and destination nat
Yuriy B. Borysov
yokodzun at yokodzun.kiev.ua
Thu Jun 26 09:39:06 EDT 2014
Hello!
I have two connections to ISPs on an SRX220H (12.1X45-D15.5).
ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0)
ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1)
The default gateway points to pp0.1.
I need to do destination NAT to a host in the LAN (PC 10.121.0.101) via the
non-default ISP1 (int pp0.0).
First of all, configure FBR for the LAN network via pp0.0:
routing-options
    interface-routes {
        rib-group inet all;
    }
.....
    rib-groups {
        all {
            import-rib [ inet.0 cat.inet.0 ];
        }
.....
cat {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop pp0.0;
        }
    }
}
......
firewall family inet filter cat
    term route-to-cat {
        from {
            source-address {
                10.121.0.0/24;
            }
        }
        then {
            routing-instance cat;
        }
    }
    term default {
        then accept;
    }
.....
interfaces ge-0/0/0.99
    description cctv;
    vlan-id 99;
    family inet {
        mtu 1500;
        filter {
            input cat;
        }
        address 10.121.0.200/24;
    }
.....
security policies from-zone cctv to-zone untrust
    policy proxmox-inet {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
security policies from-zone untrust to-zone cctv
    policy cctv-access {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }
Everything looks OK; outgoing traffic goes via pp0.0.
After that, configure destination NAT:
pool cctv-rdr {
    address 10.121.0.101/32;
}
rule-set cctv-rdr {
    from interface pp0.0;
    rule cctv-rdr {
        match {
            destination-address 1.1.1.2/32;
        }
        then {
            destination-nat {
                pool {
                    cctv-rdr;
                }
            }
        }
    }
}
Traffic comes in through pp0.0 but returns through pp0.1.
That breaks the port forward (due to uplink uRPF).
Where am I wrong in my configuration?
Thanks!
--
WBR, Yuriy B. Borysov
YOKO-UANIC | YOKO-RIPE
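A set of Junos operational-mode checks that narrow down where the return path of the NATed session is being chosen, added here as an editorial example and not part of the original post. The client address 203.0.113.10 is a constructed placeholder for a remote host on the Internet; all other names (cat, cctv-rdr, pp0.0, pp0.1, 10.121.0.101) are taken from the configuration above.

```junos
# Added example: op-mode commands to trace the forward and return path.
# 203.0.113.10 is a constructed placeholder for the remote client.

# 1. Does the forwarding instance hold a usable default route via pp0.0,
#    and does it resolve the remote client through it?
show route table cat.inet.0
show route 203.0.113.10 table cat.inet.0

# 2. What does the default table resolve the same client to?
#    (Expected: the 0.0.0.0/0 via pp0.1, i.e. the path the return traffic took.)
show route 203.0.113.10 table inet.0

# 3. Are the destination NAT rule and pool being hit (translation hit counters)?
show security nat destination rule all
show security nat destination pool all

# 4. Which interfaces is the flow session bound to in each direction?
#    Compare the "If:" field on both wings of the session to 10.121.0.101.
show security flow session destination-prefix 10.121.0.101
show security flow session interface pp0.0
show security flow session interface pp0.1

# 5. Is the FBF filter seeing the LAN host's return packets at all?
#    The filter as posted has no counter, so this shows no hits until a
#    "count" action is added next to "routing-instance cat" in term route-to-cat.
show firewall filter cat
```

If step 4 shows the reverse wing of the session tied to pp0.1 while step 2 shows inet.0 resolving the client through pp0.1, the return path is being taken from the default table rather than from cat.inet.0, which is consistent with the symptom described above and with the uRPF drop on the ISP1 uplink.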