[j-nsp] SRX FBR and destination nat
Ben Dale
bdale at comlinx.com.au
Thu Jun 26 19:59:54 EDT 2014
Hi Yuriy,
This exact configuration is documented quite thoroughly in Recipe 12 in the Day One: Juniper Ambassadors' Cookbook for Enterprise found here:
http://www.juniper.net/us/en/community/junos/training-certification/day-one/networking-technologies-series/cookbook-for-enterprise/
Credit for this particular one (and the 5 different solutions provided!) goes to Peter Klimai!
Cheers,
Ben
On 26 Jun 2014, at 11:39 pm, Yuriy B. Borysov <yokodzun at yokodzun.kiev.ua> wrote:
> Hello!
>
> I have two connections to the ISP on SRX220H (12.1X45-D15.5).
>
> ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0)
> ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1)
>
> Default gateway looks in to pp0.1
>
> I need to do destination NAT to a host in the LAN (PC 10.121.0.101) via the non-default ISP1 (int pp0.0).
>
> First of all, configure FBR for LAN network via pp0.0:
>
> routing-options
>     interface-routes {
>         rib-group inet all;
>     }
>
> .....
>
>     rib-groups {
>         all {
>             import-rib [ inet.0 cat.inet.0 ];
>         }
>
> .....
>
> cat {
>     instance-type forwarding;
>     routing-options {
>         static {
>             route 0.0.0.0/0 next-hop pp0.0;
>         }
>     }
> }
>
> ......
>
> firewall family inet filter cat
>     term route-to-cat {
>         from {
>             source-address {
>                 10.121.0.0/24;
>             }
>         }
>         then {
>             routing-instance cat;
>         }
>     }
>     term default {
>         then accept;
>     }
>
> .....
>
> interfaces ge-0/0/0.99
>     description cctv;
>     vlan-id 99;
>     family inet {
>         mtu 1500;
>         filter {
>             input cat;
>         }
>         address 10.121.0.200/24;
>     }
>
> .....
>
> security policies from-zone cctv to-zone untrust
>     policy proxmox-inet {
>         match {
>             source-address any;
>             destination-address any;
>             application any;
>         }
>         then {
>             permit;
>         }
>     }
>
> security policies from-zone untrust to-zone cctv
>     policy cctv-access {
>         match {
>             source-address any;
>             destination-address any;
>             application any;
>         }
>         then {
>             permit;
>         }
>     }
>
>
> Everything looks OK, outgoing traffic goes via pp0.0.
>
> After that, configure destination NAT:
>
> pool cctv-rdr {
>     address 10.121.0.101/32;
> }
>
> rule-set cctv-rdr {
>     from interface pp0.0;
>     rule cctv-rdr {
>         match {
>             destination-address 1.1.1.2/32;
>         }
>         then {
>             destination-nat {
>                 pool {
>                     cctv-rdr;
>                 }
>             }
>         }
>     }
> }
>
>
> Traffic comes in through pp0.0 but returns through pp0.1.
> That breaks the port forward (due to uplink uRPF).
>
> Where am I wrong in my configuration?
>
> Thanks!
>
>
> --
> WBR, Yuriy B. Borysov
> YOKO-UANIC | YOKO-RIPE
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp