[j-nsp] SRX FBR and destination nat (Yuriy B. Borysov)

Sinisa Pesa sinisa.pesa at bluecentral.com
Thu Jun 26 20:46:52 EDT 2014


Hi Yuriy,

Assuming you have 2 links with SAME ISP and your ISP is doing BGP for you, the only way this would work is if your ISP is also forwarding 10.121.0.101/32 through your secondary link.


Best Regards

Sinisa Pesa | Senior Network and Security Specialist
www.bluecentral.com | an IPMG company




------------------------------

Message: 2
Date: Thu, 26 Jun 2014 16:39:06 +0300
From: "Yuriy B. Borysov" <yokodzun at yokodzun.kiev.ua>
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] SRX FBR and destination nat
Message-ID: <20140626133906.GA79740 at itsinternet.net>
Content-Type: text/plain; charset=us-ascii

Hello!

I have two connections to the ISP on SRX220H (12.1X45-D15.5).

ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0)
ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1)

Default gateway points to pp0.1

I need to do destination NAT to a LAN host (10.121.0.101) via the non-default ISP1 (int pp0.0).

First of all, configure FBR for the LAN network via pp0.0:

routing-options
interface-routes {
    rib-group inet all;
}

.....

rib-groups {
    all {
        import-rib [ inet.0 cat.inet.0 ];
    }
}

.....

cat {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop pp0.0;
        }
    }
}

......

firewall family inet filter cat
term route-to-cat {
    from {
        source-address {
            10.121.0.0/24;
        }
    }
    then {
        routing-instance cat;
    }
}
term default {
    then accept;
}

.....

interfaces ge-0/0/0.99
description cctv;
vlan-id 99;
family inet {
    mtu 1500;
    filter {
        input cat;
    }
    address 10.121.0.200/24;
}

.....

security policies from-zone cctv to-zone untrust policy proxmox-inet {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

security policies from-zone untrust to-zone cctv
policy cctv-access {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}


Everything looks OK, outgoing traffic goes via pp0.0.

After that, configure destination NAT:

pool cctv-rdr {
    address 10.121.0.101/32;
}

rule-set cctv-rdr {
    from interface pp0.0;
    rule cctv-rdr {
        match {
            destination-address 1.1.1.2/32;
        }
        then {
            destination-nat {
                pool {
                    cctv-rdr;
                }
            }
        }
    }
}


Traffic comes through pp0.0 but returns through pp0.1. That breaks the port forward (due to uplink uRPF).

Where am I wrong in my configuration?

Thanks!


--
WBR, Yuriy B. Borysov
YOKO-UANIC | YOKO-RIPE
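Added example, not from Yuriy's post or from Junos: a small Python model of the route lookups behind the configuration above, with the two tables, the FBR filter and the NAT rule taken from the post. The client address 198.51.100.7 and the `reverse_table` parameter are assumptions; the parameter lets you force the reply lookup into inet.0 to reproduce the reported asymmetry and see which table each direction consults.

```python
import ipaddress

# Tables from the post: connected (interface) routes live in inet.0 and are
# copied into cat.inet.0 by rib-group "all", which adds its own default via pp0.0.
INTERFACE_ROUTES = {"10.121.0.0/24": "ge-0/0/0.99"}
TABLES = {
    "inet.0": {**INTERFACE_ROUTES, "0.0.0.0/0": "pp0.1"},
    "cat.inet.0": {**INTERFACE_ROUTES, "0.0.0.0/0": "pp0.0"},
}
# Filter "cat" on ge-0/0/0.99 steers LAN sources into cat.inet.0.
FBR_SOURCES = [("10.121.0.0/24", "cat.inet.0")]
DNAT_RULE = {"from": "pp0.0", "destination": "1.1.1.2", "pool": "10.121.0.101"}

def lookup(table, dst):
    """Longest-prefix match of dst in the named table; returns the egress interface."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in TABLES[table].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def select_table(ingress, src):
    """Filter-based forwarding: only the LAN interface carries filter 'cat'."""
    if ingress == "ge-0/0/0.99":
        for prefix, table in FBR_SOURCES:
            if ipaddress.ip_address(src) in ipaddress.ip_network(prefix):
                return table
    return "inet.0"

def translate(ingress, dst):
    """rule-set cctv-rdr: public 1.1.1.2 arriving on pp0.0 is rewritten to the pool."""
    if ingress == DNAT_RULE["from"] and dst == DNAT_RULE["destination"]:
        return DNAT_RULE["pool"]
    return dst

def dnat_session(ingress, client, dst, reverse_table=None):
    """Forward packet from client enters on `ingress` for `dst`; the reply is routed via
    the table FBR picks on the LAN interface unless `reverse_table` (hypothetical knob)
    forces another one. Returns (forward egress, reply egress, reply leaves via ingress)."""
    target = translate(ingress, dst)
    fwd_egress = lookup(select_table(ingress, client), target)
    table = reverse_table or select_table(fwd_egress, target)
    reply_egress = lookup(table, client)
    return fwd_egress, reply_egress, reply_egress == ingress

if __name__ == "__main__":
    # 198.51.100.7 is a constructed Internet client (RFC 5737 documentation range).
    print(dnat_session("pp0.0", "198.51.100.7", "1.1.1.2"))
    print(dnat_session("pp0.0", "198.51.100.7", "1.1.1.2", "inet.0"))
```

With the reply looked up in cat.inet.0 the session is symmetric (both directions on pp0.0); with the reply looked up in inet.0 it leaves via pp0.1 with source 1.1.1.2, which is exactly what an ISP uRPF check on the second link rejects.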


------------------------------

------------------------------

End of juniper-nsp Digest, Vol 139, Issue 21
********************************************

