SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Customer has DNAT Problem SRX 240

    Posted 07-10-2012 10:17

    Hi guys,

    Our customer has an SRX240 firewall and I have implemented two internet links (from different ISPs).

    The default gateway is link 1, but on link 2 I have destination NAT pointing to a specific server. When the packet comes back, it doesn't respect the DNAT table and goes out through link 1 (the default gateway).
    Please, I need to know if this is the correct behavior, or if it should go back out the link it came in on (link 2).

    Could you explain what is the correct packet data flow inside the appliance?

    Anyone experienced this before?

    Regards,



  • 2.  RE: Customer has DNAT Problem SRX 240

    Posted 07-10-2012 10:51
    Are both of the WAN links connected to the SRX? Are you using DSL or Ethernet? Is the SRX acting as the gateway for the LAN and the server?

    The best way is to have the SRX do all NAT and act as the router for both WAN links.

    The problem you have is called asymmetric routing.


  • 3.  RE: Customer has DNAT Problem SRX 240

    Posted 07-10-2012 13:39

    Hi

    In response to your question,

    I need to know if this is the correct behavior, or if it should go back out the link it came in on (link 2).

    It is the expected default behavior. When the session is set up, the SRX checks the route back to the source using the routing table of the routing instance the packet arrived in. In your case, if both ISPs are in the main (master) instance, the reverse route will point to link 1 and traffic will not flow correctly.

    You can try to put link 2 in a separate routing instance (type virtual-router) with its own default route. In this case it will work, but you will likely need some means of connecting this vrouter to the main one. This can be achieved with an lt (local tunnel) interface or RIB groups, but the config is going to be rather complicated.



  • 4.  RE: Customer has DNAT Problem SRX 240

    Posted 07-18-2012 13:59

    Pk,

    We have a problem: in the official Juniper course, I read that in the SRX processing method the routing process takes priority over the destination NAT rules.

    I want to understand how I can use a routing instance in this case. I only want the packet to respect the flow through one external interface, for example:

    It came in via WAN port 1 to port 8080. The packet is then processed by the SRX DNAT rules, redirected to the DMZ network and then returned the same way to the IP address that originated the connection.

     

    Regards,



  • 5.  RE: Customer has DNAT Problem SRX 240

    Posted 07-19-2012 14:47

    Hi,

     

    I usually use a routing instance (virtual-router) for the second ISP link, not the first one, which has the default route. I will give you a configuration example; you could try it and tell me whether the result is as expected.

     

    routing-instances {
        DMZ {
            instance-type virtual-router;
            interface ge-1/0/0.0;  ------> your second ISP link
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop X.X.X.X;   ------------> your second ISP next-hop
                    route Y.Y.Y.Y/Y next-hop z.z.z.z;  -------------> reverse route to your LAN to be included in VR table
                }
            }
        }
    }

     

    firewall {
        filter DMZ {
            term 1 {
                from {
                    source-address {
                         A.A.A.A/32;   -----------> your server IP address
                    }
                }
                then {
                    routing-instance DMZ;
                }
            }
            term 2 {
                then accept;
            }
        }
    }

     

    routing-options {
        interface-routes {
            rib-group inet DMZ;
        }
        rib-groups {
            DMZ {
                import-rib [ inet.0 DMZ.inet.0 ];
            }
        }
    }

     

    interfaces {
        reth1 {
            description "LAN interface";

            vlan-tagging;
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 1 {
                vlan-id 1;
                family inet {
                    filter {
                        input DMZ;
                    }
                    address z.z.z.y;
                }
            }
        }
    }

     

    Regards,

     

    Mohamed Elhariry

     

    JNCIE-M/T # 1059, CCNP & CCIP

     




  • 6.  RE: Customer has DNAT Problem SRX 240
    Best Answer

    Posted 07-20-2012 07:50

    Hi

     

    mhariry is right, you should put your 2nd uplink in a routing instance. Regarding

    In official Juniper Course, i've read that in processing method of Juniper SRX takes as priority the routing process before the destination nat rules.

    actually, D-NAT is processed before the route lookup. If you point me to the particular page/phrase in the courseware then I may be able to clarify.

     

    Here is an example config

     

    lab@srxB-1# show interfaces 
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 1.3.1.2/24;   <--- 1st uplink
            }
        }
    }
    ge-0/0/4 {
        vlan-tagging;
        unit 103 {
            vlan-id 103;
            family inet {
                address 172.20.103.1/24;   <--- LAN addresses
            }
        }
        unit 243 {
            vlan-id 243;
            family inet {
                address 4.3.2.2/24;   <--- 2nd uplink
            }
        }
    }
    
    lab@srxB-1# show routing-options 
    static {
        route 0.0.0.0/0 next-hop 1.3.1.1;   <--- route to 1st ISP
    }
    
    
    [edit]
    lab@srxB-1# show routing-instances 
    vr {
        instance-type virtual-router;
        interface ge-0/0/4.243;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 4.3.2.1;     <--- route to 2nd ISP
                route 172.20.103.0/24 next-table inet.0;   <--- route from vr to local LAN
            }
        }
    }
    
    
    lab@srxB-1# show security nat 
    destination {
        pool internal-80 {
            address 172.20.103.10/32 port 80;
        }
        rule-set isp2 {
            from interface ge-0/0/4.243;
            rule 20 {
                match {
                    destination-address 4.3.2.2/32;    <-- D-NAT from address assigned by 2nd ISP
                    destination-port 8080;
                }
                then {
                    destination-nat pool internal-80;
                }
            }
        }
    }

     

    Also, zone and policy config should be done as usual.

     

    Here is how the D-NAT session looks:

     

    Session ID: 690, Policy name: default-policy/2, Timeout: 1794, Valid
      In: 1.4.1.2/54708 --> 4.3.2.2/8080;tcp, If: ge-0/0/4.243, Pkts: 8, Bytes: 571
      Out: 172.20.103.10/80 --> 1.4.1.2/54708;tcp, If: ge-0/0/4.103, Pkts: 7, Bytes: 538
    Total sessions: 2

     

    The session is routed back out the correct interface (ISP2), as needed.

     



  • 7.  RE: Customer has DNAT Problem SRX 240

    Posted 07-31-2012 20:03

    Hi Pk and guys,

     

    Thank you for your help!

    I did this configuration on my test firewall and the destination NAT worked!!

     

    Regards,

     

     



  • 8.  RE: Customer has DNAT Problem SRX 240

    Posted 08-16-2012 11:20

    Hi people,

     

    In my configuration I have one problem.

    I also have static routes in inet.0 that point to the 2nd ISP.

    For example:

    route 184.44.110.202/32 next-hop 200.159.16.25;  (2nd ISP)
    route 200.147.67.142/32 next-hop 200.159.16.25;  (2nd ISP)
    route 0.0.0.0/0 next-hop 192.168.100.1;  (1st ISP)

    The traffic does not follow the static route; it passes through the 1st ISP.

    When I deactivate the routing instance, the flow is correct and passes through the 2nd ISP.

     

    Thanks,
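The flow the thread describes (destination NAT first, then a forward route lookup, then a reverse route lookup toward the source in the routing instance of the ingress interface, as replies 3 and 6 explain) can be modelled in a few lines of Python. The block below is an added example and not part of the thread or of Junos; it reuses the interface names and addresses from the best answer's example config and the client address 1.4.1.2 from its session output, and it goes one step beyond the thread: the third scenario shows a mechanism that produces the symptom in the last post, a static route left in inet.0 whose gateway now lives on an interface in the virtual router. In Junos a static route via a gateway is only active if the gateway is covered by a direct route in the same table, so after the ISP2 interface moves into vr that static becomes hidden in inet.0 and the default via ISP1 wins. Whether that is the last poster's actual cause is not stated on the page; the prefix 203.0.113.0/24 used for that scenario is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IP = ipaddress.IPv4Address

@dataclass
class Route:
    prefix: str
    interface: Optional[str] = None   # direct route: traffic leaves on this interface
    next_hop: Optional[str] = None    # static route via a gateway address
    next_table: Optional[str] = None  # static route that hands the lookup to another RIB

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.prefix)

class RIB:
    """One routing table (inet.0 or <instance>.inet.0) with longest-prefix match."""
    def __init__(self, routes: List[Route]):
        self.routes = sorted(routes, key=lambda r: r.net.prefixlen, reverse=True)

    def _direct(self, ip: IP) -> Optional[str]:
        return next((r.interface for r in self.routes if r.interface and ip in r.net), None)

    def lookup(self, ip: IP, tables: Dict[str, "RIB"]) -> Optional[str]:
        """Return the egress interface for ip, or None if nothing usable matches."""
        for r in self.routes:
            if ip not in r.net:
                continue
            if r.interface:
                return r.interface
            if r.next_table:
                return tables[r.next_table].lookup(ip, tables)
            # A static route via a gateway is active only if the gateway is covered
            # by a direct route in THIS table; otherwise Junos keeps it hidden and
            # the next-longest match (usually the default route) is used instead.
            egress = self._direct(IP(r.next_hop))
            if egress:
                return egress
        return None

@dataclass
class Session:
    in_if: str
    out_if: Optional[str]
    reverse_if: Optional[str]  # interface the server's replies will leave on
    translated_dst: str
    symmetric: bool            # replies leave where the request arrived

# A DNAT rule is (rule-set 'from interface', match dst, match port, pool addr, pool port).
def first_packet(src, dst, dport, in_if, tables, if_instance, rules) -> Session:
    rib = tables[if_instance[in_if]]              # RIB owning the ingress interface
    for from_if, m_dst, m_port, p_addr, p_port in rules:   # 1. DNAT before routing
        if (from_if, m_dst, m_port) == (in_if, dst, dport):
            dst, dport = p_addr, p_port
            break
    out_if = rib.lookup(IP(dst), tables)          # 2. forward lookup on translated dst
    reverse_if = rib.lookup(IP(src), tables)      # 3. reverse lookup toward the source
    return Session(in_if, out_if, reverse_if, dst, reverse_if == in_if)

# Interfaces and addresses follow the thread's example config; the client
# address is the one shown in its session output.
ISP1, LAN, ISP2 = "ge-0/0/3.0", "ge-0/0/4.103", "ge-0/0/4.243"
DNAT = [(ISP2, "4.3.2.2", 8080, "172.20.103.10", 80)]
CLIENT = "1.4.1.2"

def both_uplinks_in_inet0() -> Session:
    """Original setup: every interface in inet.0 and one default route via ISP1."""
    inet0 = RIB([Route("1.3.1.0/24", interface=ISP1), Route("4.3.2.0/24", interface=ISP2),
                 Route("172.20.103.0/24", interface=LAN), Route("0.0.0.0/0", next_hop="1.3.1.1")])
    return first_packet(CLIENT, "4.3.2.2", 8080, ISP2, {"inet.0": inet0},
                        {ISP1: "inet.0", LAN: "inet.0", ISP2: "inet.0"}, DNAT)

def split_tables(extra_inet0=()) -> Dict[str, RIB]:
    """The thread's fix: inet.0 keeps ISP1 and the LAN; vr gets ISP2, its own
    default route and a next-table route back to the LAN."""
    return {
        "inet.0": RIB([Route("1.3.1.0/24", interface=ISP1),
                       Route("172.20.103.0/24", interface=LAN), *extra_inet0,
                       Route("0.0.0.0/0", next_hop="1.3.1.1")]),
        "vr.inet.0": RIB([Route("4.3.2.0/24", interface=ISP2),
                          Route("0.0.0.0/0", next_hop="4.3.2.1"),
                          Route("172.20.103.0/24", next_table="inet.0")])}

def isp2_in_virtual_router() -> Session:
    return first_packet(CLIENT, "4.3.2.2", 8080, ISP2, split_tables(),
                        {ISP1: "inet.0", LAN: "inet.0", ISP2: "vr.inet.0"}, DNAT)

def static_via_isp2_left_in_inet0() -> Optional[str]:
    """Constructed prefix 203.0.113.0/24 given a static route via the ISP2 gateway
    in inet.0 after ISP2's interface moved into vr: 4.3.2.1 is no longer directly
    reachable from inet.0, so that static is hidden and the default via ISP1 wins."""
    tables = split_tables([Route("203.0.113.0/24", next_hop="4.3.2.1")])
    return tables["inet.0"].lookup(IP("203.0.113.5"), tables)

if __name__ == "__main__":
    for s in (both_uplinks_in_inet0(), isp2_in_virtual_router()):
        print(f"in {s.in_if} -> out {s.out_if}, replies via {s.reverse_if}, symmetric={s.symmetric}")
    print("LAN host -> 203.0.113.5 via static left in inet.0:", static_via_isp2_left_in_inet0())
```

With both uplinks in inet.0 the DNAT still translates 4.3.2.2:8080 to the server, but the reverse lookup for the client lands on the default via ISP1, which is the asymmetric return the original poster saw. With ISP2 in its own virtual router the reverse lookup runs in vr.inet.0 and resolves to ge-0/0/4.243, matching the Out wing of the session shown in the best answer. The model deliberately has no rib-group leaking; if the ISP2 interface route were leaked into inet.0 (as in reply 5's rib-group), the static in the third scenario would resolve and become active again.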