SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dual ISP failover, one ISP routed to loopback

    Posted 08-09-2015 10:29

    Hello all,

    I have an SRX210 and 2 ISPs.  Here is my scenario:

    ISP 1 gives me a single static IP on fe-0/0/7 in subnet A.  This is a single IP that exists on that interface.

    ISP 2 gives me a static IP on fe-0/0/6 in subnet B.  Same as above, a single IP that exists directly on that interface.

    ISP 1 then routes me a subnet C which comes to my router on lo0, which is a /28.  I use these IPs for my primary outbound traffic, inbound services, etc.  I have policies to direct particular devices within my network to set the outbound IP as one of the addresses within subnet C, including my general access.  Example would be general access uses 1.1.1.1, server 1 uses 1.1.1.2, server 2 uses 1.1.1.3, etc.  This allows SSL to work right on inbound traffic, outbound to look like it's the right IP, etc.  It also allows me to set up rules at my clients' sites to allow only 1.1.1.1 to access their network, and I can get in when I need to.

    What I'd like to do is have the ability to fail over to ISP 2 in the case of ISP 1 failure, for outbound traffic.  I know inbound won't work as I'm working with bottom-tier ISPs who don't offer BGP.

    The problem is that since I set my outbound IP directly through a policy, how do I get an entire new policy structure to take effect when ISP 1 is having issues?  I have read several articles about how to do dual ISP with failover, but they don't take into account loopback/routed interfaces.

    Attached is a small snippet of code that shows how it's set up for the outbound.  If I remove the address off the outbound then all my outbound requests show to the interwebs as the ISP 1 static (2.2.2.2).  The way it is, I can direct the IP that external servers/services see.

    Thanks!

    Sean Garland

    Garland Tech

    Attachment(s)

    gt210forum1.txt (txt, 1 KB)

  • 2.  RE: Dual ISP failover, one ISP routed to loopback

     
    Posted 08-09-2015 21:22

    Hi Sean,

    Looks like you might need to use rpm/ip-monitoring to detect and trigger failover. See:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB25052&smlogin=true

    Also separate NAT rule-sets so when the default route changes the correct ISP NAT policy is applied.

    Tim



  • 3.  RE: Dual ISP failover, one ISP routed to loopback

    Posted 08-18-2015 13:10

    Hello Tim,

    I have read that article that you have linked, which is fine and good, but it's the separation of the NAT rule-sets that I don't understand.  How do I tie a particular gateway/action from the rpm/ip-monitoring to a particular rule-set?  I think that is exactly what I need to do.

    Basically have it use "set 1" normally but when in failure mode, use "set 2", which will look like a normal NAT config on a much simpler ISP setup and thereby appear as my second ISP network, and work correctly.

    Thanks for your help!

    Sean



  • 4.  RE: Dual ISP failover, one ISP routed to loopback
    Best Answer

     
    Posted 08-18-2015 13:41

    Hi Sean,

    My understanding is that you will need two rule-sets to define the source NATs, one for each ISP. With regards to the rule-sets, there is an order of operation to allow for different from/to criteria to trigger the rule.

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB15758&smlogin=true

    Option 1 - Both ISPs are in the same zone but one rule-set uses 'to interface'

    security {
        nat {
            source {
                rule-set isp1 {
                    from zone inside;
                    to interface ge-0/0/0;
                    rule nat-isp1 {
                        match {
                            source-address [ 192.168.2.0/24 192.168.3.0/24 ];
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set isp2 {
                    from zone inside;
                    to zone internet;
                    rule nat-isp2 {
                        match {
                            source-address [ 192.168.2.0/24 192.168.3.0/24 ];
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
    }

    So under normal operation the static route is pointing out ge-0/0/0, so the first rule will take precedence over the second. When the route is changed to forward traffic via ISP 2, the second rule will become active because the from/to for the first rule will no longer be matched.

    Option 2 - Separate zones for the ISP links

    security {
        nat {
            source {
                rule-set isp1 {
                    from zone inside;
                    to zone isp1;
                    rule nat-isp1 {
                        match {
                            source-address [ 192.168.2.0/24 192.168.3.0/24 ];
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
                rule-set isp2 {
                    from zone inside;
                    to zone isp2;
                    rule nat-isp2 {
                        match {
                            source-address [ 192.168.2.0/24 192.168.3.0/24 ];
                        }
                        then {
                            source-nat {
                                interface;
                            }
                        }
                    }
                }
            }
        }
    }

    Both rule-sets are matching the from/to of the security zones related to the traffic flow.

    Edit - You can also just modify the then NAT action to use your pool of addresses for isp1 as well.

    Tim
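    Added worked example (not part of the thread and not any poster's configuration): a complete set-style Junos configuration that ties together the two pieces discussed above, the rpm/ip-monitoring failover trigger from post 2 and the Option 2 separate-zone source NAT rule-sets from this post, extended with a NAT pool so the loopback-routed subnet C addresses are used on ISP 1 as the Edit suggests. It reuses the thread's placeholder addressing (2.2.2.2 on fe-0/0/7 for ISP 1, 1.1.1.x for subnet C on lo0, 192.168.2.0/24 inside); the gateways 2.2.2.1 and 3.3.3.1, the ISP 2 address 3.3.3.2, the inside interface fe-0/0/0.0, the inside host 192.168.2.10 and the probe timers are assumptions chosen for the example.

```junos
## Added example, not from the thread. Placeholder addressing (assumed):
##   ISP 1: fe-0/0/7.0 = 2.2.2.2/24, gateway 2.2.2.1, routed subnet C = 1.1.1.0/28 on lo0
##   ISP 2: fe-0/0/6.0 = 3.3.3.2/24, gateway 3.3.3.1
##   Inside: fe-0/0/0.0 = 192.168.2.1/24, server 1 = 192.168.2.10

## Interfaces and zones: one zone per ISP so the NAT rule-sets can select on "to zone"
set interfaces fe-0/0/7 unit 0 family inet address 2.2.2.2/24
set interfaces fe-0/0/6 unit 0 family inet address 3.3.3.2/24
set interfaces fe-0/0/0 unit 0 family inet address 192.168.2.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set security zones security-zone isp1 interfaces fe-0/0/7.0
set security zones security-zone isp2 interfaces fe-0/0/6.0
set security zones security-zone inside interfaces fe-0/0/0.0

## Normal default route via ISP 1 (static route, preference 5)
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1

## RPM probe pinned to the ISP 1 link (destination-interface + next-hop), so it keeps
## testing ISP 1 even while the default route has moved to ISP 2
set services rpm probe isp1-probe test ping-gw probe-type icmp-ping
set services rpm probe isp1-probe test ping-gw target address 2.2.2.1
set services rpm probe isp1-probe test ping-gw probe-count 3
set services rpm probe isp1-probe test ping-gw probe-interval 5
set services rpm probe isp1-probe test ping-gw test-interval 10
set services rpm probe isp1-probe test ping-gw thresholds successive-loss 3
set services rpm probe isp1-probe test ping-gw destination-interface fe-0/0/7.0
set services rpm probe isp1-probe test ping-gw next-hop 2.2.2.1

## While the probe is failed, ip-monitoring installs a preferred default route
## (preference 1, so it wins over the static route) via ISP 2; it is withdrawn on recovery
set services ip-monitoring policy isp1-failover match rpm-probe isp1-probe
set services ip-monitoring policy isp1-failover then preferred-route route 0.0.0.0/0 next-hop 3.3.3.1

## Security policies for both egress zones
set security policies from-zone inside to-zone isp1 policy out-isp1 match source-address any
set security policies from-zone inside to-zone isp1 policy out-isp1 match destination-address any
set security policies from-zone inside to-zone isp1 policy out-isp1 match application any
set security policies from-zone inside to-zone isp1 policy out-isp1 then permit
set security policies from-zone inside to-zone isp2 policy out-isp2 match source-address any
set security policies from-zone inside to-zone isp2 policy out-isp2 match destination-address any
set security policies from-zone inside to-zone isp2 policy out-isp2 match application any
set security policies from-zone inside to-zone isp2 policy out-isp2 then permit

## Source NAT, Option 2 style: the rule-set is chosen by the egress zone, and the egress
## zone follows whichever default route is currently active
set security nat source pool subnetc-general address 1.1.1.1/32
set security nat source pool subnetc-server1 address 1.1.1.2/32
## ISP 1: rules inside a rule-set are evaluated top-down, so the host-specific rule goes first
set security nat source rule-set isp1 from zone inside
set security nat source rule-set isp1 to zone isp1
set security nat source rule-set isp1 rule server1-isp1 match source-address 192.168.2.10/32
set security nat source rule-set isp1 rule server1-isp1 then source-nat pool subnetc-server1
set security nat source rule-set isp1 rule general-isp1 match source-address 192.168.2.0/24
set security nat source rule-set isp1 rule general-isp1 then source-nat pool subnetc-general
## ISP 2: plain interface NAT, since subnet C is only routed by ISP 1
set security nat source rule-set isp2 from zone inside
set security nat source rule-set isp2 to zone isp2
set security nat source rule-set isp2 rule general-isp2 match source-address 192.168.2.0/24
set security nat source rule-set isp2 rule general-isp2 then source-nat interface
```

    To check the state after a commit: `show services ip-monitoring status` shows whether the probe is PASS or FAIL and whether the preferred route is installed, `show route 0.0.0.0/0` shows which next-hop is active, and `show security flow session source-prefix 192.168.2.10` shows the translated source address a session actually uses. Sessions established before a failover keep their original route and NAT binding until they time out or are cleared, so a recently failed ISP 1 can still show old sessions pointing at fe-0/0/7.0 for a while.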



  • 5.  RE: Dual ISP failover, one ISP routed to loopback

    Posted 03-24-2016 18:25

    Tim,

    I finally got around to changing the config to match your example.  I used method 2, putting the two ISPs into their own zones and then setting up the NAT rules accordingly.  This is working perfectly!!!!

    Thank you very much!  I now have my primary ISP set up, and all NAT/destination NAT is working, with the proper source IP, AND the second internet connection works on demand as I would like 🙂

    Sean Garland

    Garland Tech