SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Dual ISP with SRX using static routes

    Posted 03-26-2014 16:56

    Attached is the Network Diag I created

     

    Scenario:

     

    We have an SRX with two ISP connections, ISP1 and ISP2. We have a /27 from both of them. Both ISP connections are connected to a switch, then trunked to our SRX. On the SRX, we have vlan interfaces with IPs from both of our ISPs. On the SRX, the default route is the gateway of our ISP1 connection. All IPs from ISP1 work.

     

     

    Problem:

    - interface vlan 101 with public IP 2.1.1.1/27 is not pingable from the outside. (testing with a public ATT router).

    - We also have a /24 that is routed to our ISP2's /27 (2.1.1.2) by ISP2 and they are not working either. I created a vlan.102 with IP of 3.1.1.1/24.

     

    Troubleshooting done:

    - ISP2 connection is confirmed working fine. Tried plugging in directly to the ISP's handoff and using our /27 and /24 range, and it is working.

    - I think what is happening is that, because my current default route is sent to 1.1.1.1, when someone pings my ISP2 IP 2.1.1.2, it sends the reply to 1.1.1.1. So there is some asymmetric routing there, but I wanted to confirm this with anyone that has tried it?

     

    I tried googling around and I saw a post talking about creating a separate routing instance for ISP2, so that I can have a different default route towards 1.1.1.1/27. BGP is out of the question right now, just wondering how to get this working with static routes. Setting a floating static route will not work either, because ISP1 needs to go down first before it will use the second gateway, which is not what I want.

     

    Any comments/suggestions would be helpful.

     

    Thanks



  • 2.  RE: Dual ISP with SRX using static routes
    Best Answer

    Posted 03-26-2014 19:07

    Hi,

        You can do the following:

      

          -create 2 routing-instances of type virtual-router for your 2 ISPs

          -create 2 security zones for your isps

          -assign 2 interfaces for your isps

          -bind those interfaces to your virtual routers

          -I would suggest using an L2 switch and individual ports (if you're using an SRX240, you've got lots of ports)

          -your trust network will remain in the inet.0 routing instance (trust-vr in screenos)

          -configure static route with next-hop on each routing instance-virtual router

          -then define rib groups which will allow route sharing of inet.0, isp1.inet.0 and isp2.inet.0 instances

          -define static nat trust-to-isp1

          -define static nat trust-to-isp2

          -configure proxy-arp for those 2 isps interfaces

          -create policies

     

       there you go.

     

       for additional information, you can check juniper website on routing-instance and rib-groups.

     

    //dwayne
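
    The routing part of the steps above (virtual routers, per-instance default routes, rib-groups), written out as Junos set commands. This is an added example, not configuration posted by anyone in the thread; it leaves out the static NAT, proxy-arp and policy steps. Assumed names and values: vlan.10 as the trust interface, vlan.100 for ISP1, the rib-group and zone names, and the RFC 5737 placeholder gateways 192.0.2.1 and 198.51.100.1.

```junos
# Added example. Interface units, names and addresses are assumptions:
#   vlan.10  = trust interface (stays in inet.0)
#   vlan.100 = ISP1 handoff, gateway 192.0.2.1    (placeholder)
#   vlan.101 = ISP2 handoff, gateway 198.51.100.1 (placeholder)

# One virtual router per ISP, each with its own default route, so a reply
# to a packet that arrived on ISP2 is routed back out through ISP2.
set routing-instances ISP1 instance-type virtual-router
set routing-instances ISP1 interface vlan.100
set routing-instances ISP1 routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
set routing-instances ISP2 instance-type virtual-router
set routing-instances ISP2 interface vlan.101
set routing-instances ISP2 routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

# rib-groups share the directly connected (interface) routes between tables.
# The first table in import-rib must be the primary table of the
# routing instance that applies the group.
set routing-options rib-groups TRUST-TO-ISPS import-rib [ inet.0 ISP1.inet.0 ISP2.inet.0 ]
set routing-options rib-groups ISP1-TO-TRUST import-rib [ ISP1.inet.0 inet.0 ]
set routing-options rib-groups ISP2-TO-TRUST import-rib [ ISP2.inet.0 inet.0 ]
set routing-options interface-routes rib-group inet TRUST-TO-ISPS
set routing-instances ISP1 routing-options interface-routes rib-group inet ISP1-TO-TRUST
set routing-instances ISP2 routing-options interface-routes rib-group inet ISP2-TO-TRUST

# Outbound traffic from the trust side picks an ISP by pointing its
# default route at that ISP's table (ISP1 here).
set routing-options static route 0.0.0.0/0 next-table ISP1.inet.0

# One security zone per ISP; allow ping to the interface for testing only.
set security zones security-zone isp1 interfaces vlan.100
set security zones security-zone isp1 host-inbound-traffic system-services ping
set security zones security-zone isp2 interfaces vlan.101
set security zones security-zone isp2 host-inbound-traffic system-services ping
```

    After commit, `show route table ISP2.inet.0` should list the ISP2 default route plus the trust interface route imported through the rib-group.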

        



  • 3.  RE: Dual ISP with SRX using static routes

    Posted 03-26-2014 21:16

    Thanks, I will try that.

     

    BTW, how do ISPs prevent you from sending packets out with a different source IP that does not belong to you?



  • 4.  RE: Dual ISP with SRX using static routes

    Posted 03-26-2014 23:12

    I used the config recommended on this link.

     

    http://forums.juniper.net/t5/SRX-Services-Gateway/Second-ISP-link-on-SRX-can-t-ping-use-http-from-outside-and-ftp/td-p/133359

     

    And it actually worked with GNS3 and vSRX. I was able to see the traffic going out now to the second ISP's GW. 

     

    Question: What would be the disadvantage of leaving ISP1 in the default routing instance and only having ISP2 in its own routing instance?