SRX

Hi,

I’m trying to implement design shown in attached pic.

All traffic between networks 10.1.1.0/24 and 10.1.2.0/24 should normally go through IPS1, but traffic from and to SRV2 should use ISP2.

 

I’ve configured static route to SRV2 on SRX1 and FBF on SRX2. That worked fine in GNS3 setup, but on my production SRXs I’ve faced with the Filter Based Forwarding (FBF) does not work on SRX for client traffic when the session is initiated by server issue. So sessions initiated from SRV2 to hosts take ISP2 route as expected, but when a session is initiated from hosts to SRV2, the SRV2 reply takes ISP1 route. As I understand, my 

 

Is there any way to overcome this behavior and achieve my goal?

Hi Vadim,

 

Could you rephrase your query clearly as what is not working and from which host behind SRX has problems.

 

Regards

rparthi

Hi ,

 

if you want to make the connections to work if routing path not an issue then

 

Trying configuring all the exit interfaces of both SRX to be on the security zone so that packets coming from any ISP may match the existing session so that connection continue to work.

 

Regards,

rparthi

 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

Hi Vadim,

 

Can you try applying a interface based source NAT for traffic originated from hosts destined to SRV2, so that the reply will be destined to ISP2 IP on SRX1.

 

Thanks,

Suraj

 

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Can you please share the configuration?

Try configuring routing-instance type virtual-router.
Then add the interface related to ISP2 to this R-I

This will completely segregate the interface connected to ISP2 and even the reverse traffic will work properly...

The simplest way would be to create a matching FBF rule on SRX1 to guide traffic from your hosts to SRV2 over ISP2 - that should get around the reverse lookup issue described in that KB article.