This is a below example which will help you in config:
Trust zone network is 192.168.1.0/24 on ge-0/0/0
DMZ zone network is 10.10.10.0/24 on ge-0/0/1
ISP1 zone network is 1.1.1.0/29 on fe-0/0/6
ISP2 zone network is 2.2.2.0/29 on fe-0/0/7
Requirements
- Trust and DMZ zones should egress out ISP1 with source-nat.
- If ISP1 interface goes down, then Trust and DMZ zones should egress out ISP2 instead with source-nat.
- If ISP1 interface returns, then Trust and DMZ zones should revert back to using ISP1 again.
- ISP1 must allow destination NAT for web server in Trust zone and mail server in DMZ zone.
- ISP2 also has destination NAT for same web and mail servers.
- When both ISPs are up, destination NAT addresses should be available from both ISPs for both web and mail servers.
Solution:
This is possible using a combination of multiple routing-instance with filter-based forwarding and qualified-next-hop on the default route. Below is a sample working configurations for above scenario.
interfaces {
ge-0/0/0 {
unit 0 {
family inet {
address 192.168.1.254/24;
}
}
}
ge-0/0/1 {
unit 0 {
family inet {
address 10.10.10.254/24;
}
}
}
fe-0/0/6 {
unit 0 {
family inet {
filter {
input isp1-in;
}
address 1.1.1.2/29;
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
filter {
input isp2-in;
}
address 2.2.2.2/29;
}
}
}
}
routing-options {
interface-routes {
rib-group inet inside;
}
static {
route 0.0.0.0/0 {
next-hop 1.1.1.1;
qualified-next-hop 2.2.2.1 {
preference 10;
}
}
}
rib-groups {
inside {
import-rib [ inet.0 TRUST-VRF.inet.0 INSIDE.inet.0 ISP2.inet.0 ];
}
}
}
security {
nat {
source {
rule-set interface-nat-out {
from routing-instance INSIDE;
to routing-instance [ ISP2 default ];
rule interface-nat-out {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool web-server-trust {
address 192.168.1.5/32 port 80;
}
pool mail-server-dmz {
address 10.10.10.5/32 port 25;
}
rule-set isp1-to-trust {
from interface fe-0/0/6.0;
rule isp1-http-in {
match {
source-address 0.0.0.0/0;
destination-address 1.1.1.5/32;
destination-port 80;
}
then {
destination-nat pool web-server-trust;
}
}
rule isp1-mail-in {
match {
source-address 0.0.0.0/0;
destination-address 1.1.1.5/32;
destination-port 25;
}
then {
destination-nat pool mail-server-dmz;
}
}
}
rule-set isp2-to-dmz {
from interface fe-0/0/7.0;
rule isp2-http-in {
match {
source-address 0.0.0.0/0;
destination-address 2.2.2.5/32;
destination-port 80;
}
then {
destination-nat pool web-server-trust;
}
}
rule isp2-mail-in {
match {
source-address 0.0.0.0/0;
destination-address 2.2.2.5/32;
destination-port 25;
}
then {
destination-nat pool mail-server-dmz;
}
}
}
}
proxy-arp {
interface fe-0/0/6.0 {
address {
1.1.1.5/32;
}
}
interface fe-0/0/7.0 {
address {
2.2.2.5/32;
}
}
}
}
zones {
security-zone trust {
address-book {
address web-server 192.168.1.5/32;
}
interfaces {
ge-0/0/0.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone dmz {
address-book {
address mail-server 10.10.10.5/32;
}
interfaces {
ge-0/0/1.0 {
host-inbound-traffic {
system-services {
all;
}
}
}
}
}
security-zone isp1 {
interfaces {
fe-0/0/6.0 {
host-inbound-traffic {
system-services {
ssh;
https;
ping;
}
}
}
}
}
security-zone isp2 {
interfaces {
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
ssh;
https;
ping;
}
}
}
}
}
}
policies {
from-zone trust to-zone dmz {
policy allow-trust-to-dmz {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone isp1 {
policy allow-trust-out-isp1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone isp2 {
policy allow-trust-out-isp2 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone dmz to-zone trust {
policy allow-dmz-to-trust {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone dmz to-zone isp1 {
policy allow-dmz-out-isp1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone dmz to-zone isp2 {
policy allow-dmz-out-isp2 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone isp1 to-zone trust {
policy isp1-http-incoming {
match {
source-address any;
destination-address web-server;
application junos-http;
}
then {
permit;
}
}
}
from-zone isp1 to-zone dmz {
policy isp1-mail-incoming {
match {
source-address any;
destination-address mail-server;
application junos-mail;
}
then {
permit;
}
}
}
from-zone isp2 to-zone trust {
policy isp2-http-incoming {
match {
source-address any;
destination-address web-server;
application junos-http;
}
then {
permit;
}
}
}
from-zone isp2 to-zone dmz {
policy isp2-mail-incoming {
match {
source-address any;
destination-address mail-server;
application junos-mail;
}
then {
permit;
}
}
}
}
}
firewall {
filter isp1-in {
term 1 {
from {
destination-address {
1.1.1.0/29;
}
}
then {
routing-instance TRUST-VRF;
}
}
term 2 {
then {
accept;
}
}
}
filter isp2-in {
term 1 {
from {
destination-address {
2.2.2.0/29;
}
}
then {
routing-instance TRUST-VRF;
}
}
term 2 {
then {
accept;
}
}
}
}
routing-instances {
TRUST-VRF {
instance-type forwarding;
routing-options {
static {
route 192.168.1.0/24 next-hop 192.168.1.1;
route 10.10.10.0/24 next-hop 10.10.10.1;
}
}
}
INSIDE {
instance-type virtual-router;
interface ge-0/0/0.0;
interface ge-0/0/1.0;
routing-options {
interface-routes {
rib-group inet inside;
}
static {
route 0.0.0.0/0 next-table inet.0;
}
}
}
ISP2 {
instance-type virtual-router;
interface fe-0/0/7.0;
routing-options {
interface-routes {
rib-group inet inside;
}
static {
route 0.0.0.0/0 {
next-hop 2.2.2.1;
qualified-next-hop 1.1.1.1 {
preference 10;
}
}
}
}
}
}