SRX Services Gateway
Contributor
aeroplane

Redundant NAT with two ISP

Hi Experts
I have an SRX240 with two internet links from two different ISPs. I have one pool for ISP1 and another pool for ISP2. In order to do the source NAT for the LAN traffic going to the internet, I made two rules in the rule set: one rule for ISP 1 and another rule for ISP 2. My question is: if ISP1 is down, then how come rule 1 in the rule-set for ISP1 is not processed and rule 2 would be in place for source NAT?

Thanks

Recognized Expert
sfouant

Re: Redundant NAT with two ISP

I can answer that question, but first I need to know if the pool is using an address range that is also part of the address space assigned to the interface.

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

Follow us on Twitter @JuniperEducate

--
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
Contributor
aeroplane

Re: Redundant NAT with two ISP

Hi

The pools are from a different range than the interface IP. But please also explain how things work if the pools are from the interface IP.

Thanks

Recognized Expert
sfouant

Re: Redundant NAT with two ISP

Could you kindly post your config?

Stefan Fouant
JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI
Technical Trainer, Juniper Networks

Contributor
aeroplane

Re: Redundant NAT with two ISP

Here is my config:

[edit security nat source]
admin@NW-SRX240# show
pool ISP-1 {
    address {
        213.83.1.1/32 to 213.83.1.6/32;
    }
}
pool ISP-2 {
    address {
        83.111.48.1/32 to 83.111.48.6/32;
    }
}

rule-set Redundant-NAT {
    from zone Trust-Zone;
    to zone Untrust-Zone;
    rule rule1 {
        match {
            source-address 192.168.1.0/24;
        }
        then {
            source-nat {
                pool {
                    ISP-1;
                }
            }
        }
    }
    rule rule2 {
        match {
            source-address 192.168.1.0/24;
        }
        then {
            source-nat {
                pool {
                    ISP-2;
                }
            }
        }
    }
}

Recognized Expert
rasmus

Re: Redundant NAT with two ISP

This would be possible if you configure BFD or the Track IP feature (ref: http://forums.juniper.net/t5/Junos/Track-IP-functionality-in-Junos/td-p/3421).

This would help in powering off the inactive internet-gateway-specific interface; subsequently the NAT rule will not be applied.

Regards

Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]

Contributor
aeroplane

Re: Redundant NAT with two ISP

Hi

Can anybody reply on this?

Juniper Employee
rayado

Re: Redundant NAT with two ISP

Hello...

Since you are multihoming to different ISPs and I don't know the whole config, I'll assume there are separate egress interfaces, in which case you'd be better off using two different rule-sets with the "to interface" option instead of one rule-set with "to zone" and those two separate sub-rules (which specify the same match criteria anyway, so I imagine you would only ever hit the ISP1 rule unless it was out of translations).

But this raises the question: why not just do "interface NAT", i.e. "then source-nat interface", instead of "then source-nat pool ..."? Is it because you want to do 1:1 NAT? In which case the best configuration to use would usually be "static nat" instead of source NAT...

Hope that helps... if not, a diagram and full config would be most helpful.
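The two suggestions in this thread (rasmus: fail the ISP1 path over with probe-based tracking; rayado: one source-NAT rule-set per egress interface with "to interface") combine into the configuration below. It is an added example, not config from the original posts or a Juniper document. The pools, zones and LAN prefix are taken from aeroplane's config; the interface names (ge-0/0/0.0 to ISP1, ge-0/0/1.0 to ISP2), the point-to-point interface subnets 198.51.100.0/30 and 203.0.113.0/30, the gateway addresses, and the RPM/ip-monitoring timers are assumptions. RPM with ip-monitoring is the SRX equivalent of the ScreenOS "Track IP" feature and needs a Junos release that supports it. The idea: the default route normally points at ISP1; when the probe through ge-0/0/0.0 fails, ip-monitoring installs a preferred default route via ISP2, traffic egresses ge-0/0/1.0, and the "to interface ge-0/0/1.0" rule-set is the one that matches, so the ISP-2 pool is used without any change to the NAT configuration.

```junos
/* Added example. Interface names, subnets and gateways are assumed. */
interfaces {
    ge-0/0/0 { unit 0 { family inet { address 198.51.100.2/30; } } }   /* ISP1 link */
    ge-0/0/1 { unit 0 { family inet { address 203.0.113.2/30; } } }    /* ISP2 link */
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 198.51.100.1;                       /* ISP1 gateway, normal path */
            qualified-next-hop 203.0.113.1 { preference 10; }  /* ISP2 if ge-0/0/0 goes down */
        }
    }
}
services {
    rpm {
        probe ISP1-PROBE {
            test ISP1-PATH {
                probe-type icmp-ping;
                target address 198.51.100.1;   /* assumed monitor target; pick something beyond the first hop if the ISP allows */
                probe-count 3;
                probe-interval 2;
                test-interval 5;
                thresholds { successive-loss 3; }
                destination-interface ge-0/0/0.0;   /* force the probe out the ISP1 link */
                next-hop 198.51.100.1;
            }
        }
    }
    ip-monitoring {
        policy ISP1-FAILOVER {
            match { rpm-probe ISP1-PROBE; }
            then {
                preferred-route {
                    /* installed with preference 1 only while the probe is failing,
                       so it beats the static default (preference 5) and flips egress to ISP2 */
                    route 0.0.0.0/0 { next-hop 203.0.113.1; }
                }
            }
        }
    }
}
security {
    nat {
        source {
            pool ISP-1 { address { 213.83.1.1/32 to 213.83.1.6/32; } }
            pool ISP-2 { address { 83.111.48.1/32 to 83.111.48.6/32; } }
            /* one rule-set per egress interface; the egress interface is decided by routing,
               so whichever default route is active selects the pool */
            rule-set NAT-ISP1 {
                from zone Trust-Zone;
                to interface ge-0/0/0.0;
                rule ISP1-OUT {
                    match { source-address 192.168.1.0/24; }
                    then { source-nat { pool { ISP-1; } } }
                }
            }
            rule-set NAT-ISP2 {
                from zone Trust-Zone;
                to interface ge-0/0/1.0;
                rule ISP2-OUT {
                    match { source-address 192.168.1.0/24; }
                    then { source-nat { pool { ISP-2; } } }
                }
            }
        }
    }
}
```

Two checks a practitioner would want before trusting this. First, confirm the failover actually moves the route and the rule hits: "show services rpm probe-results", "show services ip-monitoring status", and "show security nat source rule all" (the per-rule translation hits counter) while the ISP1 target is unreachable. Second, remember that sessions already translated to the ISP-1 pool keep their existing NAT binding until they age out or are cleared ("clear security flow session"); failover only changes the pool for new sessions. If the pool addresses were inside the interface subnet instead (the other case sfouant asked about), the ISP gateway would ARP for them and the SRX would need "security nat proxy-arp interface ge-0/0/0.0 address 213.83.1.1/32 to 213.83.1.6/32" (and likewise for ISP2); with pools outside the interface subnet, as here, the ISP must instead route the pool prefix to the link.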
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.