I have SRX240 with two internet links from two different ISP. I have one pool for ISP1 and other pool for ISP2. In order to do the source NAT for the LAN traffic goint to internet, I made two rules in the rule set. One rule for the ISP 1 and other rule for the ISP 2. My question is that if ISP1 is down then how come rule 1 in the rule-set for ISP1 is not processed and rule 2 would be in place for source NAT?
I can answer that question but first I need to know if the pool using an address range that is also part of the address space assigned to the interface?
Stefan Fouant JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI Technical Trainer, Juniper Networks
Follow us on Twitter @JuniperEducate
-- If this post was helpful, please mark this post as an "Accepted Solution". Kudos are always appreciated!
[edit security nat source] admin@NW-SRX240# show pool ISP-1 { address { 213.83.1.1/32 to 213.83.1.6/29; } } pool ISP-2 { address { 83.111.48.1/32 to 83.111.48.6/32; } }
rule-set Redundant-NAT { from zone Trust-Zone; to zone Untrust-Zone; rule rule1 { match { source-address 192.168.1.0/24; } then { source-nat { pool { ISP-1; } } } } rule rule2 { match { source-address 192.168.1.0/24; } then { source-nat { pool { ISP-2; } } } } }
Since you are multihoming to different ISP's and I don't know the whole config I'll assume there are separate egress interfaces... in which case you'd be better off using two different rule-sets with "to interface" option instead of one rule set with "to zone" with those two separate sub-rules (which specify the same match criteria anyway so only I imagine you would only ever hit ISP1 rule unless it was out of translations).
But this raises the question why not just do "interface nat" i.e. "then source-nat interface" instead of "then source-nat pool ..." is it because you want to do 1:1 nat? In which case the best configuration to use would usually be "static nat" instead source nat...
Hope that helps... if not a diagram and full config would be most helpful.
