SRX

We bought SRX 650 and we want to implement scenario displayed on attached picture. The task is to enable ISP1 public servers to go to ISP1 gateway and nat local lan to this interface, and the same for ISP 2 public and local addresses. Is is enough to put default route with two next hops? What will happen if one ISP link goes down? Do I have to make VR or Filter Based Forwarding?Another queston is how to nat 10.0.0.0/24 LAN to ISP1 if ISP2 goes down and the same scenario for 192.168.100.0/24? In this case I will only lost connection to public servers addresses on appropriate interface but local network will have the internet. Thanks.

Hi

- For ISP1 Public servers should go to ISP1 and ISP2 public servers should go through ISP2 then use the FBF with forwarding instance or virtual routers.Make sure you both routing instances have backup routes with higher preference (This will helpful for LAN traffic to route to ISP2 if ISP1 is down and same for ISP2)

set routing-instance ISP1 routing-options static route 0.0.0.0/0 next-hop ISP1

set routing-instance ISP1 routing-options static route 0.0.0.0/0 next-hop ISP2 preference 200

- For local subnet 192.168.100.0/24 to use ISP2 if ISP1 is down. Then first make firewall filter as part of FBF and send the traffic from 192.168.100.0/24 to ISP1 instance. For the NAT, make two rule-set for soruce nat like below:

Assume 192.168.100.0/24 is in Trust Zone and ISP1 interface is in ISP1 zone and ISP2 interface is in ISP2 zone

set security nat source rule-set ISP-1 from zone Trust
set security nat source rule-set ISP-1 to zone ISP-1
set security nat source rule-set ISP-1 rule rule1 match source-address 192.168.100.0/24
set security nat source rule-set ISP-1 rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set ISP-1 rule rule1 then source-nat interface

set security nat source rule-set ISP-2 from zone Trust
set security nat source rule-set ISP-2 to zone ISP-2
set security nat source rule-set ISP-2 rule rule1 match source-address 192.168.100.0/24
set security nat source rule-set ISP-2 rule rule1 match destination-address 0.0.0.0/0
set security nat source rule-set ISP-2 rule rule1 then source-nat interface

HTH

I changed the picture a little bit with another addresses and submit the configuration on SRX 210 in my lab enviroment. ISP1 is my office router attached to internet and ISP2 is another router attached on office router.

This is the part of my configuration and it seems that is working. I still don't have the second internet link to try this on SRX 650 or on SRX 210.

Is this ok?

Attachment(s)

Lab config DUAL link.txt   14 KB 1 version

I looked superficailly and it sounds OK. Just put the description on the interfaces. Another thing, you should keep in mind that if your ISP links are on ethernet then if ISP1 services are down the default route will not switch to other ISP2. You have to manually unplug the ISP1 link OR use the IP track scrip on SRX.

HTH

Thanks for the help. I tried  failover by unpluging the cable and lke you said in taht case it will work. I am using 11.4R1.6 Junos version. How to implement IP track script and is there another way. I found article http://kb.juniper.net/InfoCenter/index?page=content&id=KB22052. Can I use this for solving this issue?

For tracking-ip i think you can using ip-motinoring feature on SRX, not need using ip-tracking scripts. This feature is support on 11.2

http://kb.juniper.net/InfoCenter/index?page=content&id=KB22052&cat=SRX_SERIES&actp=LIST

Hello Guys,

I have two different ISP links and I want to configure both of them on the SRX650 firewall so that One link will act as backup incase the other one fails, please can somebody provide step by step cli configuration pleaseeee