Contributor
bobjunga
Posts: 63
Registered: 02-29-2012

SRX220 - two ISPs -- how to prevent asymmetric return traffic from services

* I have a SRX220h cluster with two ISP connections, each providing several IP blocks.

* I am setting up static NAT to assign services from my internal servers to public IPs provided by one ISP or the other.

* There is one default route that goes to one of the two ISPs.

 

This seems to work so far but I just realized that this probably creates asymmetric routing. Incoming traffic is coming in via whichever ISP provides the particular public IP, but all the return traffic is going out via just the one ISP. Even though the first service I set up on the second ISP seems to work, I think it's not ideal and I would rather that return traffic leave on the interface that it came in on.

 

On a multihomed linux box I would create a routing table for each interface and use rules to route to one table or the other based on the source IP of the traffic. That way the server can provide services on each interface without creating asymmetric routing.

 

How do I do that on the SRX?

 

--BobG

 

 

Recognized Expert
ronf
Posts: 264
Registered: 04-04-2011

Re: SRX220 - two ISPs -- how to prevent asymmetric return traffic from services

In order to do that on the SRX, you would create a separate routing-instance of type virtual-router, and place the appropriate internal and external interfaces into each.

Ron
JNCIE-SEC #127
Recognized Expert
mhariry
Posts: 340
Registered: 06-01-2011

Re: SRX220 - two ISPs -- how to prevent asymmetric return traffic from services

Hi,

 

Check this link; it will give you exactly what you need.

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223&actp=RSS

 

 

Regards,

 

Mohamed Elhariry

 

JNCIE-M/T # 1059, CCNP & CCIP

 

 

 

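The approach the linked KB takes is filter-based forwarding: a second, lightweight routing instance holding only ISP2's default route, an interface-route rib-group so that instance still knows the directly connected networks, and an input filter on the trust-side interface that steers packets by source address. The configuration below is an added illustration of that pattern, not the KB's text nor any poster's own config. Everything in it is a constructed placeholder: reth0/reth1 as the ISP2 and trust interfaces of the cluster, 203.0.113.1 and 198.51.100.1 as the ISP1 and ISP2 gateways, 192.168.1.10 and .11 as the internal servers whose static NAT public IPs come from ISP2, and 192.168.0.0/16 as the internal address space.

```junos
/* Added example, not the KB's or the poster's configuration. All addresses and
   interface names are constructed placeholders. */

routing-options {
    static {
        /* Main table (inet.0): the one default route that goes to ISP1. */
        route 0.0.0.0/0 next-hop 203.0.113.1;
    }
    interface-routes {
        /* Copy directly connected routes into isp2.inet.0 as well, so a packet
           steered into the isp2 instance can still reach local subnets. */
        rib-group inet ifrg;
    }
    rib-groups {
        ifrg {
            import-rib [ inet.0 isp2.inet.0 ];
        }
    }
}

routing-instances {
    isp2 {
        /* "forwarding" type: no interfaces of its own, just a second table. */
        instance-type forwarding;
        routing-options {
            static {
                /* Default route of this table points at ISP2's gateway. */
                route 0.0.0.0/0 next-hop 198.51.100.1;
            }
        }
    }
}

firewall {
    family inet {
        filter fbf-isp2 {
            /* Traffic staying inside the site is never redirected; this term
               comes first so internal flows are unaffected by the steering. */
            term keep-internal {
                from {
                    destination-address {
                        192.168.0.0/16;
                    }
                }
                then accept;
            }
            /* Replies from servers whose static NAT public IP belongs to ISP2.
               The filter runs before NAT, so it matches the PRIVATE source
               address of each server, not its ISP2 public address. */
            term servers-on-isp2 {
                from {
                    source-address {
                        192.168.1.10/32;
                        192.168.1.11/32;
                    }
                }
                then {
                    routing-instance isp2;
                }
            }
            /* Everything else follows inet.0, i.e. the ISP1 default route. */
            term default {
                then accept;
            }
        }
    }
}

interfaces {
    reth1 {
        unit 0 {
            family inet {
                filter {
                    input fbf-isp2;
                }
                address 192.168.1.1/24;
            }
        }
    }
}
```

After committing, `show route table isp2.inet.0` should list both the ISP2 default route and the interface routes imported through the rib-group; if the interface routes are missing, the servers' replies can be steered into the instance but never find a way back to the LAN. This only influences transit traffic that enters reth1 from the inside; packets the SRX generates itself do not pass through an interface input filter, which is the gap raised later in this thread.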
Contributor
bobjunga
Posts: 63
Registered: 02-29-2012

Re: SRX220 - two ISPs -- how to prevent asymmetric return traffic from services

Thank you both for your replies, particularly the link to the KB.

 

I am glad to see that adding a routing instance is not as complicated as I first assumed it would be. I was conjuring images of completely separate virtual routers, each with a lot of duplicate config.

 

Maybe it's the use of the "forwarding" type routing instance that makes it light and easy. This KB shows that it is really similar to what I am already familiar with on a linux box.

 

BTW, I also found this KB which is very similar to the one you linked. http://kb.juniper.net/InfoCenter/index?page=content&id=KB23300&cat=OBSOLETE&actp=LIST&smlogin=true

 

--BobG

Contributor
bobjunga
Posts: 63
Registered: 02-29-2012

Re: SRX220 - two ISPs -- how to prevent asymmetric return traffic from services

I am wondering now about traffic generated by the SRX, i.e. services it provides like a VPN tunnel. If the SRX service is on ISP1, the return traffic should be on ISP1, and likewise for ISP2. I think the config in the KBs mentioned above will only cover traffic that passes through the SRX. I don't think there is a place to put a firewall filter that will apply to the return traffic generated by the SRX. Is there? 

 

Is that why, ron@mandstech.com, you suggested using routing instances of "virtual router" instead of "forwarding"? Does anybody know of a KB that covers this use of "virtual router" routing instances?

 

--BobG
