01-25-2010 01:03 AM
I have the following setup:
A cluster of SRX240H with 3 VRs:
1 VR is an external zone to which a VPN router is connected
2 VRs corresponding to different environments, LAN A and LAN B.
Coming from the VPN, the clients are NATted into 2 subnets depending on which environment they belong to.
Currently VPN A can access both LAN A and LAN B, and so can VPN B. I can prevent communication between VPN A and LAN B and between VPN B and LAN A.
This is not good enough for what I need to do, as LAN A and LAN B have the same subnets, so with the rib groups allowing the external VR to learn routes from VR A and VR B, the VPN clients have 2 routes to access the same subnet.
The solution would be to create source-based routing so that subnet VPN A in VR External is forced to VR A and subnet VPN B in VR External is forwarded to VR B.
I have looked at this, but it does not involve multiple VRs:
http://forums.juniper.net/t5/SRX-Services-Gateway/
Would any of you have a suggestion on how to do this?
01-25-2010 03:08 AM
I found this post and configured the following:
http://forums.juniper.net/t5/SRX-Services-Gateway/
I have not tested it yet.
[edit]
root@srx# show firewall
filter VPN_Forwarding {
    term VPN_A {
        from {
            source-address {
                192.168.100.0/24;
            }
        }
        then {
            routing-instance VR_A;
        }
    }
    term VPN_B {
        from {
            source-address {
                192.168.101.0/24;
            }
        }
        then {
            routing-instance VR_B;
        }
    }
    term allow-any {
        then accept;
    }
}
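As an added example (not part of the original post, and not tested on the poster's cluster), the filter above only takes effect once it is attached as an input filter on the interface in VR External where the NATted VPN traffic arrives, and the destination VRs need a route back to the VPN subnets so the return direction does not fail a route lookup. The interface name ge-0/0/0.0 and the routing-instance names VR_External, VR_A and VR_B are assumed; the VPN source subnets are the ones from the filter.

```junos
/* Assumed: ge-0/0/0.0 is the interface in VR_External facing the VPN router. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input VPN_Forwarding;   /* filter from the post, applied inbound */
                }
            }
        }
    }
}
routing-instances {
    VR_External {
        instance-type virtual-router;
        interface ge-0/0/0.0;
    }
    VR_A {
        instance-type virtual-router;
        routing-options {
            static {
                /* return route for VPN A clients back to the external VR (assumed) */
                route 192.168.100.0/24 next-table VR_External.inet.0;
            }
        }
    }
    VR_B {
        instance-type virtual-router;
        routing-options {
            static {
                /* return route for VPN B clients back to the external VR (assumed) */
                route 192.168.101.0/24 next-table VR_External.inet.0;
            }
        }
    }
}
```

To check the result after commit, `show route table VR_A.inet.0 192.168.100.1` and `show route table VR_B.inet.0 192.168.101.1` should each resolve via VR_External.inet.0, and `show firewall filter VPN_Forwarding` shows per-term hit counts only if counters are added to the terms; a session from a VPN A client to a LAN A host should then appear in `show security flow session source-prefix 192.168.100.0/24` with the egress interface in VR_A. With the filter in place, the VPN source subnet alone decides which VR a packet enters, so the overlapping LAN A and LAN B prefixes no longer compete for the same client.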