Screen OS

  • 1.  Two ISPs with MIP translation on each

    Posted 02-17-2010 22:53

    Please refer to the diagram.

    My question is regarding a routing issue on the left-hand SSG.

    I have two ISPs terminating on the SSG. The primary static route is out ISP1 with IP 1.1.1.1 as gateway. All traffic destined for the internet uses this route. A secondary route goes out ISP2 with 2.2.2.1 as gateway and a higher metric.

    All the connected LANs and the Remote LAN access the servers through their actual private IPs.

    I want SERVER2 (192.168.1.2) traffic to go out ISP2 and get translated to the interface IP through MIP. I have no confusion in configuring MIP.

    I have tried source-based routing for SERVER2, but with that in place, the ping from SERVER2 to the Local LAN and Remote LAN also goes out the ISP2 link, which I don't want.

    So in summary, just the internet traffic from SERVER2 needs special routing, and for the local and remote LANs the same usual destination routing applies to SERVER2.

    I hope I am able to explain my problem.

    Thanks in advance for your kind help.



  • 2.  RE: Two ISPs with MIP translation on each
    Best Answer

    Posted 02-18-2010 12:06

    You can use policy-based routing (PBR).

    PBR allows routing based on: src IP, dst IP, src port, dst port.

    So, you can do the following:

    if src ip: server 2 & dst ip is remote LAN or local LAN: use next hop X



  • 3.  RE: Two ISPs with MIP translation on each

    Posted 02-19-2010 19:53

    Yes, sure, I tried it with PBR. Traffic from SERVER2 should only override requests to the internet, and for the connected and remote LANs the already defined destination routes must be used. But since PBR is in action through a SERVER2-to-ANY-IP routing entry, it will throw everything (also SERVER2-to-LAN connections) to internet2. So to override this, we would need to define each and every specific route in PBR before the SERVER2-to-ANY-IP entry. Defining all those static routes and connected networks does not take time in a small network, but what about a very large network? And to add more complexity to the mix, where we have a routing protocol in action, defining each and every route would be a nightmare. Is there a smarter way to do it?

    Thanks



  • 4.  RE: Two ISPs with MIP translation on each

    Posted 02-22-2010 21:32
    Any thoughts??? Anyone?


  • 5.  RE: Two ISPs with MIP translation on each

    Posted 02-23-2010 10:45

    I have an idea that I wanted to share with you (I hope it may help).

    In the PBR you mentioned, you can add the following:

    src: any   dst: remote LAN   : next hop is the interface connected to the remote LAN

    src: any   dst: local LAN    : next hop is the interface connected to the local LAN
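To make the first-match ordering that posts 3 and 5 are discussing concrete, the following is an added Python simulation of an ordered PBR entry list that is consulted before the routing table; it is example code, not configuration from the thread or from ScreenOS. SERVER2 and the two gateway addresses come from the thread; the LAN prefixes, the interface names and the public test address are assumptions.

```python
from ipaddress import ip_address, ip_network

# Values from the thread: SERVER2 and the two ISP gateways. The LAN prefixes
# and interface names are constructed assumptions for this example.
SERVER2 = "192.168.1.2"
ISP1_GW, ISP2_GW = "1.1.1.1", "2.2.2.1"
INTERNAL = {  # destination prefix -> egress interface (post 5's "next hop")
    "192.168.1.0/24": "ethernet0/2",  # local LAN
    "10.10.0.0/16": "ethernet0/3",    # remote LAN
}

def rule(src, dst, next_hop):
    """One ordered PBR entry; None for src or dst means 'any'."""
    return (ip_network(src) if src else None,
            ip_network(dst) if dst else None, next_hop)

def pbr_lookup(rules, src_ip, dst_ip):
    """First match wins, in entry order; None means no PBR entry matched."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for src, dst, next_hop in rules:
        if (src is None or s in src) and (dst is None or d in dst):
            return next_hop
    return None

def route_table(dst_ip):
    """Normal destination routing: connected/static prefixes, else ISP1."""
    d = ip_address(dst_ip)
    for prefix, iface in INTERNAL.items():
        if d in ip_network(prefix):
            return iface
    return ISP1_GW

def forward(rules, src_ip, dst_ip):
    """PBR is consulted before the routing table, as on the SSG."""
    hop = pbr_lookup(rules, src_ip, dst_ip)
    return hop if hop is not None else route_table(dst_ip)

# Post 3's situation: a single SERVER2 -> any entry steers every flow to ISP2.
NAIVE = [rule(SERVER2 + "/32", None, ISP2_GW)]

def build_rules(internal, server_ip, isp_gw):
    """Post 5's fix: one 'any -> internal prefix' entry per known internal
    destination, placed before the SERVER2 -> any catch-all."""
    rules = [rule(None, prefix, iface) for prefix, iface in internal.items()]
    rules.append(rule(server_ip + "/32", None, isp_gw))
    return rules

FIXED = build_rules(INTERNAL, SERVER2, ISP2_GW)
```

With `NAIVE`, a SERVER2 ping to the remote LAN is steered to 2.2.2.1; with `FIXED`, the same flow hits the remote-LAN entry first and only SERVER2's internet-bound traffic leaves via ISP2.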