SRX Services Gateway

2 isp and nat

‎03-21-2016 10:29 PM

Hello! I have a new ISP and want to test it, so I configured a routing instance and an additional security zone. Everything seems fine so far, but I can't switch NAT to the second ISP.

Security zone for second ISP


show security zones security-zone isp2 
host-inbound-traffic {
    system-services {
        ping;
        ssh;
        ike;
    }
}
interfaces {
    fe-0/0/4.0;
}

show security policies from-zone trust to-zone isp2

Security policy for second ISP:

policy trust-to-isp2 {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

Source NAT rules:


pool default-ip {
    address {
        62.176.7.74/32;
    }
}
pool MX {
    address {
        62.176.7.61/32;
    }
}
pool cifra1 {
    address {
        79.134.86.54/32;
    }
}
rule-set nsw_srcnat {
    from zone trust;
    to zone untrust;
    rule MX {
        match {
            source-address 192.168.70.253/32;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    MX;
                }
            }
        }
    }
    rule isp1 {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    default-ip;
                }
            }
        }
    }
}
inactive: rule-set isp2-nat {
    from zone trust;
    to zone isp2;
    rule ALL-NAT {
        match {
            source-address 0.0.0.0/0;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    cifra1;
                }
            }
        }
    }
}

If I switch the default NAT rule from ISP1 to ISP2, users won't have access to the internet. What's wrong?


Re: 2 isp and nat

‎03-23-2016 07:44 AM

#1
If you are really creating another routing instance for ISP2, then the LAN interface should also be within that instance,
unless you're using policy-based filtering.

#2
Explain pool "cifra1" (79.134.86.54/32): is it routed to your ISP2 WAN interface, or does it reside within the same subnet?
If it is within the same subnet, you should configure proxy ARP for that.


It would help if you paste the full config once it is configured to run over ISP2 (hide all the sensitive info).


Re: 2 isp and nat

[ Edited ]
‎03-24-2016 06:36 AM

Hi, thank you for your reply.

#1

I tried to add a separate VLAN to the routing instance; it didn't help.

#2

It is routed to ISP2.


There is only one routing instance, for ISP2. Services like IPsec VPN work perfectly with such a setup, but I still can't get NAT to work.

show routing-instances 
cifra1 {
    instance-type virtual-router;
    interface fe-0/0/4.0;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 212.152.36.217;
        }
    }
}
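As an added illustration (not configuration from anyone in this thread), here is what the "policy-based filtering" option from the first reply looks like on Junos, given the cifra1 instance shown above. The LAN interface stays in inet.0, whose default route still points at ISP1; a filter-based-forwarding filter on the LAN interface hands trust traffic to cifra1 instead, so it egresses fe-0/0/4.0 in zone isp2 and the trust-to-isp2 NAT rule-set and policy actually match. A rib-group leaks the LAN interface routes into cifra1.inet.0 so that return traffic from ISP2 can find the LAN hosts from inside the instance. The LAN interface name vlan.0 and the LAN subnet 192.168.70.0/24 are assumptions; instance cifra1, zone isp2, fe-0/0/4.0, rule-set isp2-nat and pool cifra1 are taken from the configuration posted in the thread.

```junos
# Added example, not from the thread. Assumed: LAN interface vlan.0 in zone trust,
# LAN subnet 192.168.70.0/24. From the thread: instance cifra1, zone isp2,
# interface fe-0/0/4.0, rule-set isp2-nat, pool cifra1.

# 1. Filter-based forwarding: traffic from the LAN is looked up in cifra1.inet.0,
#    whose default route points at ISP2, instead of in inet.0 (default via ISP1).
#    Everything else (the final term) keeps normal inet.0 forwarding.
set firewall family inet filter fbf-to-isp2 term lan-to-isp2 from source-address 192.168.70.0/24
set firewall family inet filter fbf-to-isp2 term lan-to-isp2 then routing-instance cifra1
set firewall family inet filter fbf-to-isp2 term default then accept
set interfaces vlan unit 0 family inet filter input fbf-to-isp2

# 2. Leak the directly connected routes (the LAN prefix) into cifra1.inet.0 so
#    replies arriving on fe-0/0/4.0 can be forwarded back to the LAN hosts.
set routing-options rib-groups lan-into-cifra1 import-rib [ inet.0 cifra1.inet.0 ]
set routing-options interface-routes rib-group inet lan-into-cifra1

# 3. Enable the trust->isp2 source NAT rule-set that is currently inactive.
activate security nat source rule-set isp2-nat

# 4. Verification (from configure mode): sessions from the LAN should now show
#    fe-0/0/4.0 as the outgoing interface and the pool address as translated source.
run show security flow session source-prefix 192.168.70.0/24
run show security nat source rule all
```

Two caveats a practitioner should check before committing: put a term ahead of lan-to-isp2 that accepts traffic which must keep following inet.0 (other local subnets, the IPsec VPN peers and tunnel traffic mentioned in the thread), otherwise that traffic is also pushed into cifra1; and leave the proxy-ARP step from the second reply out, since the OP confirmed that 79.134.86.54/32 is routed to the ISP2 interface rather than sharing its subnet.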