SRX Services Gateway

Clustering and NAT -- Multiple ISPs

[ Edited ]
12-03-2014 10:47 AM

Hi,

Can anyone lead me to the best way for NAT'ing in a cluster with multiple ISPs?

192.168.0.1 -> 1.1.1.1 if RG1 is operating on node0

192.168.0.1 -> 2.2.2.2 if RG1 is operating on node1

Thanks!


Re: Clustering and NAT -- Multiple ISPs

12-03-2014 11:51 PM

Hi s.dotson,

With a cluster configuration, you will be configuring reth interfaces for each ISP connection.

So you need 2 links (one for node0, another for node1) from ISP-1, and similarly 2 links for ISP-2.

For example:

Reth1 is ISP-1

Take one interface ge-0/0/0 from node0 and configure it as part of Reth1
Take one interface ge-8/0/0 from node1 and configure it as part of Reth1

Connect a switch and configure 3 ports in one VLAN.

Connect the ISP-1 link to one port.
Connect the 2nd switch VLAN port to the node0 physical interface (ge-0/0/0) of the SRX belonging to Reth1
Connect the 3rd switch VLAN port to the node1 physical interface (ge-8/0/0) of the SRX belonging to Reth1

Similar configuration for ISP-2:

Reth2 is ISP-2

Take one interface ge-0/0/1 from node0 and configure it as part of Reth2
Take one interface ge-8/0/1 from node1 and configure it as part of Reth2

Connect a switch and configure 3 ports in one VLAN.

Connect the ISP-2 link to one port.
Connect the 2nd switch VLAN port to the node0 physical interface (ge-0/0/1) of the SRX belonging to Reth2
Connect the 3rd switch VLAN port to the node1 physical interface (ge-8/0/1) of the SRX belonging to Reth2

Now Reth1 and Reth2 are the ISP connections.

Keep Reth1 and Reth2 as part of the same redundancy-group 1.

Now configure static NAT or destination NAT:

192.168.0.1 -> 1.1.1.1

192.168.0.1 -> 2.2.2.2

So in this method, the server can be accessed using both ISP IP addresses at the same time, whether RG1 is on node0 or node1.

The following KB articles will be useful to set this up:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB22052

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

http://kb.juniper.net/InfoCenter/index?page=content&id=TN260&actp=RSS

http://www.juniper.net/documentation/en_US/junos12.1/topics/example/nat-security-destination-single-...

Regards,
rparthi

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
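The steps in the reply above, put together as one set-format configuration. This is an added example, not configuration from the thread or from Juniper: it builds an active/passive cluster with reth1 (ISP-1) and reth2 (ISP-2) in RG1 and one destination NAT rule per public address pointing at the same internal server. The node1 port numbering (ge-8/0/x) follows the reply; the fabric ports, a reth0 for the LAN, the /24 masks on the reths, the ISP gateway addresses 1.1.1.254 and 2.2.2.254, and TCP port 5000 as the published service are all assumptions made for the example.

```junos
# Added example, not from the thread or from Juniper. Interface numbering follows the
# reply above (node1 ports appear as ge-8/0/x); the fabric ports, the LAN reth0, the
# /24 masks, the ISP gateway addresses and TCP port 5000 are assumptions.

# --- Cluster: RG0 (control plane) and RG1 (data plane) both prefer node0 ---
set chassis cluster reth-count 3
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
# Weight 255 equals the failover threshold, so losing either ISP-facing port on the
# active node moves RG1, and with it both reths and both public addresses, together.
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-0/0/1 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-8/0/0 weight 255
set chassis cluster redundancy-group 1 interface-monitor ge-8/0/1 weight 255
set interfaces fab0 fabric-options member-interfaces ge-0/0/2
set interfaces fab1 fabric-options member-interfaces ge-8/0/2

# --- reth1 = ISP-1, reth2 = ISP-2, reth0 = LAN; one child port from each node ---
set interfaces ge-0/0/0 gigether-options redundant-parent reth1
set interfaces ge-8/0/0 gigether-options redundant-parent reth1
set interfaces ge-0/0/1 gigether-options redundant-parent reth2
set interfaces ge-8/0/1 gigether-options redundant-parent reth2
set interfaces ge-0/0/3 gigether-options redundant-parent reth0
set interfaces ge-8/0/3 gigether-options redundant-parent reth0
# All three reths in RG1 so they always fail over as a unit
set interfaces reth0 redundant-ether-options redundancy-group 1
set interfaces reth0 unit 0 family inet address 192.168.0.254/24
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 1.1.1.1/24
set interfaces reth2 redundant-ether-options redundancy-group 1
set interfaces reth2 unit 0 family inet address 2.2.2.2/24

set security zones security-zone trust interfaces reth0.0
set security zones security-zone untrust interfaces reth1.0
set security zones security-zone untrust interfaces reth2.0

# Primary default route via ISP-1, backup via ISP-2 (assumed gateway addresses)
set routing-options static route 0.0.0.0/0 qualified-next-hop 1.1.1.254 preference 5
set routing-options static route 0.0.0.0/0 qualified-next-hop 2.2.2.254 preference 10

# --- Destination NAT: the same internal server behind both public addresses ---
# One pool, one rule per public address. Both rules are active at once, whichever
# node currently holds RG1, because the reths (and their addresses) move with RG1.
set security nat destination pool dmz-pool address 192.168.0.1/32 port 5000
set security nat destination rule-set dnat-inbound from zone untrust
set security nat destination rule-set dnat-inbound rule via-isp1 match destination-address 1.1.1.1/32
set security nat destination rule-set dnat-inbound rule via-isp1 match destination-port 5000
set security nat destination rule-set dnat-inbound rule via-isp1 then destination-nat pool dmz-pool
set security nat destination rule-set dnat-inbound rule via-isp2 match destination-address 2.2.2.2/32
set security nat destination rule-set dnat-inbound rule via-isp2 match destination-port 5000
set security nat destination rule-set dnat-inbound rule via-isp2 then destination-nat pool dmz-pool

# The policy is evaluated after destination NAT, so it matches the private address,
# and it is scoped to the one application rather than "any".
set applications application tcp-5000 protocol tcp destination-port 5000
set security zones security-zone trust address-book address dmz-server 192.168.0.1/32
set security policies from-zone untrust to-zone trust policy allow-dmz-5000 match source-address any
set security policies from-zone untrust to-zone trust policy allow-dmz-5000 match destination-address dmz-server
set security policies from-zone untrust to-zone trust policy allow-dmz-5000 match application tcp-5000
set security policies from-zone untrust to-zone trust policy allow-dmz-5000 then permit
```

Two things to check after committing. First, `show security nat destination rule all` should show hits on both rules when you connect to each public address. Second, the return path: the SRX chooses the egress interface for the reverse flow by route lookup when the session is created, so with ISP-1 as the preferred default route a connection that arrived on reth2.0 may be answered out reth1.0 (with 2.2.2.2 as source, which ISP-1 may well drop). `show security flow session destination-port 5000` shows both wings with their interfaces; if the Out wing of an ISP-2 session points at reth1.0, the usual remedy is a separate routing instance per ISP, which is outside this example.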


Re: Clustering and NAT -- Multiple ISPs

[ Edited ]
12-04-2014 07:30 AM

Hi,

EX:

/* under [edit security nat source] */
rule-set rs-example-1 {
    from zone trust;
    to zone untrust;
    rule r-example-1 {
        match {
            source-address 192.168.1.0/24;
            destination-address 0.0.0.0/0;
        }
        then {
            source-nat {
                pool {
                    external-isp-1;
                }
            }
        }
    }
}

Now, what happens if I need to use ISP-2 as the Source Pool?

Thanks!


Re: Clustering and NAT -- Multiple ISPs

[ Edited ]
12-05-2014 11:19 AM

Alright, I was able to fix source NAT issues with source-nat "interface", which uses either egress interface -- awesome!

Destination NAT is still a large issue.

Question:

rule r-test {
    match {
        destination-address 1.1.1.1/32;
        destination-port 5000;
    }
    then {
        destination-nat pool dmz-pool;
    }
}

I have two ISPs, so using a static address for "destination-address" only works for one ISP. Is there a way to dynamically assign a destination address?

**Also tried using a DNS address book entry -- DNS doing the resolve work and replying with the active IP. NOT SUPPORTED FOR NAT. Gotta be an easier way; Juniper can't be this far behind?

Thanks!
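The earlier question in this thread, how to make ISP-2's pool the source pool, has a pool-based answer alongside the source-nat "interface" approach mentioned in the post above. This is an added example, not configuration from the thread or from Juniper: instead of keying the rule-set on "to zone untrust" (which both ISPs share), key one rule-set on each egress reth and give each its own pool, so the route lookup that picks the exit also picks the pool. It assumes reth1.0 and reth2.0 face ISP-1 and ISP-2 with addresses in 1.1.1.0/24 and 2.2.2.0/24, that 1.1.1.10 and 2.2.2.10 are spare addresses each ISP routes to the SRX, that the LAN is 192.168.0.0/24, and that a default route exists via each ISP with ISP-1 preferred; all of these are assumptions.

```junos
# Added example, not from the thread or from Juniper. Pool addresses, interface
# names, the LAN prefix and the routing described in the comments are assumptions.

# One pool per ISP. Pool addresses that are not the reth's own address need
# proxy-ARP so the ISP router can resolve them on the shared segment.
set security nat source pool external-isp-1 address 1.1.1.10/32
set security nat source pool external-isp-2 address 2.2.2.10/32
set security nat proxy-arp interface reth1.0 address 1.1.1.10/32
set security nat proxy-arp interface reth2.0 address 2.2.2.10/32

# Rule-sets keyed on the egress interface rather than "to zone untrust": the
# route lookup picks reth1.0 or reth2.0, and that choice selects the pool.
set security nat source rule-set snat-via-isp1 from zone trust
set security nat source rule-set snat-via-isp1 to interface reth1.0
set security nat source rule-set snat-via-isp1 rule lan-isp1 match source-address 192.168.0.0/24
set security nat source rule-set snat-via-isp1 rule lan-isp1 match destination-address 0.0.0.0/0
set security nat source rule-set snat-via-isp1 rule lan-isp1 then source-nat pool external-isp-1

set security nat source rule-set snat-via-isp2 from zone trust
set security nat source rule-set snat-via-isp2 to interface reth2.0
set security nat source rule-set snat-via-isp2 rule lan-isp2 match source-address 192.168.0.0/24
set security nat source rule-set snat-via-isp2 rule lan-isp2 match destination-address 0.0.0.0/0
set security nat source rule-set snat-via-isp2 rule lan-isp2 then source-nat pool external-isp-2

# Outbound policy. Source NAT is applied after the policy lookup, so the policy
# sees the private source address; it is scoped to the LAN prefix, not "any".
set security zones security-zone trust address-book address lan-net 192.168.0.0/24
set security policies from-zone trust to-zone untrust policy allow-outbound match source-address lan-net
set security policies from-zone trust to-zone untrust policy allow-outbound match destination-address any
set security policies from-zone trust to-zone untrust policy allow-outbound match application any
set security policies from-zone trust to-zone untrust policy allow-outbound then permit
```

Which rule-set fires depends purely on routing. With a static default route via each ISP and the ISP-1 route preferred, snat-via-isp2 is used only while the reth1 route is withdrawn, i.e. while reth1 itself is down; an ISP failure upstream of the link needs RPM-based ip-monitoring to withdraw the route, which is beyond this example. `show security nat source rule all` reports per-rule translation hits, so you can see which pool traffic is actually using.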


Re: Clustering and NAT -- Multiple ISPs

12-05-2014 12:13 PM

@s.dotson wrote:

[...] I have two ISPs, so using a static address for "destination-address" only works for one ISP. Is there a way to dynamically assign a destination address?

**Also tried using a DNS address book entry -- DNS doing the resolve work and replying with the active IP. NOT SUPPORTED FOR NAT. Gotta be an easier way; Juniper can't be this far behind?

How's your clustering configured? It will only work for one ISP as long as your SRXs are in Active/Passive clustering. If you are using active/active, I believe it should work.

JNCIE-SEC #240, JNCIE-ENT #557, CCIE-RS #51416
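A way to settle the active/passive question for your own cluster rather than taking it on belief, as an added example not from the thread: the operational commands below show where RG1 lives, whether both ISP reths are up on that node, whether both destination NAT rules are getting hits, and which interfaces each session's two wings use, before and after a forced failover. It assumes both ISP reths are members of RG1 and that the published service is TCP port 5000 (assumptions).

```junos
# Added example, not from the thread. Assumes reth1 (ISP-1) and reth2 (ISP-2)
# are both in redundancy-group 1 and the service is TCP/5000.

# 1. Both nodes present, RG1 primary on one node, reth1 and reth2 both Up there
show chassis cluster status
show chassis cluster interfaces

# 2. Both destination NAT rules exist and their hit counters rise when clients
#    connect to the ISP-1 address and to the ISP-2 address
show security nat destination rule all

# 3. For each session, compare the In and Out interfaces of both wings: a session
#    that arrived on reth2.0 should be answered out reth2.0, not reth1.0
show security flow session destination-port 5000

# 4. Move RG1 to the other node (both reths move together), repeat steps 1-3 from
#    clients behind each ISP, then clear the manual failover so priority-based
#    selection applies again
request chassis cluster failover redundancy-group 1 node 1
request chassis cluster failover reset redundancy-group 1
```

If step 3 shows the reverse wing of an ISP-2 session leaving via reth1.0, the problem is routing of the reply rather than the cluster mode, and it will look the same on either node.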