SRX Services Gateway

Redundant NAT with two ISP

08-01-2011 01:24 PM

Hi Experts

I have an SRX240 with two internet links from two different ISPs. I have one pool for ISP1 and another pool for ISP2. In order to do the source NAT for the LAN traffic going to the internet, I made two rules in the rule set: one rule for ISP 1 and the other rule for ISP 2. My question is: if ISP1 is down, how does rule 1 in the rule-set for ISP1 get skipped so that rule 2 is used for source NAT instead?

Thanks

7 REPLIES
Re: Redundant NAT with two ISP

08-01-2011 02:25 PM

I can answer that question, but first I need to know whether the pool is using an address range that is also part of the address space assigned to the interface.

Stefan Fouant
Juniper Ambassador
JNCIE-SP, JNCIE-ENT, JNCIE-SEC, JNCI, CISSP, PCNSE, VCP-DV

Check out my blog at ShortestPathFirst

--
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
Re: Redundant NAT with two ISP

08-02-2011 03:51 AM

Hi

The pools are from a different range than the interface IP. But please also explain how things work if the pools are taken from the interface IP.

Thanks

Re: Redundant NAT with two ISP

08-02-2011 08:51 AM

Could you kindly post your config?

Stefan Fouant
Juniper Ambassador
JNCIE-SP, JNCIE-ENT, JNCIE-SEC, JNCI, CISSP, PCNSE, VCP-DV

Re: Redundant NAT with two ISP

08-02-2011 12:14 PM

Here is my config:

[edit security nat source]
admin@NW-SRX240# show
pool ISP-1 {
    address {
        213.83.1.1/32 to 213.83.1.6/32;
    }
}
pool ISP-2 {
    address {
        83.111.48.1/32 to 83.111.48.6/32;
    }
}

rule-set Redundant-NAT {
    from zone Trust-Zone;
    to zone Untrust-Zone;
    rule rule1 {
        match {
            source-address 192.168.1.0/24;
        }
        then {
            source-nat {
                pool {
                    ISP-1;
                }
            }
        }
    }
    rule rule2 {
        match {
            source-address 192.168.1.0/24;
        }
        then {
            source-nat {
                pool {
                    ISP-2;
                }
            }
        }
    }
}

Re: Redundant NAT with two ISP

08-02-2011 02:28 PM

This would be possible if you configure BFD or the Track IP feature (ref: http://forums.juniper.net/t5/Junos/Track-IP-functionality-in-Junos/td-p/3421).

This would help in powering off the interface specific to the inactive internet gateway; subsequently the NAT rule will not be applied.

Regards

Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]

Re: Redundant NAT with two ISP

08-04-2011 01:37 PM

Hi

Can anybody reply on this?

Re: Redundant NAT with two ISP

08-06-2011 12:07 AM

Hello...

Since you are multihoming to different ISPs and I don't know the whole config, I'll assume there are separate egress interfaces... in which case you'd be better off using two different rule-sets with the "to interface" option instead of one rule-set with "to zone" containing those two separate sub-rules (which specify the same match criteria anyway, so I imagine you would only ever hit the ISP1 rule unless it ran out of translations).

But this raises the question: why not just do "interface NAT", i.e. "then source-nat interface" instead of "then source-nat pool ..."? Is it because you want to do 1:1 NAT? In which case the best configuration to use would usually be "static nat" instead of source NAT...

Hope that helps... if not, a diagram and full config would be most helpful.
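The "to interface" layout suggested in the reply above, written out as an added example in set format (this is not the original poster's config and not from the thread's other participants). It keeps the posted pools and the 192.168.1.0/24 match, and assumes ISP-1 is reached via ge-0/0/0.0 with next-hop 203.0.113.1 and ISP-2 via ge-0/0/1.0 with next-hop 198.51.100.1; those interface names, next-hops and the probe target are placeholders. The routing and RPM/ip-monitoring part at the end is the "track IP" idea from the earlier reply, shown here so the example is complete: NAT rule-set selection on the SRX follows the egress interface chosen by the route lookup, so once the default route moves to ISP-2 the second rule-set matches on its own, and no ordering trick inside a single rule-set is needed.

```junos
# Added example, not the poster's config. Interface names, next-hops and the
# probe target are placeholders; pools and the LAN prefix are from the thread.

# Pools as posted (range end written as /32, which is what Junos expects).
set security nat source pool ISP-1 address 213.83.1.1/32 to 213.83.1.6/32
set security nat source pool ISP-2 address 83.111.48.1/32 to 83.111.48.6/32

# The pool addresses are not the interface addresses, so the SRX must answer
# ARP for them on each ISP-facing segment or return traffic never arrives.
set security nat proxy-arp interface ge-0/0/0.0 address 213.83.1.1/32 to 213.83.1.6/32
set security nat proxy-arp interface ge-0/0/1.0 address 83.111.48.1/32 to 83.111.48.6/32

# One rule-set per egress interface, replacing the single "to zone" rule-set.
set security nat source rule-set ISP1-NAT from zone Trust-Zone
set security nat source rule-set ISP1-NAT to interface ge-0/0/0.0
set security nat source rule-set ISP1-NAT rule lan-out match source-address 192.168.1.0/24
set security nat source rule-set ISP1-NAT rule lan-out then source-nat pool ISP-1

set security nat source rule-set ISP2-NAT from zone Trust-Zone
set security nat source rule-set ISP2-NAT to interface ge-0/0/1.0
set security nat source rule-set ISP2-NAT rule lan-out match source-address 192.168.1.0/24
set security nat source rule-set ISP2-NAT rule lan-out then source-nat pool ISP-2

# Failover is a routing decision: primary default route via ISP-1, probe the
# ISP-1 next-hop with RPM, and let ip-monitoring install a preferred default
# route via ISP-2 while the probe is failing. Traffic then leaves ge-0/0/1.0
# and ISP2-NAT is the rule-set that matches.
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
set services rpm probe ISP1-probe test ping-isp1 target address 203.0.113.1
set services rpm probe ISP1-probe test ping-isp1 probe-count 3
set services rpm probe ISP1-probe test ping-isp1 probe-interval 2
set services rpm probe ISP1-probe test ping-isp1 test-interval 5
set services rpm probe ISP1-probe test ping-isp1 thresholds successive-loss 3
set services rpm probe ISP1-probe test ping-isp1 destination-interface ge-0/0/0.0
set services rpm probe ISP1-probe test ping-isp1 next-hop 203.0.113.1
set services ip-monitoring policy ISP1-track match rpm-probe ISP1-probe
set services ip-monitoring policy ISP1-track then preferred-route route 0.0.0.0/0 next-hop 198.51.100.1
```

To confirm which rule-set a flow is hitting, compare the translated-packet counters from `show security nat source rule all` before and after pulling the ISP-1 link, and check `show services ip-monitoring status` to see whether the preferred route has been installed. If the pools were carved from the interface subnets instead (the point raised in the second reply), the proxy-arp lines would still be needed for any pool address that is not the interface's own address; only `then source-nat interface` avoids them entirely.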