Issue when implementing static NAT + FBF on SRX240
Hi all JUNOS experts,
I have run into a problem when implementing static NAT and FBF on an SRX240.
Before, we only had ISP1 connected to the SRX240: the default route pointed to ISP1, and the static NAT addresses were in the same segment as the ISP1 interface. That was working well.
Now we have added a connection to ISP2, and we want a few servers to communicate only through ISP2. So I changed the static NAT addresses to the same segment as the ISP2 interface, and then I created an FBF filter on the server-facing interface.
Then I tried to access one of these servers, but it failed. Checking the logs, the traffic comes in from ISP2 and the NAT is also OK, but the outgoing traffic goes through ISP1. It seems the FBF does not take effect.
set interfaces reth4 unit 0 family inet filter input ISP2
set interfaces reth4 unit 0 family inet address 192.168.1.1/24
set interfaces reth13 unit 0 family inet address 18.104.22.168/24
set interfaces reth15 unit 0 family inet address 22.214.171.124/24

set routing-options interface-routes rib-group inet PBR_Group
set routing-options static route 192.168.2.0/24 next-hop 192.168.1.254
set routing-options static route 0.0.0.0/0 next-hop 126.96.36.199
set routing-options rib-groups PBR_Group import-rib inet.0
set routing-options rib-groups PBR_Group import-rib PBR1.inet.0

set routing-instances PBR1 instance-type forwarding
set routing-instances PBR1 routing-options static route 0.0.0.0/0 next-hop 188.8.131.52

set firewall family inet filter ISP2 term 1 from source-address 192.168.2.2/32
set firewall family inet filter ISP2 term 1 then routing-instance PBR1
set firewall family inet filter ISP2 term 2 then accept

set security nat static rule-set ruleset1 from interface reth13.0
set security nat static rule-set ruleset1 rule rule1 match destination-address 184.108.40.206/32
set security nat static rule-set ruleset1 rule rule1 then static-nat prefix 192.168.2.2/32

set security nat proxy-arp interface reth13.0 address 220.127.116.11/32
Re: Issue when implementing static NAT + FBF on SRX240
Can you please share the output of the command "show security flow session destination-prefix 18.104.22.168/32" after you initiate the connection, and also the output of "show route <x.x.x.x>", where x.x.x.x is the source IP address from which you are trying to access the server.
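As an added example (not part of either post above), here is the set of operational-mode commands I would run on the SRX in this situation, together with what each one should show if the FBF and static NAT are doing what the first post intends. The source address 203.0.113.10 is a constructed placeholder for the client on the ISP2 side; the interface names, filter name and routing-instance name are taken from the configuration posted above.

```junos
## 1. Confirm the forwarding instance actually has usable routes.
##    PBR1.inet.0 must contain the interface routes imported via PBR_Group
##    (so 188.8.131.52 can be resolved) plus its own 0.0.0.0/0; if the
##    default route shows as unresolved/hidden, the filter sends traffic into
##    an instance that cannot forward it.
show route table PBR1.inet.0
show route 0.0.0.0/0 table PBR1.inet.0 detail

## 2. Confirm the filter is bound where you think it is and is being hit.
##    'show interfaces filters' lists input/output filters per interface;
##    the ISP2 filter should appear on reth4.0 as an input filter.
##    Per-term counters only appear in 'show firewall' if the terms are
##    configured with 'then count <name>' (they are not in the posted config).
show interfaces filters
show firewall filter ISP2

## 3. Confirm the static NAT rule is matching on reth13.0.
##    Translation hits should increment on rule1 after a test connection.
show security nat static rule all
show security nat static rule rule1

## 4. After initiating a connection from the ISP2 side, inspect the session.
##    Each session has two wings ("In:" and "Out:"); the egress interface
##    for the reply direction is chosen when the session is created, so the
##    reverse wing tells you where the server's replies will actually be
##    sent. If the reverse wing shows the ISP1 interface (reth15.0), the
##    replies are leaving via ISP1 regardless of the filter on reth4.0.
##    203.0.113.10 is a constructed example client address.
show security flow session destination-prefix 18.104.22.168/32 extensive
show security flow session source-prefix 203.0.113.10/32 extensive

## 5. Compare the route lookup for the client address in both tables.
##    In inet.0 the client should be reached via the 0.0.0.0/0 to ISP1;
##    in PBR1.inet.0 it should be reached via the 0.0.0.0/0 to ISP2.
show route 203.0.113.10
show route 203.0.113.10 table PBR1.inet.0
```

Reading the results together: if step 1 shows PBR1's default route as active and step 4 shows the reverse wing of the session pointing at reth15.0, the routing instance is fine and the problem is that the egress for the server's replies was decided at session setup, before any packet from the server ever hit the ISP2 filter on reth4.0; that is the output the reply above is asking for, and it is the first thing to check.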