SRX Services Gateway

There is an issue when implementing static NAT + FBF in SRX240

‎04-29-2020 01:21 AM

Hi all JUNOS experts,

I met a problem when implementing static NAT and FBF on an SRX240.

Before, we only had ISP1 connected to the SRX240, with the default route to ISP1, and the static NAT addresses were also in the same segment as the ISP1 interface. They were working well.

Now we have added a connection to ISP2, and we want a few servers to communicate only through ISP2. So I changed the static NAT address to be in the same segment as the ISP2 interface. Then I created FBF on the server interface.

Then I tried to access this server but failed. Checking the log, the traffic is coming in from ISP2 and NAT is also OK, but the outgoing traffic goes through ISP1. It seems the FBF does not take effect.

I would appreciate it if anybody can help me.

reth4 to server, in trust zone;

reth13 to ISP2, in untrust zone;

reth15 to ISP1, in untrust zone;

The related configuration is as below:


set interfaces reth4 unit 0 family inet filter input ISP2
set interfaces reth4 unit 0 family inet address 192.168.1.1/24
set interfaces reth13 unit 0 family inet address 2.2.2.1/24
set interfaces reth15 unit 0 family inet address 1.1.1.1/24

set routing-options interface-routes rib-group inet PBR_Group
set routing-options static route 192.168.2.0/24 next-hop 192.168.1.254
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.254
set routing-options rib-groups PBR_Group import-rib inet.0
set routing-options rib-groups PBR_Group import-rib PBR1.inet.0

set routing-instances PBR1 instance-type forwarding
set routing-instances PBR1 routing-options static route 0.0.0.0/0 next-hop 2.2.2.254

set firewall family inet filter ISP2 term 1 from source-address 192.168.2.2/32
set firewall family inet filter ISP2 term 1 then routing-instance PBR1
set firewall family inet filter ISP2 term 2 then accept

set security nat static rule-set ruleset1 from interface reth13.0
set security nat static rule-set ruleset1 rule rule1 match destination-address 2.2.2.2/32
set security nat static rule-set ruleset1 rule rule1 then static-nat prefix 192.168.2.2/32

set security nat proxy-arp interface reth13.0 address 2.2.2.2/32


Re: There is an issue when implementing static NAT + FBF in SRX240

‎04-30-2020 10:00 AM

Hello Gao_YN,

Check out the following solution with Dual ISP. This may give you some ideas to make it work.

https://kb.juniper.net/InfoCenter/index?page=content&id=KB15545&actp=search&viewlocale=en_US&IQ_SESS...

Thanks!


Re: There is an issue when implementing static NAT + FBF in SRX240

‎04-30-2020 09:57 PM

Hi Gao,

Can you please share the output of the command "show security flow session destination-prefix 2.2.2.2/32" after you initiate the connection, and also the output of "show route <x.x.x.x>", where x.x.x.x is the source IP address from which you are trying to access the server?

I see this issue as similar to the one explained in the KB article https://kb.juniper.net/InfoCenter/index?page=content&id=KB27946, where FBF doesn't perform a route lookup for the return traffic, as a reverse route lookup is already performed during initial session creation.

Hope this helps.

Thanks and Regards,

Pradeep Kumar M

|| If this solves your problem, please mark this post as "Accepted Solution" so we can help others too ||
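The following is an added Python model of the behaviour the second reply describes; it is not Junos code and not from either poster. It reproduces the posted routing tables, the ISP2 input filter and the static NAT rule, and models the SRX flow session the way the reply explains it: the filter and both route lookups happen once on the first packet of a session, the reverse path is fixed then from inet.0, and every later packet in either direction simply matches the session. The client addresses 3.3.3.3 and 4.4.4.4 are constructed for the example, and the choice of inet.0 for the reverse lookup is a modelling assumption taken from the reply rather than from the SRX documentation.

```python
import ipaddress

# Constructed model of the posted topology. Routes mirror the "set routing-options"
# and "set routing-instances" lines: rib-group PBR_Group shares only the interface
# routes into PBR1.inet.0, so the static 192.168.2.0/24 route exists only in inet.0.
ROUTES = {
    "inet.0": [
        ("192.168.1.0/24", "reth4.0", None),
        ("2.2.2.0/24", "reth13.0", None),
        ("1.1.1.0/24", "reth15.0", None),
        ("192.168.2.0/24", "reth4.0", "192.168.1.254"),
        ("0.0.0.0/0", "reth15.0", "1.1.1.254"),   # default via ISP1
    ],
    "PBR1.inet.0": [
        ("192.168.1.0/24", "reth4.0", None),
        ("2.2.2.0/24", "reth13.0", None),
        ("1.1.1.0/24", "reth15.0", None),
        ("0.0.0.0/0", "reth13.0", "2.2.2.254"),   # default via ISP2
    ],
}


def lookup(table, dst):
    """Longest-prefix match in one routing table; returns (egress, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress, next_hop in ROUTES[table]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, egress, next_hop)
    return None if best is None else (best[1], best[2])


def fbf_table(in_iface, src):
    """Input filter ISP2 on reth4.0: term 1 diverts 192.168.2.2 to PBR1, term 2 accepts."""
    if in_iface == "reth4.0" and src == "192.168.2.2":
        return "PBR1.inet.0"
    return "inet.0"


def static_nat(in_iface, dst):
    """Static NAT rule-set ruleset1: 2.2.2.2 arriving on reth13.0 maps to 192.168.2.2."""
    if in_iface == "reth13.0" and dst == "2.2.2.2":
        return "192.168.2.2"
    return dst


class FlowForwarder:
    """Session-based forwarding: filter and route lookups run only on the first
    packet; later packets in either direction are forwarded from the session."""

    def __init__(self):
        self.sessions = {}   # (src, dst) wing -> (egress, next_hop)

    def forward(self, in_iface, src, dst):
        wing = self.sessions.get((src, dst))
        if wing is not None:
            return wing                      # fast path: no filter, no route lookup
        real_dst = static_nat(in_iface, dst)
        fwd = lookup(fbf_table(in_iface, src), real_dst)
        # Assumption from the reply: the reply path is chosen now, by a reverse
        # route lookup in inet.0, so the FBF filter on reth4.0 never sees it.
        rev = lookup("inet.0", src)
        self.sessions[(src, dst)] = fwd
        self.sessions[(real_dst, src)] = rev
        return fwd


def inbound_via_isp2():
    """Constructed client 3.3.3.3 on ISP2 reaches the static-NAT address.
    Returns (egress of the first packet, egress of the server's reply)."""
    fw = FlowForwarder()
    first = fw.forward("reth13.0", "3.3.3.3", "2.2.2.2")
    reply = fw.forward("reth4.0", "192.168.2.2", "3.3.3.3")
    return first, reply


def server_initiated():
    """The server opens the session itself, so its first packet hits filter ISP2."""
    fw = FlowForwarder()
    return fw.forward("reth4.0", "192.168.2.2", "4.4.4.4")


if __name__ == "__main__":
    print("inbound from ISP2 (first, reply):", inbound_via_isp2())
    print("server-initiated:", server_initiated())
```

Run as-is, the model reproduces the symptom in the original post: the inbound session from ISP2 is NATed and delivered to the server via reth4.0, but the server's reply leaves through reth15.0 toward 1.1.1.254 (ISP1), because that reverse path was fixed from inet.0 when the session was created. Only a session the server initiates itself goes through the ISP2 filter and out reth13.0 toward 2.2.2.254. The two "show" commands requested in the reply are the on-box equivalent of inspecting this session table and the inet.0 route for the client's source address.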