Author Topic: Configuration Destination NAT with 2 ISP  (Read 651 times)

miguelrdz

  • Newbie
  • *
  • Posts: 1
  • Karma: +0/-0
    • View Profile
Configuration Destination NAT with 2 ISP
« on: March 30, 2017, 11:57:21 am »
Hello,I have the following scenario:

Juniper SRX110
-I have 2 internet links with fixed ip ISP1 189.x.x.x and ISP2 187.x.x.x
-2 different subnets (Data1) 192.168.1.x (Data2) 192.168.2.x
-The Data1 network is required to exit through ISP1 and Data through ISP2
The problem is that the destination NAT "HTTPS (443)" does not work when I set up the rib-group, everything else works correctly.
Any solution for this?

My configuration is as follows:


## Last changed: 2017-03-15 16:51:50 GMT
version 12.1X44-D35.5;
services {
ssh;
telnet;
web-management {
https {
port 9443;
system-generated-certificate;
}
session {
idle-timeout 60;
}
}
}
syslog {
archive size 100k files 3;
user * {
any emergency;
}
file messages {
any critical;
authorization info;
}
file interactive-commands {
interactive-commands error;
}
}
max-configurations-on-flash 5;
max-configuration-rollbacks 5;
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
interfaces {
fe-0/0/0 {
unit 0 {
family inet {
address 189.x.x.170/28;
}
}
}
fe-0/0/1 {
unit 0 {
family inet {
address 192.168.1.252/24;
}
}
}
fe-0/0/2 {
unit 0 {
family inet {
address 192.168.2.252/24;
}
}
}
fe-0/0/7 {
unit 0 {
family inet {
address 187.x.x.194/28;
}
}
}
}
routing-options {
static {
route 0.0.0.0/0 {
next-hop [ 189.x.x.169 187.x.x.193 ];
qualified-next-hop 187.x.x.193;
}
}
rib-groups {
ISP1-ISP2 {
import-rib [ ISP1.inet.0 ISP2.inet.0 ];
}
}
}
protocols {
stp;
}
security {
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
timeout 20;
}
land;
}
}
}
nat {
source {
rule-set nsw_srcnat {
from zone REDVERACRUZ;
to zone Internet;
rule nsw-src-interface {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
rule-set ISP2 {
from zone REDVERACRUZ2;
to zone INTERNET2;
rule ISP2 {
match {
source-address 0.0.0.0/0;
destination-address 0.0.0.0/0;
}
then {
source-nat {
interface;
}
}
}
}
}
destination {
pool Barracuda {
routing-instance {
default;
}
address 192.168.1.20/32 port 25;
}
pool HTTP80 {
description "HTTP(80)";
address 192.168.1.3/32 port 80;
}
pool Cliente_Citrix {
address 192.168.1.3/32 port 1494;
}
pool HTTPS {
description "HTTPS(443)";
routing-instance {
default;
}
address 192.168.1.38/32 port 443;
}
rule-set VIPs {
description "Regla para Vips";
from zone Internet;
rule Rule_HTTP {
description "HTTP(80)";
match {
destination-address 189.x..x.170/32;
destination-port 80;
}
then {
destination-nat pool HTTP80;
}
}
rule Rule_Citrix {
description "Cleinte Citrix";
match {
destination-address 189.x..x.170/32;
destination-port 1494;
}
then {
destination-nat pool Cliente_Citrix;
}
}
rule Rule_HTTPS {
description "HTTPS(443)";
match {
destination-address 189.x..x.170/32;
destination-port 443;
}
then {
destination-nat pool HTTPS
}
}
}
}
}
policies {
from-zone REDVERACRUZ to-zone Internet {
policy AccesoInternet {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone Internet to-zone REDVERACRUZ {
policy AccesoInternet {
match {
source-address any;
destination-address [ Server_192.168.1.20 Server_192.168.1.30 Server_192.168.1.10 Server_192.168.1.38 Server_192.168.1.3 ];
application any;
}
then {
permit;
}
}
}
from-zone REDVERACRUZ2 to-zone INTERNET2 {
policy REDVER2 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone REDVERACRUZ to-zone REDVERACRUZ2 {
policy RED_LOCAL {
description "COMUNICACION AMBAS REDES";
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone REDVERACRUZ2 to-zone REDVERACRUZ {
policy RED_LOCAL2 {
description "COMUNICACION AMBAS REDES";
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone REDVERACRUZ to-zone INTERNET2 {
policy AccesoInt2 {
description "Acceso red 1 a internet de Telmex";
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone REDVERACRUZ2 to-zone Internet {
policy REDVER1 {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone REDVERACRUZ {
address-book {
address LptGama 192.168.1.5/32;
address Server_192.168.1.20 192.168.1.20/32;
address Server_192.168.1.30 192.168.1.30/32;
address Server_192.168.1.21 192.168.1.21/32;
address Server_192.168.1.3 192.168.1.3/32;
address Server_192.168.1.7 192.168.1.7/32;
address Server_192.168.1.10 192.168.1.10/32;
address Server_192.168.1.29 192.168.1.29/32;
address Server_192.168.1.38 192.168.1.38/32;
}
interfaces {
fe-0/0/1.0 {
host-inbound-traffic {
system-services {
ping;
https;
http;
ssh;
telnet;
}
}
}
}
}
security-zone Internet {
description METROCARRIER;
interfaces {
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
ping;
https;
ssh;
}
}
}
}
}
security-zone REDVERACRUZ2 {
interfaces {
fe-0/0/2.0;
}
}
security-zone INTERNET2 {
description TELMEX;
interfaces {
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
https;
ping;
}
}
}
}
}
}
}
routing-instances {
ISP1 {
instance-type virtual-router;
interface fe-0/0/0.0;
interface fe-0/0/1.0;
routing-options {
interface-routes {
rib-group inet ISP1-ISP2;
}
static {
route 0.0.0.0/0 next-hop 189.x.x.169;
}
}
}
ISP2 {
instance-type virtual-router;
interface fe-0/0/2.0;
interface fe-0/0/7.0;
routing-options {
interface-routes {
rib-group inet ISP1-ISP2;
}
static {
route 0.0.0.0/0 next-hop 187.x.x.193;
}
}
}
}


Regards!
Miguel Rodriguez

glm07

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: Configuration Destination NAT with 2 ISP
« Reply #1 on: September 09, 2017, 08:46:35 pm »
Hi miguelrdz,

Could you please run the following test and configure traceoptions as follows:
-Try to open the https site on x.x.x.70 address, verify the IP address of the PC where you will run the test.
-Traceoptions config:
# set security flow traceoptions file D_Nat_HTTPS
# set security flow traceoptions flag basic-datapath
# set security flow traceoptions packet-filter F1 source-prefix <your-test-pc-IP> destination-prefix 189.x.x.170
# set security flow traceoptions packet-filter F2 source-prefix 192.168.1.38 destination-prefix <your-test-pc-IP>
# commit

Please attach the file to the reply.