Configuration Example: Configure J-Series/SRX for dual ISP without dynamic routing protocols.

  1. Configuration Example: Configure J-Series/SRX for dual ISP without dynamic routing protocols.
  2. Knowledge Base ID: KB15545
  3. Version: 1.0
  4. Published: 16 Oct 2009
  5. Categories: J-series
  6. SRX Series
  7.  
  8. Summary:
  9. This article contains a sample configuration for J-Series and branch SRX devices with a dual ISP connection. It allows ISP failover without dynamic routing protocols such as OSPF or BGP.
  10.  
  11. Problem or Goal:
  12. Topology Assumptions
  13.  
  14. Note that an SRX210 running 9.6R2 was used for this example.
  15.  
  16. Trust zone network is 192.168.1.0/24 on ge-0/0/0
  17. DMZ zone network is 10.10.10.0/24 on ge-0/0/1
  18.  
  19. ISP1 zone network is 1.1.1.0/29 on fe-0/0/6
  20. ISP2 zone network is 2.2.2.0/29 on fe-0/0/7
  21.  
  22. Requirements
  23.  
  24. * Trust and DMZ zones should egress via ISP1 with source NAT.
  25. * If the ISP1 interface goes down, Trust and DMZ zones should egress via ISP2 instead, with source NAT.
  26. * When the ISP1 interface comes back up, Trust and DMZ zones should revert to ISP1.
  27. * ISP1 must provide destination NAT for the web server in the Trust zone and the mail server in the DMZ zone.
  28. * ISP2 also provides destination NAT for the same web and mail servers.
  29. * When both ISPs are up, the destination NAT addresses should be reachable from both ISPs for both the web and mail servers.
  30.  
  31. Solution:
  32. This is possible using a combination of multiple routing instances with filter-based forwarding and a qualified-next-hop on the default route: the input filters on the ISP interfaces place inbound traffic for each ISP's own address block into the TRUST-VRF forwarding instance, while the qualified-next-hop provides a less-preferred backup default route for outbound traffic. Below is a sample working configuration for the above scenario.
  33.  
  34. interfaces {
/* Inside-facing units (ge-0/0/0, ge-0/0/1) carry no input filter. The two ISP units apply the
   isp1-in / isp2-in filters defined under "firewall" to steer inbound traffic for each ISP's
   own address block into the TRUST-VRF instance. */
  35. ge-0/0/0 {
  36. unit 0 {
  37. family inet {
  38. address 192.168.1.254/24;
  39. }
  40. }
  41. }
  42. ge-0/0/1 {
  43. unit 0 {
  44. family inet {
  45. address 10.10.10.254/24;
  46. }
  47. }
  48. }
/* ISP1 uplink. The destination-NAT address 1.1.1.5 is not configured here; it is answered
   through security nat proxy-arp below. */
  49. fe-0/0/6 {
  50. unit 0 {
  51. family inet {
  52. filter {
  53. input isp1-in;
  54. }
  55. address 1.1.1.2/29;
  56. }
  57. }
  58. }
/* ISP2 uplink; same arrangement, with 2.2.2.5 handled by proxy-arp. */
  59. fe-0/0/7 {
  60. unit 0 {
  61. family inet {
  62. filter {
  63. input isp2-in;
  64. }
  65. address 2.2.2.2/29;
  66. }
  67. }
  68. }
  69. }
  70. routing-options {
/* Interface routes of the default instance are shared through rib-group "inside" so every
   table listed in its import-rib sees the directly connected networks. */
  71. interface-routes {
  72. rib-group inet inside;
  73. }
  74. static {
/* Default route: ISP1 (1.1.1.1) is primary; the ISP2 next hop carries preference 10, higher
   (less preferred) than the primary next hop, so it is used only while the ISP1 next hop is
   not usable. NOTE(review): a static qualified-next-hop fails over on interface / next-hop
   state (fe-0/0/6 down), not on reachability beyond 1.1.1.1 — confirm this matches the
   failover requirement. */
  75. route 0.0.0.0/0 {
  76. next-hop 1.1.1.1;
  77. qualified-next-hop 2.2.2.1 {
  78. preference 10;
  79. }
  80. }
  81. }
  82. rib-groups {
  83. inside {
  84. import-rib [ inet.0 TRUST-VRF.inet.0 INSIDE.inet.0 ISP2.inet.0 ];
  85. }
  86. }
  87. }
  88. security {
  89. nat {
  90. source {
/* Interface source NAT for everything from the INSIDE instance toward either uplink:
   "default" (inet.0, which holds fe-0/0/6) or the ISP2 instance. */
  91. rule-set interface-nat-out {
  92. from routing-instance INSIDE;
  93. to routing-instance [ ISP2 default ];
  94. rule interface-nat-out {
  95. match {
  96. source-address 0.0.0.0/0;
  97. destination-address 0.0.0.0/0;
  98. }
  99. then {
  100. source-nat {
  101. interface;
  102. }
  103. }
  104. }
  105. }
  106. }
  107. destination {
/* Destination-NAT pools translate both address and port, so only the listed port on each
   server is exposed through the NAT addresses. */
  108. pool web-server-trust {
  109. address 192.168.1.5/32 port 80;
  110. }
  111. pool mail-server-dmz {
  112. address 10.10.10.5/32 port 25;
  113. }
/* Inbound translations for ISP1. NOTE(review): both rule-set names are misleading — each
   carries one trust (web) rule and one dmz (mail) rule; naming them by ingress interface
   (e.g. isp1-in-dnat / isp2-in-dnat) would read more accurately. */
  114. rule-set isp1-to-trust {
  115. from interface fe-0/0/6.0;
  116. rule isp1-http-in {
  117. match {
  118. source-address 0.0.0.0/0;
  119. destination-address 1.1.1.5/32;
  120. destination-port 80;
  121. }
  122. then {
  123. destination-nat pool web-server-trust;
  124. }
  125. }
  126. rule isp1-mail-in {
  127. match {
  128. source-address 0.0.0.0/0;
  129. destination-address 1.1.1.5/32;
  130. destination-port 25;
  131. }
  132. then {
  133. destination-nat pool mail-server-dmz;
  134. }
  135. }
  136. }
/* Same translations for inbound ISP2 traffic, using the ISP2 NAT address. */
  137. rule-set isp2-to-dmz {
  138. from interface fe-0/0/7.0;
  139. rule isp2-http-in {
  140. match {
  141. source-address 0.0.0.0/0;
  142. destination-address 2.2.2.5/32;
  143. destination-port 80;
  144. }
  145. then {
  146. destination-nat pool web-server-trust;
  147. }
  148. }
  149. rule isp2-mail-in {
  150. match {
  151. source-address 0.0.0.0/0;
  152. destination-address 2.2.2.5/32;
  153. destination-port 25;
  154. }
  155. then {
  156. destination-nat pool mail-server-dmz;
  157. }
  158. }
  159. }
  160. }
/* The SRX must answer ARP for the destination-NAT addresses (1.1.1.5, 2.2.2.5), which are
   not configured on the interfaces themselves (1.1.1.2, 2.2.2.2). */
  161. proxy-arp {
  162. interface fe-0/0/6.0 {
  163. address {
  164. 1.1.1.5/32;
  165. }
  166. }
  167. interface fe-0/0/7.0 {
  168. address {
  169. 2.2.2.5/32;
  170. }
  171. }
  172. }
  173. }
  174. zones {
  175. security-zone trust {
  176. address-book {
  177. address web-server 192.168.1.5/32;
  178. }
  179. interfaces {
  180. ge-0/0/0.0 {
/* NOTE(review): "all" exposes every Junos host service, management included, to the whole
   trust LAN; list only the services the LAN actually needs. */
  181. host-inbound-traffic {
  182. system-services {
  183. all;
  184. }
  185. }
  186. }
  187. }
  188. }
  189. security-zone dmz {
  190. address-book {
  191. address mail-server 10.10.10.5/32;
  192. }
  193. interfaces {
  194. ge-0/0/1.0 {
/* NOTE(review): same "all" exposure toward the DMZ, which holds the Internet-reachable mail
   server; a DMZ zone should get at most ping plus whatever the servers demonstrably need. */
  195. host-inbound-traffic {
  196. system-services {
  197. all;
  198. }
  199. }
  200. }
  201. }
  202. }
  203. security-zone isp1 {
  204. interfaces {
  205. fe-0/0/6.0 {
/* NOTE(review): ssh and https are device-management services and are accepted here from the
   ISP1 side; the isp1-in filter ends in an unconditional accept, so it does not narrow this.
   Keep only ping unless Internet-side management is required, and in that case restrict the
   permitted source addresses. */
  206. host-inbound-traffic {
  207. system-services {
  208. ssh;
  209. https;
  210. ping;
  211. }
  212. }
  213. }
  214. }
  215. }
  216. security-zone isp2 {
  217. interfaces {
  218. fe-0/0/7.0 {
/* NOTE(review): same management exposure as the isp1 zone above; the isp2-in filter likewise
   accepts everything in its final term. */
  219. host-inbound-traffic {
  220. system-services {
  221. ssh;
  222. https;
  223. ping;
  224. }
  225. }
  226. }
  227. }
  228. }
  229. }
  230. policies {
/* NOTE(review): any/any/any in both directions between trust and dmz (see also dmz-to-trust
   below) removes the segmentation a DMZ is meant to provide; scope these policies to the
   hosts and applications actually required. */
  231. from-zone trust to-zone dmz {
  232. policy allow-trust-to-dmz {
  233. match {
  234. source-address any;
  235. destination-address any;
  236. application any;
  237. }
  238. then {
  239. permit;
  240. }
  241. }
  242. }
/* Outbound: trust may reach either ISP without restriction; source NAT (above) applies. */
  243. from-zone trust to-zone isp1 {
  244. policy allow-trust-out-isp1 {
  245. match {
  246. source-address any;
  247. destination-address any;
  248. application any;
  249. }
  250. then {
  251. permit;
  252. }
  253. }
  254. }
  255. from-zone trust to-zone isp2 {
  256. policy allow-trust-out-isp2 {
  257. match {
  258. source-address any;
  259. destination-address any;
  260. application any;
  261. }
  262. then {
  263. permit;
  264. }
  265. }
  266. }
  267. from-zone dmz to-zone trust {
  268. policy allow-dmz-to-trust {
  269. match {
  270. source-address any;
  271. destination-address any;
  272. application any;
  273. }
  274. then {
  275. permit;
  276. }
  277. }
  278. }
/* NOTE(review): outbound from the DMZ is unrestricted, so a compromised mail server can reach
   any destination on any port; limiting it to the applications it needs (SMTP, DNS, ...)
   contains that case and makes unexpected connections visible in the logs. */
  279. from-zone dmz to-zone isp1 {
  280. policy allow-dmz-out-isp1 {
  281. match {
  282. source-address any;
  283. destination-address any;
  284. application any;
  285. }
  286. then {
  287. permit;
  288. }
  289. }
  290. }
  291. from-zone dmz to-zone isp2 {
  292. policy allow-dmz-out-isp2 {
  293. match {
  294. source-address any;
  295. destination-address any;
  296. application any;
  297. }
  298. then {
  299. permit;
  300. }
  301. }
  302. }
/* Inbound: these policies match the address-book entries (the post-NAT private addresses)
   and the junos-http / junos-mail applications, so only the translated services reach the
   servers. */
  303. from-zone isp1 to-zone trust {
  304. policy isp1-http-incoming {
  305. match {
  306. source-address any;
  307. destination-address web-server;
  308. application junos-http;
  309. }
  310. then {
  311. permit;
  312. }
  313. }
  314. }
  315. from-zone isp1 to-zone dmz {
  316. policy isp1-mail-incoming {
  317. match {
  318. source-address any;
  319. destination-address mail-server;
  320. application junos-mail;
  321. }
  322. then {
  323. permit;
  324. }
  325. }
  326. }
  327. from-zone isp2 to-zone trust {
  328. policy isp2-http-incoming {
  329. match {
  330. source-address any;
  331. destination-address web-server;
  332. application junos-http;
  333. }
  334. then {
  335. permit;
  336. }
  337. }
  338. }
  339. from-zone isp2 to-zone dmz {
  340. policy isp2-mail-incoming {
  341. match {
  342. source-address any;
  343. destination-address mail-server;
  344. application junos-mail;
  345. }
  346. then {
  347. permit;
  348. }
  349. }
  350. }
  351. }
  352. }
  353. firewall {
/* Filter-based forwarding for inbound traffic: anything arriving on an ISP interface that is
   addressed to that ISP's own block is handed to the TRUST-VRF instance; term 2 accepts
   everything else into the default instance. These filters select a forwarding table only —
   they perform no access control. */
  354. filter isp1-in {
  355. term 1 {
  356. from {
  357. destination-address {
  358. 1.1.1.0/29;
  359. }
  360. }
  361. then {
  362. routing-instance TRUST-VRF;
  363. }
  364. }
  365. term 2 {
  366. then {
  367. accept;
  368. }
  369. }
  370. }
/* Same structure for the ISP2 block. */
  371. filter isp2-in {
  372. term 1 {
  373. from {
  374. destination-address {
  375. 2.2.2.0/29;
  376. }
  377. }
  378. then {
  379. routing-instance TRUST-VRF;
  380. }
  381. }
  382. term 2 {
  383. then {
  384. accept;
  385. }
  386. }
  387. }
  388. }
  389. routing-instances {
/* Forwarding instance that receives the filter-based-forwarding traffic. Interface routes for
   both inside subnets already arrive in TRUST-VRF.inet.0 through rib-group "inside" (exported
   from the INSIDE instance below). NOTE(review): confirm the static next hops 192.168.1.1 and
   10.10.10.1 are intended — they are not the SRX's own addresses (.254) and no host at .1 is
   described in the topology. */
  390. TRUST-VRF {
  391. instance-type forwarding;
  392. routing-options {
  393. static {
  394. route 192.168.1.0/24 next-hop 192.168.1.1;
  395. route 10.10.10.0/24 next-hop 10.10.10.1;
  396. }
  397. }
  398. }
/* Inside networks live in their own virtual router; its interface routes are shared via
   rib-group "inside", and its default route hands traffic to inet.0, where the qualified
   default route selects the uplink. */
  399. INSIDE {
  400. instance-type virtual-router;
  401. interface ge-0/0/0.0;
  402. interface ge-0/0/1.0;
  403. routing-options {
  404. interface-routes {
  405. rib-group inet inside;
  406. }
  407. static {
  408. route 0.0.0.0/0 next-table inet.0;
  409. }
  410. }
  411. }
/* ISP2 uplink in its own virtual router; its default route mirrors the main one with the
   preferences swapped (2.2.2.1 primary, 1.1.1.1 as the less-preferred backup). */
  412. ISP2 {
  413. instance-type virtual-router;
  414. interface fe-0/0/7.0;
  415. routing-options {
  416. interface-routes {
  417. rib-group inet inside;
  418. }
  419. static {
  420. route 0.0.0.0/0 {
  421. next-hop 2.2.2.1;
  422. qualified-next-hop 1.1.1.1 {
  423. preference 10;
  424. }
  425. }
  426. }
  427. }
  428. }
  429. }