- Configuration Example: Configure J-Series/SRX for dual ISP without dynamic routing protocols.
- Knowledge Base ID: KB15545
- Version: 1.0
- Published: 16 Oct 2009
- Categories: J-series, SRX Series
- Summary:
- This article contains a sample configuration for J-Series and branch SRX devices with a dual ISP connection. This allows ISP failover without dynamic routing protocols such as OSPF or BGP.
- Problem or Goal:
- Topology Assumptions
- Note that an SRX210 running 9.6R2 was used for this example.
- Trust zone network is 192.168.1.0/24 on ge-0/0/0
- DMZ zone network is 10.10.10.0/24 on ge-0/0/1
- ISP1 zone network is 1.1.1.0/29 on fe-0/0/6
- ISP2 zone network is 2.2.2.0/29 on fe-0/0/7
- Requirements
- * Trust and DMZ zones should egress out ISP1 with source-nat.
- * If ISP1 interface goes down, then Trust and DMZ zones should egress out ISP2 instead with source-nat.
- * If ISP1 interface returns, then Trust and DMZ zones should revert back to using ISP1 again.
- * ISP1 must allow destination NAT for web server in Trust zone and mail server in DMZ zone.
- * ISP2 also has destination NAT for same web and mail servers.
- * When both ISPs are up, destination NAT addresses should be available from both ISPs for both web and mail servers.
- Solution:
- This is possible using a combination of multiple routing instances with filter-based forwarding and a qualified-next-hop on the default route. Below is a sample working configuration for the above scenario.
/* Physical interfaces. The two LAN interfaces are members of routing-instance INSIDE
   (see routing-instances); the two uplinks stay in inet.0 (fe-0/0/6) and ISP2 (fe-0/0/7).
   NOTE(review): 1.1.1.0/29 and 2.2.2.0/29 are real, routed public prefixes used here only
   as placeholders - substitute the addresses assigned by your ISPs before deploying. */
interfaces {
    /* Trust LAN (192.168.1.0/24); the web server 192.168.1.5 lives here. */
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 192.168.1.254/24;
            }
        }
    }
    /* DMZ LAN (10.10.10.0/24); the mail server 10.10.10.5 lives here. */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 10.10.10.254/24;
            }
        }
    }
    /* ISP1 uplink. The input filter isp1-in only steers traffic addressed to 1.1.1.0/29
       into TRUST-VRF (filter-based forwarding); its last term accepts everything else, so
       it does not restrict what reaches this interface - that is left to the security
       zone's host-inbound-traffic and the security policies. */
    fe-0/0/6 {
        unit 0 {
            family inet {
                filter {
                    input isp1-in;
                }
                address 1.1.1.2/29;
            }
        }
    }
    /* ISP2 uplink; isp2-in plays the same forwarding-only role for 2.2.2.0/29. */
    fe-0/0/7 {
        unit 0 {
            family inet {
                filter {
                    input isp2-in;
                }
                address 2.2.2.2/29;
            }
        }
    }
}
/* Main instance (inet.0) routing. This is the table ISP1-bound traffic is resolved in. */
routing-options {
    /* Copy the interface (direct) routes of inet.0 into the other tables named in
       rib-group "inside" so each instance can resolve the uplink and LAN subnets. */
    interface-routes {
        rib-group inet inside;
    }
    static {
        /* Primary default via ISP1. The ISP2 next hop is given preference 10, worse than
           the preference 5 a static route gets by default, so it is used only while
           1.1.1.1 is unreachable and is dropped again once the ISP1 link comes back
           (requirements 2 and 3). Failover is keyed to next-hop/interface state only:
           an upstream outage that leaves fe-0/0/6 up is not detected by this design. */
        route 0.0.0.0/0 {
            next-hop 1.1.1.1;
            qualified-next-hop 2.2.2.1 {
                preference 10;
            }
        }
    }
    rib-groups {
        /* The first table listed is the source; the remaining three receive the routes. */
        inside {
            import-rib [ inet.0 TRUST-VRF.inet.0 INSIDE.inet.0 ISP2.inet.0 ];
        }
    }
}
/* NAT, zones and policies. Destination NAT is applied before policy lookup, so the
   inbound policies below match on the translated (internal) server addresses. */
security {
    nat {
        source {
            /* Interface source NAT for all traffic leaving the INSIDE instance toward
               either uplink table (ISP2 or the main instance, "default"); the egress
               address is that of whichever uplink the route lookup selected. */
            rule-set interface-nat-out {
                from routing-instance INSIDE;
                to routing-instance [ ISP2 default ];
                rule interface-nat-out {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* Fixed port mappings to the internal servers; shared by both ISP rule-sets
               so each server is reachable through either provider (requirement 6). */
            pool web-server-trust {
                address 192.168.1.5/32 port 80;
            }
            pool mail-server-dmz {
                address 10.10.10.5/32 port 25;
            }
            /* Keyed to the ISP1 ingress interface. 1.1.1.5 is not an interface address;
               proxy-arp below answers ARP for it. Only tcp/80 and tcp/25 are translated,
               so other ports on 1.1.1.5 are not exposed. */
            rule-set isp1-to-trust {
                from interface fe-0/0/6.0;
                rule isp1-http-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 1.1.1.5/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool web-server-trust;
                    }
                }
                rule isp1-mail-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 1.1.1.5/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool mail-server-dmz;
                    }
                }
            }
            /* Mirror of isp1-to-trust for the ISP2 published address 2.2.2.5. Despite the
               name it also covers the DMZ mail server. */
            rule-set isp2-to-dmz {
                from interface fe-0/0/7.0;
                rule isp2-http-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 2.2.2.5/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool web-server-trust;
                    }
                }
                rule isp2-mail-in {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 2.2.2.5/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool mail-server-dmz;
                    }
                }
            }
        }
        /* Answer ARP on each uplink for the published NAT address of that uplink. */
        proxy-arp {
            interface fe-0/0/6.0 {
                address {
                    1.1.1.5/32;
                }
            }
            interface fe-0/0/7.0 {
                address {
                    2.2.2.5/32;
                }
            }
        }
    }
    zones {
        /* The address-book entries are the post-NAT internal addresses that the
           inbound policies reference. */
        security-zone trust {
            address-book {
                address web-server 192.168.1.5/32;
            }
            interfaces {
                ge-0/0/0.0 {
                    /* NOTE(review): "all" lets any host on the LAN reach every management
                       service of the firewall; narrow this to the services actually used. */
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone dmz {
            address-book {
                address mail-server 10.10.10.5/32;
            }
            interfaces {
                ge-0/0/1.0 {
                    /* NOTE(review): the DMZ is the zone most likely to hold a compromised
                       host; "all" gives it every firewall management service. Restrict to
                       the minimum the mail server needs (often just ping). */
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                    }
                }
            }
        }
        security-zone isp1 {
            interfaces {
                fe-0/0/6.0 {
                    /* NOTE(review): ssh and https are reachable from the Internet on this
                       uplink. Keep them only if remote management over ISP1 is required, and
                       then limit sources with an input filter (isp1-in currently accepts
                       everything); otherwise leave only ping. */
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            https;
                            ping;
                        }
                    }
                }
            }
        }
        security-zone isp2 {
            interfaces {
                fe-0/0/7.0 {
                    /* NOTE(review): same exposure as on isp1 - ssh/https open to the
                       Internet on fe-0/0/7 with no source restriction. */
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            https;
                            ping;
                        }
                    }
                }
            }
        }
    }
    /* Inter-zone policies. Anything not matched is dropped by the implicit default deny.
       None of the policies log sessions; adding "log { session-close; }" to the inbound
       isp1/isp2 policies gives a record of use of the published services. */
    policies {
        from-zone trust to-zone dmz {
            policy allow-trust-to-dmz {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Outbound from trust via either uplink (requirements 1 and 2). */
        from-zone trust to-zone isp1 {
            policy allow-trust-out-isp1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone isp2 {
            policy allow-trust-out-isp2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): unrestricted DMZ -> trust access defeats the purpose of a DMZ;
           a compromised mail server could reach the whole LAN. Narrow this to the
           specific flows the DMZ hosts genuinely need into trust. */
        from-zone dmz to-zone trust {
            policy allow-dmz-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Outbound from dmz via either uplink. */
        from-zone dmz to-zone isp1 {
            policy allow-dmz-out-isp1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone dmz to-zone isp2 {
            policy allow-dmz-out-isp2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound from the Internet: limited to the translated server address and the
           single application each server publishes (requirements 4 and 5). */
        from-zone isp1 to-zone trust {
            policy isp1-http-incoming {
                match {
                    source-address any;
                    destination-address web-server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp1 to-zone dmz {
            policy isp1-mail-incoming {
                match {
                    source-address any;
                    destination-address mail-server;
                    application junos-mail;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp2 to-zone trust {
            policy isp2-http-incoming {
                match {
                    source-address any;
                    destination-address web-server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
        from-zone isp2 to-zone dmz {
            policy isp2-mail-incoming {
                match {
                    source-address any;
                    destination-address mail-server;
                    application junos-mail;
                }
                then {
                    permit;
                }
            }
        }
    }
}
/* Filter-based forwarding only. These filters contain no discard terms and are not an
   access list: term 1 changes the table used for the route lookup, term 2 accepts
   everything else unchanged. Inbound exposure is governed by the security zones. */
firewall {
    filter isp1-in {
        /* Traffic arriving on ISP1 for the ISP1 /29 (this includes the published NAT
           address 1.1.1.5) is looked up in TRUST-VRF, which knows the LAN subnets, so
           the destination-NATted packet is delivered toward the internal server. */
        term 1 {
            from {
                destination-address {
                    1.1.1.0/29;
                }
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then {
                accept;
            }
        }
    }
    /* Same construction for the ISP2 /29 (published address 2.2.2.5). */
    filter isp2-in {
        term 1 {
            from {
                destination-address {
                    2.2.2.0/29;
                }
            }
            then {
                routing-instance TRUST-VRF;
            }
        }
        term 2 {
            then {
                accept;
            }
        }
    }
}
/* Three extra tables: TRUST-VRF (target of filter-based forwarding), INSIDE (the two LANs)
   and ISP2 (the second uplink). All three also receive inet.0's interface routes via
   rib-group "inside". */
routing-instances {
    /* Forwarding-type instance used only as the lookup table for traffic the isp1-in /
       isp2-in filters redirect; it holds routes to the two LAN subnets.
       NOTE(review): 192.168.1.1 and 10.10.10.1 are not addresses this device holds (it has
       .254 on both segments); confirm these next hops resolve in your deployment. */
    TRUST-VRF {
        instance-type forwarding;
        routing-options {
            static {
                route 192.168.1.0/24 next-hop 192.168.1.1;
                route 10.10.10.0/24 next-hop 10.10.10.1;
            }
        }
    }
    /* Both LAN interfaces live here. Its default route hands off to inet.0, so LAN egress
       follows inet.0's default: ISP1 while up, ISP2 otherwise (requirements 1-3). */
    INSIDE {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
    /* Holds the ISP2 uplink so that sessions which arrived via ISP2 are answered via
       ISP2 (symmetric return, needed for the ISP2 destination NAT). Its default route is
       the mirror image of inet.0's: 2.2.2.1 first, with 1.1.1.1 as a preference-10
       fallback used only while the ISP2 next hop is unusable. */
    ISP2 {
        instance-type virtual-router;
        interface fe-0/0/7.0;
        routing-options {
            interface-routes {
                rib-group inet inside;
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 2.2.2.1;
                    qualified-next-hop 1.1.1.1 {
                        preference 10;
                    }
                }
            }
        }
    }
}