Configuration Destination NAT with 2 ISP



  • Hello, I have the following scenario:

    Juniper SRX110
    -I have 2 internet links with fixed IPs: ISP1 189.x.x.x and ISP2 187.x.x.x
    -2 different subnets: Data1 192.168.1.x and Data2 192.168.2.x
    -The Data1 network must exit through ISP1 and Data2 through ISP2
    The problem is that destination NAT for “HTTPS (443)” stops working once I set up the rib-group; everything else works correctly.
    Any solution for this?

    My configuration is as follows:

    Last changed: 2017-03-15 16:51:50 GMT

    /* Pasted from the forum post: indentation is lost, the curly quotes in the
       description strings and the "x…x" ellipsis in the masked 189.x.x.170
       addresses are transcription artifacts rather than Junos syntax. The
       services/syslog/license stanzas below belong under a `system {` block whose
       opening line is not in the paste (its closing brace is). */
    version 12.1X44-D35.5;
    /* Management daemons: ssh, telnet and web-management over HTTPS on 9443 with a
       device-generated certificate. Which interfaces actually accept them is
       decided per zone under host-inbound-traffic further down. */
    services {
    ssh;
    telnet;
    web-management {
    https {
    port 9443;
    system-generated-certificate;
    }
    session {
    idle-timeout 60;
    }
    }
    }
    /* Local logging only (no remote syslog host in this paste): emergencies to all
       users, critical plus authorization events to "messages", failed interactive
       commands to their own file. */
    syslog {
    archive size 100k files 3;
    user * {
    any emergency;
    }
    file messages {
    any critical;
    authorization info;
    }
    file interactive-commands {
    interactive-commands error;
    }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
    autoupdate {
    url https://ae1.juniper.net/junos/key_retrieval;
    }
    }
    }
    /* fe-0/0/0 = ISP1 WAN (189.x.x.170/28), fe-0/0/1 = Data1 LAN (192.168.1.0/24),
       fe-0/0/2 = Data2 LAN (192.168.2.0/24), fe-0/0/7 = ISP2 WAN (187.x.x.194/28). */
    interfaces {
    fe-0/0/0 {
    unit 0 {
    family inet {
    address 189.x.x.170/28;
    }
    }
    }
    fe-0/0/1 {
    unit 0 {
    family inet {
    address 192.168.1.252/24;
    }
    }
    }
    fe-0/0/2 {
    unit 0 {
    family inet {
    address 192.168.2.252/24;
    }
    }
    }
    fe-0/0/7 {
    unit 0 {
    family inet {
    address 187.x.x.194/28;
    }
    }
    }
    }
    routing-options {
    /* Default route in the main instance (inet.0) listing both ISP gateways; the
       virtual-routers below each carry their own single-gateway default. */
    static {
    route 0.0.0.0/0 {
    next-hop [ 189.x.x.169 187.x.x.193 ];
    qualified-next-hop 187.x.x.193;
    }
    }
    /* Import targets are ISP1.inet.0 and ISP2.inet.0 only; inet.0 is not listed,
       so interface routes shared through this group never reach the default
       instance. */
    rib-groups {
    ISP1-ISP2 {
    import-rib [ ISP1.inet.0 ISP2.inet.0 ];
    }
    }
    }
    protocols {
    stp;
    }
    security {
    /* NOTE(review): this screen profile is defined but no security-zone in this
       paste applies it (no `screen untrust-screen;` statement), so none of these
       checks are active on the ISP-facing zones. */
    screen {
    ids-option untrust-screen {
    icmp {
    ping-death;
    }
    ip {
    source-route-option;
    tear-drop;
    }
    tcp {
    syn-flood {
    alarm-threshold 1024;
    attack-threshold 200;
    source-threshold 1024;
    destination-threshold 2048;
    timeout 20;
    }
    land;
    }
    }
    }
    nat {
    /* Interface-based source NAT for REDVERACRUZ->Internet and
       REDVERACRUZ2->INTERNET2 only. The cross paths REDVERACRUZ->INTERNET2 and
       REDVERACRUZ2->Internet are permitted by policy below but have no source NAT
       rule-set here. */
    source {
    rule-set nsw_srcnat {
    from zone REDVERACRUZ;
    to zone Internet;
    rule nsw-src-interface {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    rule-set ISP2 {
    from zone REDVERACRUZ2;
    to zone INTERNET2;
    rule ISP2 {
    match {
    source-address 0.0.0.0/0;
    destination-address 0.0.0.0/0;
    }
    then {
    source-nat {
    interface;
    }
    }
    }
    }
    }
    destination {
    /* Not referenced by any rule in rule-set VIPs. */
    pool Barracuda {
    routing-instance {
    default;
    }
    address 192.168.1.20/32 port 25;
    }
    /* NOTE(review): no routing-instance statement here or on Cliente_Citrix,
       unlike pool HTTPS below; the reported working/failing split follows exactly
       that difference. */
    pool HTTP80 {
    description “HTTP(80)”;
    address 192.168.1.3/32 port 80;
    }
    pool Cliente_Citrix {
    address 192.168.1.3/32 port 1494;
    }
    /* NOTE(review): the only rule-referenced pool that pins the lookup to the
       default instance. 192.168.1.38 sits on fe-0/0/1.0, which the
       routing-instances section assigns to virtual-router ISP1, and the rib-group
       above leaks its interface route only into ISP1.inet.0/ISP2.inet.0, never
       into inet.0 — verify whether this `routing-instance default` is why only
       the 443 rule fails. */
    pool HTTPS {
    description “HTTPS(443)”;
    routing-instance {
    default;
    }
    address 192.168.1.38/32 port 443;
    }
    /* All three rules match the ISP1 address only; nothing is published on the
       187.x.x.194 (ISP2) side. */
    rule-set VIPs {
    description “Regla para Vips”;
    from zone Internet;
    rule Rule_HTTP {
    description “HTTP(80)”;
    match {
    destination-address 189.x…x.170/32;
    destination-port 80;
    }
    then {
    destination-nat pool HTTP80;
    }
    }
    rule Rule_Citrix {
    description “Cleinte Citrix”;
    match {
    destination-address 189.x…x.170/32;
    destination-port 1494;
    }
    then {
    destination-nat pool Cliente_Citrix;
    }
    }
    rule Rule_HTTPS {
    description “HTTPS(443)”;
    match {
    destination-address 189.x…x.170/32;
    destination-port 443;
    }
    then {
    /* No trailing ';' on this line in the paste — confirm the committed
       statement reads `destination-nat pool HTTPS;`. */
    destination-nat pool HTTPS
    }
    }
    }
    }
    }
    policies {
    from-zone REDVERACRUZ to-zone Internet {
    policy AccesoInternet {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    /* Inbound from ISP1: `application any` to five servers is wider than the
       three DNAT ports actually published (80, 1494, 443); Server_192.168.1.30 and
       Server_192.168.1.10 have no DNAT rule at all. Narrowing to the published
       applications would limit what reaches those hosts. */
    from-zone Internet to-zone REDVERACRUZ {
    policy AccesoInternet {
    match {
    source-address any;
    destination-address [ Server_192.168.1.20 Server_192.168.1.30 Server_192.168.1.10 Server_192.168.1.38 Server_192.168.1.3 ];
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone REDVERACRUZ2 to-zone INTERNET2 {
    policy REDVER2 {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone REDVERACRUZ to-zone REDVERACRUZ2 {
    policy RED_LOCAL {
    description “COMUNICACION AMBAS REDES”;
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    from-zone REDVERACRUZ2 to-zone REDVERACRUZ {
    policy RED_LOCAL2 {
    description “COMUNICACION AMBAS REDES”;
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    /* Permits REDVERACRUZ->INTERNET2 although no source NAT rule-set covers that
       zone pair (see nat source above). */
    from-zone REDVERACRUZ to-zone INTERNET2 {
    policy AccesoInt2 {
    description “Acceso red 1 a internet de Telmex”;
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    /* Same gap in the other direction: REDVERACRUZ2->Internet has no source NAT
       rule-set. */
    from-zone REDVERACRUZ2 to-zone Internet {
    policy REDVER1 {
    match {
    source-address any;
    destination-address any;
    application any;
    }
    then {
    permit;
    }
    }
    }
    }
    zones {
    security-zone REDVERACRUZ {
    address-book {
    address LptGama 192.168.1.5/32;
    address Server_192.168.1.20 192.168.1.20/32;
    address Server_192.168.1.30 192.168.1.30/32;
    address Server_192.168.1.21 192.168.1.21/32;
    address Server_192.168.1.3 192.168.1.3/32;
    address Server_192.168.1.7 192.168.1.7/32;
    address Server_192.168.1.10 192.168.1.10/32;
    address Server_192.168.1.29 192.168.1.29/32;
    address Server_192.168.1.38 192.168.1.38/32;
    }
    /* Management, including telnet and plain http, is accepted from the Data1 LAN
       only; this is the only interface that exposes telnet. */
    interfaces {
    fe-0/0/1.0 {
    host-inbound-traffic {
    system-services {
    ping;
    https;
    http;
    ssh;
    telnet;
    }
    }
    }
    }
    }
    /* ISP1-facing zone: ping, https (web-management on 9443) and ssh are accepted
       straight from the internet, and no screen profile is applied here. */
    security-zone Internet {
    description METROCARRIER;
    interfaces {
    fe-0/0/0.0 {
    host-inbound-traffic {
    system-services {
    ping;
    https;
    ssh;
    }
    }
    }
    }
    }
    security-zone REDVERACRUZ2 {
    interfaces {
    fe-0/0/2.0;
    }
    }
    /* ISP2-facing zone: https and ping accepted from the internet; no screen
       profile applied. */
    security-zone INTERNET2 {
    description TELMEX;
    interfaces {
    fe-0/0/7.0 {
    host-inbound-traffic {
    system-services {
    https;
    ping;
    }
    }
    }
    }
    }
    }
    }
    /* Each ISP's WAN and LAN interfaces live in their own virtual-router with a
       single default route. Both instances push their interface routes through
       rib-group ISP1-ISP2 — presumably so the two LANs can reach each other
       (policies RED_LOCAL/RED_LOCAL2); verify against the intended design. */
    routing-instances {
    ISP1 {
    instance-type virtual-router;
    interface fe-0/0/0.0;
    interface fe-0/0/1.0;
    routing-options {
    interface-routes {
    rib-group inet ISP1-ISP2;
    }
    static {
    route 0.0.0.0/0 next-hop 189.x.x.169;
    }
    }
    }
    ISP2 {
    instance-type virtual-router;
    interface fe-0/0/2.0;
    interface fe-0/0/7.0;
    routing-options {
    interface-routes {
    rib-group inet ISP1-ISP2;
    }
    static {
    route 0.0.0.0/0 next-hop 187.x.x.193;
    }
    }
    }
    }

    Regards!
    Miguel Rodriguez



  • Hi miguelrdz,

    Could you please run the following test and configure traceoptions as follows:
    -Try to open the HTTPS site at the x.x.x.70 address, and note the IP address of the PC from which you run the test.
    -Traceoptions config:

    set security flow traceoptions file D_Nat_HTTPS

    set security flow traceoptions flag basic-datapath

    set security flow traceoptions packet-filter F1 source-prefix <your-test-pc-ip> destination-prefix 189.x.x.170

    set security flow traceoptions packet-filter F2 source-prefix 192.168.1.38 destination-prefix <your-test-pc-ip>

    commit

    Please attach the resulting trace file to the reply.


 
