Dual ISP with destination NAT



  • Hello,

    Some other topics have quite the same subject but even with those I wasn’t able to solve my issue.

    We have two ISPs, eb-qual (192.168.26.0/24) and gaga (10.0.2.0/24), and the users come from the zone gogol (10.0.1.0/24). The goal is the following:

    • Everyone from the zone gogol must use the path through the zone gaga.
    • The server (10.0.1.2) is the exception: it must use the path through the zone eb-qual, and it is reachable from outside on the static-NAT address 192.168.26.209.

    Inbound traffic reaches the server, but the server's reply is dropped: the debug output below shows the reverse route lookup for 192.168.40.30 failing (`route lookup failed ... pak dropped since re-route failed`), so the reply never selects a path at all. Here is the current configuration:

    Last changed: 2010-02-12 14:16:30 UTC

    version 10.0R2.10;
    /* Dual-ISP setup: ge-0/0/0 faces ISP "eb-qual", fe-0/0/2 faces ISP "gaga",
       ge-0/0/1 is the inside LAN (zone gogol). The uplink is chosen per source
       address by the filter-based-forwarding filter "gogol-server" (see firewall). */
    interfaces {
       ge-0/0/0 {
           unit 0 {
               family inet {
                   filter {
                       /* Troubleshooting filter: counts and logs every egress packet on this uplink. */
                       output eb-qual;
                   }
                   address 192.168.26.208/24;
               }
           }
       }
       ge-0/0/1 {
           unit 0 {
               family inet {
                   filter {
                       /* FBF: picks the egress routing instance by source address. */
                       input gogol-server;
                   }
                   address 10.0.1.1/24;
               }
           }
       }
       fe-0/0/2 {
           unit 0 {
               family inet {
                   filter {
                       /* Troubleshooting filter: counts and logs every egress packet on this uplink. */
                       output gaga;
                   }
                   address 10.0.2.1/24;
               }
           }
       }
    }                  
    /* NOTE(review): the master table inet.0 holds no default route; only the two
       forwarding instances below do. The debug output shows the reverse lookup for
       192.168.40.30 coming back empty (output_ifp N/A, out-zone 65535) and the
       server's reply being dropped as "re-route failed". Verify whether that reverse
       lookup is done in inet.0; if it is, a 0.0.0.0/0 route under this stanza is the
       usual remedy (the static-NAT sessions all enter on ge-0/0/0.0, so 192.168.26.1
       would be the candidate next hop) -- confirm before applying. */
    routing-options {
       interface-routes {
           /* Leak the directly connected routes into inet.0 and both forwarding
              instances, so each instance can reach the LAN and its own ISP next hop. */
           rib-group inet common;
       }
       rib-groups {
           common {
               import-rib [ inet.0 eb-qual.inet.0 gaga.inet.0 ];
           }
       }
    }
    security {
       nat {
           source {
               /* Hide the LAN behind the address of whichever uplink a packet leaves on. */
               rule-set interface-nat-out {
                   from interface ge-0/0/1.0;
                   to interface [ ge-0/0/0.0 fe-0/0/2.0 ];
                   rule interface-nat-out {
                       match {
                           source-address 10.0.1.0/24;
                           destination-address 0.0.0.0/0;
                       }
                       then {
                           source-nat {
                               interface;
                           }
                       }
                   }
               }
           }
           /* One-to-one NAT for the server. The rule-set only matches traffic entering
              from zone eb-qual, so the server is not published on the gaga uplink. */
           static {
               rule-set server-nat {
                   from zone eb-qual;
                   rule server-nat {
                       match {
                           destination-address 192.168.26.209/32;
                       }
                       then {
                           static-nat prefix 10.0.1.2/32;
                       }
                   }
               }
           }
           /* 192.168.26.209 is not an interface address (ge-0/0/0 has .208), so the
              SRX must answer the upstream router's ARP for it. */
           proxy-arp {
               interface ge-0/0/0.0 {
                   address {
                       192.168.26.209/32;
                   }
               }
           }
       }
       zones {        
           security-zone eb-qual {
               /* tcp-rst: the SRX answers out-of-session non-SYN segments with a RST. On an
                  ISP-facing zone this also tells a scanner a stateful device is in the path;
                  keep it only if an application actually needs it. */
               tcp-rst;
               interfaces {
                   ge-0/0/0.0 {
                       host-inbound-traffic {
                           system-services {
                               /* SECURITY: "all" exposes every host-inbound service of the SRX
                                  itself (remote-management protocols among them) to the ISP side.
                                  Restrict this uplink to what it needs, e.g. ping. */
                               all;
                           }
                       }
                   }
               }
           }
           security-zone gogol {
               tcp-rst;
               interfaces {
                   ge-0/0/1.0 {
                       host-inbound-traffic {
                           system-services {
                               /* Inside zone: "all" is more defensible here, but still prefer
                                  listing the services the LAN really uses. */
                               all;
                           }
                       }
                   }
               }
           }
           security-zone gaga {
               tcp-rst;
               interfaces {
                   fe-0/0/2.0 {
                       host-inbound-traffic {
                           system-services {
                               /* SECURITY: same as on ge-0/0/0.0 -- this is an ISP-facing interface;
                                  do not expose management services here. */
                               all;
                           }
                       }
                   }
               }
           }
       }
    }
    firewall {
       /* Filter-based forwarding on the LAN interface. Term order matters: the /32
          server term must precede the /24 term, or the server would follow the LAN. */
       filter gogol-server {
           term 1 {
               from {
                   source-address {
                       10.0.1.2/32;
                   }
               }
               then {
                   /* The server leaves via ISP eb-qual, where its static-NAT address lives. */
                   routing-instance eb-qual;
               }
           }
           term 2 {
               from {
                   source-address {
                       10.0.1.0/24;
                   }
               }
               then {
                   /* Everyone else on the LAN leaves via ISP gaga. */
                   routing-instance gaga;
               }
           }
           term 3 {
               /* Reached only by sources outside 10.0.1.0/24 arriving on the LAN port, i.e.
                  spoofed or misaddressed hosts, which are then forwarded by the normal
                  lookup. Consider "then discard" here as ingress anti-spoofing. */
               then accept;
           }
       }
       /* Per-uplink egress counter. "log" on every packet is for troubleshooting only;
          remove it once the path problem is solved. */
       filter eb-qual {
           term 1 {
               then {
                   count eb-qual;
                   log;
                   accept;
               }
           }
       }
       /* Per-uplink egress counter, same remark as for filter eb-qual. */
       filter gaga {
           term 1 {
               then {
                   count gaga;
                   log;
                   accept;
               }
           }
       }
    }
    /* Forwarding instances: each carries only its ISP default route; the connected
       routes reach them through rib-group "common" (routing-options above). */
    routing-instances {
       eb-qual {
           instance-type forwarding;
           routing-options {
               static {
                   route 0.0.0.0/0 next-hop 192.168.26.1;
               }
           }
       }
       gaga {
           instance-type forwarding;
           routing-options {
               static {
                   route 0.0.0.0/0 next-hop 10.0.2.254;
               }
           }
       }
    }

    Have you any idea what may create this issue?

    Here is the debug output for a ping from 192.168.40.30, arriving from the zone eb-qual, to the static-NAT address 192.168.26.209 (translated to 10.0.1.2):
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:<192.168.40.30/2048->192.168.26.209/11100;1> matched filter f0:
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:packet [60] ipid = 11485, @42380c9e
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x42380b00
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: flow process pak fast ifl 70 in_ifp ge-0/0/0.0
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  ge-0/0/0.0:192.168.40.30->192.168.26.209, icmp, (8/0)
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: find flow: table 0x4d5c8238, hash 46214(0xffff), sa 192.168.40.30, da 192.168.26.209, sp 7936, dp 768, proto 1, tok 384
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  flow_first_create_session
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  flow_first_in_dst_nat: in <ge-0/0/0.0>, out <N/A> dst_adr 192.168.26.209, sp 7936, dp 768
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  chose interface ge-0/0/0.0 as incoming nat if.
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_rule_dst_xlate: packet 192.168.40.30->192.168.26.209 nsp2 0.0.0.0->10.0.1.2.
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_routing: call flow_route_lookup(): src_ip 192.168.40.30, x_dst_ip 10.0.1.2, in ifp ge-0/0/0.0, out ifp N/A sp 7936, dp 768, ip_proto 1, tos 0
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:Doing DESTINATION addr route-lookup
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  routed (x_dst_ip 10.0.1.2) from eb-qual (ge-0/0/0.0 in 0) to ge-0/0/1.0, Next-hop: 10.0.1.2
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  policy search from zone eb-qual-> zone gogol
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  app 0, timeout 60s, curr ageout 60s
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_src_xlate: 192.168.40.30/7936 -> 192.168.26.209/768 | 10.0.1.2/768 -> 0.0.0.0/7936: nat_src_xlated: False, nat_src_xlate_failed: False
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_src_xlate: src nat 0.0.0.0(7936) to 10.0.1.2(768) returns status: 0, rule/pool id: 0/0, pst_nat: False.
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  dip id = 0/0, 192.168.40.30/7936->192.168.40.30/7936
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_get_out_ifp: 1000 -> cone nat test
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  choose interface ge-0/0/1.0 as outgoing phy if
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:is_loop_pak: No loop: on ifp: ge-0/0/1.0, addr: 10.0.1.2, rtt_idx:0
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:policy is NULL (wx/pim scenario)
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:sm_flow_interest_check: app_id 0, policy 5, app_svc_en 0, flags 0x2. not interested
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:sm_flow_interest_check: app_id 1, policy 5, app_svc_en 0, flags 0x2. not interested
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_service_lookup(): natp(0x4b5d5628): app_id, 0(0).
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  service lookup identified service 0.
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  flow_first_final_check: in <ge-0/0/0.0>, out <ge-0/0/1.0>
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:flow_first_final_check: flow_set_xlate_vector.
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  existing vector list 1200-45771548.
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  Session (id:136) created for first pak 1200
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  flow_first_install_session======> 0x4b5d5628
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: nsp 0x4b5d5628, nsp2 0x4b5d5694
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  make_nsp_ready_no_resolve()
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  route lookup: dest-ip 192.168.40.30 orig ifp ge-0/0/0.0 output_ifp N/A orig-zone 6 out-zone 65535 vsd 0
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:Installing c2s NP session wing
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:Installing s2c NP session wing
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  flow got session.
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  flow session id 136
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:  post addr xlation: 192.168.40.30->10.0.1.2.
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT:mbuf 0x42380b00, exit nh 0x80010
    Feb 12 13:59:23 13:59:22.1045859:CID-0:RT: ----- flow_process_pkt rc 0x0 (fp rc 0)
    Feb 12 13:59:23 13:59:22.1048107:CID-0:RT:<10.0.1.2/0->192.168.40.30/13148;1> matched filter f1:
    Feb 12 13:59:23 13:59:22.1048107:CID-0:RT:packet [60] ipid = 489, @4238509e
    Feb 12 13:59:23 13:59:22.1048107:CID-0:RT:---- flow_process_pkt: (thd 1): flow_ctxt type 13, common flag 0x0, mbuf 0x42384f00
    Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: flow process pak fast ifl 71 in_ifp ge-0/0/1.0
    Feb 12 13:59:23 13:59:22.1048107:CID-0:RT:  ge-0/0/1.0:10.0.1.2->192.168.40.30, icmp, (0/0)
    Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: find flow: table 0x4d5c8238, hash 28983(0xffff), sa 10.0.1.2, da 192.168.40.30, sp 768, dp 7936, proto 1, tok 448
    Feb 12 13:59:23 13:59:22.1048107:CID-0:RT:  flow got session.
    Feb 12 13:59:23 13:59:22.1048107:CID-0:RT:  flow session id 136
    Feb 12 13:59:23 13:59:22.1048107:CID-0:RT:  route lookup failed: dest-ip 192.168.40.30 orig ifp ge-0/0/0.0 output_ifp N/A fto 0x0 orig-zone 6 out-zone 65535 vsd 0
    Feb 12 13:59:23 13:59:22.1048107:CID-0:RT:  packet dropped,   pak dropped since re-route failed
    Feb 12 13:59:23 13:59:22.1048107:CID-0:RT: ----- flow_process_pkt rc 0x7 (fp rc -1)


 
