[j-nsp] SRX FBR and destination nat
Hello! I have two connections to the ISP on SRX220H (12.1X45-D15.5). ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0) ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1) Default gateway looks in to pp0.1 I need to do destination nat to host in lan PC (10.121.0.101) via non default ISP1 (int pp0.0). First of all, configure FBR for LAN network via pp0.0: routing-options interface-routes { rib-group inet all; } . rib-groups { all { import-rib [ inet.0 cat.inet.0 ]; } . cat { instance-type forwarding; routing-options { static { route 0.0.0.0/0 next-hop pp0.0; } } } .. firewall family inet filter cat term route-to-cat { from { source-address { 10.121.0.0/24; } } then { routing-instance cat; } } term default { then accept; } . interfaces ge-0/0/0.99 description cctv; vlan-id 99; family inet { mtu 1500; filter { input cat; } address 10.121.0.200/24; } . security policies from-zone cctv to-zone untrust policy proxmox-inet { match { source-address any; destination-address any; application any; } then { permit; } } security policies from-zone untrust to-zone cctv policy cctv-access { match { source-address any; destination-address any; application any; } then { permit; } } Everything looks OK, outgoing traffic goes via pp0.0 After that, configure dest nat: pool cctv-rdr { address 10.121.0.101/32; } rule-set cctv-rdr { from interface pp0.0; rule cctv-rdr { match { destination-address 1.1.1.2/32; } then { destination-nat { pool { cctv-rdr; } } } } } Traffic comes through pp0.0 but returns through pp0.1 That breaks port forward (due to uplink urpf). Where I'm wrong in my configuration? Thanks! -- WBR, Yuriy B. Borysov YOKO-UANIC | YOKO-RIPE ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX FBR and destination nat
I think you are hit by the flow mechanism, this would probably work in pure routing scenario. Please verify my possible explanation with set security flow traceoptions flag basic-datapath. When the first packet is accepted, a flow is set up. It contains both the forward path and the reverse path, all forwarding/routing decisions are made at that point. At this time, nothing is known about the FBR setup. When the return packet enters the FW, the filter action of setting RI to cat is probably noted in the packet meta-data, but when the flow engine then evaluates the packet, an existing flow is found, the fast-path is taken (no routing/forwarding lookup), and the exit path as determined earlier is used. This is the reason why your setup does not work (I think). (This is the place where I would normally suggest a fix, but I'm short on time and would like to try some Junos Cup challenges while I can. If the problem persists, please poke me.) /Per On 26 Jun 2014, at 15:39, Yuriy B. Borysov wrote: Hello! I have two connections to the ISP on SRX220H (12.1X45-D15.5). ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0) ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1) Default gateway looks in to pp0.1 I need to do destination nat to host in lan PC (10.121.0.101) via non default ISP1 (int pp0.0). First of all, configure FBR for LAN network via pp0.0: routing-options interface-routes { rib-group inet all; } . rib-groups { all { import-rib [ inet.0 cat.inet.0 ]; } . cat { instance-type forwarding; routing-options { static { route 0.0.0.0/0 next-hop pp0.0; } } } .. firewall family inet filter cat term route-to-cat { from { source-address { 10.121.0.0/24; } } then { routing-instance cat; } } term default { then accept; } . interfaces ge-0/0/0.99 description cctv; vlan-id 99; family inet { mtu 1500; filter { input cat; } address 10.121.0.200/24; } . security policies from-zone cctv to-zone untrust policy proxmox-inet { match { source-address any; destination-address any; application any; } then { permit; } } security policies from-zone untrust to-zone cctv policy cctv-access { match { source-address any; destination-address any; application any; } then { permit; } } Everything looks OK, outgoing traffic goes via pp0.0 After that, configure dest nat: pool cctv-rdr { address 10.121.0.101/32; } rule-set cctv-rdr { from interface pp0.0; rule cctv-rdr { match { destination-address 1.1.1.2/32; } then { destination-nat { pool { cctv-rdr; } } } } } Traffic comes through pp0.0 but returns through pp0.1 That breaks port forward (due to uplink urpf). Where I'm wrong in my configuration? Thanks! -- WBR, Yuriy B. Borysov YOKO-UANIC | YOKO-RIPE ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX FBR and destination nat
There is (probably) a simple solution if pp0.0 is only used by inbound traffic that will be NAT-ed, and never used as backup for pp0.1 outbound. Is this the case? /Per Sent from my iPad, please ignore stupid spelling corrections! 26 jun 2014 kl. 15:39 skrev Yuriy B. Borysov yokod...@yokodzun.kiev.ua: I need to do destination nat to host in lan PC (10.121.0.101) via non default ISP1 (int pp0.0). ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX FBR and destination nat
Hi Yuriy, This exact configuration is documented quite thoroughly in Recipe 12 in the Day One: Juniper Ambassadors' Cookbook for Enterprise found here: http://www.juniper.net/us/en/community/junos/training-certification/day-one/networking-technologies-series/cookbook-for-enterprise/ Credit for this particular one (and the 5 different solutions provided!) goes to Peter Klimai! Cheers, Ben On 26 Jun 2014, at 11:39 pm, Yuriy B. Borysov yokod...@yokodzun.kiev.ua wrote: Hello! I have two connections to the ISP on SRX220H (12.1X45-D15.5). ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0) ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1) Default gateway looks in to pp0.1 I need to do destination nat to host in lan PC (10.121.0.101) via non default ISP1 (int pp0.0). First of all, configure FBR for LAN network via pp0.0: routing-options interface-routes { rib-group inet all; } . rib-groups { all { import-rib [ inet.0 cat.inet.0 ]; } . cat { instance-type forwarding; routing-options { static { route 0.0.0.0/0 next-hop pp0.0; } } } .. firewall family inet filter cat term route-to-cat { from { source-address { 10.121.0.0/24; } } then { routing-instance cat; } } term default { then accept; } . interfaces ge-0/0/0.99 description cctv; vlan-id 99; family inet { mtu 1500; filter { input cat; } address 10.121.0.200/24; } . security policies from-zone cctv to-zone untrust policy proxmox-inet { match { source-address any; destination-address any; application any; } then { permit; } } security policies from-zone untrust to-zone cctv policy cctv-access { match { source-address any; destination-address any; application any; } then { permit; } } Everything looks OK, outgoing traffic goes via pp0.0 After that, configure dest nat: pool cctv-rdr { address 10.121.0.101/32; } rule-set cctv-rdr { from interface pp0.0; rule cctv-rdr { match { destination-address 1.1.1.2/32; } then { destination-nat { pool { cctv-rdr; } } } } } Traffic comes through pp0.0 but returns through pp0.1 That breaks port forward (due to uplink urpf). Where I'm wrong in my configuration? Thanks! -- WBR, Yuriy B. Borysov YOKO-UANIC | YOKO-RIPE ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX FBR and destination nat (Yuriy B. Borysov)
Hi Yuriy, Assuming you have 2 links with SAME ISP and your ISP is doing BGP for you, the only way this would work is if your ISP is also forwarding 10.121.0.101/32 through your secondary link. Best Regards Sinisa Pesa | Senior Network and Security Specialist www.bluecentral.com | an IPMG company -- Message: 2 Date: Thu, 26 Jun 2014 16:39:06 +0300 From: Yuriy B. Borysov yokod...@yokodzun.kiev.ua To: juniper-nsp@puck.nether.net Subject: [j-nsp] SRX FBR and destination nat Message-ID: 20140626133906.ga79...@itsinternet.net Content-Type: text/plain; charset=us-ascii Hello! I have two connections to the ISP on SRX220H (12.1X45-D15.5). ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0) ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1) Default gateway looks in to pp0.1 I need to do destination nat to host in lan PC (10.121.0.101) via non default ISP1 (int pp0.0). First of all, configure FBR for LAN network via pp0.0: routing-options interface-routes { rib-group inet all; } . rib-groups { all { import-rib [ inet.0 cat.inet.0 ]; } . cat { instance-type forwarding; routing-options { static { route 0.0.0.0/0 next-hop pp0.0; } } } .. firewall family inet filter cat term route-to-cat { from { source-address { 10.121.0.0/24; } } then { routing-instance cat; } } term default { then accept; } . interfaces ge-0/0/0.99 description cctv; vlan-id 99; family inet { mtu 1500; filter { input cat; } address 10.121.0.200/24; } . security policies from-zone cctv to-zone untrust policy proxmox-inet { match { source-address any; destination-address any; application any; } then { permit; } } security policies from-zone untrust to-zone cctv policy cctv-access { match { source-address any; destination-address any; application any; } then { permit; } } Everything looks OK, outgoing traffic goes via pp0.0 After that, configure dest nat: pool cctv-rdr { address 10.121.0.101/32; } rule-set cctv-rdr { from interface pp0.0; rule cctv-rdr { match { destination-address 1.1.1.2/32; } then { destination-nat { pool { cctv-rdr; } } } } } Traffic comes through pp0.0 but returns through pp0.1 That breaks port forward (due to uplink urpf). Where I'm wrong in my configuration? Thanks! -- WBR, Yuriy B. Borysov YOKO-UANIC | YOKO-RIPE -- Subject: Digest Footer ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp -- End of juniper-nsp Digest, Vol 139, Issue 21 IMPORTANT NOTICE: This email (and any attachments) is only for the personal use of the intended recipient and may contain information that is confidential to BlueCentral or the intended recipient. If you have received this message by mistake, BlueCentral does not authorize you to act on it and asks you to notify us immediately (at the email address shown above) and delete the message from your system. BlueCentral does not accept responsibility for any loss or damage caused by a computer virus, trojan horse, worm or similar program that may have attached itself to this message. ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX FBR and destination nat
If you start by setting up traceoptions as in the excellent article referred to by Ben, you will probably find the problem easily. Then, making the RI cat a virtual-router instead of a forwarding instance (with the ISP ifl in it) and setting up proper policy will probably be a good start to getting everything working. /Per On 27 Jun 2014, at 1:59, Ben Dale wrote: Hi Yuriy, This exact configuration is documented quite thoroughly in Recipe 12 in the Day One: Juniper Ambassadors' Cookbook for Enterprise found here: http://www.juniper.net/us/en/community/junos/training-certification/day-one/networking-technologies-series/cookbook-for-enterprise/ Credit for this particular one (and the 5 different solutions provided!) goes to Peter Klimai! Cheers, Ben ___ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp