[j-nsp] SRX FBR and destination nat

2014-06-26 Thread Yuriy B. Borysov
Hello!

I have two connections to the ISP on SRX220H (12.1X45-D15.5). 

ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0)
ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1)

Default gateway points to pp0.1.

I need to do destination NAT to a host in the LAN (PC 10.121.0.101) via the non-default ISP1 (int pp0.0).

First of all, configure FBR for LAN network via pp0.0:

routing-options
interface-routes {
    rib-group inet all;
}

.

rib-groups {
    all {
        import-rib [ inet.0 cat.inet.0 ];
    }
}

.

routing-instances
cat {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop pp0.0;
        }
    }
}

..

firewall family inet filter cat
term route-to-cat {
    from {
        source-address {
            10.121.0.0/24;
        }
    }
    then {
        routing-instance cat;
    }
}
term default {
    then accept;
}

.

interfaces ge-0/0/0.99
description cctv;
vlan-id 99;
family inet {
    mtu 1500;
    filter {
        input cat;
    }
    address 10.121.0.200/24;
}

.

security policies from-zone cctv to-zone untrust
policy proxmox-inet {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}

security policies from-zone untrust to-zone cctv
policy cctv-access {
    match {
        source-address any;
        destination-address any;
        application any;
    }
    then {
        permit;
    }
}


Everything looks OK, outgoing traffic goes via pp0.0.

After that, configure dest nat:

security nat destination
pool cctv-rdr {
    address 10.121.0.101/32;
}

rule-set cctv-rdr {
    from interface pp0.0;
    rule cctv-rdr {
        match {
            destination-address 1.1.1.2/32;
        }
        then {
            destination-nat {
                pool {
                    cctv-rdr;
                }
            }
        }
    }
}


Traffic comes in through pp0.0 but returns through pp0.1.
That breaks the port forward (due to uplink uRPF).

Where am I wrong in my configuration?

Thanks!


-- 
WBR, Yuriy B. Borysov
YOKO-UANIC | YOKO-RIPE  
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] SRX FBR and destination nat

2014-06-26 Thread Per Westerlund
I think you are hit by the flow mechanism; this would probably work in a
pure routing scenario.


Please verify my possible explanation with set security flow 
traceoptions flag basic-datapath.


When the first packet is accepted, a flow is set up. It contains both 
the forward path and the reverse path, all forwarding/routing decisions 
are made at that point. At this time, nothing is known about the FBR 
setup.


When the return packet enters the FW, the filter action of setting RI to 
cat is probably noted in the packet meta-data, but when the flow engine 
then evaluates the packet, an existing flow is found, the fast-path is 
taken (no routing/forwarding lookup), and the exit path as determined 
earlier is used.


This is the reason why your setup does not work (I think).

(This is the place where I would normally suggest a fix, but I'm short 
on time and would like to try some Junos Cup challenges while I can. If 
the problem persists, please poke me.)


/Per



Re: [j-nsp] SRX FBR and destination nat

2014-06-26 Thread Per Westerlund
There is (probably) a simple solution if pp0.0 is only used by inbound traffic 
that will be NAT-ed, and never used as backup for pp0.1 outbound. Is this the 
case?

/Per

Sent from my iPad, please ignore stupid spelling corrections!

On 26 Jun 2014, at 15:39, Yuriy B. Borysov yokod...@yokodzun.kiev.ua wrote:

> I need to do destination nat to host in lan PC (10.121.0.101) via non
> default ISP1 (int pp0.0).



Re: [j-nsp] SRX FBR and destination nat

2014-06-26 Thread Ben Dale
Hi Yuriy,

This exact configuration is documented quite thoroughly in Recipe 12 in the Day 
One: Juniper Ambassadors' Cookbook for Enterprise found here:

http://www.juniper.net/us/en/community/junos/training-certification/day-one/networking-technologies-series/cookbook-for-enterprise/

Credit for this particular one (and the 5 different solutions provided!) goes 
to Peter Klimai! 

Cheers,

Ben



Re: [j-nsp] SRX FBR and destination nat (Yuriy B. Borysov)

2014-06-26 Thread Sinisa Pesa

Hi Yuriy,

Assuming you have 2 links with SAME ISP and your ISP is doing BGP for you, the 
only way this would work is if your ISP is also forwarding 10.121.0.101/32 
through your secondary link.


Best Regards

Sinisa Pesa | Senior Network and Security Specialist
www.bluecentral.com | an IPMG company






Re: [j-nsp] SRX FBR and destination nat

2014-06-26 Thread Per Westerlund
If you start by setting up traceoptions as in the excellent article 
referred to by Ben, you will probably find the problem easily. Then, 
making the RI cat a virtual-router instead of a forwarding instance 
(with the ISP ifl in it) and setting up proper policy will probably be a 
good start to getting everything working.


/Per

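To make Per's two points concrete (the session being set up on the first packet with both wings resolved and cached, so the return packet takes the fast path and the FBR filter on ge-0/0/0.99 never gets a say; and his later suggestion of turning `cat` into a virtual-router that owns pp0.0), here is a small Python model of a flow-based firewall session table. It is an added illustration written for this thread, not Junos code and not anything from the Juniper cookbook. It assumes, as a simplification, that the reverse wing of a session is resolved in the routing instance that the first packet's ingress interface belongs to, that interface routes are visible in every instance (the `rib-group` sharing in Yuriy's config), and that the ingress filter's `routing-instance` action is only consulted on first-path packets. The client addresses are constructed.

```python
from dataclasses import dataclass, field

LAN_IF = "ge-0/0/0.99"
LAN_PREFIX = "10.121.0."
CLIENT = "198.51.100.7"        # constructed Internet client (documentation range)
OTHER_HOST = "203.0.113.9"     # constructed destination for a LAN-originated flow


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str      # interface the packet arrived on


@dataclass
class Firewall:
    """Toy flow-based firewall: first-path packets do route lookups, later
    packets of the same session reuse the cached egress interface."""
    owner_ri: dict     # interface -> routing instance that owns it
    default_via: dict  # routing instance -> egress interface of its 0.0.0.0/0
    dnat: dict         # (ingress interface, public dst) -> internal host
    fbr: dict          # ingress interface -> RI chosen by its input filter
    sessions: dict = field(default_factory=dict)   # (src, dst) -> egress interface

    def route(self, ri, dst):
        # The LAN is directly connected and its interface route is imported into
        # every RI (assumption, mirrors the rib-group); anything else follows the
        # default route of the RI the lookup is made in.
        if dst.startswith(LAN_PREFIX):
            return LAN_IF
        return self.default_via[ri]

    def forward(self, pkt):
        """Return (egress interface, path taken) for one packet."""
        key = (pkt.src, pkt.dst)
        if key in self.sessions:
            # Fast path: the session already fixes the egress interface. No route
            # lookup happens here, so the ingress filter's routing-instance action
            # is never applied to a return packet.
            return self.sessions[key], "fast-path"

        # First path: the filter on the ingress interface may override the RI.
        ri = self.fbr.get(pkt.ingress, self.owner_ri[pkt.ingress])
        # Destination NAT is applied before the route lookup.
        dst = self.dnat.get((pkt.ingress, pkt.dst), pkt.dst)
        egress = self.route(ri, dst)
        # Both wings are resolved now, in the same RI, and cached with the session.
        self.sessions[(pkt.src, pkt.dst)] = egress
        self.sessions[(dst, pkt.src)] = self.route(ri, pkt.src)
        return egress, "first-path"


def run(fw):
    """Drive the three packets from the thread through one firewall instance."""
    inbound = Packet(CLIENT, "1.1.1.2", "pp0.0")          # client hits the ISP1 address
    reply = Packet("10.121.0.101", CLIENT, LAN_IF)        # the PC answers
    fresh = Packet("10.121.0.101", OTHER_HOST, LAN_IF)    # new LAN-originated flow
    return {
        "inbound": fw.forward(inbound),
        "reply": fw.forward(reply),
        "outbound_new": fw.forward(fresh),
    }


def scenario_forwarding_instance():
    """Yuriy's posted setup: cat is a forwarding instance, pp0.0 stays in inet.0."""
    fw = Firewall(
        owner_ri={"pp0.0": "inet.0", "pp0.1": "inet.0", LAN_IF: "inet.0"},
        default_via={"inet.0": "pp0.1", "cat": "pp0.0"},
        dnat={("pp0.0", "1.1.1.2"): "10.121.0.101"},
        fbr={LAN_IF: "cat"},
    )
    return run(fw)


def scenario_virtual_router():
    """Per's suggestion, as modelled here: cat is a virtual-router owning pp0.0."""
    fw = Firewall(
        owner_ri={"pp0.0": "cat", "pp0.1": "inet.0", LAN_IF: "inet.0"},
        default_via={"inet.0": "pp0.1", "cat": "pp0.0"},
        dnat={("pp0.0", "1.1.1.2"): "10.121.0.101"},
        fbr={LAN_IF: "cat"},
    )
    return run(fw)


if __name__ == "__main__":
    for name, fn in (("forwarding instance", scenario_forwarding_instance),
                     ("virtual-router", scenario_virtual_router)):
        print(f"--- cat as {name} ---")
        for step, (egress, path) in fn().items():
            print(f"{step:13s} -> {egress:12s} ({path})")
```

In the forwarding-instance run the reply to the DNAT'd connection leaves via pp0.1 on the fast path, exactly the asymmetry Yuriy reported, while a fresh LAN-originated flow does go out pp0.0 because it is a first-path packet and the filter is honoured; once pp0.0 is owned by `cat`, the reverse wing is resolved in `cat.inet.0` and the reply returns on pp0.0. On a real SRX the place to confirm which path a packet took is the `basic-datapath` flow trace Per mentions, not this model.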