Hi Yuriy,

This exact configuration is documented quite thoroughly in Recipe 12 of the Day One: Juniper Ambassadors' Cookbook for Enterprise, found here:
http://www.juniper.net/us/en/community/junos/training-certification/day-one/networking-technologies-series/cookbook-for-enterprise/

Credit for this particular one (and the 5 different solutions provided!) goes to Peter Klimai!

Cheers,
Ben

On 26 Jun 2014, at 11:39 pm, Yuriy B. Borysov <[email protected]> wrote:

> Hello!
>
> I have two connections to the ISP on an SRX220H (12.1X45-D15.5).
>
> ISP1 - 1.1.1.2 on my side, 1.1.1.1 - gw (int pp0.0)
> ISP2 - 2.2.2.2 on my side, 2.2.2.1 - gw (int pp0.1)
>
> Default gateway points into pp0.1
>
> I need to do destination NAT to a host in the LAN (PC 10.121.0.101) via the non-default ISP1 (int pp0.0).
>
> First of all, configure FBR for the LAN network via pp0.0:
>
> routing-options {
>     interface-routes {
>         rib-group inet all;
>     }
>
>     .....
>
>     rib-groups {
>         all {
>             import-rib [ inet.0 cat.inet.0 ];
>         }
>     }
> }
>
> .....
>
> cat {
>     instance-type forwarding;
>     routing-options {
>         static {
>             route 0.0.0.0/0 next-hop pp0.0;
>         }
>     }
> }
>
> ......
>
> firewall family inet filter cat {
>     term route-to-cat {
>         from {
>             source-address {
>                 10.121.0.0/24;
>             }
>         }
>         then {
>             routing-instance cat;
>         }
>     }
>     term default {
>         then accept;
>     }
> }
>
> .....
>
> interfaces ge-0/0/0.99 {
>     description cctv;
>     vlan-id 99;
>     family inet {
>         mtu 1500;
>         filter {
>             input cat;
>         }
>         address 10.121.0.200/24;
>     }
> }
>
> .....
>
> security policies from-zone cctv to-zone untrust {
>     policy proxmox-inet {
>         match {
>             source-address any;
>             destination-address any;
>             application any;
>         }
>         then {
>             permit;
>         }
>     }
> }
>
> security policies from-zone untrust to-zone cctv {
>     policy cctv-access {
>         match {
>             source-address any;
>             destination-address any;
>             application any;
>         }
>         then {
>             permit;
>         }
>     }
> }
>
> Everything looks OK, outgoing traffic goes via pp0.0.
>
> After that, configure dest NAT:
>
> pool cctv-rdr {
>     address 10.121.0.101/32;
> }
>
> rule-set cctv-rdr {
>     from interface pp0.0;
>     rule cctv-rdr {
>         match {
>             destination-address 1.1.1.2/32;
>         }
>         then {
>             destination-nat {
>                 pool {
>                     cctv-rdr;
>                 }
>             }
>         }
>     }
> }
>
> Traffic comes in through pp0.0 but returns through pp0.1.
> That breaks the port forward (due to uplink uRPF).
>
> Where am I wrong in my configuration?
>
> Thanks!
>
> --
> WBR, Yuriy B. Borysov
> YOKO-UANIC | YOKO-RIPE
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp
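One way to attack the symptom Yuriy describes, added here as an example that is not part of the thread and is not one of the cookbook's recipes. It rests on an assumption about SRX flow behaviour: the return route for a session is chosen when the session is created, in the routing instance of the interface the first packet arrived on. With pp0.0 sitting in inet.0, that lookup hits inet.0's default route via pp0.1, and the filter on ge-0/0/0.99 never gets a say, because filter-based forwarding only acts on packets entering that interface, not on the reverse wing of a session that already exists. Moving pp0.0 into the cat instance (changed from forwarding to virtual-router, since a forwarding instance cannot own an interface) makes the session-setup lookup happen in cat.inet.0, whose only default route points at pp0.0. The instance name cat, the LAN prefix 10.121.0.0/24 and the interfaces are taken from Yuriy's post; the existing rib-group already leaks inet.0's interface routes (including 10.121.0.0/24 via ge-0/0/0.99) into cat.inet.0, so the instance can reach the NATed host. The firewall filter, the zone and policy configuration, and the destination NAT rule-set from the original post stay as they are and are not repeated here.

```junos
/* Added example, not from the thread: ISP1 interface moves into cat so that */
/* sessions arriving on pp0.0 are set up, and routed back, in cat.inet.0.    */
routing-instances {
    cat {
        /* was instance-type forwarding; a virtual-router can own pp0.0 */
        instance-type virtual-router;
        interface pp0.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop pp0.0;
            }
        }
    }
}
routing-options {
    /* unchanged: copies inet.0 interface routes into cat.inet.0, so cat */
    /* knows 10.121.0.0/24 via ge-0/0/0.99 and can reach 10.121.0.101    */
    interface-routes {
        rib-group inet all;
    }
    rib-groups {
        all {
            import-rib [ inet.0 cat.inet.0 ];
        }
    }
}
```

inet.0 keeps whatever default it has today via pp0.1, so ISP2 remains the default for everything not steered by the filter. Before trusting it, check that cat.inet.0 holds both the default via pp0.0 and the leaked LAN prefix (`show route table cat.inet.0`), then start an inbound connection to 1.1.1.2 and confirm with `monitor traffic interface pp0.1` that the replies from 10.121.0.101 no longer leave through ISP2. The assumptions above are exactly what to verify on a lab box first: if the untrust zone cannot hold pp0.0 and pp0.1 while they live in different instances on this release, ISP1 needs its own zone and a matching untrust-to-cctv policy.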

