
Case Study: Internet access through two ISPs on SRX

  [KB24821]


Summary:

This article provides a sample configuration for an SRX device that is connected to two ISPs simultaneously, with two subnets behind the SRX.


Symptoms:

Topology:




Objective:
  1. Server X MUST always use Comcast to send its traffic out.
  2. Server Y MUST always use ATT to send its traffic out.
  3. Server X and Server Y should be able to talk to each other.
  4. Static NAT must be performed between the interface IP address (4.4.4.1) and Server Y (1.1.1.2), such that all internet requests for Server Y MUST be received on 4.4.4.1 and be translated to 1.1.1.2, AND Server Y must use 4.4.4.1 for all outbound communication.
  5. Source interface NAT should be performed for traffic from DMZ to Untrust-ATT and from Trust to Untrust-Comcast.
Solution:

Configuration

Interfaces:

Configure interfaces.
    ge-0/0/5 {
        unit 0 {
            family inet {
                address 3.3.3.1/24;  <<<<<<  Part of ISP1
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family inet {
                address 4.4.4.1/24;  <<<<<<  Part of ISP2
            }
        }
    }
    ge-0/0/9 {
        unit 0 {
            family inet {
                address 1.1.1.1/24;  <<<<<<  Part of ISP2
            }
        }
    }
    ge-0/0/10 {
        unit 0 {
            family inet {
                address 2.2.2.1/24;  <<<<<<  Part of ISP1
            }
        }
    }

Routing:

Define a rib-group so that the two virtual routers can share their routing tables. This is needed to meet Objective 3.
routing-options {
    rib-groups {
        ISP1-ISP2 {
            import-rib [ ISP1.inet.0 ISP2.inet.0 ];
        }
    }
}


Routing Instances:

Create a separate routing instance (virtual router) for each ISP, so that each ISP is reached through its own routing table.
routing-instances {
    ISP2 {
        instance-type virtual-router;
        interface ge-0/0/6.0;
        interface ge-0/0/9.0;
        routing-options {
            interface-routes {
                rib-group inet ISP1-ISP2;      <<<<<<< Export Routes into ISP1 VR. Objective # 3
            }
            static {
                route 0.0.0.0/0 next-hop 4.4.4.4;
            }
        }
    }
    ISP1 {
        instance-type virtual-router;
        interface ge-0/0/5.0;
        interface ge-0/0/10.0;
        routing-options {
            interface-routes {
                rib-group inet ISP1-ISP2;      <<<<<<< Export Routes into ISP2 VR. Objective # 3
            }
            static {
                route 0.0.0.0/0 next-hop 3.3.3.3;
            }
        }
    }
}
Note: If interface routes are not shared between the VR routing tables, DMZ and Trust will not be able to communicate with each other.


Security

Source NAT is performed for Objective # 5.

security {
    nat {
        source {
            rule-set trust-to-untrust-ISP1 {
                from zone trust;
                to zone untrust-ISP1;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set dmz-to-untrust-ISP2 {
                from zone dmz;
                to zone untrust-ISP2;
                rule source-nat-ISP2 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }

Static NAT is performed for Objective # 4.

        static {
            rule-set dnat {
                from zone untrust-ISP2;
                rule 1 {
                    match {
                        destination-address 4.4.4.1/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                1.1.1.2/32;
                            }
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/10.0;
            }
        }
        security-zone untrust-ISP1 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/5.0;
            }
        }
        security-zone dmz {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/9.0;
            }
        }
        security-zone untrust-ISP2 {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                ge-0/0/6.0;
            }
        }
    }

/* Permitting all traffic for simplicity; a production deployment should replace this with explicit zone-pair policies */

    policies {
        default-policy {
            permit-all;
        }
    }
}


Verification:

  • When traffic is initiated from Trust to Untrust-ISP1:
    Session ID: 12602, Policy name: default-policy/2, Timeout: 4, Valid
      In: 2.2.2.2/6 --> 6.6.6.6/45299;icmp, If: ge-0/0/10.0, Pkts: 1, Bytes: 84
      Out: 6.6.6.6/45299 --> 3.3.3.1/5605;icmp, If: ge-0/0/5.0, Pkts: 1, Bytes: 84

  • When traffic is initiated from DMZ to Untrust-ISP2:
    Session ID: 12784, Policy name: default-policy/2, Timeout: 2, Valid
      In: 1.1.1.2/0 --> 5.5.5.5/29977;icmp, If: ge-0/0/9.0, Pkts: 1, Bytes: 84
      Out: 5.5.5.5/29977 --> 4.4.4.1/0;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 84

  • When traffic is initiated from ISP2 to Server-Y:
    Session ID: 12806, Policy name: default-policy/2, Timeout: 2, Valid
      In: 5.5.5.5/1 --> 4.4.4.1/2689;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 84
      Out: 1.1.1.2/2689 --> 5.5.5.5/1;icmp, If: ge-0/0/9.0, Pkts: 1, Bytes: 84

  • When traffic is initiated from Server-X to Server-Y:
    Session ID: 13058, Policy name: default-policy/2, Timeout: 4, Valid
      In: 2.2.2.2/2 --> 1.1.1.2/45309;icmp, If: ge-0/0/10.0, Pkts: 1, Bytes: 84
      Out: 1.1.1.2/45309 --> 2.2.2.2/2;icmp, If: ge-0/0/9.0, Pkts: 1, Bytes: 84

  • When traffic is initiated from Server-Y to Server-X:
    Session ID: 13116, Policy name: default-policy/2, Timeout: 4, Valid
      In: 1.1.1.2/2 --> 2.2.2.2/29994;icmp, If: ge-0/0/9.0, Pkts: 1, Bytes: 84
      Out: 2.2.2.2/29994 --> 1.1.1.2/2;icmp, If: ge-0/0/10.0, Pkts: 1, Bytes: 84
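A check on the verification output above, added here as an example and not part of the KB article: it parses session wings in the format shown and tests each session against Objectives 1 to 5 (correct egress interface, interface NAT address, static NAT mapping, untranslated server-to-server traffic). Server addresses, interfaces and NAT addresses are taken from the article; the sample text is a constructed copy of the sessions listed above.

```python
import re

# Constructed copy of the five sessions listed in the verification output above (Session ID headers dropped).
SESSIONS = """\
In: 2.2.2.2/6 --> 6.6.6.6/45299;icmp, If: ge-0/0/10.0, Pkts: 1, Bytes: 84
Out: 6.6.6.6/45299 --> 3.3.3.1/5605;icmp, If: ge-0/0/5.0, Pkts: 1, Bytes: 84
In: 1.1.1.2/0 --> 5.5.5.5/29977;icmp, If: ge-0/0/9.0, Pkts: 1, Bytes: 84
Out: 5.5.5.5/29977 --> 4.4.4.1/0;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 84
In: 5.5.5.5/1 --> 4.4.4.1/2689;icmp, If: ge-0/0/6.0, Pkts: 1, Bytes: 84
Out: 1.1.1.2/2689 --> 5.5.5.5/1;icmp, If: ge-0/0/9.0, Pkts: 1, Bytes: 84
In: 2.2.2.2/2 --> 1.1.1.2/45309;icmp, If: ge-0/0/10.0, Pkts: 1, Bytes: 84
Out: 1.1.1.2/45309 --> 2.2.2.2/2;icmp, If: ge-0/0/9.0, Pkts: 1, Bytes: 84
In: 1.1.1.2/2 --> 2.2.2.2/29994;icmp, If: ge-0/0/9.0, Pkts: 1, Bytes: 84
Out: 2.2.2.2/29994 --> 1.1.1.2/2;icmp, If: ge-0/0/10.0, Pkts: 1, Bytes: 84
"""
# One session wing: direction, source, destination, interface (ports and protocol are ignored).
WING = re.compile(r"^\s*(In|Out): (\S+)/\d+ --> (\S+)/\d+;\w+, If: ([^,\s]+)")
# What the objectives require: server -> (ISP-facing egress interface, interface-NAT address).
SERVERS = {"2.2.2.2": ("ge-0/0/5.0", "3.3.3.1"),   # Server X must leave via ISP1 (Comcast)
           "1.1.1.2": ("ge-0/0/6.0", "4.4.4.1")}   # Server Y must leave via ISP2 (ATT)
STATIC_NAT = {"4.4.4.1": "1.1.1.2"}                # inbound 4.4.4.1 -> Server Y (Objective 4)

def parse_sessions(text):
    """Pair each In wing with the Out wing that follows it."""
    sessions, pending = [], None
    for m in filter(None, map(WING.match, text.splitlines())):
        direction, src, dst, ifname = m.groups()
        if direction == "In":
            pending = (src, dst, ifname)
        elif pending is not None:
            sessions.append(pending + (src, dst, ifname))
            pending = None
    return sessions

def classify(session):
    """Return (label, ok): which objective the session exercises and whether it complies."""
    in_src, in_dst, _in_if, out_src, out_dst, out_if = session
    if in_dst in STATIC_NAT:                      # Objective 4: Out wing must carry the real server
        return "static-nat-in", out_src == STATIC_NAT[in_dst]
    if in_src in SERVERS and in_dst in SERVERS:   # Objective 3: server-to-server, no translation
        return "internal", out_src == in_dst and out_dst == in_src
    if in_src in SERVERS:                         # Objectives 1, 2, 5: correct ISP and interface NAT
        exp_if, nat_ip = SERVERS[in_src]
        return "egress", out_if == exp_if and out_dst == nat_ip
    return "unexpected", False

def audit(text):
    return [classify(s) for s in parse_sessions(text)]
```

Any session labelled with ok == False (for example Server X leaving via ge-0/0/6.0) indicates that routing-instance or NAT configuration does not meet the objectives.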


root@SRX240> show route

inet.0: 4 destinations, 4 routes (2 active, 0 holddown, 2 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[Direct/0] 1w0d 01:54:27
                    > via vlan.0
192.168.1.1/32     *[Local/0] 1w5d 18:09:01
                      Local via vlan.0

ISP1.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 1w0d 00:59:07
                    > to 3.3.3.3 via ge-0/0/5.0
1.1.1.0/24         *[Direct/0] 01:03:07
                    > via ge-0/0/9.0
1.1.1.1/32         *[Local/0] 01:03:07
                      Local via ge-0/0/9.0
2.2.2.0/24         *[Direct/0] 1w0d 01:14:10
                    > via ge-0/0/10.0
2.2.2.1/32         *[Local/0] 1w0d 01:14:10
                      Local via ge-0/0/10.0
3.3.3.0/24         *[Direct/0] 1w0d 01:14:10
                    > via ge-0/0/5.0
3.3.3.1/32         *[Local/0] 1w0d 01:14:10
                      Local via ge-0/0/5.0
4.4.4.0/24         *[Direct/0] 01:03:07
                    > via ge-0/0/6.0
4.4.4.1/32         *[Local/0] 01:03:07
                      Local via ge-0/0/6.0

ISP2.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:10:02
                    > to 4.4.4.4 via ge-0/0/6.0
1.1.1.0/24         *[Direct/0] 01:10:02
                    > via ge-0/0/9.0
1.1.1.1/32         *[Local/0] 01:10:02
                      Local via ge-0/0/9.0
2.2.2.0/24         *[Direct/0] 01:10:03
                    > via ge-0/0/10.0
2.2.2.1/32         *[Local/0] 01:10:03
                      Local via ge-0/0/10.0
3.3.3.0/24         *[Direct/0] 01:10:03
                    > via ge-0/0/5.0
3.3.3.1/32         *[Local/0] 01:10:03
                      Local via ge-0/0/5.0
4.4.4.0/24         *[Direct/0] 01:10:02
                    > via ge-0/0/6.0
4.4.4.1/32         *[Local/0] 01:10:02
                      Local via ge-0/0/6.0