
Re: Query about 2 active ISPs with SNAT and DNAT rules and failover


I was able to build a config with a virtual router for each ISP and a forwarding instance for the DMZ. It works!

In case someone needs it, here it is:


### Interfaces
# ge-0/0/0 = ISP "TASA": four public addresses out of a /29. The input filter
# TASA-IN-FILTER (defined further down) is what steers inbound traffic into the
# right routing instance (filter-based forwarding).
set interfaces ge-0/0/0 description "TASA"
set interfaces ge-0/0/0 unit 0 family inet address 200.55.93.210/29
set interfaces ge-0/0/0 unit 0 family inet address 200.55.93.211/29
set interfaces ge-0/0/0 unit 0 family inet address 200.55.93.212/29
set interfaces ge-0/0/0 unit 0 family inet address 200.55.93.213/29
set interfaces ge-0/0/0 unit 0 family inet filter input TASA-IN-FILTER
# ge-0/0/1 = ISP "IPLAN": five public addresses out of a /24, same pattern with
# IPLAN-IN-FILTER on input.
set interfaces ge-0/0/1 description "IPLAN"
set interfaces ge-0/0/1 unit 0 family inet address 200.61.125.149/24
set interfaces ge-0/0/1 unit 0 family inet address 200.61.125.153/24
set interfaces ge-0/0/1 unit 0 family inet address 200.61.125.154/24
set interfaces ge-0/0/1 unit 0 family inet address 200.61.125.156/24
set interfaces ge-0/0/1 unit 0 family inet address 200.61.125.222/24
set interfaces ge-0/0/1 unit 0 family inet filter input IPLAN-IN-FILTER
# ge-0/0/2 = DMZ (172.16.0.0/24). DMZ-IN-FILTER picks the egress ISP per source host.
set interfaces ge-0/0/2 description "DMZ"
set interfaces ge-0/0/2 unit 0 family inet address 172.16.0.234/24
set interfaces ge-0/0/2 unit 0 family inet filter input DMZ-IN-FILTER

 

### Routing options
# Default route of the main table (inet.0) hands the lookup over to the IPLAN
# instance's table, so anything not steered by a filter ends up exiting via IPLAN.
set routing-options static route 0.0.0.0/0 next-table IPLAN.inet.0
# Rib-group "inside": copy the interface (direct/local) routes into every table,
# so each instance can reach the directly connected networks of the other
# interfaces (needed for the DMZ <-> ISP forwarding between instances).
set routing-options interface-routes rib-group inside
set routing-options rib-groups inside import-rib [ inet.0 DMZ-VRF.inet.0 TASA.inet.0 IPLAN.inet.0 ]


# Filters for DMZ (filter-based forwarding: the egress ISP is chosen by source host)
# term 1: 172.16.0.56 and .57 are looked up in the IPLAN instance.
set firewall filter DMZ-IN-FILTER term 1 from source-address 172.16.0.56/32
set firewall filter DMZ-IN-FILTER term 1 from source-address 172.16.0.57/32
set firewall filter DMZ-IN-FILTER term 1 from destination-address 0.0.0.0/0
set firewall filter DMZ-IN-FILTER term 1 then routing-instance IPLAN
# term 2: 172.16.0.250, .251 and .253 are looked up in the TASA instance.
set firewall filter DMZ-IN-FILTER term 2 from source-address 172.16.0.250/32
set firewall filter DMZ-IN-FILTER term 2 from source-address 172.16.0.251/32
set firewall filter DMZ-IN-FILTER term 2 from source-address 172.16.0.253/32
set firewall filter DMZ-IN-FILTER term 2 from destination-address 0.0.0.0/0
set firewall filter DMZ-IN-FILTER term 2 then routing-instance TASA
# term 3: every other DMZ host is accepted in the main table, whose default route
# points at IPLAN.inet.0 (see routing-options). Keep the source lists in this
# filter in step with the source-nat rule-sets below: none of the source-nat rules
# shown here matches a host outside the five listed above, so such a host would
# reach an ISP zone without a translation rule (unless a policy not shown blocks it).
set firewall filter DMZ-IN-FILTER term 3 then accept


# Filters for IPLAN (inbound from the ISP)
# term 1: traffic addressed into the IPLAN /24 is looked up in DMZ-VRF — presumably
# so inbound/return traffic for the published addresses can be forwarded toward the
# DMZ; anything else (term 2) stays in the IPLAN instance.

set firewall filter IPLAN-IN-FILTER term 1 from destination-address 200.61.125.0/24
set firewall filter IPLAN-IN-FILTER term 1 then routing-instance DMZ-VRF
set firewall filter IPLAN-IN-FILTER term 2 then accept

 

# Filters for TASA (inbound from the ISP) — same shape as IPLAN-IN-FILTER.
# NOTE(review): 200.55.93.0/29 covers 200.55.93.0–.7 only, while the ge-0/0/0
# addresses (.210–.213/29) live in 200.55.93.208/29. As written, term 1 never
# matches traffic destined to the TASA addresses and it falls through to term 2
# (plain accept in the TASA instance). Confirm the intended prefix.

set firewall filter TASA-IN-FILTER term 1 from destination-address 200.55.93.0/29
set firewall filter TASA-IN-FILTER term 1 then routing-instance DMZ-VRF
set firewall filter TASA-IN-FILTER term 2 then accept


# Routing instances: one virtual-router per ISP. Each uses its own ISP gateway as
# the primary default route and the other ISP's gateway as a less-preferred backup
# (qualified-next-hop with preference 100, worse than the primary static route).
# NOTE(review): a static backup next-hop only takes over when the primary next-hop
# becomes unreachable on the directly connected link; an outage further upstream at
# the ISP is not detected by static routes alone. If that case matters, an active
# probe (e.g. RPM with ip-monitoring) is the usual way to withdraw the primary.
set routing-instances TASA instance-type virtual-router
set routing-instances TASA routing-options static route 0.0.0.0/0 next-hop 200.55.93.209
set routing-instances TASA routing-options static route 0.0.0.0/0 qualified-next-hop 200.61.125.254 preference 100

set routing-instances IPLAN instance-type virtual-router
set routing-instances IPLAN routing-options static route 0.0.0.0/0 next-hop 200.61.125.254
set routing-instances IPLAN routing-options static route 0.0.0.0/0 qualified-next-hop 200.55.93.209 preference 100

# DMZ-VRF is a plain forwarding instance; it has no routes of its own here and is
# populated only through the "inside" rib-group and the ISP input filters above.
set routing-instances DMZ-VRF instance-type forwarding


# Security zones
# NOTE(review): "host-inbound-traffic system-services all" lets any DMZ host reach
# every management service running on the SRX itself (for example ssh or web
# management). Least privilege would list only the services the DMZ really needs
# (e.g. ping) or keep management on a dedicated zone/interface. As shown, TASA and
# IPLAN configure no host-inbound-traffic, so nothing is accepted to the device
# from the ISP sides.
set security zones security-zone DMZ tcp-rst host-inbound-traffic system-services all
set security zones security-zone DMZ interfaces ge-0/0/2
set security zones security-zone TASA interfaces ge-0/0/0
set security zones security-zone IPLAN interfaces ge-0/0/1

 

# Source-NAT pools for TASA, one public /32 per pool.
# Of these, only IP211 and IP212 are referenced by the rule-sets shown below;
# IP210 and IP213 are unused in this excerpt.
set security nat source pool IP210 address 200.55.93.210/32
set security nat source pool IP211 address 200.55.93.211/32
set security nat source pool IP212 address 200.55.93.212/32
set security nat source pool IP213 address 200.55.93.213/32

# Source-NAT pools for IPLAN, one public /32 per pool.
# Only IP222 is referenced by the rule-sets shown below; IP149/IP153/IP154/IP156
# are unused in this excerpt. 200.61.125.222 is also the destination-NAT target
# address further down, so that one address is shared by SNAT and DNAT.
set security nat source pool IP149 address 200.61.125.149/32
set security nat source pool IP153 address 200.61.125.153/32
set security nat source pool IP154 address 200.61.125.154/32
set security nat source pool IP156 address 200.61.125.156/32
set security nat source pool IP222 address 200.61.125.222/32

 

# Rule-set DMZ -> TASA: zone context for the source-NAT rules that apply to traffic
# the DMZ-IN-FILTER steered into the TASA instance.
set security nat source rule-set DMZ-to-TASA from zone DMZ
set security nat source rule-set DMZ-to-TASA to zone TASA

 

# Rule-set DMZ -> IPLAN: zone context for the source-NAT rules that apply to traffic
# the DMZ-IN-FILTER steered into the IPLAN instance (and to the term-3 default).
set security nat source rule-set DMZ-to-IPLAN from zone DMZ
set security nat source rule-set DMZ-to-IPLAN to zone IPLAN

 

# Source NAT toward TASA
# R-IP211: 172.16.0.250 and 172.16.0.251 -> 200.55.93.211. The second
# "match source-address" line adds .251 to the same rule's address list; the
# repeated destination-address and "then" lines re-state the same values.
set security nat source rule-set DMZ-to-TASA rule R-IP211 match source-address 172.16.0.250/32
set security nat source rule-set DMZ-to-TASA rule R-IP211 match destination-address 0.0.0.0/0
set security nat source rule-set DMZ-to-TASA rule R-IP211 then source-nat pool IP211
set security nat source rule-set DMZ-to-TASA rule R-IP211 match source-address 172.16.0.251/32
set security nat source rule-set DMZ-to-TASA rule R-IP211 match destination-address 0.0.0.0/0
set security nat source rule-set DMZ-to-TASA rule R-IP211 then source-nat pool IP211
# R-IP212: 172.16.0.253 -> 200.55.93.212. These three hosts are exactly the ones
# DMZ-IN-FILTER term 2 sends to TASA.
set security nat source rule-set DMZ-to-TASA rule R-IP212 match source-address 172.16.0.253/32
set security nat source rule-set DMZ-to-TASA rule R-IP212 match destination-address 0.0.0.0/0
set security nat source rule-set DMZ-to-TASA rule R-IP212 then source-nat pool IP212

 

# Source NAT toward IPLAN
# R-IP222 and R-IP222-2: 172.16.0.56 and 172.16.0.57 both -> 200.61.125.222 (two
# rules sharing one pool). These are the two hosts DMZ-IN-FILTER term 1 sends to
# IPLAN, so filter and NAT agree.
set security nat source rule-set DMZ-to-IPLAN rule R-IP222 match source-address 172.16.0.56/32
set security nat source rule-set DMZ-to-IPLAN rule R-IP222 match destination-address 0.0.0.0/0
set security nat source rule-set DMZ-to-IPLAN rule R-IP222 then source-nat pool IP222

set security nat source rule-set DMZ-to-IPLAN rule R-IP222-2 match source-address 172.16.0.57/32
set security nat source rule-set DMZ-to-IPLAN rule R-IP222-2 match destination-address 0.0.0.0/0
set security nat source rule-set DMZ-to-IPLAN rule R-IP222-2 then source-nat pool IP222


# Address book (zone DMZ). Of these names only CLIENTE2 is referenced by the
# policy shown below; the others are presumably used by the rules left out here.
set security zones security-zone DMZ address-book address CLIENTE2 172.16.0.57/32
set security zones security-zone DMZ address-book address DEBTEST1 172.16.0.56/32
set security zones security-zone DMZ address-book address PROXY 172.16.0.253/32
set security zones security-zone DMZ address-book address WEBSRV 172.16.0.1/32
set security zones security-zone DMZ address-book address REVERSO 172.16.0.250/32
set security zones security-zone DMZ address-book address RELAY 172.16.0.251/32

 

 

# Destination-NAT pool for CLIENTE2: translated destination is 172.16.0.57, port 25.
set security nat destination pool DNATPOOL-CLIENTE2 address 172.16.0.57/32
set security nat destination pool DNATPOOL-CLIENTE2 address port 25


# Destination NAT from IPLAN: tcp/25 arriving for 200.61.125.222 is rewritten to
# 172.16.0.57:25 (DNATPOOL-CLIENTE2). The match is tight (address + port +
# protocol), which is the right shape for a published service. 200.61.125.222 is
# also the source-NAT pool IP222, so the same public address carries both directions.
set security nat destination rule-set DNAT-FROM-IPLAN from zone IPLAN
set security nat destination rule-set DNAT-FROM-IPLAN rule R-CLIENTE2-SMTP match destination-address 200.61.125.222/32
set security nat destination rule-set DNAT-FROM-IPLAN rule R-CLIENTE2-SMTP match destination-port 25
set security nat destination rule-set DNAT-FROM-IPLAN rule R-CLIENTE2-SMTP match protocol tcp
set security nat destination rule-set DNAT-FROM-IPLAN rule R-CLIENTE2-SMTP then destination-nat pool DNATPOOL-CLIENTE2


# Security policies
# IPLAN -> DMZ: any source may reach CLIENTE2 (172.16.0.57, the DNAT target) on
# smtp, http and ping.
# NOTE(review): the only destination-NAT rule shown exposes tcp/25, so junos-http
# and junos-ping are broader than what is actually published on 200.61.125.222.
# If no other rule (among the ones omitted) DNATs http/ping to this host, narrowing
# the policy to junos-smtp keeps policy and NAT aligned.
set security policies from-zone IPLAN to-zone DMZ policy IPLAN-to-DMZ match source-address any
set security policies from-zone IPLAN to-zone DMZ policy IPLAN-to-DMZ match destination-address CLIENTE2
set security policies from-zone IPLAN to-zone DMZ policy IPLAN-to-DMZ match application junos-smtp
set security policies from-zone IPLAN to-zone DMZ policy IPLAN-to-DMZ match application junos-http
set security policies from-zone IPLAN to-zone DMZ policy IPLAN-to-DMZ match application junos-ping
set security policies from-zone IPLAN to-zone DMZ policy IPLAN-to-DMZ then permit

-------------- AND SOME OTHER RULES --------------


