Hi all -
I am trying to get static NAT working in a dual-ISP configuration on an SRX240 HA cluster. Static NAT has worked for years in the default routing instance, whose Internet circuit is on reth0. Recently we added a second circuit for redundancy and availability of the email services behind the firewall; I created a separate routing instance for this circuit and bound it to reth7.
Below are the relevant parts of my current configuration (I have tried many variations of it and read many KB articles and forum posts on similar setups). Each attempt fails with a different message in the flow traceoptions:
- route lookup failed
- packet dropped, denied by policy
- denied by policy default-policy
- failed to install nsp2
- packet dropped, first pak not sync
- reject route in make_nsp_ready_no_resolve
- zone mismatch
Is there any way to get static NAT working across two ISPs in separate routing instances on an SRX cluster?
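/*
 * SRX240 HA cluster, dual-ISP layout as pasted in the post, re-indented so the
 * structure can be checked. Two places in the paste did not balance their braces
 * (the untrust->trust policy block and the trust zone address-book); the closing
 * braces are restored here in the only way that yields a valid hierarchy -- if
 * the live config differs, treat those two spots as the first thing to verify.
 *
 * Topology as shown:
 *   reth0.0 (1.1.1.3/28)  -> zone untrust,   inet.0 default via 1.1.1.1
 *   reth7.0 (2.2.2.3/28)  -> zone untrust-2, my-routing-instance default via 2.2.2.1
 *   reth1.0-reth4.0       -> zone trust (OSPF area 0.0.0.1); 10.1.50.0/24 via 10.10.3.2/10.10.4.2
 *   Mail server 1: 10.1.50.31 <-> 1.1.1.2 (static NAT, proxy-arp on reth0.0)
 *   Mail server 2: 10.1.50.27 <-> 2.2.2.2 (static NAT, proxy-arp on reth7.0)
 */
interfaces {
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                filter {
                    input access-traffic-control-filter;
                }
                address 1.1.1.3/28;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 2;
        }
        unit 0 {
            family inet {
                filter {
                    input access-traffic-control-filter;
                    output access-traffic-control-filter;
                }
                address 10.10.1.1/29;
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 2;
        }
        unit 0 {
            family inet {
                filter {
                    input access-traffic-control-filter;
                    output access-traffic-control-filter;
                }
                address 10.10.2.1/29;
            }
        }
    }
    reth3 {
        redundant-ether-options {
            redundancy-group 2;
        }
        unit 0 {
            family inet {
                filter {
                    input access-traffic-control-filter;
                    output access-traffic-control-filter;
                }
                address 10.10.3.1/29;
            }
        }
    }
    reth4 {
        redundant-ether-options {
            redundancy-group 2;
        }
        unit 0 {
            family inet {
                filter {
                    input access-traffic-control-filter;
                    output access-traffic-control-filter;
                }
                address 10.10.4.1/29;
            }
        }
    }
    reth7 {
        redundant-ether-options {
            redundancy-group 5;
        }
        unit 0 {
            family inet {
                filter {
                    input access-traffic-control-filter;
                }
                address 2.2.2.3/28;
            }
        }
    }
}
routing-options {
    /* Interface routes of every interface are leaked into both tables (see rib-groups). */
    interface-routes {
        rib-group inet access-rib-group;
    }
    static {
        route 10.1.50.0/24 next-hop [ 10.10.3.2 10.10.4.2 ];
        route 0.0.0.0/0 next-hop 1.1.1.1;
    }
    rib-groups {
        access-rib-group {
            import-rib [ inet.0 my-routing-instance.inet.0 ];
        }
    }
    router-id 10.10.1.1;
}
protocols {
    ospf {
        /* OSPF-learned routes are also installed in my-routing-instance.inet.0. */
        rib-group access-rib-group;
        area 0.0.0.1 {
            interface reth1.0 {
                priority 255;
            }
            interface reth2.0 {
                priority 255;
            }
            interface reth3.0 {
                priority 255;
            }
            interface reth4.0 {
                priority 255;
            }
        }
    }
}
policy-options {
    prefix-list mailserver-list {
        10.1.50.31/32;
        1.1.1.2/32;
    }
    /*
     * NOTE(review): mailserver-2-list is defined but not referenced anywhere in the
     * configuration shown; the QoS term outlookanywhere-traffic below only matches
     * mailserver-list. Either reference it or remove it so the intent is clear.
     */
    prefix-list mailserver-2-list {
        10.1.50.27/32;
        2.2.2.2/32;
    }
    /* Copies only the 10.1.50.0/24 static route from the master instance. */
    policy-statement copy-int-net {
        term copy {
            from {
                instance master;
                route-filter 10.1.50.0/24 exact accept;
            }
        }
        term else {
            then reject;
        }
    }
}
security {
    nat {
        source {
            /* Outbound PAT for the LAN on the primary circuit only (trust -> untrust). */
            rule-set internet-access-local-nets {
                from zone trust;
                to zone untrust;
                rule nat-local-net {
                    match {
                        source-address [ 10.1.50.0/24 ];
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        static {
            /*
             * NOTE(review): both static rule-sets list reth1.0-reth4.0 in their
             * from-interface context, so a packet entering from trust can match the
             * from-context of either rule-set; only one rule-set is selected per
             * packet. Confirm with `show security nat static rule all` that both
             * nat-mailserver-1 and nat-mailserver-2 get translation hits in the
             * reverse (trust -> Internet) direction before hunting elsewhere.
             */
            rule-set public-server-2 {
                from interface [ reth1.0 reth2.0 reth3.0 reth4.0 reth7.0 ];
                rule nat-mailserver-2 {
                    match {
                        destination-address 2.2.2.2/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.1.50.27/32;
                            }
                        }
                    }
                }
            }
            rule-set public-server-1 {
                from interface [ reth0.0 reth1.0 reth2.0 reth3.0 reth4.0 ];
                rule nat-mailserver-1 {
                    match {
                        destination-address 1.1.1.2/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                10.1.50.31/32;
                            }
                        }
                    }
                }
            }
        }
        /* Each public NAT address is answered for on the circuit it belongs to. */
        proxy-arp {
            interface reth0.0 {
                address {
                    1.1.1.2/32;
                }
            }
            interface reth7.0 {
                address {
                    2.2.2.2/32;
                }
            }
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy internet-access-local-net {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy internet-access-utm-policy;
                            application-firewall {
                                rule-set internet-access-application-firewall;
                            }
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        }
        /* Inbound HTTPS (Outlook Anywhere) to mail server 1 via the primary circuit. */
        from-zone untrust to-zone trust {
            policy mailserver-access-outlookanywhere {
                match {
                    source-address any;
                    destination-address mailserver-1;
                    application junos-https;
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        }
        from-zone trust to-zone untrust-2 {
            policy untrust-2-internet-access-local-net {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit {
                        application-services {
                            utm-policy internet-access-utm-policy;
                            application-firewall {
                                rule-set internet-access-application-firewall;
                            }
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        }
        /*
         * Inbound HTTPS to mail server 2 via the second circuit. Made consistent with
         * the primary-circuit policy above: the same Internet-exposed service on the
         * second ISP was permitted without IDP, so an attacker choosing 2.2.2.2 over
         * 1.1.1.2 bypassed inspection.
         */
        from-zone untrust-2 to-zone trust {
            policy untrust-2-mailserver-access-outlookanywhere {
                match {
                    source-address any;
                    destination-address mailserver-2;
                    application junos-https;
                }
                then {
                    permit {
                        application-services {
                            idp;
                        }
                    }
                    log {
                        session-close;
                    }
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
    zones {
        security-zone untrust {
            /*
             * Zone-level default tightened from `all` to `ike`. The interface-level
             * stanza below overrides it for reth0.0, so this does not change current
             * behaviour, but `all` would have been inherited by any interface later
             * added to this Internet-facing zone without its own stanza.
             */
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                reth0.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            /*
                             * NOTE(review): https here exposes the device's own HTTPS
                             * service (J-Web / Dynamic VPN portal) to the Internet.
                             * Confirm it is needed; otherwise remove it or restrict the
                             * sources with an interface filter.
                             */
                            https;
                            ping;
                        }
                    }
                }
            }
            application-tracking;
        }
        security-zone trust {
            /* Closing brace restored: in the paste host-inbound-traffic sat inside address-book. */
            address-book {
                address mailserver-2 10.1.50.27/32;
                address mailserver-1 10.1.50.31/32;
            }
            /* Internal zone: everything is accepted to the RE; acceptable inside, but
               consider limiting to the services actually used (ospf, ssh, ping, ...). */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                reth2.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                reth3.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
                reth4.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone untrust-2 {
            /* Same tightening as zone untrust: no `all` at zone level on a WAN zone. */
            host-inbound-traffic {
                system-services {
                    ike;
                }
            }
            interfaces {
                reth7.0 {
                    host-inbound-traffic {
                        system-services {
                            ike;
                            /* NOTE(review): same exposure concern as https on reth0.0. */
                            https;
                            ping;
                        }
                    }
                }
            }
            application-tracking;
        }
    }
}
firewall {
    family inet {
        /*
         * Applied as input on every reth (and output on reth1-4). The first term is
         * filter-based forwarding: it moves mail server 2's traffic into
         * my-routing-instance so its replies leave via the second circuit.
         */
        filter access-traffic-control-filter {
            /*
             * NOTE(review): no destination match, so every packet sourced from
             * 10.1.50.27 -- including traffic to internal subnets -- is looked up in
             * my-routing-instance.inet.0. That table receives interface and OSPF routes
             * through access-rib-group and 10.1.50.0/24 through copy-int-net; confirm
             * with `show route table my-routing-instance.inet.0` that every internal
             * prefix the mail server needs is present, or add a destination-address
             * match that excludes internal prefixes.
             */
            term mailserver-2-traffic {
                from {
                    source-address {
                        10.1.50.27/32;
                    }
                }
                then {
                    count mailserver-2-traffic-count;
                    routing-instance my-routing-instance;
                }
            }
            term outlookanywhere-traffic {
                from {
                    prefix-list {
                        mailserver-list;
                    }
                    protocol tcp;
                    port https;
                }
                then {
                    count outlookanywhere-traffic-count;
                    forwarding-class af-assured-forwarding;
                    accept;
                }
            }
            term best-effort-traffic {
                then {
                    count best-effort-traffic-count;
                    forwarding-class best-effort;
                    accept;
                }
            }
        }
    }
}
routing-instances {
    /* Second ISP. Default route via 2.2.2.1; 10.1.50.0/24 imported from inet.0 by copy-int-net. */
    my-routing-instance {
        instance-type virtual-router;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 2.2.2.1;
            }
            instance-import copy-int-net;
        }
    }
}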