Hi guys, I need you to guide me...
I have this scenario:
Topology Assumptions
TASA zone ge-0/0/0: 200.55.93.210/29, 200.55.93.211/29, 200.55.93.212/29, 200.55.93.213/29
IPLAN zone ge-0/0/1: 200.61.125.149/24, 200.61.125.153/24, 200.61.125.154/24, 200.61.125.156/24, 200.61.125.222/24
DMZ zone ge-0/0/2: 172.16.0.254/24
TASA zone gateway: 200.55.93.209
IPLAN zone gateway: 200.61.125.254
DMZ/PROXY is a web proxy server with auth
DMZ/RELAY is a mail relay server
DMZ/REVERSO is an HTTP reverse proxy
DMZ/WEBSRV is a web server
DMZ/APPSRV is a multi-application server
Requirements
- DMZ/WEBSRV should egress out TASA/200.55.93.210 with source-nat. Failover IPLAN/200.61.125.149
- DMZ/RELAY should egress out TASA/200.55.93.211 with source-nat. Failover IPLAN/200.61.125.153
- DMZ/PROXY should egress out TASA/200.55.93.212 with source-nat. Failover IPLAN/200.61.125.154
- DMZ/REVERSO should egress out TASA/200.55.93.213 with source-nat. Failover IPLAN/200.61.125.156
- DMZ/APPSRV should egress out IPLAN/200.61.125.222 with source-nat. No Failover
- If TASA interface goes down, then DMZ zones should egress out IPLAN instead with source-nat.
- If TASA interface returns, then DMZ zones should revert back to using TASA again.
- TASA must allow destination NAT for:
  DMZ/WEBSRV ports 80, 443 tcp from TASA/200.55.93.210. Same rules from IPLAN/200.61.125.149
  DMZ/RELAY ports 25, 80, 143, 445, 587 tcp from TASA/200.55.93.211. Same rules from IPLAN/200.61.125.153
  DMZ/PROXY port 1194 udp from TASA/200.55.93.212. Same rules from IPLAN/200.61.125.156
  DMZ/REVERSO port 53 udp/tcp and 80, 443 tcp from TASA/200.55.93.213. Same rules from IPLAN/200.61.125.153
  DMZ/APPSRV ports 25, 80, 143 tcp and 53 udp/tcp from IPLAN/200.61.125.222. No other ISP incoming.
- When both ISPs are up, destination NAT addresses should be available from both ISPs for both servers.
- I don't require load balancing, but if it is used, the egress rules above must be respected.
I have this configuration:
------------------------------------------------------------------------------------------------
### Iface config
set interfaces ge-0/0/0 description "TASA"
set interfaces ge-0/0/0 unit 0 family inet address 200.55.93.210/29
set interfaces ge-0/0/0 unit 0 family inet address 200.55.93.211/29
set interfaces ge-0/0/0 unit 0 family inet address 200.55.93.212/29
set interfaces ge-0/0/0 unit 0 family inet address 200.55.93.213/29
set interfaces ge-0/0/1 description "IPLAN"
set interfaces ge-0/0/1 unit 0 family inet address 200.61.125.149/24
set interfaces ge-0/0/1 unit 0 family inet address 200.61.125.153/24
set interfaces ge-0/0/1 unit 0 family inet address 200.61.125.154/24
set interfaces ge-0/0/1 unit 0 family inet address 200.61.125.156/24
set interfaces ge-0/0/1 unit 0 family inet address 200.61.125.222/24
set interfaces ge-0/0/2 description "DMZ"
set interfaces ge-0/0/2 unit 0 family inet address 172.16.0.254/24
### Static Route with preference
set routing-options static route 0.0.0.0/0 next-hop 200.55.93.209 preference 5
set routing-options static route 0.0.0.0/0 qualified-next-hop 200.61.125.254 preference 7
### Addresses books
set security zones security-zone DMZ address-book address APPSRV 172.16.0.57/32
set security zones security-zone DMZ address-book address PROXY 172.16.0.253/32
set security zones security-zone DMZ address-book address WEBSRV 172.16.0.1/32
set security zones security-zone DMZ address-book address REVERSO 172.16.0.250/32
set security zones security-zone DMZ address-book address RELAY 172.16.0.251/32
### Security Nat pool for TASA
set security nat source pool IP210 address 200.55.93.210/32
set security nat source pool IP211 address 200.55.93.211/32
set security nat source pool IP212 address 200.55.93.212/32
set security nat source pool IP213 address 200.55.93.213/32
### Security Nat pool for IPLAN
set security nat source pool IP149 address 200.61.125.149/32
set security nat source pool IP153 address 200.61.125.153/32
set security nat source pool IP154 address 200.61.125.154/32
set security nat source pool IP156 address 200.61.125.156/32
set security nat source pool IP222 address 200.61.125.222/32
### Set security zones
set security zones security-zone TASA interfaces ge-0/0/0.0
set security zones security-zone IPLAN interfaces ge-0/0/1.0
set security zones security-zone DMZ interfaces ge-0/0/2.0
### Set rule set DMZ to TASA
set security nat source rule-set DMZ-to-TASA from zone DMZ
set security nat source rule-set DMZ-to-TASA to zone TASA
### Set rule set DMZ to IPLAN
set security nat source rule-set DMZ-to-IPLAN from zone DMZ
set security nat source rule-set DMZ-to-IPLAN to zone IPLAN
### Set rule set egress out TASA
# REVERSO (172.16.0.250) egresses as 200.55.93.213; every rule needs its own name, R-IP211 is used by RELAY below
set security nat source rule-set DMZ-to-TASA rule R-IP213 match source-address 172.16.0.250/32
set security nat source rule-set DMZ-to-TASA rule R-IP213 match destination-address 0.0.0.0/0
set security nat source rule-set DMZ-to-TASA rule R-IP213 then source-nat pool IP213
# RELAY (172.16.0.251) egresses as 200.55.93.211
set security nat source rule-set DMZ-to-TASA rule R-IP211 match source-address 172.16.0.251/32
set security nat source rule-set DMZ-to-TASA rule R-IP211 match destination-address 0.0.0.0/0
set security nat source rule-set DMZ-to-TASA rule R-IP211 then source-nat pool IP211
# PROXY (172.16.0.253) egresses as 200.55.93.212
set security nat source rule-set DMZ-to-TASA rule R-IP212 match source-address 172.16.0.253/32
set security nat source rule-set DMZ-to-TASA rule R-IP212 match destination-address 0.0.0.0/0
set security nat source rule-set DMZ-to-TASA rule R-IP212 then source-nat pool IP212
### Set rule set egress out IPLAN
set security nat source rule-set DMZ-to-IPLAN rule R-IP222 match source-address 172.16.0.56/32
set security nat source rule-set DMZ-to-IPLAN rule R-IP222 match destination-address 0.0.0.0/0
set security nat source rule-set DMZ-to-IPLAN rule R-IP222 then source-nat pool IP222
### Security Policy from DMZ to TASA:
# RELAY
set security policies from-zone DMZ to-zone TASA policy permit-RELAY match source-address RELAY
set security policies from-zone DMZ to-zone TASA policy permit-RELAY match destination-address any
set security policies from-zone DMZ to-zone TASA policy permit-RELAY match application junos-dns-tcp
set security policies from-zone DMZ to-zone TASA policy permit-RELAY match application junos-dns-udp
set security policies from-zone DMZ to-zone TASA policy permit-RELAY match application junos-http
set security policies from-zone DMZ to-zone TASA policy permit-RELAY match application junos-https
set security policies from-zone DMZ to-zone TASA policy permit-RELAY match application junos-ping
set security policies from-zone DMZ to-zone TASA policy permit-RELAY match application junos-mail
set security policies from-zone DMZ to-zone TASA policy permit-RELAY then permit
# REVERSO
set security policies from-zone DMZ to-zone TASA policy permit-REVERSO match source-address REVERSO
set security policies from-zone DMZ to-zone TASA policy permit-REVERSO match destination-address any
set security policies from-zone DMZ to-zone TASA policy permit-REVERSO match application junos-dns-tcp
set security policies from-zone DMZ to-zone TASA policy permit-REVERSO match application junos-dns-udp
set security policies from-zone DMZ to-zone TASA policy permit-REVERSO match application junos-http
set security policies from-zone DMZ to-zone TASA policy permit-REVERSO match application junos-https
set security policies from-zone DMZ to-zone TASA policy permit-REVERSO match application junos-ping
set security policies from-zone DMZ to-zone TASA policy permit-REVERSO then permit
# PROXY
set applications application custom-rdp term TCP protocol tcp
set applications application custom-rdp term TCP destination-port 3389
set security policies from-zone DMZ to-zone TASA policy permit-PROXY match source-address PROXY
set security policies from-zone DMZ to-zone TASA policy permit-PROXY match destination-address any
set security policies from-zone DMZ to-zone TASA policy permit-PROXY match application junos-dns-tcp
set security policies from-zone DMZ to-zone TASA policy permit-PROXY match application junos-dns-udp
set security policies from-zone DMZ to-zone TASA policy permit-PROXY match application junos-http
set security policies from-zone DMZ to-zone TASA policy permit-PROXY match application junos-https
set security policies from-zone DMZ to-zone TASA policy permit-PROXY match application junos-ping
# custom-rdp is the custom application defined above (tcp/3389); no application named custom-ssh exists in this config
set security policies from-zone DMZ to-zone TASA policy permit-PROXY match application custom-rdp
set security policies from-zone DMZ to-zone TASA policy permit-PROXY then permit
### Security policy from DMZ to IPLAN:
set security policies from-zone DMZ to-zone IPLAN policy permit-APPSRV match source-address APPSRV
set security policies from-zone DMZ to-zone IPLAN policy permit-APPSRV match destination-address any
set security policies from-zone DMZ to-zone IPLAN policy permit-APPSRV match application junos-dns-tcp
set security policies from-zone DMZ to-zone IPLAN policy permit-APPSRV match application junos-dns-udp
set security policies from-zone DMZ to-zone IPLAN policy permit-APPSRV match application junos-http
set security policies from-zone DMZ to-zone IPLAN policy permit-APPSRV match application junos-https
set security policies from-zone DMZ to-zone IPLAN policy permit-APPSRV match application junos-ping
set security policies from-zone DMZ to-zone IPLAN policy permit-APPSRV then permit
### DNAT OpenVPN to PROXY
# Set custom app
set applications application custom-ovpn term UDP protocol udp
set applications application custom-ovpn term UDP destination-port 1194
# DNAT Pool (the pool address and its port belong to a single statement)
set security nat destination pool DNATPOOL-PROXY-OVPN address 172.16.0.253/32 port 1194
# DNAT rule: PROXY is published on TASA/200.55.93.212 in the requirements
set security nat destination rule-set DNAT-FROM-TASA from zone TASA
set security nat destination rule-set DNAT-FROM-TASA rule R-PROXY-OVPN match destination-address 200.55.93.212/32
set security nat destination rule-set DNAT-FROM-TASA rule R-PROXY-OVPN match destination-port 1194
set security nat destination rule-set DNAT-FROM-TASA rule R-PROXY-OVPN match protocol udp
set security nat destination rule-set DNAT-FROM-TASA rule R-PROXY-OVPN then destination-nat pool DNATPOOL-PROXY-OVPN
# Security policy: one policy per server and service, so this OpenVPN permit does not merge with the HTTP one
set security policies from-zone TASA to-zone DMZ policy TASA-to-PROXY-OVPN match source-address any
set security policies from-zone TASA to-zone DMZ policy TASA-to-PROXY-OVPN match destination-address PROXY
set security policies from-zone TASA to-zone DMZ policy TASA-to-PROXY-OVPN match application custom-ovpn
set security policies from-zone TASA to-zone DMZ policy TASA-to-PROXY-OVPN then permit
### DNAT HTTP to WEBSRV
# DNAT Pool
set security nat destination pool DNATPOOL-WEBSRV address 172.16.0.1/32 port 80
# DNAT rule: WEBSRV is published on TASA/200.55.93.210 in the requirements
set security nat destination rule-set DNAT-FROM-TASA from zone TASA
set security nat destination rule-set DNAT-FROM-TASA rule R-WEBSRV match destination-address 200.55.93.210/32
set security nat destination rule-set DNAT-FROM-TASA rule R-WEBSRV match destination-port 80
set security nat destination rule-set DNAT-FROM-TASA rule R-WEBSRV match protocol tcp
set security nat destination rule-set DNAT-FROM-TASA rule R-WEBSRV then destination-nat pool DNATPOOL-WEBSRV
# Security policy (separate name from the OpenVPN policy so only HTTP reaches WEBSRV)
set security policies from-zone TASA to-zone DMZ policy TASA-to-WEBSRV-HTTP match source-address any
set security policies from-zone TASA to-zone DMZ policy TASA-to-WEBSRV-HTTP match destination-address WEBSRV
set security policies from-zone TASA to-zone DMZ policy TASA-to-WEBSRV-HTTP match application junos-http
set security policies from-zone TASA to-zone DMZ policy TASA-to-WEBSRV-HTTP then permit
### DNAT HTTP to APPSRV
# DNAT Pool (the address-book entry APPSRV is 172.16.0.57/32; the pool must point at the same host)
set security nat destination pool DNATPOOL-APPSRV address 172.16.0.56/32 port 80
# DNAT rule
set security nat destination rule-set DNAT-FROM-IPLAN from zone IPLAN
set security nat destination rule-set DNAT-FROM-IPLAN rule R-APPSRV match destination-address 200.61.125.222/32
set security nat destination rule-set DNAT-FROM-IPLAN rule R-APPSRV match destination-port 80
set security nat destination rule-set DNAT-FROM-IPLAN rule R-APPSRV match protocol tcp
set security nat destination rule-set DNAT-FROM-IPLAN rule R-APPSRV then destination-nat pool DNATPOOL-APPSRV
# Security policy: the destination must be APPSRV, the host the DNAT pool translates to
set security policies from-zone IPLAN to-zone DMZ policy IPLAN-to-APPSRV-HTTP match source-address any
set security policies from-zone IPLAN to-zone DMZ policy IPLAN-to-APPSRV-HTTP match destination-address APPSRV
set security policies from-zone IPLAN to-zone DMZ policy IPLAN-to-APPSRV-HTTP match application junos-http
set security policies from-zone IPLAN to-zone DMZ policy IPLAN-to-APPSRV-HTTP then permit
(...)
------------------------------- AND OTHER RULES -----------------------------------
What should I do? I was reading about Virtual Router and Routing Instances with FBF, but I'm not sure what I should do!
Thanks for the help!
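Before touching routing instances or FBF, it is worth checking mechanically that the NAT rules already in place agree with the requirements table, because several of the mismatches in a configuration this size are simple host/pool mix-ups rather than routing problems. The script below is an added example, not part of the original post and not a Juniper tool: it parses Junos `set` lines, resolves each source-NAT rule to the DMZ host it covers (via the zone address book) and to the public address its pool maps to, and compares that with the requirements. The embedded configuration is a constructed subset that reproduces two of the discrepancies visible in the post: the REVERSO rule using pool IP211 instead of IP213, and the APPSRV rule matching 172.16.0.56 while the address book has 172.16.0.57. The requirements dictionary and the three finding categories are the example's own.

```python
"""Consistency check of Junos source-NAT 'set' configuration against an
egress-address requirements table (added example, not from the post)."""
import re

# Constructed subset of the posted configuration (not a live device).
SAMPLE_CONFIG = """\
set security zones security-zone DMZ address-book address APPSRV 172.16.0.57/32
set security zones security-zone DMZ address-book address PROXY 172.16.0.253/32
set security zones security-zone DMZ address-book address WEBSRV 172.16.0.1/32
set security zones security-zone DMZ address-book address REVERSO 172.16.0.250/32
set security zones security-zone DMZ address-book address RELAY 172.16.0.251/32
set security nat source pool IP211 address 200.55.93.211/32
set security nat source pool IP212 address 200.55.93.212/32
set security nat source pool IP213 address 200.55.93.213/32
set security nat source pool IP222 address 200.61.125.222/32
set security nat source rule-set DMZ-to-TASA from zone DMZ
set security nat source rule-set DMZ-to-TASA to zone TASA
set security nat source rule-set DMZ-to-TASA rule R-IP211 match source-address 172.16.0.250/32
set security nat source rule-set DMZ-to-TASA rule R-IP211 then source-nat pool IP211
set security nat source rule-set DMZ-to-TASA rule R-IP212 match source-address 172.16.0.253/32
set security nat source rule-set DMZ-to-TASA rule R-IP212 then source-nat pool IP212
set security nat source rule-set DMZ-to-IPLAN from zone DMZ
set security nat source rule-set DMZ-to-IPLAN to zone IPLAN
set security nat source rule-set DMZ-to-IPLAN rule R-IP222 match source-address 172.16.0.56/32
set security nat source rule-set DMZ-to-IPLAN rule R-IP222 then source-nat pool IP222
"""

# Requirements as stated in the post: host -> {egress zone: public source address}.
REQUIREMENTS = {
    "WEBSRV":  {"TASA": "200.55.93.210", "IPLAN": "200.61.125.149"},
    "RELAY":   {"TASA": "200.55.93.211", "IPLAN": "200.61.125.153"},
    "PROXY":   {"TASA": "200.55.93.212", "IPLAN": "200.61.125.154"},
    "REVERSO": {"TASA": "200.55.93.213", "IPLAN": "200.61.125.156"},
    "APPSRV":  {"IPLAN": "200.61.125.222"},
}

# One pattern per 'set' statement of interest; every other line is ignored.
PATTERNS = {
    "addr":  re.compile(r"^set security zones security-zone \S+ address-book address (\S+) (\S+)$"),
    "pool":  re.compile(r"^set security nat source pool (\S+) address (\S+)$"),
    "to":    re.compile(r"^set security nat source rule-set (\S+) to zone (\S+)$"),
    "src":   re.compile(r"^set security nat source rule-set (\S+) rule (\S+) match source-address (\S+)$"),
    "rpool": re.compile(r"^set security nat source rule-set (\S+) rule (\S+) then source-nat pool (\S+)$"),
}


def parse_config(text):
    """Collect address book, pools, rule-set egress zones and rule bodies.
    Prefix lengths are dropped: this config only uses host (/32) entries."""
    cfg = {"addr_book": {}, "pools": {}, "rs_to_zone": {}, "rule_src": {}, "rule_pool": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := PATTERNS["addr"].match(line):
            cfg["addr_book"][m[1]] = m[2].split("/")[0]
        elif m := PATTERNS["pool"].match(line):
            cfg["pools"][m[1]] = m[2].split("/")[0]
        elif m := PATTERNS["to"].match(line):
            cfg["rs_to_zone"][m[1]] = m[2]
        elif m := PATTERNS["src"].match(line):
            cfg["rule_src"][(m[1], m[2])] = m[3].split("/")[0]
        elif m := PATTERNS["rpool"].match(line):
            cfg["rule_pool"][(m[1], m[2])] = m[3]
    return cfg


def check_source_nat(text, requirements):
    """Return {'wrong': [(host, zone, actual, expected)],
               'unknown_source': [(rule_set, rule, src_ip)],
               'missing': [(host, zone, expected)]}.
    'expected' is None when the host must not egress via that zone at all."""
    cfg = parse_config(text)
    ip_to_host = {ip: name for name, ip in cfg["addr_book"].items()}
    findings = {"wrong": [], "unknown_source": [], "missing": []}
    covered = set()
    for (rule_set, rule), src_ip in cfg["rule_src"].items():
        host = ip_to_host.get(src_ip)
        if host is None:  # rule matches an IP no address-book entry names
            findings["unknown_source"].append((rule_set, rule, src_ip))
            continue
        zone = cfg["rs_to_zone"].get(rule_set)
        actual = cfg["pools"].get(cfg["rule_pool"].get((rule_set, rule)))
        expected = requirements.get(host, {}).get(zone)
        covered.add((host, zone))
        if actual != expected:
            findings["wrong"].append((host, zone, actual, expected))
    for host, per_zone in requirements.items():  # required paths nobody provides
        for zone, expected in per_zone.items():
            if (host, zone) not in covered:
                findings["missing"].append((host, zone, expected))
    return findings


if __name__ == "__main__":
    for kind, items in check_source_nat(SAMPLE_CONFIG, REQUIREMENTS).items():
        for item in items:
            print(f"{kind:15s} {item}")
```

On the constructed subset the check reports REVERSO egressing via TASA as 200.55.93.211 where 200.55.93.213 is required, flags rule R-IP222 because 172.16.0.56 is not an address-book host, and lists every required path that has no rule yet (all of the IPLAN failover rules among them). Paste the full `show configuration | display set` output into `SAMPLE_CONFIG` to run it against the real box; the same pattern extends to destination NAT by matching the `destination rule-set` and `destination pool` statements instead.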