This article contains a sample configuration for J-Series and SRX Branch devices with a dual-ISP connection. It provides ISP failover without dynamic routing protocols such as OSPF or BGP. Note that the failover shown here is driven purely by the state of the ISP1 interface (link down): nothing in this configuration probes upstream reachability, so an ISP1 outage that leaves the link up will not trigger a switch to ISP2 unless RPM/IP monitoring is added.
Topology Assumptions
Trust zone network is 192.168.1.0/24 on ge-0/0/0
DMZ zone network is 10.10.10.0/24 on ge-0/0/1
ISP1 zone network is 1.1.1.0/29 on fe-0/0/6
ISP2 zone network is 2.2.2.0/29 on fe-0/0/7
(These ISP addresses are placeholders. 1.1.1.0/29 and 2.2.2.0/29 — and the gateways 1.1.1.1 / 2.2.2.1 used in the configuration below — are real, publicly routed address space, so substitute the addresses actually assigned by your ISPs rather than copying them; RFC 5737 documentation ranges such as 192.0.2.0/24 and 198.51.100.0/24 are the appropriate choice for write-ups.)
Note: ISP1 is in the default routing instance (inet.0). ISP2 is in the ISP2 routing instance (ISP2.inet.0).
Requirements
- Trust and DMZ zones should egress out ISP1 with source-nat.
- If ISP1 interface goes down, then Trust and DMZ zones should egress out ISP2 instead with source-nat.
- If ISP1 interface returns, then Trust and DMZ zones should revert back to using ISP1 again.
- ISP1 must provide destination NAT for the web server in the Trust zone and the mail server in the DMZ zone. (The web server is placed in Trust only because this scenario calls for it; an Internet-reachable server normally belongs in the DMZ so that a compromise of that host does not land directly on the internal network.)
- ISP2 also has destination NAT for same web and mail servers.
- When both ISPs are up, destination NAT addresses should be available from both ISPs for both web and mail servers.
This is possible using a combination of multiple routing instances with filter-based forwarding and a qualified-next-hop on the default route. Below is a sample working configuration for the above scenario. The security policies in the sample are deliberately permissive (any/any/any between Trust and DMZ, and for all outbound traffic) and the inside zones open all system services to the firewall itself, in order to keep the example short; tighten both before using this as a template in production.
/*
 * Dual-ISP sample for SRX Branch / J-Series.
 *   ISP1: fe-0/0/6, default routing instance (inet.0), primary.
 *   ISP2: fe-0/0/7, routing instance ISP2, backup.
 *   Inside: ge-0/0/0 (trust) and ge-0/0/1 (dmz) in routing instance INSIDE.
 * Failover is static: the qualified-next-hop on the default route
 * (preference 10) becomes active only when the preferred next hop is
 * withdrawn, i.e. when the ISP1 link goes down. No RPM / ip-monitoring
 * is configured, so an upstream ISP1 outage with the link still up is
 * not detected by this configuration alone.
 */
interfaces {
    /* Inside-facing interfaces; both belong to the INSIDE virtual router below. */
    ge-0/0/0 { unit 0 { family inet { address 192.168.1.254/24; } } }
    ge-0/0/1 { unit 0 { family inet { address 10.10.10.254/24; } } }
    /* ISP-facing interfaces. The input filters isp1-in / isp2-in are used
       for filter-based forwarding only and accept everything (see the
       firewall stanza); they provide no ingress access control.
       NOTE(review): consider an ingress term on each ISP filter that
       discards packets sourced from 192.168.1.0/24, 10.10.10.0/24 or
       other internal/RFC1918 space arriving from the Internet side. */
    fe-0/0/6 { unit 0 { family inet { filter { input isp1-in; } address 1.1.1.2/29; } } }
    fe-0/0/7 { unit 0 { family inet { filter { input isp2-in; } address 2.2.2.2/29; } } }
}
routing-options {
    /* Share inet.0's direct (interface) routes into every table listed
       in rib-group 'inside', so each instance can resolve next hops that
       live on another instance's interface (e.g. ISP2.inet.0 resolving 1.1.1.1). */
    interface-routes { rib-group inet inside; }
    static {
        /* Primary default via ISP1 (static preference 5). The qualified
           next hop via ISP2 at preference 10 is only used while 1.1.1.1 is
           unresolvable, which happens when fe-0/0/6 is down; once the ISP1
           link returns the route via 1.1.1.1 is preferred again. */
        route 0.0.0.0/0 { next-hop 1.1.1.1; qualified-next-hop 2.2.2.1 { preference 10; } }
    }
    rib-groups { inside { import-rib [ inet.0 TRUST-VRF.inet.0 INSIDE.inet.0 ISP2.inet.0 ]; } }
}
security {
    nat {
        source {
            /* Hide-NAT everything leaving INSIDE toward either ISP behind the
               egress interface address. Listing both destination instances
               means the same rule applies before and after failover. */
            rule-set interface-nat-out {
                from routing-instance INSIDE;
                to routing-instance [ ISP2 default ];
                rule interface-nat-out {
                    match { source-address 0.0.0.0/0; destination-address 0.0.0.0/0; }
                    then { source-nat { interface; } }
                }
            }
        }
        destination {
            /* Static DNAT of the public service addresses (1.1.1.5 on ISP1,
               2.2.2.5 on ISP2) to the real servers. Only TCP/80 and TCP/25 are
               translated; other ports on the public addresses are not
               reachable. Both ISP rule-sets use the same pools, so each server
               is reachable through both ISPs at the same time. */
            pool web-server-trust { address 192.168.1.5/32 port 80; }
            pool mail-server-dmz { address 10.10.10.5/32 port 25; }
            rule-set isp1-to-trust {
                from interface fe-0/0/6.0;
                rule isp1-http-in { match { source-address 0.0.0.0/0; destination-address 1.1.1.5/32; destination-port 80; } then { destination-nat pool web-server-trust; } }
                rule isp1-mail-in { match { source-address 0.0.0.0/0; destination-address 1.1.1.5/32; destination-port 25; } then { destination-nat pool mail-server-dmz; } }
            }
            /* Name is historical: isp2-http-in also targets the trust web server. */
            rule-set isp2-to-dmz {
                from interface fe-0/0/7.0;
                rule isp2-http-in { match { source-address 0.0.0.0/0; destination-address 2.2.2.5/32; destination-port 80; } then { destination-nat pool web-server-trust; } }
                rule isp2-mail-in { match { source-address 0.0.0.0/0; destination-address 2.2.2.5/32; destination-port 25; } then { destination-nat pool mail-server-dmz; } }
            }
        }
        /* 1.1.1.5 and 2.2.2.5 are not configured on the interfaces, so the
           SRX must answer ARP for them on behalf of the DNAT pools. */
        proxy-arp {
            interface fe-0/0/6.0 { address { 1.1.1.5/32; } }
            interface fe-0/0/7.0 { address { 2.2.2.5/32; } }
        }
    }
    zones {
        /* NOTE(review): 'system-services all' lets every host in the trust
           and dmz zones reach every management/control service of the
           firewall itself (ssh, telnet, http, netconf, ...). For a DMZ that
           hosts an Internet-facing mail server this is far too broad —
           restrict it to the services the zone actually needs. */
        security-zone trust {
            address-book { address web-server 192.168.1.5/32; }
            interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { all; } } } }
        }
        security-zone dmz {
            address-book { address mail-server 10.10.10.5/32; }
            interfaces { ge-0/0/1.0 { host-inbound-traffic { system-services { all; } } } }
        }
        /* NOTE(review): ssh, https and ping are opened toward the Internet on
           both ISP interfaces. Unless remote management from the ISP side is
           really required, drop ssh/https here and manage from trust, or at
           least restrict the permitted source addresses with a firewall
           filter on lo0. */
        security-zone isp1 { interfaces { fe-0/0/6.0 { host-inbound-traffic { system-services { ssh; https; ping; } } } } }
        security-zone isp2 { interfaces { fe-0/0/7.0 { host-inbound-traffic { system-services { ssh; https; ping; } } } } }
    }
    policies {
        /* NOTE(review): the trust<->dmz and all outbound policies are
           any/any/any for brevity. allow-dmz-to-trust in particular lets a
           compromised mail server reach the entire internal network; restrict
           it to the specific flows the DMZ hosts need. None of the permit
           rules log ('log session-close'), so there is no audit trail for
           the inbound service traffic. Everything not listed is expected to
           hit the SRX default deny policy (not shown). */
        from-zone trust to-zone dmz { policy allow-trust-to-dmz { match { source-address any; destination-address any; application any; } then { permit; } } }
        from-zone trust to-zone isp1 { policy allow-trust-out-isp1 { match { source-address any; destination-address any; application any; } then { permit; } } }
        from-zone trust to-zone isp2 { policy allow-trust-out-isp2 { match { source-address any; destination-address any; application any; } then { permit; } } }
        from-zone dmz to-zone trust { policy allow-dmz-to-trust { match { source-address any; destination-address any; application any; } then { permit; } } }
        from-zone dmz to-zone isp1 { policy allow-dmz-out-isp1 { match { source-address any; destination-address any; application any; } then { permit; } } }
        from-zone dmz to-zone isp2 { policy allow-dmz-out-isp2 { match { source-address any; destination-address any; application any; } then { permit; } } }
        /* Inbound service policies. Policy lookup happens after destination
           NAT, so these match the real server addresses from the zone
           address books, not 1.1.1.5 / 2.2.2.5, and are limited to the
           translated applications only. */
        from-zone isp1 to-zone trust { policy isp1-http-incoming { match { source-address any; destination-address web-server; application junos-http; } then { permit; } } }
        from-zone isp1 to-zone dmz { policy isp1-mail-incoming { match { source-address any; destination-address mail-server; application junos-mail; } then { permit; } } }
        from-zone isp2 to-zone trust { policy isp2-http-incoming { match { source-address any; destination-address web-server; application junos-http; } then { permit; } } }
        from-zone isp2 to-zone dmz { policy isp2-mail-incoming { match { source-address any; destination-address mail-server; application junos-mail; } then { permit; } } }
    }
}
firewall {
    /* Filter-based forwarding: packets arriving from an ISP that are
       addressed to that ISP's own subnet (which covers the DNAT public
       addresses 1.1.1.5 / 2.2.2.5) are looked up in TRUST-VRF. 'term 2'
       accepts everything else unchanged — these filters do no access
       control. */
    filter isp1-in {
        term 1 { from { destination-address { 1.1.1.0/29; } } then { routing-instance TRUST-VRF; } }
        term 2 { then { accept; } }
    }
    filter isp2-in {
        term 1 { from { destination-address { 2.2.2.0/29; } } then { routing-instance TRUST-VRF; } }
        term 2 { then { accept; } }
    }
}
routing-instances {
    /* TRUST-VRF is a forwarding-only table used as the FBF target for
       DNAT'd inbound traffic. Its statics point at 192.168.1.1 /
       10.10.10.1, not at this device's own .254 addresses.
       NOTE(review): rib-group 'inside' also imports the direct routes for
       both subnets into TRUST-VRF.inet.0, and direct routes should win over
       these statics by preference — confirm with
       'show route table TRUST-VRF.inet.0' which route is actually active
       before relying on the static next hops. */
    TRUST-VRF {
        instance-type forwarding;
        routing-options { static { route 192.168.1.0/24 next-hop 192.168.1.1; route 10.10.10.0/24 next-hop 10.10.10.1; } }
    }
    /* INSIDE holds both inside interfaces. Its only exit is the default
       route via next-table inet.0, so egress always follows whichever ISP
       the inet.0 default currently resolves to (ISP1, or ISP2 after failover). */
    INSIDE {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        interface ge-0/0/1.0;
        routing-options { interface-routes { rib-group inet inside; } static { route 0.0.0.0/0 next-table inet.0; } }
    }
    /* ISP2 is the table consulted for packets entering on fe-0/0/7. Its
       default mirrors inet.0 with the preference reversed: prefer the ISP2
       gateway and fall back to 1.1.1.1, which resolves through the direct
       route imported by rib-group 'inside'. */
    ISP2 {
        instance-type virtual-router;
        interface fe-0/0/7.0;
        routing-options { interface-routes { rib-group inet inside; } static { route 0.0.0.0/0 { next-hop 2.2.2.1; qualified-next-hop 1.1.1.1 { preference 10; } } } }
    }
}