Juniper SRX – How to configure Filter Based Forwarding on SRX for a typical dual-ISP scenario

http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223

interfaces {
    ge-0/0/0 {
        unit 0 {
            description Internal_LAN;
            family inet {
                filter {
                    input FILTER1;
                }
                address 172.30.72.253/23;
            }
        }
    }
    fe-0/0/2 {
        unit 0 {
            description ISP1;
            family inet {
                address 10.1.1.1/24;
            }
        }
    }
    fe-0/0/3 {
        unit 0 {
            description ISP2;
            family inet {
                address 10.2.2.1/24;    
            }
        }
    }
}


routing-options {
    interface-routes {
        rib-group inet IMPORT-PHY;
    }
    static {
        route 0.0.0.0/0 next-hop [ 10.1.1.2 10.2.2.2 ];
    }
    rib-groups {
        IMPORT-PHY {
            import-rib [ inet.0 routing-table-ISP1.inet.0 routing-table-ISP2.inet.0 ];
        }
    }
}

##### This is the filter that decides which traffic is sent to which ISP

firewall {
    filter FILTER1 {                      
        term TERM1 {
            from {
                destination-port [ 22 3389 8080 ];
            }
            then {
                routing-instance routing-table-ISP2;
            }
        }
        term default {
            then {
                routing-instance routing-table-ISP1;
            }
        }
    }
}

routing-instances {
    routing-table-ISP1 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 10.1.1.2;
                    qualified-next-hop 10.2.2.2 {
                        preference 100;
                    }
                }
            }
        }
    }
    routing-table-ISP2 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 10.2.2.2;
                    qualified-next-hop 10.1.1.2 {
                        preference 100;
                    }                   
                }
            }
        }
    }
}
security {
    nat {
        source {
            rule-set OUTGOING {
                from zone trust;
                to zone untrust;
                rule rule1 {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }

    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {       
                    all;
                }
            }
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            interfaces {
                fe-0/0/2.0;
                fe-0/0/3.0;
            }
        }
    }

    policies {
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}

The configuration can be verified as follows: two kinds of traffic are sent and the session table is checked to confirm each is routed as expected. Traffic with destination port 22, 3389 or 8080 should leave via ISP2 (fe-0/0/3.0); everything else leaves via ISP1 (fe-0/0/2.0).

    • An internal host (172.30.73.129) opens an SSH (port 22) session to 4.4.4.4 (an internet IP address).

The resulting security flow session created on the SRX:

root@srx210> show security flow session destination-port 22
Session ID: 4336, Policy name: default-permit/5, Timeout: 1784
In: 172.30.73.129/45893 --> 4.4.4.4/22;tcp, If: ge-0/0/0.0
Out: 4.4.4.4/22 --> 10.2.2.1/7523;tcp, If: fe-0/0/3.0

===> Correct

    • An internal host (172.30.73.129) opens a telnet (port 23) session to 4.4.4.4 (an internet IP address).

The resulting security flow session created on the SRX:

root@srx210> show security flow session destination-port 23
Session ID: 4380, Policy name: default-permit/5, Timeout: 1768
In: 172.30.73.129/36448 --> 4.4.4.4/23;tcp, If: ge-0/0/0.0
Out: 4.4.4.4/23 --> 10.1.1.1/8481;tcp, If: fe-0/0/2.0

===> Correct
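Checking two sessions by eye is fine for a KB article, but on a busy box it is easier to feed the whole session table through a script that applies the same rule FILTER1 encodes. The following is an added example, not part of the KB or the blog post: it parses constructed lines in the shape of the "show security flow session" output above (the first two sessions are copied from the page, the third is constructed to show a mismatch) and flags any session whose egress interface does not match the ISP the filter should have chosen.

```python
import re

# Constructed sample in the shape of "show security flow session" output.
# Sessions 4336 and 4380 mirror the page; 4401 is a deliberate mismatch
# (port 8080 should leave via ISP2 / fe-0/0/3.0, not fe-0/0/2.0).
SAMPLE_SESSIONS = """\
Session ID: 4336, Policy name: default-permit/5, Timeout: 1784
In: 172.30.73.129/45893 --> 4.4.4.4/22;tcp, If: ge-0/0/0.0
Out: 4.4.4.4/22 --> 10.2.2.1/7523;tcp, If: fe-0/0/3.0
Session ID: 4380, Policy name: default-permit/5, Timeout: 1768
In: 172.30.73.129/36448 --> 4.4.4.4/23;tcp, If: ge-0/0/0.0
Out: 4.4.4.4/23 --> 10.1.1.1/8481;tcp, If: fe-0/0/2.0
Session ID: 4401, Policy name: default-permit/5, Timeout: 1790
In: 172.30.73.130/51020 --> 4.4.4.4/8080;tcp, If: ge-0/0/0.0
Out: 4.4.4.4/8080 --> 10.1.1.1/9001;tcp, If: fe-0/0/2.0
"""

# Mirrors FILTER1: TERM1 sends these ports to routing-table-ISP2, the
# default term sends everything else to routing-table-ISP1.
ISP2_PORTS = {22, 3389, 8080}
ISP_EGRESS = {"ISP1": "fe-0/0/2.0", "ISP2": "fe-0/0/3.0"}

IN_RE = re.compile(r"^In: \S+/\d+ --> (?P<dst>\S+)/(?P<dport>\d+);(?P<proto>\w+), If: (?P<ifl>\S+)")
OUT_RE = re.compile(r"^Out: \S+ --> \S+, If: (?P<ifl>\S+)")

def expected_isp(dport):
    """Apply the FBF filter logic to a destination port."""
    return "ISP2" if dport in ISP2_PORTS else "ISP1"

def parse_sessions(text):
    """Return a list of (session_id, dport, egress_ifl) tuples from CLI output."""
    sessions, sid, dport = [], None, None
    for line in text.splitlines():
        if line.startswith("Session ID:"):
            sid = int(line.split(",")[0].split(":")[1])
            continue
        m = IN_RE.match(line)
        if m:
            dport = int(m["dport"])
            continue
        m = OUT_RE.match(line)
        if m:
            sessions.append((sid, dport, m["ifl"]))
    return sessions

def check_fbf(text):
    """Return (session_id, dport, expected_ifl, actual_ifl) for every session that left via the wrong ISP."""
    bad = []
    for sid, dport, out_ifl in parse_sessions(text):
        want = ISP_EGRESS[expected_isp(dport)]
        if out_ifl != want:
            bad.append((sid, dport, want, out_ifl))
    return bad

if __name__ == "__main__":
    for sid, dport, want, got in check_fbf(SAMPLE_SESSIONS):
        print(f"session {sid}: dport {dport} left via {got}, expected {want}")
```

On a real device the text would come from the output of "show security flow session" (for example via NETCONF or a pasted capture); the port list and interface map are the only parts that change if FILTER1 or the ISP interfaces do.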
