
Configuration Destination NAT with 2 ISP


Hello, I have the following scenario:


Juniper SRX110
I have 2 internet links with fixed IPs: ISP1 189.x.x.x and ISP2 187.x.x.x
2 different subnets (Data1) 192.168.1.x (Data2) 192.168.2.x
The Data1 network is required to exit through ISP1 and Data2 through ISP2.

The problem is that the destination NAT "HTTPS (443)" stops working once I set up the rib-group; everything else works correctly.
Any solution for this?


My configuration is as follows:


## Last changed: 2017-03-15 16:51:50 GMT
version 12.1X44-D35.5;
/* NOTE(review): the "system {" line that opens this hierarchy is missing from the paste; services, syslog, the flash/rollback limits and license all live under it, and the otherwise unmatched "}" below closes it. */
    services {
        ssh;
        /* NOTE(review): telnet is a cleartext management protocol and ssh/https are already enabled; this service (together with the telnet host-inbound entry on fe-0/0/1.0 further down) is a candidate for removal. */
        telnet;
        web-management {
            https {
                port 9443;
                /* system-generated-certificate is self-signed, so clients cannot validate the device identity; fine for a trusted management LAN only. */
                system-generated-certificate;
            }
            session {
                idle-timeout 60;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* Only critical-and-above messages (plus authorization info) are kept in the local messages file; no security/session logging is configured anywhere in this listing. */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
interfaces {
    fe-0/0/0 {
        /* ISP1 uplink (zone Internet, description METROCARRIER); assigned to routing-instance ISP1 at the bottom of the file. */
        unit 0 {
            family inet {
                address 189.x.x.170/28;
            }
        }
    }
    fe-0/0/1 {
        /* Data1 LAN (zone REDVERACRUZ). Every destination-NAT pool below points at a host on this subnet, and the interface belongs to routing-instance ISP1. */
        unit 0 {
            family inet {
                address 192.168.1.252/24;
            }
        }
    }
    fe-0/0/2 {
        /* Data2 LAN (zone REDVERACRUZ2); assigned to routing-instance ISP2. */
        unit 0 {
            family inet {
                address 192.168.2.252/24;
            }
        }
    }
    fe-0/0/7 {
        /* ISP2 uplink (zone INTERNET2, description TELMEX); assigned to routing-instance ISP2. */
        unit 0 {
            family inet {
                address 187.x.x.194/28;
            }
        }
    }
}
routing-options {
    static {
        /* NOTE(review): this default route sits in inet.0 (the global table), yet both next-hops are reached through interfaces that are moved into the ISP1/ISP2 virtual routers below, so in inet.0 it is presumably unresolvable -- check with "show route table inet.0". */
        route 0.0.0.0/0 {
            next-hop [ 189.x.x.169 187.x.x.193 ];
            qualified-next-hop 187.x.x.193;
        }
    }
    rib-groups {
        /* Leaks interface routes between the two virtual routers (presumably so Data1 and Data2 can reach each other). inet.0 is NOT in the import list, which matters for every destination-NAT pool below that says "routing-instance default". */
        ISP1-ISP2 {
            import-rib [ ISP1.inet.0 ISP2.inet.0 ];
        }
    }
}
protocols {
    stp;
}
security {
    screen {
        /* NOTE(review): this screen profile is defined but no security-zone in this listing references it (no "screen untrust-screen;" under Internet or INTERNET2), so none of these checks are actually applied to the uplinks. */
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Interface-based source NAT for each LAN towards its own ISP. NOTE(review): the policies REDVERACRUZ->INTERNET2 and REDVERACRUZ2->Internet further down permit cross-ISP traffic, but no source-NAT rule-set covers those zone pairs, so such traffic would leave with a private source address -- verify whether those paths are ever used. */
            rule-set nsw_srcnat {
                from zone REDVERACRUZ;
                to zone Internet;
                rule nsw-src-interface {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set ISP2 {
                from zone REDVERACRUZ2;
                to zone INTERNET2;
                rule ISP2 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            /* NOTE(review): pools that carry "routing-instance default" resolve the translated address in inet.0; pools without the statement are presumably resolved in the routing instance of the ingress interface (ISP1 for fe-0/0/0.0) -- confirm against the Junos documentation for this release. The servers sit behind fe-0/0/1.0, which belongs to routing-instance ISP1, and the rib-group above does not import into inet.0. "show route table inet.0 192.168.1.38/32" is the first thing to check for the broken HTTPS rule. */
            /* NOTE(review): this pool is not referenced by any destination-NAT rule in this listing (rule Rule_Mail uses pool MAIL, which has the same address and port), so it is dead configuration. */
            pool Barracuda {
                routing-instance {
                    default;
                }
                address 192.168.1.20/32 port 25;
            }
            pool HTTP80 {
                description "HTTP(80)";
                address 192.168.1.3/32 port 80;
            }
            pool Cliente_Citrix {
                address 192.168.1.3/32 port 1494;
            }
            pool ODRSAAM {
                address 192.168.1.30/32 port 8900;
            }
            /* Same target as pool SMTP587 below; see the shadowed-rule note on rule Rule_SMTP587. */
            pool SMTP-OUT {
                address 192.168.1.20/32 port 587;
            }
            pool HTTP8080 {
                description "HTTP(8080)  ";
                address 192.168.1.30/32 port 8080;
            }
            pool WebInsyc {
                routing-instance {
                    default;
                }
                address 192.168.1.29/32 port 442;
            }
            pool Insync_srv {
                address 192.168.1.21/32 port 6065;
            }
            pool MAIL {
                description "MAIL(25) ";
                routing-instance {
                    default;
                }
                address 192.168.1.20/32 port 25;
            }
            pool POP3 {
                description "POP3(110)";
                address 192.168.1.20/32 port 110;
            }
            pool Escritorio_Remoto {
                address 192.168.1.29/32 port 3389;
            }
            /* Same target as pool EXCHANGEIMAPSSL below; see the shadowed-rule note on rule Rule_ExchangeIMAPSSL. */
            pool IMAP-SECUR {
                address 192.168.1.20/32 port 993;
            }
            /* NOTE(review): this is the pool behind the rule the post reports as broken after the rib-group was added. It is pinned to the default instance (inet.0); HTTP80, which has no routing-instance statement, is reported as working. Removing the routing-instance statement, or pointing it at ISP1, is the first thing to try -- but the post also reports other pools with the same statement as working, so confirm with the route lookup above before concluding. */
            pool HTTPS {
                description "HTTPS(443)";
                routing-instance {
                    default;
                }
                address 192.168.1.38/32 port 443;
            }
            pool EXCHANGE {
                description "MAIL(4443)";
                routing-instance {
                    default;
                }
                address 192.168.1.20/32 port 4443;
            }
            pool EXCHANGEIMAP {
                description "EXCHANGEIMAP(143)";
                address 192.168.1.20/32 port 143;
            }
            pool EXCHANGEIMAPSSL {
                description "EXCHANGEIMAPSSL(993)";
                routing-instance {
                    default;
                }
                address 192.168.1.20/32 port 993;
            }
            pool SMTP587 {
                description "SMTP(587)";
                address 192.168.1.20/32 port 587;
            }
            pool FTP21 {
                description "Srvcitrix FTP";
                routing-instance {
                    default;
                }
                address 192.168.1.3/32 port 21;
            }
            /* Inbound port-forwarding rules on the ISP1 public address. Rules are evaluated top-down, first match wins. NOTE(review): the translated destinations 192.168.1.29 and 192.168.1.21 are not in the destination-address list of the Internet->REDVERACRUZ policy, so unless a policy outside this listing permits them, the WebInsync, Insync and Escritorio_Remoto rules translate traffic that is then dropped. */
            rule-set VIPs {
                description "Regla para Vips";
                from zone Internet;
                rule Rule_IMAP-Secure {
                    description "IMAP-SECURE 993";
                    match {
                        destination-address 189.x.x.170/32;
                        destination-port 993;
                    }
                    then {
                        destination-nat pool IMAP-SECUR;
                    }
                }
                rule Rule_ODRSAAM {
                    match {
                        destination-address 189.x.x.170/32;
                        destination-port 8900;
                    }
                    then {
                        destination-nat pool ODRSAAM;
                    }
                }
                rule Rule_SMTP_OUT {
                    match {
                        destination-address 189.x.x.170/32;
                        destination-port 587;
                    }
                    then {
                        destination-nat pool SMTP-OUT;
                    }
                }
                rule Rule_HTTP_8080 {
                    description "HTTP(8080)";
                    match {
                        /* NOTE(review): from here on the redacted address is written "189.x..x.170" while the first three rules use "189.x.x.170"; presumably the same address, but verify the live configuration has no typo. */
                        destination-address 189.x..x.170/32;
                        destination-port 8080;
                    }
                    then {
                        destination-nat pool HTTP8080;
                    }
                }
                rule Rule_WebInsync {
                    match {
                        destination-address 189.x..x.170/32;
                        destination-port 442;
                    }
                    then {
                        destination-nat pool WebInsyc;
                    }
                }
                rule Rule_Insync {
                    description "Insync(srv)";
                    match {
                        destination-address 189.x..x.170/32;
                        destination-port 6065;
                    }
                    then {
                        destination-nat pool Insync_srv;
                    }
                }
                rule Rule_Mail {
                    description "MAIL(25)";
                    match {
                        destination-address 189.x..x.170/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool MAIL;
                    }
                }
                rule Rule_POP3 {
                    description "POP3(110)";
                    match {
                        destination-address 189.x..x.170/32;
                        destination-port 110;
                    }
                    then {
                        destination-nat pool POP3;
                    }
                }
                rule Rule_HTTP {
                    description "HTTP(80)";
                    match {
                        destination-address 189.x..x.170/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool HTTP80;
                    }
                }
                rule Rule_Citrix {
                    description "Cleinte Citrix";
                    match {
                        destination-address 189.x..x.170/32;
                        destination-port 1494;
                    }
                    then {
                        destination-nat pool Cliente_Citrix;
                    }
                }
                /* NOTE(review): this publishes RDP (3389) on the public address; together with the "application any" policy below it deserves a source-address restriction or a VPN instead. */
                rule Rule_Esc_Remoto {
                    description "Escritorio Remoto";
                    match {
                        destination-address 189.x..x.170/32;
                        destination-port 3389;
                    }
                    then {
                        destination-nat pool Escritorio_Remoto;
                    }
                }
                /* The rule the post reports as broken; see the note on pool HTTPS. */
                rule Rule_HTTPS {
                    description "HTTPS(443)";
                    match {
                        destination-address 189.x..x.170/32;
                        destination-port 443;
                    }
                    then {
                        destination-nat pool HTTPS;
                    }
                }
                rule Rule_Exchange {
                    match {
                        destination-address 189.x..x.170/32;
                        destination-port 4443;
                    }
                    then {
                        destination-nat pool EXCHANGE;
                    }
                }
                rule Rule_ExchangeIMAP {
                    match {
                        destination-address 189.x..x.170/32;
                        destination-port 143;
                    }
                    then {
                        destination-nat pool EXCHANGEIMAP;
                    }
                }
                /* NOTE(review): same match (public address, port 993) as Rule_IMAP-Secure above, which is evaluated first, so this rule can never match. */
                rule Rule_ExchangeIMAPSSL {
                    match {
                        destination-address 189.x..x.170/32;
                        destination-port 993;
                    }
                    then {
                        destination-nat pool EXCHANGEIMAPSSL;
                    }
                }
                /* NOTE(review): same match (public address, port 587) as Rule_SMTP_OUT above, so this rule is shadowed as well. */
                rule Rule_SMTP587 {
                    match {
                        destination-address 189.x..x.170/32;
                        destination-port 587;
                    }
                    then {
                        destination-nat pool SMTP587;
                    }
                }
                rule Rule_FTP {
                    description "FTP Srvcitrix";
                    match {
                        destination-address 189.x..x.170/32;
                        destination-port 21;
                    }
                    then {
                        destination-nat pool FTP21;
                    }
                }
            }
        }
    }
    policies {
        from-zone REDVERACRUZ to-zone Internet {
            policy AccesoInternet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* NOTE(review): this is the only policy admitting Internet traffic to the Data1 servers. "application any" permits every port on the listed hosts, not just the destination-NAT'd ones; narrowing it to the published services and adding "log { session-init; session-close; }" would give both least privilege and an audit trail. Server_192.168.1.29 and Server_192.168.1.21 (targets of three NAT rules) are missing from the list, while Server_192.168.1.10 is listed but is the target of no pool. */
        from-zone Internet to-zone REDVERACRUZ {
            policy AccesoInternet {
                match {
                    source-address any;
                    destination-address [ Server_192.168.1.20 Server_192.168.1.30 Server_192.168.1.10 Server_192.168.1.38 Server_192.168.1.3 ];
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone REDVERACRUZ2 to-zone INTERNET2 {
            policy REDVER2 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone REDVERACRUZ to-zone REDVERACRUZ2 {
            policy RED_LOCAL {
                description "COMUNICACION AMBAS REDES";
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone REDVERACRUZ2 to-zone REDVERACRUZ {
            policy RED_LOCAL2 {
                description "COMUNICACION AMBAS REDES";
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Cross-ISP egress (Data1 via ISP2); no source-NAT rule-set covers this zone pair -- see the note under security nat source. */
        from-zone REDVERACRUZ to-zone INTERNET2 {
            policy AccesoInt2 {
                description "Acceso red 1 a internet de Telmex";
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Cross-ISP egress (Data2 via ISP1); same source-NAT gap as above. */
        from-zone REDVERACRUZ2 to-zone Internet {
            policy REDVER1 {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone REDVERACRUZ {
            address-book {
                address LptGama 192.168.1.5/32;
                address Server_192.168.1.20 192.168.1.20/32;
                address Server_192.168.1.30 192.168.1.30/32;
                address Server_192.168.1.21 192.168.1.21/32;
                address Server_192.168.1.3 192.168.1.3/32;
                address Server_192.168.1.7 192.168.1.7/32;
                address Server_192.168.1.10 192.168.1.10/32;
                address Server_192.168.1.29 192.168.1.29/32;
                address Server_192.168.1.38 192.168.1.38/32;
            }
            interfaces {
                fe-0/0/1.0 {
                    host-inbound-traffic {
                        /* NOTE(review): http and telnet are cleartext management channels on the Data1 LAN; https and ssh are already allowed here, so the two cleartext entries can go. */
                        system-services {
                            ping;
                            https;
                            http;
                            ssh;
                            telnet;
                        }
                    }
                }
            }
        }
        security-zone Internet {
            description METROCARRIER;
            interfaces {
                fe-0/0/0.0 {
                    host-inbound-traffic {
                        /* NOTE(review): https and ssh are accepted on the ISP1 public address, i.e. device management is reachable from the Internet with only password authentication visible in this listing. Prefer removing them here and managing from the LAN or over a VPN; if remote management is required, restrict the source addresses that can reach it. */
                        system-services {
                            ping;
                            https;
                            ssh;
                        }
                    }
                }
            }
        }
        security-zone REDVERACRUZ2 {
            interfaces {
                fe-0/0/2.0;
            }
        }
        security-zone INTERNET2 {
            description TELMEX;
            interfaces {
                fe-0/0/7.0 {
                    host-inbound-traffic {
                        /* NOTE(review): web management (https) is also exposed on the ISP2 public address; same recommendation as for fe-0/0/0.0. */
                        system-services {
                            https;
                            ping;
                        }
                    }
                }
            }
        }
    }
}
routing-instances {
    /* ISP1 owns the ISP1 uplink and the Data1 LAN; its default route points at ISP1. Interface routes are exported to the ISP1-ISP2 rib-group so ISP2 can see 192.168.1.0/24. */
    ISP1 {
        instance-type virtual-router;
        interface fe-0/0/0.0;
        interface fe-0/0/1.0;
        routing-options {
            interface-routes {
                rib-group inet ISP1-ISP2;
            }
            static {
                route 0.0.0.0/0 next-hop 189.x.x.169;
            }
        }
    }
    /* ISP2 owns the ISP2 uplink and the Data2 LAN; its default route points at ISP2. */
    ISP2 {
        instance-type virtual-router;
        interface fe-0/0/2.0;
        interface fe-0/0/7.0;
        routing-options {
            interface-routes {
                rib-group inet ISP1-ISP2;
            }
            static {
                route 0.0.0.0/0 next-hop 187.x.x.193;
            }
        }
    }
}


Regards!
Miguel Rodriguez


