set security policies from-zone dmz to-zone dmz policy dmz-dmz match source-address any
set security policies from-zone dmz to-zone dmz policy dmz-dmz match destination-address any
set security policies from-zone dmz to-zone dmz policy dmz-dmz match application any
set security policies from-zone dmz to-zone dmz policy dmz-dmz then permit
set security zones security-zone dmz host-inbound-traffic system-services ping
set security zones security-zone dmz host-inbound-traffic system-services traceroute
set security zones security-zone dmz host-inbound-traffic system-services ssh
set security zones security-zone dmz host-inbound-traffic system-services snmp
set security zones security-zone dmz interfaces reth5.0
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust host-inbound-traffic system-services traceroute
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services snmp
set security zones security-zone untrust interfaces reth7.0
set interfaces reth5 redundant-ether-options redundancy-group 1
set interfaces reth5 unit 0 family inet filter input internet-B-Route-Filter
set interfaces reth5 unit 0 family inet address 192.168.99.1/24
set interfaces reth7 redundant-ether-options redundancy-group 1
set interfaces reth7 unit 0 family inet address 213.121.182.34/27 primary
set interfaces reth7 unit 0 family inet address 81.145.243.158/27
set routing-options interface-routes rib-group inet internet-B-rib
set routing-options static route 0.0.0.0/0 next-hop 213.121.182.33
set routing-options static route 10.21.0.0/16 next-hop 192.168.99.254
set routing-options rib-groups internet-B-rib import-rib inet.0
set routing-options rib-groups internet-B-rib import-rib internet-B.inet.0
set protocols l2-learning global-mode switching
set protocols rstp interface all
set firewall family inet filter internet-B-Route-Filter term 1 from source-address 81.145.243.128/27
set firewall family inet filter internet-B-Route-Filter term 1 then routing-instance internet-B.inet.0
set firewall family inet filter internet-B-Route-Filter term 2 then accept
set routing-instances internet-B.inet.0 routing-options static route 0.0.0.0/0 next-hop 81.145.243.129
Hi there
I am trying to implement a configuration on our SRX340 firewall cluster that will allow me to have the following...
Untrust side - an aggregated interface ae0.0 with 2 IP addresses on the same VLAN: a primary and a secondary address.
Two WAN circuits connected to the untrust side, each with its own public IP range, with an IP from each circuit as the primary/secondary address on the firewall untrust interface.
2 untrust-side destination NATs configured for a single device on the DMZ side, one destination NAT for each WAN circuit IP, depending on which circuit the traffic arrives on based on a round-robin DNS return for the DMZ device.
I'm trying to get the return traffic from the device on the DMZ to source NAT on the way out and, only once that is done, use FBF based on the NATed source IP to route the traffic out to the same circuit it came in on, bearing in mind that each next-hop IP address is on the same VLAN but is a different IP, as described above.
It seems that all traffic is routing via the next hop that the primary IP interface is configured on, but not via the secondary IP interface on that same VLAN.
Could I request some advice on whether this is even possible (filter-based forwarding determined by a source NAT'd address), and whether you can think of any way in which having both of the untrust IP address ranges in the same VLAN may be an issue? They are on the same VLAN because the 2 WAN circuits are running Cisco HSRP between them for both circuits.
I hope this makes some sense to you.
Much appreciated as always on here.
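The following is an added example of the Junos filter-based forwarding pattern the post is attempting, written here as illustration and not taken from the original post or from Juniper documentation. It covers traffic the DMZ host itself sends out towards the untrust zone. Two points differ from the posted configuration. First, a Junos routing instance is named without the `.inet.0` suffix; the RIB `internet-B.inet.0` is created automatically for an instance named `internet-B` with `instance-type forwarding`, and the filter's `then routing-instance` refers to the instance name, not the RIB. Second, stateless firewall filters on an ingress interface are evaluated before the flow module, which is where source NAT happens, so a term on the DMZ interface that matches the public 81.145.243.128/27 range sees only the host's private pre-NAT source and never fires; the example classifies on the private host and pairs that with a source NAT rule keyed on the same host so the packet leaves with the ISP B address that matches the exit the filter chose. The DMZ host address 192.168.99.10, the instance name `internet-B`, the pool name `isp-b-pool` and the term names are assumptions for the example; lines beginning with `#` are explanatory comments, not commands.

```junos
# Added example (not from the original post). Assumed: DMZ host 192.168.99.10,
# forwarding instance "internet-B", source NAT pool "isp-b-pool".

# 1. Forwarding-type instance with its own default route via ISP B's HSRP VIP.
set routing-instances internet-B instance-type forwarding
set routing-instances internet-B routing-options static route 0.0.0.0/0 next-hop 81.145.243.129

# 2. Rib-group so the instance also sees the directly connected routes from inet.0
#    (otherwise next-hop 81.145.243.129 cannot be resolved inside internet-B.inet.0).
set routing-options rib-groups internet-B-rib import-rib [ inet.0 internet-B.inet.0 ]
set routing-options interface-routes rib-group inet internet-B-rib

# 3. FBF filter on the DMZ ingress interface. The filter runs before NAT, so it
#    matches the private (pre-NAT) source; a term matching 81.145.243.128/27
#    on this interface would never match. Classify on the private host instead.
set firewall family inet filter internet-B-Route-Filter term to-isp-b from source-address 192.168.99.10/32
set firewall family inet filter internet-B-Route-Filter term to-isp-b then routing-instance internet-B
set firewall family inet filter internet-B-Route-Filter term default then accept
set interfaces reth5 unit 0 family inet filter input internet-B-Route-Filter

# 4. Source NAT keyed on the same private host, using a pool holding the
#    secondary (ISP B) address. Interface-based source NAT would use the
#    primary address of reth7.0, which is the ISP A address, so a pool is needed.
set security nat source pool isp-b-pool address 81.145.243.158/32
set security nat source rule-set dmz-to-untrust from zone dmz
set security nat source rule-set dmz-to-untrust to zone untrust
set security nat source rule-set dmz-to-untrust rule snat-isp-b match source-address 192.168.99.10/32
set security nat source rule-set dmz-to-untrust rule snat-isp-b then source-nat pool isp-b-pool
```

To check the result after commit: `show route table internet-B.inet.0` should list 0.0.0.0/0 via 81.145.243.129 together with the directly connected 81.145.243.128/27 route imported from inet.0 (if the connected route is missing, the rib-group is not applied and the default route will be hidden as unresolvable); `show security flow session source-prefix 192.168.99.10` shows the session's out-direction wing, which should carry the 81.145.243.158 source and the reth7.0 egress. Hosts that must leave via ISP A simply fall through to the `default` term and follow inet.0.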