How to configure incoming traffic on secondary ISP connection


So, right now, we have two ISP connections on our Juniper SRX260H2. Both connections provide us with a range of public IP addresses, and the Juniper differentiates between them to connect various internal servers. We're trying to slowly transition traffic over to the second connection, as we will eventually be getting rid of the first one.

With what I've got so far, I'm able to configure devices to send out over the second connection successfully. Full internet access that way.

However, I can't seem to figure out the proper configuration for the incoming traffic. Though I believe everything matches up with what's already in place and working on the current primary connection, I can't seem to be able to receive traffic initiated from the outside.

I'm certain I'm missing something simple. Would anyone be able to shed some light on this for me and point me in the right direction?

Here's some of my configuration that I believe would be relevant to this.

First, the interfaces:

ge-0/0/0 {
    unit 0 {
        family inet {
            address 40.128.239.98/28;
        }
    }
}
ge-0/0/2 {
    unit 0 {
        family inet {
            address 206.40.37.178/28;
        }
    }
}
ge-0/0/12 {
    unit 0 {
        family inet {
            filter {
                input output-isp;
            }
            address 192.168.1.3/24;
        }
    }
}

0 is the current, fully working ISP connection; 2 is the connection to the second ISP, which works outbound; and 12 is the connection to our internal LAN.

Routing options and routing instances:

show routing-options
interface-routes {
    rib-group inet isp;
}
static {
    route 0.0.0.0/0 next-hop 40.128.239.97;
}
rib-groups {
    isp {
        import-rib [ inet.0 isp1.inet.0 isp2.inet.0 ];
    }
}

show routing-instances
isp1 {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 40.128.239.97;
        }
    }
}
isp2 {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 206.40.37.177;
        }
    }
}

The output-isp filter (right now configured to send traffic from my test computer out over the second ISP connection):

filter output-isp {
    term to-isp-2 {
        from {
            source-address {
                192.168.1.238/32;
            }
        }
        then {
            routing-instance isp2;
        }
    }
    term default-allow {
        then accept;
    }
}

Security zones:

security-zone Internal {
    address-book {
        address MyPC 192.168.1.238/32;
    }

    interfaces {
        ge-0/0/12.0 {
            host-inbound-traffic {
                system-services {
                    ping;
                    https;
                    http;
                    ssh;
                }
            }
        }
    }
}

security-zone Internet {
    interfaces {
        ge-0/0/0.0;
        ge-0/0/2.0;
    }
}

Destination NAT configuration:

pool MyPC {
    address 192.168.1.238/32 port 443;
}

rule-set rules {
    from zone Internet;

    rule TESTSITENEW {
        match {
            destination-address 206.40.37.185/32;
            destination-port 443;
        }
        then {
            destination-nat {
                pool {
                    MyPC;
                }
            }
        }
    }
}

Firewall policy:

show security policies from-zone Internet to-zone Internal
policy TESTSITE-MyPC {
    match {
        source-address any;
        destination-address MyPC;
        application junos-https;
    }
    then {
        permit;
        log {
            session-init;
            session-close;
        }
        count;
    }
}

As far as I can tell, this should take traffic sent to IP address 206.40.37.185, port 443, and send it to my test computer, but that isn't happening.

If I adjust the destination NAT rule to be an IP address based on the first ISP's range, it works.

Any assistance would be appreciated. Thanks!
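Two things worth checking against the configuration posted above, as an added example that is not part of the original post or of any reply: whether the SRX actually answers ARP for 206.40.37.185 on the ISP2 link (destination NAT to an address that is not the interface's own address needs a proxy-arp entry, which the posted snippet does not show, so its absence is an assumption on my part), and which interface the reverse wing of a test session egresses. The proxy-arp stanza and the operational commands are standard Junos; the interface, zone, rule and address values are taken from the post.

```junos
# 1. Can the SRX be reached at the NAT address on ge-0/0/2 at all?
#    206.40.37.185 sits inside ge-0/0/2's 206.40.37.176/28 but is not the
#    interface address, so the box only replies to ARP for it when proxy-arp
#    is configured for that interface/address pair.
show security nat proxy-arp
show arp interface ge-0/0/2.0                 # ISP2 gateway 206.40.37.177 must resolve

# Configuration mode: publish the NAT address on the ISP2 interface.
set security nat proxy-arp interface ge-0/0/2.0 address 206.40.37.185/32
commit

# 2. Open a test connection from outside to 206.40.37.185:443, then look at
#    the session. "In:" should show ge-0/0/2.0; if the reverse wing ("Out:")
#    shows ge-0/0/0.0, the reply is being routed by inet.0's default route
#    toward ISP1 instead of back out the ISP2 link, and the asymmetric
#    return path, not the NAT rule, is what breaks the connection.
show security flow session destination-port 443 protocol tcp

# 3. Confirm the destination NAT rule and the policy are being hit
#    (translation hits / policy counters must increase for each test).
show security nat destination rule TESTSITENEW
show security nat destination summary
show security policies from-zone Internet to-zone Internal policy-name TESTSITE-MyPC detail
```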

