Hi all JUNOS experts,
I met a problem when implementing static NAT and FBF on an SRX240.
Before, we only had ISP1 connected to the SRX240, with the default route pointing to ISP1, and the static NAT addresses were also in the same segment as the ISP1 interface. They were working well.
Now we have added a connection to ISP2 and we want to communicate with a few servers only through ISP2. So I changed the static NAT address to one in the same segment as the ISP2 interface. Then I created FBF on the server interface.
Then I tried to access this server but failed. I checked the log: the traffic comes in from ISP2, NAT is also OK, but the outgoing traffic goes through ISP1. It seems the FBF does not take effect.
I would appreciate it if anybody can help me.
reth4 to server, in trust zone;
reth13 to ISP2, in untrust zone;
reth15 to ISP1, in untrust zone;
The related configuration is as below:
set interfaces reth4 unit 0 family inet filter input ISP2
set interfaces reth4 unit 0 family inet address 192.168.1.1/24
set interfaces reth13 unit 0 family inet address 2.2.2.1/24
set interfaces reth15 unit 0 family inet address 1.1.1.1/24
set routing-options interface-routes rib-group inet PBR_Group
set routing-options static route 192.168.2.0/24 next-hop 192.168.1.254
set routing-options static route 0.0.0.0/0 next-hop 1.1.1.254
set routing-options rib-groups PBR_Group import-rib inet.0
set routing-options rib-groups PBR_Group import-rib PBR1.inet.0
set routing-instances PBR1 instance-type forwarding
set routing-instances PBR1 routing-options static route 0.0.0.0/0 next-hop 2.2.2.254
set firewall family inet filter ISP2 term 1 from source-address 192.168.2.2/32
set firewall family inet filter ISP2 term 1 then routing-instance PBR1
set firewall family inet filter ISP2 term 2 then accept
set security nat static rule-set ruleset1 from interface reth13.0
set security nat static rule-set ruleset1 rule rule1 match destination-address 2.2.2.2/32
set security nat static rule-set ruleset1 rule rule1 then static-nat prefix 192.168.2.2/32
set security nat proxy-arp interface reth13.0 address 2.2.2.2/32
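As an added illustration of what the FBF pieces in the configuration above do (this is not part of the original post and not Junos code), the following Python model replays the stateless per-packet lookup an FBF filter performs: the filter terms on reth4.0 are evaluated in order, the first matching term picks a routing table, and a longest-prefix match in that table gives the next hop. The rib-group PBR_Group is modelled by copying the interface routes into both inet.0 and PBR1.inet.0, so the directly connected subnets stay reachable from inside PBR1. The route entries and filter terms are taken from the post; the sample packets (8.8.8.8 and 192.168.1.50 as destinations, 192.168.2.3 as a second server) are constructed for the example. The model deliberately covers only route lookup; it does not model the SRX stateful flow session that decides the path for an already established session, which is a separate mechanism from the per-packet filter shown here.

```python
import ipaddress

# Constructed model of the post's configuration (example code, not Juniper's).
# Interface routes from the 'family inet address' statements; the rib-group
# PBR_Group imports them into both inet.0 and PBR1.inet.0.
INTERFACE_ROUTES = {
    "reth4.0": "192.168.1.0/24",
    "reth13.0": "2.2.2.0/24",
    "reth15.0": "1.1.1.0/24",
}

# Static routes per RIB as (prefix, next-hop).
STATIC_ROUTES = {
    "inet.0": [("192.168.2.0/24", "192.168.1.254"), ("0.0.0.0/0", "1.1.1.254")],
    "PBR1.inet.0": [("0.0.0.0/0", "2.2.2.254")],
}

# Filter ISP2 applied on reth4.0 input. Terms are evaluated in order and the
# first match wins; routing_instance=None stands for 'then accept' (default table).
FILTER_ISP2 = [
    {"term": "1", "source": "192.168.2.2/32", "routing_instance": "PBR1"},
    {"term": "2", "source": None, "routing_instance": None},
]


def build_ribs():
    """Return {rib: [(network, next_hop_or_None, interface_or_None)]}, applying the rib-group."""
    ribs = {}
    for rib, statics in STATIC_ROUTES.items():
        entries = [(ipaddress.ip_network(p), None, ifname)  # rib-group import
                   for ifname, p in INTERFACE_ROUTES.items()]
        entries += [(ipaddress.ip_network(p), ipaddress.ip_address(nh), None)
                    for p, nh in statics]
        ribs[rib] = entries
    return ribs


def select_rib(src):
    """Evaluate filter ISP2 for source 'src'; return the RIB name, or None if discarded."""
    src_ip = ipaddress.ip_address(src)
    for term in FILTER_ISP2:
        if term["source"] is None or src_ip in ipaddress.ip_network(term["source"]):
            ri = term["routing_instance"]
            return "inet.0" if ri is None else f"{ri}.inet.0"
    return None  # Junos implicit discard; unreachable here because term 2 matches all


def lookup(ribs, rib, dst):
    """Longest-prefix match of dst in rib; returns (next_hop_str_or_None, egress_interface)."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, nh, ifname in ribs[rib]:
        if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, ifname)
    if best is None:
        return None, None
    _, nh, ifname = best
    if nh is None:  # directly connected prefix
        return None, ifname
    # Resolve the next-hop to its egress interface via the interface routes.
    for name, prefix in INTERFACE_ROUTES.items():
        if nh in ipaddress.ip_network(prefix):
            return str(nh), name
    return str(nh), None


def forward(src, dst):
    """Model the per-packet path for a packet entering reth4.0 from the server side."""
    rib = select_rib(src)
    if rib is None:
        return ("discard", None, None)
    nh, ifname = lookup(build_ribs(), rib, dst)
    return (rib, nh, ifname)


if __name__ == "__main__":
    for src, dst in [("192.168.2.2", "8.8.8.8"), ("192.168.2.3", "8.8.8.8"),
                     ("192.168.2.2", "192.168.1.50")]:
        print(src, "->", dst, "=>", forward(src, dst))
```

Running it shows the intended split: packets from 192.168.2.2 are sent through PBR1.inet.0 and leave via reth13.0 toward 2.2.2.254, any other server source falls through term 2 and follows inet.0's default via reth15.0, and traffic from 192.168.2.2 to the connected 192.168.1.0/24 subnet still resolves to reth4.0 because the rib-group imported that interface route into PBR1.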