FAO BigRedShark ~ Juniper SRX DNAT/Policy based routing Issues

TrX (Associate; joined 25 Jan 2008; 405 posts; Manchester)
Hi all / BigRedShark.

After reading countless documents/getting nowhere with Juniper IRCs I thought I'd disturb your weekend in a last ditch attempt for answers (apologies!).

Situation Brief is as follows:
SRX 240

2 WAN Connections, 1 internet, one private WAN using 10.0.0.0/8 range.
1 LAN
1 DMZ

DMZ only ever needs DNAT inbound translations from the internet WAN (WAN1). However, the LAN needs inbound DNAT translations from the private WAN (WAN2).

The LAN also needs access to both WAN1 for normal internet traffic and WAN2 access simultaneously.

Have set this up using two routing instances. The default has the internet WAN as its default gateway and the second routing table has WAN2 as its default gateway.

There is then a firewall filter on the input of the 'LAN' L3 VLAN that states 'if dest is 10.0.0.0/8, punt to the secondary routing table, else permit'.

There are then source NAT pools on both WAN1 and WAN2.
This works perfectly outbound, with clients able to browse the web via the WAN1 and access 10.0.0.0/8 resources via WAN2.

DMZ DNATs from WAN1 also translate perfectly to DMZ based hosts.

HOWEVER [here's the problem]
inbound DNATs from WAN2 to the LAN never reach the internal LAN host (as shown by wireshark).

The only difference in the configuration (apart from addresses obviously and source zones) is that the LAN interface has this routing decision firewall filter.

Don't see why this wouldn't work. Google shows up nothing useful.
Any chance you have seen something like this or could take a look at the config?

Thanks,
//TrX
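For readers trying to follow the setup TrX describes, here is the shape it takes in Junos on an SRX. This is an added example written for this page, not TrX's config and not taken from the thread: every address, interface name, zone name and instance name is a constructed placeholder. It also assumes the secondary table is an `instance-type forwarding` instance, which is why the `rib-group` is there: a forwarding instance has no interfaces of its own, so without the imported interface routes it cannot resolve either the WAN2 next hop or the LAN subnet, and traffic punted into it is silently dropped.

```junos
## Added example, not the original poster's configuration. Addresses,
## interface and instance names are constructed placeholders.
## Assumption: wan2-vr is a forwarding-type instance and so needs the
## interface routes from inet.0 imported through a rib-group.
routing-options {
    static {
        route 0.0.0.0/0 next-hop 203.0.113.1;        # WAN1 default, lives in inet.0
    }
    interface-routes {
        rib-group inet fbf-rg;                        # copy interface routes into both tables
    }
    rib-groups {
        fbf-rg {
            import-rib [ inet.0 wan2-vr.inet.0 ];     # inet.0 must be listed first
        }
    }
}
routing-instances {
    wan2-vr {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.255.255.1;   # WAN2 default (private WAN)
            }
        }
    }
}
firewall {
    family inet {
        filter lan-pbr {
            term to-private-wan {
                from {
                    destination-address {
                        10.0.0.0/8;
                    }
                }
                then {
                    routing-instance wan2-vr;        # punt 10/8 traffic to the second table
                }
            }
            term everything-else {
                then accept;                         # normal inet.0 lookup, out via WAN1
            }
        }
    }
}
interfaces {
    vlan {
        unit 10 {
            description "LAN L3 VLAN";
            family inet {
                filter {
                    input lan-pbr;                   # applied to LAN-originated packets only
                }
                address 192.168.10.1/24;
            }
        }
    }
}
security {
    nat {
        destination {
            pool lan-app-pool {
                address 192.168.10.50/32;            # internal LAN host (constructed)
            }
            rule-set from-wan2 {
                from zone wan2;
                rule lan-app {
                    match {
                        destination-address 10.200.1.10/32;   # WAN2-facing address (constructed)
                    }
                    then {
                        destination-nat pool lan-app-pool;
                    }
                }
            }
        }
    }
}
```

Two checks are worth running on a box like this before suspecting the filter. `show route table wan2-vr.inet.0` should list the LAN subnet and the WAN2 link as direct routes; if it only shows the static default, the rib-group is missing or mis-ordered. `show security flow session destination-prefix 192.168.10.50` (using the real LAN host address) shows whether the DNAT session is being created at all and which interfaces it is wedged between, and `show security nat destination rule all` gives the rule hit counters. Remember also that destination NAT on the SRX is applied before the policy lookup, so the `from-zone wan2 to-zone lan` policy must match the translated LAN address, not the WAN2-facing one; a policy written against the pre-NAT address drops the traffic with no NAT error in sight. Source NAT for LAN-originated traffic on both WAN interfaces is assumed to be configured as TrX describes and is omitted here.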
 
Hmm, from what you're describing it sounds maybe more complex than it needs to be (multiple routing tables and punting traffic between them always tends to throw up problems somewhere...) but it should work...

If you want to post up the relevant config sections that'd be helpful, I can't immediately think of a problem but there are some potential issues (however the routing decision shouldn't affect it as I assume the filter is inbound only?).

Otherwise you could try j-nsp (google it) for advice, they're pretty good for solutions, assuming j-tac can't help or you don't have a support contract...
 