Example: Single MX Series (ECMP Based Consistent Hashing) and Scaled-Out SRX Series Firewalls (Standalone) for NAT and Stateful Firewall

In this example, you set up a single MX Series router as the load balancer, using ECMP-based consistent hashing, in front of scaled-out SRX Series Firewalls that run in standalone mode and provide NAT and stateful firewall services.

Overview

Table 1 shows the deployment components used in the example.

Table 1: Deployment Details

CSDS Component        Details
Forwarding layer      MX304 with Junos OS Release 23.4R1 or later
Services layer        vSRX 3.0 with Junos OS Release 23.4R1 or later
Redundancy            Single MX Series with ECMP-based consistent hashing as the load balancer; SRX Series Firewalls in standalone mode
Features              NAPT44 and stateful firewall (IPv4 only)
Additional component  Gateway router for the TRUST and UNTRUST networks. The example uses an MX Series; any router can be used.

Table 2 and Table 3 show the traffic flows for the NAT and stateful firewall services.

Table 2: Traffic Flows for NAT

Feature           Traffic Flow Component   IP Address and Port Number
NAPT44 on SRX1    Original source          Data client 140.0.0.0/8, port 22279
                  Original destination     Internet server 100.1.1.0/24, port 70
                  After NAT source         192.168.64.0/24, port 2480
                  After NAT destination    100.1.1.0/24, port 70
NAPT44 on SRX2    Original source          Data client 140.0.0.0/8, port 22279
                  Original destination     Internet server 100.1.1.0/24, port 70
                  After NAT source         192.169.64.0/24, port 2480
                  After NAT destination    100.1.1.0/24, port 70
NAPT44 on SRX3    Original source          Data client 140.0.0.0/8, port 22279
                  Original destination     Internet server 100.1.1.0/24, port 70
                  After NAT source         192.170.64.0/24, port 2480
                  After NAT destination    100.1.1.0/24, port 70

Each SRX Series Firewall uses its own NAT pool (192.168.64.0/24, 192.169.64.0/24 and 192.170.64.0/24), so the translated source address identifies which firewall holds the session.

Table 3: Traffic Flows for Stateful Firewall Services

Feature                                               Traffic Flow Component   IP Address
Stateful firewall on SRX1, SRX2 and SRX3              Source                   Data client 141.0.0.0/8
                                                      Destination              Internet server 100.1.1.0/24
                                                      Source after firewall    141.0.0.0/8 (unchanged)
                                                      Destination after firewall  100.1.1.0/24 (unchanged)

Table 4 and Table 5 show how the MX Series, acting as the load balancer, steers the forward and reverse flows to the SRX Series Firewalls.

Table 4: Load Balancer to SRX Series Firewalls for NAT Services

Flow Type      Traffic Flow Component   Load Balancer Mechanism                 IP Address
Forward flow   Source                   Route filter on MX Series (ECMP hash)   0.0.0.0/0
Reverse flow   Destination              Routing-based                           Unique NAT pool range of each SRX

Table 5: Load Balancer to SRX Series Firewalls for Stateful Firewall Services

Flow Type      Traffic Flow Component   Load Balancer Mechanism                 IP Address
Forward flow   Source                   Route filter on MX Series (ECMP hash)   0.0.0.0/0
Reverse flow   Destination              Route filter on MX Series (ECMP hash)   141.0.0.0/8

The reverse flow for NAT traffic is pinned to the correct firewall by routing, because each SRX advertises only its own NAT pool. The reverse flow for stateful firewall traffic has no such anchor: 141.0.0.0/8 is reachable through all three firewalls, so the MX hashes it as well, and a session is handled correctly only when the forward and reverse packets of the same flow hash to the same SRX. A reverse packet that lands on a different SRX finds no matching session there and, under the default security policy, is dropped.
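The following Junos configuration is an added illustration of the design in Table 4 and Table 5; it is not the lab configuration captured for this example and is not the page's own code. It assumes that the MX TRUST_VR instance uses 10.1.1.1/24 to peer with the SRX trust interfaces 10.1.1.2, 10.1.1.3 and 10.1.1.4, that UNTRUST_VR uses 10.2.2.1/24 to peer with the SRX untrust interfaces 10.2.2.2, 10.2.2.3 and 10.2.2.4, and that interface names, policy names and group names are illustrative. The AS numbers (MX 2000, SRX 500) and all prefixes come from the example; the peering with the gateway router is omitted.

```junos
## Added example, not the captured lab configuration. Addresses, interface names and
## policy/group names are assumptions; AS numbers and prefixes are from the example.

## ---------------- MX Series (AS 2000): load balancer ----------------
set routing-options autonomous-system 2000
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.2.2.1/24
## ECMP with consistent hashing: adding or removing one SRX remaps only the flows that were
## pinned to that firewall instead of reshuffling every flow across the remaining next hops
set policy-options policy-statement ECMP-CONSISTENT-HASH then load-balance consistent-hash
set routing-options forwarding-table export ECMP-CONSISTENT-HASH

## Forward flow (Table 4 and Table 5): TRUST_VR accepts only 0.0.0.0/0 from each SRX,
## giving one default route with three equal-cost next hops
set policy-options policy-statement FROM-SRX-TRUST term default-only from route-filter 0.0.0.0/0 exact
set policy-options policy-statement FROM-SRX-TRUST term default-only then accept
set policy-options policy-statement FROM-SRX-TRUST then reject
set routing-instances TRUST_VR instance-type virtual-router
set routing-instances TRUST_VR interface ge-0/0/0.0
set routing-instances TRUST_VR protocols bgp group SRX-TRUST type external
set routing-instances TRUST_VR protocols bgp group SRX-TRUST peer-as 500
set routing-instances TRUST_VR protocols bgp group SRX-TRUST multipath
set routing-instances TRUST_VR protocols bgp group SRX-TRUST import FROM-SRX-TRUST
set routing-instances TRUST_VR protocols bgp group SRX-TRUST neighbor 10.1.1.2
set routing-instances TRUST_VR protocols bgp group SRX-TRUST neighbor 10.1.1.3
set routing-instances TRUST_VR protocols bgp group SRX-TRUST neighbor 10.1.1.4

## Reverse flow: UNTRUST_VR accepts each SRX's unique NAT pool (routing-based, Table 4) and
## the stateful-firewall client range, which all three SRXs advertise and the MX hashes (Table 5)
set policy-options policy-statement FROM-SRX-UNTRUST term nat-pools from route-filter 192.168.64.0/24 exact
set policy-options policy-statement FROM-SRX-UNTRUST term nat-pools from route-filter 192.169.64.0/24 exact
set policy-options policy-statement FROM-SRX-UNTRUST term nat-pools from route-filter 192.170.64.0/24 exact
set policy-options policy-statement FROM-SRX-UNTRUST term nat-pools then accept
set policy-options policy-statement FROM-SRX-UNTRUST term sfw-clients from route-filter 141.0.0.0/8 exact
set policy-options policy-statement FROM-SRX-UNTRUST term sfw-clients then accept
set policy-options policy-statement FROM-SRX-UNTRUST then reject
set routing-instances UNTRUST_VR instance-type virtual-router
set routing-instances UNTRUST_VR interface ge-0/0/1.0
set routing-instances UNTRUST_VR protocols bgp group SRX-UNTRUST type external
set routing-instances UNTRUST_VR protocols bgp group SRX-UNTRUST peer-as 500
set routing-instances UNTRUST_VR protocols bgp group SRX-UNTRUST multipath
set routing-instances UNTRUST_VR protocols bgp group SRX-UNTRUST import FROM-SRX-UNTRUST
set routing-instances UNTRUST_VR protocols bgp group SRX-UNTRUST neighbor 10.2.2.2
set routing-instances UNTRUST_VR protocols bgp group SRX-UNTRUST neighbor 10.2.2.3
set routing-instances UNTRUST_VR protocols bgp group SRX-UNTRUST neighbor 10.2.2.4

## ---------------- SRX1 (AS 500): NAPT44 and stateful firewall ----------------
## SRX2 and SRX3 are the same except for the pool prefix (192.169.64.0/24, 192.170.64.0/24)
set routing-options autonomous-system 500
set interfaces ge-0/0/0 unit 0 family inet address 10.1.1.2/24
set interfaces ge-0/0/1 unit 0 family inet address 10.2.2.2/24
set security zones security-zone TRUST interfaces ge-0/0/0.0 host-inbound-traffic protocols bgp
set security zones security-zone UNTRUST interfaces ge-0/0/1.0 host-inbound-traffic protocols bgp
set routing-options static route 0.0.0.0/0 next-hop 10.2.2.1
set routing-options static route 140.0.0.0/8 next-hop 10.1.1.1
set routing-options static route 141.0.0.0/8 next-hop 10.1.1.1
## Discard route so the pool can be advertised; packets to pool addresses are matched by the
## NAT session table before routing, so the discard is never hit for live sessions
set routing-options static route 192.168.64.0/24 discard
set policy-options policy-statement TO-MX-TRUST term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement TO-MX-TRUST term default then accept
set policy-options policy-statement TO-MX-TRUST then reject
set policy-options policy-statement TO-MX-UNTRUST term pool from route-filter 192.168.64.0/24 exact
set policy-options policy-statement TO-MX-UNTRUST term pool then accept
set policy-options policy-statement TO-MX-UNTRUST term sfw from route-filter 141.0.0.0/8 exact
set policy-options policy-statement TO-MX-UNTRUST term sfw then accept
set policy-options policy-statement TO-MX-UNTRUST then reject
set protocols bgp group MX-TRUST type external
set protocols bgp group MX-TRUST peer-as 2000
set protocols bgp group MX-TRUST export TO-MX-TRUST
set protocols bgp group MX-TRUST neighbor 10.1.1.1
set protocols bgp group MX-UNTRUST type external
set protocols bgp group MX-UNTRUST peer-as 2000
set protocols bgp group MX-UNTRUST export TO-MX-UNTRUST
set protocols bgp group MX-UNTRUST neighbor 10.2.2.1
## NAPT44 only for 140.0.0.0/8; 141.0.0.0/8 matches no NAT rule and is only firewalled
set security nat source pool NAPT-POOL-SRX1 address 192.168.64.0/24
set security nat source rule-set TRUST-TO-UNTRUST from zone TRUST
set security nat source rule-set TRUST-TO-UNTRUST to zone UNTRUST
set security nat source rule-set TRUST-TO-UNTRUST rule NAPT44 match source-address 140.0.0.0/8
set security nat source rule-set TRUST-TO-UNTRUST rule NAPT44 match destination-address 100.1.1.0/24
set security nat source rule-set TRUST-TO-UNTRUST rule NAPT44 then source-nat pool NAPT-POOL-SRX1
set security address-book global address NAT-CLIENTS 140.0.0.0/8
set security address-book global address SFW-CLIENTS 141.0.0.0/8
set security address-book global address INTERNET-SERVER 100.1.1.0/24
## Stateful firewall: sessions are created only for TRUST-to-UNTRUST traffic; there is no
## UNTRUST-to-TRUST policy, so unsolicited return traffic is dropped by the default deny
set security policies from-zone TRUST to-zone UNTRUST policy CLIENTS-TO-INTERNET match source-address [ NAT-CLIENTS SFW-CLIENTS ]
set security policies from-zone TRUST to-zone UNTRUST policy CLIENTS-TO-INTERNET match destination-address INTERNET-SERVER
set security policies from-zone TRUST to-zone UNTRUST policy CLIENTS-TO-INTERNET match application any
set security policies from-zone TRUST to-zone UNTRUST policy CLIENTS-TO-INTERNET then permit
```

The import policies on the MX are the "route filter" of Table 4 and Table 5: everything an SRX advertises that is not the default route, its own NAT pool or 141.0.0.0/8 is rejected, so a misconfigured firewall cannot attract traffic it should not see. Static routes on the SRX avoid re-advertising routes learned from AS 2000 back to AS 2000, which BGP loop detection would otherwise drop.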

Topology Illustration

Figure 1: Single MX Series (ECMP based Consistent Hashing) and Scaled-Out SRX Series Firewalls for NAT and Stateful Firewall Services
[Figure not reproduced. It shows the SRX Series Firewalls in AS 500, each with its NAT pool, connected to the MX Series. The MX Series acts as the hub, with TRUST_VR and UNTRUST_VR connections to the gateway router and the Internet server. The data clients use the stateful firewall and NAT services.]

Figure 2: Route Advertisements for Forward Flow for NAPT44 and Stateful Firewall Services
[Figure not reproduced. It shows the SRX Series Firewalls in AS 500 with their NAT pools, the MX Series as the central hub, the gateway router with TRUST_VR and UNTRUST_VR, the data clients using NAT and the stateful firewall, and the Internet server at 100.1.1.0/24.]

Figure 3: Route Advertisements for Reverse Flow for Stateful Firewall Services
[Figure not reproduced. It shows the SRX Series Firewalls, the MX Series with the TRUST_VR and UNTRUST_VR virtual routers, the gateway router with the same virtual routers, the data clients in 140.0.0.0/8 and 141.0.0.0/8, and the Internet server in 100.1.1.0/24.]

Figure 4: Route Advertisements for Reverse Flow for NAT44 Services
[Figure not reproduced. It shows the SRX Series Firewalls in AS 500 with their NAT pools, the MX Series in AS 2000 and the gateway router in AS 2500. The data clients connect through the stateful firewall, and the Internet server at 100.1.1.0/24 is reached through UNTRUST_VR.]

Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

These configurations are captured from a lab environment and are provided for reference only. Actual configurations might vary based on the specific requirements of your environment.

The configuration for this example consists of the following components, one per device:

  • Configure MX Series
  • Configure the Gateway router
  • Configure SRX1
  • Configure SRX2
  • Configure SRX3
Configure MX Series
Configure Gateway Router
Configure SRX1
Configure SRX2
Configure SRX3

Verification

The following sections list the show commands used to verify the feature in this example:

  • Verify MX Series configuration
  • Verify SRX1 configuration
  • Verify SRX2 configuration
  • Verify SRX3 configuration
Verify MX Series Configuration
Verify SRX1 Configuration
Verify SRX2 Configuration
Verify SRX3 Configuration