
Example: Single MX Series (ECMP Based Consistent Hashing) and Scaled-Out SRX Series Firewalls (Standalone) for NAT and Stateful Firewall

SUMMARY  In this example, you learn how to set up a single MX Series router with scaled-out SRX Series Firewalls in standalone mode for NAT and stateful firewall services.

Overview

Table 1 shows the deployment components used in the example.

Table 1: Deployment Details

  CSDS Component        Details
  Forwarding Layer      MX304 with Junos OS Release 23.4R1 or later
  Services Layer        vSRX 3.0 with Junos OS Release 23.4R1 or later
  Redundancy            Single MX Series with ECMP-based consistent hashing as the load balancer;
                        SRX Series Firewalls (standalone)
  Features              NAPT44 and stateful firewall (IPv4 support)
  Additional Component  Gateway router for the TRUST and UNTRUST networks. The example uses an MX Series; you can use any device.

See Table 2 and Table 3 for the traffic flows.

Table 2: Traffic Flows for NAT

  Feature                                 Traffic Flow Component   IP Address and Port Number
  NAPT44 on SRX Series Firewall (SRX1)    Original source          Data client 140.0.0.0/8 and port 22279
                                          Original destination     Internet server 100.1.1.0/24 and port 70
                                          After NAT source         192.168.64.0/24 and port 2480
                                          After NAT destination    100.1.1.0/24 and port 70
  NAPT44 on SRX Series Firewall (SRX2)    Original source          Data client 140.0.0.0/8 and port 22279
                                          Original destination     Internet server 100.1.1.0/24 and port 70
                                          After NAT source         192.169.64.0/24 and port 2480
                                          After NAT destination    100.1.1.0/24 and port 70
  NAPT44 on SRX Series Firewall (SRX3)    Original source          Data client 140.0.0.0/8 and port 22279
                                          Original destination     Internet server 100.1.1.0/24 and port 70
                                          After NAT source         192.170.64.0/24 and port 2480
                                          After NAT destination    100.1.1.0/24 and port 70

Table 3: Traffic Flows for Stateful Firewall Services

  Feature                                        Traffic Flow Component                         IP Address
  Stateful firewall services on SRX Series       Source                                         Data client 141.0.0.0/8
  Firewalls (SRX1, SRX2, and SRX3)               Destination                                    Internet server 100.1.1.0/24
                                                 SRX Series with stateful firewall - Source     141.0.0.0/8
                                                 SRX Series with stateful firewall - Destination 100.1.1.0/24

See Table 4 and Table 5 for the load-balancer traffic flows.

Table 4: Load Balancer to SRX Series Firewalls for NAT Services

  Flow Type       Traffic Flow Component                            IP Address
  Forward Flow    Source: Load Balancer (Route Filter on MX Series) 0.0.0.0/0
  Reverse Flow    Destination: Load Balancer (Routing-Based)        Based on the unique NAT pool IP address range of each SRX

Table 5: Load Balancer to SRX Series Firewalls for Stateful Firewall Services

  Flow Type       Traffic Flow Component                                 IP Address
  Forward Flow    Source: Load Balancer (Route Filter on MX Series)      0.0.0.0/0
  Reverse Flow    Destination: Load Balancer (Route Filter on MX Series) 141.0.0.0/8
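The design in Tables 4 and 5 hinges on two properties: the MX must keep each flow pinned to the same SRX even when an SRX leaves the ECMP set (that is what consistent hashing buys over plain mod-N hashing, and why the standalone firewalls can keep their sessions), and for NAT the return traffic is steered by the unique post-NAT pool of each SRX rather than by hashing. The following Python model is an added illustration, not Juniper code or part of this example's configuration. It assumes a SHA-256 hash as a stand-in for the forwarding ASIC's hash, 128 virtual ring points per SRX, the SRX names and NAT pools from Table 2, and a symmetric 5-tuple key so that the non-NAT reverse flow (Table 5) hashes to the same firewall as the forward flow; the page does not state which header fields the MX hashes.

```python
"""Model of ECMP consistent hashing in front of standalone stateful SRX firewalls.

Constructed example (not Juniper code): it shows why the MX uses consistent
hashing and why each SRX owns a unique NAT pool, as laid out in Tables 2, 4 and 5.
"""
import hashlib
import ipaddress
import random
from bisect import bisect_right

SRX_NODES = ["SRX1", "SRX2", "SRX3"]  # the three standalone firewalls (Figure 1)

# Unique post-NAT source pool per SRX from Table 2; the reverse NAT flow is
# routed to the firewall that owns the pool (Table 4, reverse flow).
NAT_POOLS = {
    ipaddress.ip_network("192.168.64.0/24"): "SRX1",
    ipaddress.ip_network("192.169.64.0/24"): "SRX2",
    ipaddress.ip_network("192.170.64.0/24"): "SRX3",
}


def _h(key: str) -> int:
    """64-bit hash of a key (assumed stand-in for the forwarding ASIC's hash)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


def flow_key(src, sport, dst, dport, proto="tcp"):
    """Symmetric 5-tuple key: the reverse packet (src/dst swapped) hashes the same,
    which a stateful firewall without NAT needs (assumed hash fields)."""
    a, b = sorted([(src, sport), (dst, dport)])
    return f"{a[0]}:{a[1]}|{b[0]}:{b[1]}|{proto}"


class ConsistentHashRing:
    """Hash ring with virtual nodes; removing a node only moves the flows it owned."""

    def __init__(self, nodes, replicas=128):
        self.replicas = replicas
        self._points = []  # sorted list of (hash, node)
        for n in nodes:
            self.add(n)

    def add(self, node):
        self._points += [(_h(f"{node}#{i}"), node) for i in range(self.replicas)]
        self._points.sort()

    def remove(self, node):
        self._points = [p for p in self._points if p[1] != node]

    def lookup(self, key):
        # First ring point clockwise from the key's hash, wrapping around at the end.
        hashes = [h for h, _ in self._points]
        i = bisect_right(hashes, _h(key)) % len(self._points)
        return self._points[i][1]


def modulo_pick(nodes, key):
    """Naive ECMP: bucket = hash mod N, so a change in N reshuffles most flows."""
    return nodes[_h(key) % len(nodes)]


def reverse_nat_owner(post_nat_src):
    """Reverse-flow steering for NAT (Table 4): longest-prefix match on the NAT pools."""
    addr = ipaddress.ip_address(post_nat_src)
    matches = [net for net in NAT_POOLS if addr in net]
    return NAT_POOLS[max(matches, key=lambda n: n.prefixlen)] if matches else None


def simulate_failover(n_flows=2000, failed="SRX2", seed=7):
    """Count flows re-pinned to a different SRX when `failed` leaves the ECMP set."""
    rng = random.Random(seed)
    flows = [flow_key(f"140.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(1, 255)}",
                      rng.randrange(1024, 65535), f"100.1.1.{rng.randrange(1, 255)}", 70)
             for _ in range(n_flows)]  # constructed clients from 140.0.0.0/8 to 100.1.1.0/24:70
    ring = ConsistentHashRing(SRX_NODES)
    before_ring = {f: ring.lookup(f) for f in flows}
    before_mod = {f: modulo_pick(SRX_NODES, f) for f in flows}

    ring.remove(failed)
    survivors = [n for n in SRX_NODES if n != failed]
    moved_ring = sum(1 for f in flows if ring.lookup(f) != before_ring[f])
    moved_mod = sum(1 for f in flows if modulo_pick(survivors, f) != before_mod[f])
    return {
        "flows": n_flows,
        "on_failed_node": sum(1 for n in before_ring.values() if n == failed),
        "moved_consistent": moved_ring,
        "moved_modulo": moved_mod,
    }


if __name__ == "__main__":
    r = simulate_failover()
    print(f"{r['on_failed_node']} flows were on SRX2; consistent hashing moved "
          f"{r['moved_consistent']}, mod-N hashing moved {r['moved_modulo']}")
    print("return traffic to 192.169.64.10 is steered to", reverse_nat_owner("192.169.64.10"))
```

With consistent hashing, the only flows that move after SRX2 fails are exactly the ones SRX2 owned, so SRX1 and SRX3 keep their existing sessions; with mod-N hashing roughly two thirds of all flows land on a different firewall, which has no session for them and drops them. The reverse NAT lookup shows why the pools in Table 2 must not overlap: the post-NAT source address is the only thing that identifies the firewall holding the session.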

Topology Illustration

Figure 1: Single MX Series (ECMP-Based Consistent Hashing) and Scaled-Out SRX Series Firewalls for NAT and Stateful Firewall Services
Figure 2: Route Advertisements for Forward Flow for NAPT44 and Stateful Firewall Services
Figure 3: Route Advertisements for Reverse Flow for Stateful Firewall Services
Figure 4: Route Advertisements for Reverse Flow for NAT44 Services

Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

These configurations are captured from a lab environment and are provided for reference only. Actual configurations might vary based on the specific requirements of your environment.

The following sections contain the configuration for each component in this example:

  • Configure MX Series
  • Configure Gateway Router
  • Configure SRX1
  • Configure SRX2
  • Configure SRX3
Configure MX Series
Configure Gateway Router
Configure SRX1
Configure SRX2
Configure SRX3

Verification

The following sections list the show commands used to verify the feature in this example:

  • Verify MX Series configuration
  • Verify SRX1 configuration
  • Verify SRX2 configuration
  • Verify SRX3 configuration
Verify MX Series Configuration
Verify SRX1 Configuration
Verify SRX2 Configuration
Verify SRX3 Configuration