On Thu, May 27, 2010 at 8:38 PM, Ken Gilmour <ken.gilmour@gmail.com> wrote:
Yes I believe that would be the default if the session was initiated on the inside, but if it comes from outside on a particular interface which is not the default route, why would the router then send the packet out another interface? Should the device not route session-based traffic according to where it originated?
Ken,

As others have pointed out, interfaces are typically not kept track of in state tables. Having said that, I've worked in the past with the ScreenOS-based SSG platforms, which do this, so if you're coming from an SSG background this makes sense. These devices seem to keep track of the source interface in their state tables.

For example, I've worked on a one-armed Load Balancer with no Source NAT, such that one would typically require some policy-based routing to get the traffic back to the LB to have the Destination NAT handled. However, with a Juniper SSG as the router, its state tables kept track of the interfaces and routed traffic correctly without any policy-based routing required. When I took over administration of that environment I spent some time trying to figure out how the routing worked, since there was no configuration such as policy-based routes that would make sense.

Having said that, if the JunOS-based SRX platform does not do session tracking in the same way as the SSG platform, it would seem that the most reasonable solution would be to NAT the traffic, as has already been pointed out.

Mark

--
Cheers!
Mark Hermsdorfer
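The two return-path situations the thread talks about, as an added example (this is not code from the thread, from Juniper, or from any ScreenOS/Junos implementation): a toy model of a multi-homed stateful router whose session table may or may not record the ingress interface, and of a one-armed load balancer with and without source NAT. The addresses, interface names, routes and flow tuples are all constructed for the example; the behaviour of real devices is only approximated.

```python
"""Toy model of asymmetric return traffic (added example, not from the thread).

Scenario A: a session arrives on eth2, which is not the default route.  A
router that picks the reply's egress by FIB lookup sends it out eth1; a
router that stores the ingress interface in the session entry (the
ScreenOS-style behaviour described in the thread) sends it back out eth2.

Scenario B: a one-armed load balancer doing destination NAT.  Without
source NAT the real server replies straight to the client and bypasses the
LB unless the router policy-routes it back; with source NAT the reply is
addressed to the LB and reaches it without any policy route.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.dport, self.sport)


class StatefulRouter:
    """Router with a FIB and a session table; optionally records ingress."""

    def __init__(self, routes, track_ingress: bool):
        # routes: (prefix, egress interface); longest prefix wins.
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]
        self.track_ingress = track_ingress
        self.sessions = {}  # forward Flow -> interface it arrived on

    def fib_lookup(self, dst: str) -> str:
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen)[1]

    def forward(self, flow: Flow, ingress: str) -> str:
        """Forward one packet and return the egress interface chosen."""
        if flow.reverse() in self.sessions:       # reply direction
            if self.track_ingress:
                return self.sessions[flow.reverse()]  # back out the ingress interface
            return self.fib_lookup(flow.dst)      # plain routing decision
        if flow not in self.sessions:             # first packet of a new session
            self.sessions[flow] = ingress
        return self.fib_lookup(flow.dst)


# Constructed topology: inside on eth0, ISP A on eth1 (default), ISP B on eth2.
ROUTES = [
    ("192.168.1.0/24", "eth0"),
    ("203.0.113.0/24", "eth1"),
    ("198.51.100.0/24", "eth2"),
    ("0.0.0.0/0", "eth1"),
]


def scenario_a(track_ingress: bool):
    """Return (egress of inbound packet, egress of the server's reply)."""
    r = StatefulRouter(ROUTES, track_ingress)
    inbound = Flow("192.0.2.7", "192.168.1.5", 51000, 443)
    in_egress = r.forward(inbound, ingress="eth2")          # arrives via ISP B
    reply_egress = r.forward(inbound.reverse(), ingress="eth0")
    return in_egress, reply_egress


class OneArmLB:
    """Destination-NAT load balancer on the same VLAN as its real server."""

    def __init__(self, addr, vip, server, source_nat: bool):
        self.addr, self.vip, self.server, self.source_nat = addr, vip, server, source_nat
        self.nat = {}  # reply as the server sends it -> reply as the client expects it

    def inbound(self, flow: Flow) -> Flow:
        src = self.addr if self.source_nat else flow.src
        translated = Flow(src, self.server, flow.sport, flow.dport)
        self.nat[translated.reverse()] = flow.reverse()
        return translated

    def reply(self, flow: Flow) -> Flow:
        return self.nat.get(flow, flow)  # un-NAT if this is a known reply


def scenario_b(source_nat: bool, policy_route: bool):
    """Return (hops the server's reply takes, whether the client sees the VIP as source)."""
    client, vip, lb_addr, server = "192.0.2.7", "203.0.113.80", "10.0.0.10", "10.0.0.20"
    lb = OneArmLB(lb_addr, vip, server, source_nat)
    pkt = lb.inbound(Flow(client, vip, 51000, 443)).reverse()  # server replies to what it saw
    hops, node = ["server"], ("lb" if pkt.dst == lb_addr else "router")
    while node != "client":
        hops.append(node)
        if node == "lb":
            pkt, node = lb.reply(pkt), "router"
        elif policy_route and pkt.src == server:   # PBR: steer server-sourced traffic to the LB
            node = "lb"
        else:
            node = "client"
    hops.append("client")
    return hops, pkt.src == vip
```

In scenario A the inbound packet is always delivered to the inside (eth0); what changes is the reply, which leaves via the default route unless the session entry remembers the ingress interface. In scenario B the client only ever sees a reply sourced from the VIP when the reply passes back through the LB, which happens either because the router policy-routes server-sourced traffic to it or because source NAT made the LB the reply's destination in the first place.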