[j-nsp] destination nat, 8 rule limit

Derick Winkworth dwinkworth at att.net
Tue Nov 3 11:39:02 EST 2009


Upgrade to 9.6.  You can have many more rules per rule-set...
________________________________
From: Christopher M. Hobbs <chris at altbit.org>
To: juniper-nsp at puck.nether.net
Sent: Tue, November 3, 2009 10:08:13 AM
Subject: [j-nsp] destination nat, 8 rule limit

If I try to set up more than 8 rules per rule-set on our
SRX240 boxes, Junos gets cranky.  Here's the error I
receive:

---
chobbs at SS0101# commit check 
[edit security nat destination rule-set mail]
  'rule'
    number of elements exceeds limit of 8
error: configuration check-out failed: (number of elements exceeds limit)
---

I can't break our rules out into different rule sets because
it complains of context at that point (which I believe is
tied to the destination address?):

---
chobbs at SS0101# commit check 
error: Destination NAT rule-set mail and test have same
context.
[edit security nat destination]
  'rule-set test'
    Destination NAT rule-set(test) sanity check failed.
error: configuration check-out failed
---

All of our incoming addresses exist on the same subnet and
the majority of our destination addresses are on the same
subnet as well, so I clearly can't split up our rules to
work around this issue if the context is based on either the
incoming or destination addresses.

I've read a couple of threads concerning a similar issue and
the fix was to upgrade to 9.6, which I did.  The upgrade
didn't appear to solve anything at all.

Does anyone know why this restriction is here other than
just poor programming?  How can I get past this limitation?

Thanks for your time!
-- 
C.M. Hobbs, http://altbit.org
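Added example, not from the original thread or from Juniper: a small pre-commit checker that runs over set-style `security nat destination` configuration text and reports the two conditions the commit check in the post rejects, a rule-set with more than the per-rule-set limit (8 on the poster's release) and two rule-sets sharing a context. It assumes the context of a destination NAT rule-set is its `from` clause (zone, interface or routing-instance), that the configuration is in `set ...` form, and it uses a constructed sample configuration; the `max_rules` parameter lets you model a release with a higher limit.

```python
"""Pre-commit sanity check for Junos SRX destination NAT rule-sets (added example)."""
import re
from collections import defaultdict

MAX_RULES = 8  # per-rule-set limit reported by "commit check" in the thread

# Constructed sample config in set-style syntax; not a real production config.
# rule-set "mail" has 9 rules, and "mail" and "test" share the context "zone untrust".
SAMPLE_CONFIG = "\n".join(
    ["set security nat destination pool mail-pool address 10.0.0.25/32",
     "set security nat destination rule-set mail from zone untrust"]
    + [f"set security nat destination rule-set mail rule r{i} match destination-address 192.0.2.{i}/32"
       for i in range(1, 10)]
    + [f"set security nat destination rule-set mail rule r{i} then destination-nat pool mail-pool"
       for i in range(1, 10)]
    + ["set security nat destination rule-set test from zone untrust",
       "set security nat destination rule-set test rule t1 match destination-address 192.0.2.20/32",
       "set security nat destination rule-set test rule t1 then destination-nat pool mail-pool",
       "set security nat destination rule-set dmz-in from zone dmz",
       "set security nat destination rule-set dmz-in rule d1 match destination-address 192.0.2.30/32",
       "set security nat destination rule-set dmz-in rule d1 then destination-nat pool mail-pool"]
)

# "from <zone|interface|routing-instance> <name>" defines the rule-set's context (assumption)
RULESET_FROM = re.compile(r"^set security nat destination rule-set (\S+) from (\S+ \S+)")
# any "rule <name> ..." line under a rule-set; rule names are collected in a set so
# the several set-lines that make up one rule are counted once
RULESET_RULE = re.compile(r"^set security nat destination rule-set (\S+) rule (\S+)")


def parse(config_text):
    """Return ({rule_set: context}, {rule_set: set(rule names)})."""
    contexts = {}
    rules = defaultdict(set)
    for line in config_text.splitlines():
        line = line.strip()
        m = RULESET_FROM.match(line)
        if m:
            contexts[m.group(1)] = m.group(2)
            continue
        m = RULESET_RULE.match(line)
        if m:
            rules[m.group(1)].add(m.group(2))
    return contexts, rules


def check(config_text, max_rules=MAX_RULES):
    """List the problems commit check would raise; empty list means the config passes."""
    contexts, rules = parse(config_text)
    problems = []
    # condition 1: too many rules in one rule-set
    for rule_set, names in sorted(rules.items()):
        if len(names) > max_rules:
            problems.append(f"rule-set {rule_set}: {len(names)} rules exceeds limit of {max_rules}")
    # condition 2: two rule-sets with the same "from" context
    by_context = defaultdict(list)
    for rule_set, context in contexts.items():
        by_context[context].append(rule_set)
    for context, sets in sorted(by_context.items()):
        if len(sets) > 1:
            problems.append(f"rule-sets {' and '.join(sorted(sets))} have same context ({context})")
    return problems


if __name__ == "__main__":
    for problem in check(SAMPLE_CONFIG):
        print(problem)
```

Running it on the sample reports both failures; raising `max_rules` removes the count complaint but the shared-context complaint stays, which is the situation the post describes after the upgrade, since a rule-set can only be split when each half gets a distinct `from` context.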

