[j-nsp] destination nat, 8 rule limit

Christopher M. Hobbs chris at altbit.org
Tue Nov 3 16:45:18 EST 2009


On Tue, Nov 03, 2009 at 08:39:02AM -0800, Derick Winkworth wrote:
> Upgrade to 9.6.  You can have many more rules per rule-set...
> 
> 
> 
> 
> ________________________________
> From: Christopher M. Hobbs <chris at altbit.org>
> To: juniper-nsp at puck.nether.net
> Sent: Tue, November 3, 2009 10:08:13 AM
> Subject: [j-nsp] destination nat, 8 rule limit
> 
> If I try to set up more than 8 rules per rule-set on our
> SRX240 boxes, Junos gets cranky.  Here's the error I
> receive:
> 
> ---
> chobbs at SS0101# commit check 
> [edit security nat destination rule-set mail]
>   'rule'
>     number of elements exceeds limit of 8
> error: configuration check-out failed: (number of elements exceeds limit)
> ---
> 
> I can't break our rules out into different rule sets because
> it complains of context at that point (which I believe is
> tied to the destination address?):
> 
> ---
> chobbs at SS0101# commit check 
> error: Destination NAT rule-set mail and test have same
> context.
> [edit security nat destination]
>   'rule-set test'
>     Destination NAT rule-set(test) sanity check failed.
> error: configuration check-out failed
> ---
> 
> All of our incoming addresses exist on the same subnet and
> the majority of our destination addresses are on the same
> subnet as well, so I clearly can't split up our rules to
> work around this issue if the context is based on either the
> incoming or destination addresses.
> 
> I've read a couple of threads concerning a similar issue and
> the fix was to upgrade to 9.6, which I did.  The upgrade
> didn't appear to solve anything at all.
> 
> Does anyone know why this restriction is here other than
> just poor programming?  How can I get past this limitation?
> 
> Thanks for your time!
> -- 
> C.M. Hobbs, http://altbit.org

I am running 9.6:

chobbs at SS0101> show version 
Hostname: SS0101
Model: srx240-hm
JUNOS Software Release [9.6R2.11]

-- 
C.M. Hobbs, http://altbit.org
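The two commit-check errors quoted in this thread can be caught before a commit is attempted. The following added example (not from the thread or from Juniper) lints a set-style Junos configuration for destination NAT rule-sets that exceed the 8-rule limit and for rule-sets that share a context; it assumes the "context" in the commit error is the rule-set's `from` clause, and the sample configuration, rule names and addresses are constructed.

```python
import re
from collections import defaultdict

# Limit reported by the commit check quoted in the thread.
MAX_RULES_PER_RULE_SET = 8

# Matches set-style lines such as:
#   set security nat destination rule-set mail from zone untrust
#   set security nat destination rule-set mail rule r1 match destination-address 203.0.113.1/32
_RS = re.compile(r"^set security nat destination rule-set (\S+) (from \S+ \S+|rule (\S+))")


def lint_destination_nat(config_text):
    """Return problems a Junos commit check would reject.

    Flags rule-sets with more than MAX_RULES_PER_RULE_SET rules and
    rule-sets that share the same 'from' context (assumption: the
    'context' in the commit error is the rule-set's from clause).
    """
    rules = defaultdict(set)      # rule-set name -> set of rule names
    contexts = defaultdict(list)  # from-clause -> rule-sets using it
    for line in config_text.splitlines():
        m = _RS.match(line.strip())
        if not m:
            continue
        rule_set, clause, rule = m.groups()
        if rule:
            rules[rule_set].add(rule)
        elif rule_set not in contexts[clause]:
            contexts[clause].append(rule_set)
    problems = []
    for rule_set, names in sorted(rules.items()):
        if len(names) > MAX_RULES_PER_RULE_SET:
            problems.append(f"rule-set {rule_set}: {len(names)} rules exceeds limit of {MAX_RULES_PER_RULE_SET}")
    for clause, sets in sorted(contexts.items()):
        if len(sets) > 1:
            problems.append(f"rule-sets {' and '.join(sets)} have same context ({clause})")
    return problems


# Constructed sample reproducing both errors from the thread: nine rules in
# rule-set "mail", and rule-set "test" sharing the same from-zone.
SAMPLE = "\n".join(
    ["set security nat destination rule-set mail from zone untrust"]
    + [f"set security nat destination rule-set mail rule r{i} match destination-address 203.0.113.{i}/32" for i in range(1, 10)]
    + [f"set security nat destination rule-set mail rule r{i} then destination-nat pool p{i}" for i in range(1, 10)]
    + ["set security nat destination rule-set test from zone untrust",
       "set security nat destination rule-set test rule r1 match destination-address 203.0.113.20/32"]
)

if __name__ == "__main__":
    for problem in lint_destination_nat(SAMPLE):
        print(problem)
```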