[j-nsp] destination nat, 8 rule limit

Alexander Shikoff minotaur at crete.org.ua
Tue Nov 3 19:32:20 EST 2009


On Tue, Nov 03, 2009 at 03:45:18PM -0600, Christopher M. Hobbs wrote:
> On Tue, Nov 03, 2009 at 08:39:02AM -0800, Derick Winkworth wrote:
> > Upgrade to 9.6.  You can have many more rules per rule-set...
> > 
> > ________________________________
> > From: Christopher M. Hobbs <chris at altbit.org>
> > To: juniper-nsp at puck.nether.net
> > Sent: Tue, November 3, 2009 10:08:13 AM
> > Subject: [j-nsp] destination nat, 8 rule limit
> > 
> > If I try to set up more than 8 rules per rule-set on our
> > SRX240 boxes, Junos gets cranky.  Here's the error I
> > receive:
> > 
> > ---
> > chobbs at SS0101# commit check 
> > [edit security nat destination rule-set mail]
> >   'rule'
> >     number of elements exceeds limit of 8
> > error: configuration check-out failed: (number of elements exceeds limit)
> > ---
> > 
> > I can't break our rules out into different rule sets because
> > it complains of context at that point (which I believe is
> > tied to the destination address?):
> > 
> > ---
> > chobbs at SS0101# commit check 
> > error: Destination NAT rule-set mail and test have same
> > context.
> > [edit security nat destination]
> >   'rule-set test'
> >     Destination NAT rule-set(test) sanity check failed.
> > error: configuration check-out failed
> > ---
> > 
> > All of our incoming addresses exist on the same subnet and
> > the majority of our destination addresses are on the same
> > subnet as well, so I clearly can't split up our rules to
> > work around this issue if the context is based on either the
> > incoming or destination addresses.
> > 
> > I've read a couple of threads concerning a similar issue and
> > the fix was to upgrade to 9.6, which I did.  The upgrade
> > didn't appear to solve anything at all.
> > 
> > Does anyone know why this restriction is here other than
> > just poor programming?  How can I get past this limitation?
> > 
> > Thanks for your time!
> > -- 
> > C.M. Hobbs, http://altbit.org
> 
> I am running 9.6:
I have the same issue. Guys from JTAC told me to wait for version 10:
"
08/17/09 05:21:01 I am not sure of the exact time, but I know that it should be in version
10 of Junos.
"

-- 
MINO-RIPE
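The two commit-check failures quoted above (more than 8 rules in one destination NAT rule-set, and two rule-sets that share a context) are both things an operator can catch before pushing a candidate configuration to the box. The script below is an added example, not code from the thread or from Juniper: it lints a configuration in Junos "set" format, counts rules per `security nat destination rule-set`, and reports rule-sets that exceed the limit or that declare the same `from` context. It assumes the rule-set context is the `from <zone|interface|routing-instance> <name>` statement, which is an assumption of this example rather than something the thread establishes (the original poster suspected the destination address). The sample configuration is constructed for the example.

```python
"""Pre-commit lint for Junos SRX destination-NAT rule-sets (added example)."""
import re
from collections import defaultdict

# Per-rule-set limit, taken from the commit-check error quoted in the thread.
RULE_LIMIT = 8

# One 'set' line per statement. The 'from' clause is assumed here to define a
# rule-set's context; that is an assumption of this example.
RE_FROM = re.compile(
    r'^set security nat destination rule-set (\S+) from (\S+) (\S+)$')
RE_RULE = re.compile(
    r'^set security nat destination rule-set (\S+) rule (\S+)\b')


def _rules(rule_set, count, base):
    """Constructed sample rules: match one /32 and map it to a pool."""
    lines = []
    for i in range(1, count + 1):
        prefix = f"set security nat destination rule-set {rule_set} rule r{i}"
        lines.append(f"{prefix} match destination-address 203.0.113.{base + i}/32")
        lines.append(f"{prefix} then destination-nat pool p{i}")
    return lines


# Constructed sample: 'mail' has 9 rules (one too many) and shares the
# 'zone untrust' context with 'test'; 'dmz' is clean.
SAMPLE_CONFIG = "\n".join(
    ["set security nat destination rule-set mail from zone untrust"]
    + _rules("mail", 9, 10)
    + ["set security nat destination rule-set test from zone untrust"]
    + _rules("test", 2, 30)
    + ["set security nat destination rule-set dmz from zone dmz"]
    + _rules("dmz", 3, 50)
)


def lint_destination_nat(config_text, limit=RULE_LIMIT):
    """Return a list of human-readable findings; an empty list means clean."""
    rules = defaultdict(set)   # rule-set name -> set of rule names
    contexts = {}              # rule-set name -> (from-kind, from-value)

    for line in config_text.splitlines():
        line = line.strip()
        m = RE_FROM.match(line)
        if m:
            contexts[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = RE_RULE.match(line)
        if m:
            rules[m.group(1)].add(m.group(2))

    findings = []

    # Check 1: more than `limit` distinct rules in a single rule-set.
    for rule_set, names in sorted(rules.items()):
        if len(names) > limit:
            findings.append(
                f"rule-set {rule_set}: {len(names)} rules exceeds limit of {limit}")

    # Check 2: two or more rule-sets declaring the identical 'from' context.
    by_context = defaultdict(list)
    for rule_set, ctx in contexts.items():
        by_context[ctx].append(rule_set)
    for (kind, value), sets in sorted(by_context.items()):
        if len(sets) > 1:
            findings.append(
                f"rule-sets {', '.join(sorted(sets))} share context {kind} {value}")

    return findings


if __name__ == "__main__":
    for finding in lint_destination_nat(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show configuration security nat destination | display set` (captured to a file) to get the same two complaints the commit check raises, without a commit; a rule-set with exactly 8 rules passes, since the error fires only when the count exceeds the limit.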