[j-nsp] Destination NAT on SRX cluster
Tim Eberhard
xmin0s at gmail.com
Tue Mar 20 14:34:24 EDT 2012
I'd agree it seems that you're running into a bug. Trying your config
on my SRX I am able to commit through. Reths tend to be different
than a normal interface from a code standpoint, but NAT isn't a
limitation (thank god).

If you're working in a lab, try to upgrade to my code version perhaps.
If you're in prod, good luck... open up a JTAC case and find out which
release fixes it. Sorry Leigh, best of luck.
[edit security nat]
root@Lab-SRX240-11# commit check
configuration check succeeds
[edit security nat]
root@Lab-SRX240-11# show | compare
[edit security nat]
+ destination {
+ pool wilderness {
+ address 172.16.253.10/32 port 22;
+ }
+ rule-set incoming-connections {
+ from interface ge-0/0/0.0;
+ rule port-forard {
+ match {
+ destination-address 88.94.205.5/32;
+ destination-port 22;
+ }
+ then {
+ destination-nat pool wilderness;
+ }
+ }
+ }
+ }
+ proxy-arp {
+ interface ge-0/0/0.0 {
+ address {
+ 88.94.205.5/32;
+ }
+ }
+ }
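Review bot: the rule-set in this compare matches on "from interface ge-0/0/0.0", while the configuration being debugged (per the quoted reply further down) used "from interface reth0.352", so a clean commit check here does not exercise the reth case where the "number of destination NAT pools exceeds limit of 0" error was reported. Repeating the check with a reth unit as the source interface, or noting whether this lab unit is part of a chassis cluster, would make the comparison conclusive. The rule is also named "port-forard" where the quoted error output shows "port-forward"; worth correcting before the stanza is copied anywhere.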
[edit security nat]
root@Lab-SRX240-11# run show version
Hostname: Lab-SRX240-11
Model: srx240h-poe
JUNOS Software Release [11.4R1.6]
Hope this helps,
-Tim Eberhard
On Tue, Mar 20, 2012 at 12:09 PM, Leigh Porter
<leigh.porter at ukbroadband.com> wrote:
>
>
>> From: Ben Dale [mailto:bdale at comlinx.com.au]
>>
>> Hi Leigh,
>>
>> On 20/03/2012, at 10:53 PM, Leigh Porter wrote:
>>
>> >
>> > error: The number of destination NAT pools exceeds limit of 0 [edit
>> > security nat destination rule-set incoming-connections rule
>> > port-forward then destination-nat] 'pool'
>> > failed to get pool (wilderness)
>> > error: configuration check-out failed
>>
>> It looks like a bug, but try changing the "from interface reth0.352" to
>> "from zone <zone of interface reth0.352>" and see if the issue goes
>> away. Failing that, upgrade to 11.1R6 and see if that fixes it.
>
> Yeah I thought bug too. I tried the "from zone .." but it didn't fix it. I'm just about to try 11.blah
>
> Thanks,
> Leigh