[j-nsp] Destination NAT on SRX cluster

Tim Eberhard xmin0s at gmail.com
Tue Mar 20 14:34:24 EDT 2012


I'd agree it seems that you're running into a bug. Trying your config
on my SRX I am able to commit through. Reths tend to be different
than a normal interface from a code standpoint, but NAT isn't a
limitation (thank god).

If you're working in a lab, try to upgrade to my code version perhaps.
If you're in prod, good luck.. open up a JTAC case and find out which
release fixes it. Sorry, Leigh, best of luck.

[edit security nat]
root at Lab-SRX240-11# commit check
configuration check succeeds

[edit security nat]
root at Lab-SRX240-11# show | compare
[edit security nat]
+  destination {
+      pool wilderness {
+          address 172.16.253.10/32 port 22;
+      }
+      rule-set incoming-connections {
+          from interface ge-0/0/0.0;
+          rule port-forard {
+              match {
+                  destination-address 88.94.205.5/32;
+                  destination-port 22;
+              }
+              then {
+                  destination-nat pool wilderness;
+              }
+          }
+      }
+  }
+  proxy-arp {
+      interface ge-0/0/0.0 {
+          address {
+              88.94.205.5/32;
+          }
+      }
+  }

[edit security nat]
root at Lab-SRX240-11# run show version
Hostname: Lab-SRX240-11
Model: srx240h-poe
JUNOS Software Release [11.4R1.6]

Hope this helps,
-Tim Eberhard

On Tue, Mar 20, 2012 at 12:09 PM, Leigh Porter
<leigh.porter at ukbroadband.com> wrote:
>
>
>> From: Ben Dale [mailto:bdale at comlinx.com.au]
>>
>> Hi Leigh,
>>
>> On 20/03/2012, at 10:53 PM, Leigh Porter wrote:
>>
>> >
>> > error: The number of destination NAT pools exceeds limit of 0 [edit
>> > security nat destination rule-set incoming-connections rule
>> > port-forward then destination-nat]  'pool'
>> >     failed to get pool (wilderness)
>> > error: configuration check-out failed
>>
>> It looks like a bug, but try changing the "from interface reth0.352" to
>> "from zone <zone of interface reth0.352>" and see if the issue goes
>> away.  Failing that, upgrade to 11.1R6 and see if that fixes it.
>
> Yeah, I thought bug too. I tried the "from zone .." but it didn't fix it. I'm just about to try 11.blah
>
> Thanks,
> Leigh
>
>
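An added example of my own (not Tim's, Leigh's or Juniper's code): a small lint over a Junos "security nat destination" stanza like the ones pasted in this thread. It checks the pool reference that Leigh's commit failed on and flags a "from interface" on a cluster reth so it can be retried as "from zone" the way Ben suggests; the config it parses is constructed for the example and only assumes the curly-brace layout visible in the "show | compare" output above.

```python
# Added example, not from the thread: lint a Junos 'security nat destination' stanza.
# Flags 'destination-nat pool X' naming an undefined pool (the lookup Leigh's commit
# failed on) and 'from interface' on a cluster reth (to retry as 'from zone').
import re

# Constructed sample config; the pool name inside the rule is deliberately misspelled.
SAMPLE = """destination {
    pool wilderness {
        address 172.16.253.10/32 port 22;
    }
    rule-set incoming-connections {
        from interface reth0.352;
        rule port-forward {
            match {
                destination-address 88.94.205.5/32;
            }
            then {
                destination-nat pool wildernes;
            }
        }
    }
}
"""

def parse(text):
    """Flatten Junos curly-brace config into (container_path, statement) pairs."""
    stack, stmts = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line: continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())   # enter a container, e.g. 'pool wilderness'
        elif line == "}":
            stack.pop()
        else:
            stmts.append((tuple(stack), line.rstrip(";")))
    return stmts

def lint_destination_nat(text):
    """Return human-readable findings; an empty list means the stanza is clean."""
    stmts = parse(text)
    pools = {p[1].split(" ", 1)[1] for p, _ in stmts if len(p) > 1 and p[1].startswith("pool ")}
    findings = []
    for path, stmt in stmts:
        where = " / ".join(path)
        m = re.fullmatch(r"destination-nat pool (\S+)", stmt)
        if m and m.group(1) not in pools:
            findings.append(f"{where}: pool '{m.group(1)}' is not defined")
        if re.fullmatch(r"from interface reth\d+(\.\d+)?", stmt):
            findings.append(f"{where}: '{stmt}' is a cluster reth; try 'from zone <zone>'")
    return findings
```

Run it against the real candidate config before "commit check" to catch a mistyped pool name locally; a clean list does not rule out the platform bug the thread is about, it only removes the config-side causes of the same error text.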
