06-10-2009 12:41 PM
My J2320 router with JunOS 9.5 works as a gateway for a quite big LAN. The router has one external interface with one IP address.
The task is to configure destination NAT for a couple of incoming services. When I was configuring it I hit a limit on the number of rules in a single rule-set: J2320 allows only 8 rules. But I need more. Splitting the rules into different rule-sets is not valid: commit fails with the error "error: Destination NAT rule-set NAT-Prime and NAT-DOM have same context".
Is there a way to solve this? I've read documentation of NAT in 9.5 and found nothing about this limit.
Thanks in advance,
06-10-2009 08:57 PM
The NAT rule limit of 8 rules per rule-set exists on JUNOS 9.5R1. But with 9.5R2 that limit will be increased to 256 rules per rule-set. 9.5R2 is targeted for release probably by the end of this month. So if you cannot wait for 9.5R2, you may want to consider downgrading to 9.4 instead, as NAT on J-Series with 9.4 follows the older enhanced services method. Note that NAT on 9.4 versus 9.5 is quite different. So be sure to review the J-Series documentation for 9.4 before getting into that.
06-10-2009 11:46 PM - edited 06-11-2009 01:31 AM
May I ask about the error "error: Destination NAT rule-set NAT-Prime and NAT-DOM have same context"?
If I guess correctly, the context of a rule-set is defined by 'from' in [edit security nat destination rule-set]. Is it true? If so, why can't two rule-sets with the same 'from' work together? Will this behavior be changed in 9.5R2?
And one more question: under [edit security nat destination rule-set ... rule ...], 'match destination-port' allows only one port number. Why doesn't it allow a list of port numbers? Due to this limitation, the number of rules in rule-sets increases a lot.
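To make the structure discussed in the two questions above concrete, here is an added example of a Junos destination NAT configuration in the shape the thread is talking about; it is not taken from this thread or from Juniper documentation, and the zone names (untrust/trust), the RFC 5737 / RFC 1918 addresses, and the pool, rule and policy names are all assumed. It shows the single 'from' context per rule-set, one destination-port per rule, and the security policy that is still needed because destination NAT by itself permits nothing:

```junos
/* Added example, not from the thread: publish two services on one external IP.
   Assumed: external interface in zone "untrust", servers in zone "trust",
   documentation addresses, constructed pool/rule/policy names. */
security {
    nat {
        destination {
            /* One pool per internal service; "port" rewrites the destination port. */
            pool dnat-web {
                address 192.168.10.10/32 port 80;
            }
            pool dnat-mail {
                address 192.168.10.20/32 port 25;
            }
            /* The "from" clause is the rule-set's context. On 9.5 a second
               rule-set with the same "from zone untrust" fails commit with the
               "have same context" error, and this rule-set may hold at most 8 rules. */
            rule-set NAT-Prime {
                from zone untrust;
                /* Each rule matches exactly one destination-port, so every
                   published port costs one of the 8 rules. */
                rule web {
                    match {
                        destination-address 203.0.113.10/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool dnat-web;
                    }
                }
                rule mail {
                    match {
                        destination-address 203.0.113.10/32;
                        destination-port 25;
                    }
                    then {
                        destination-nat pool dnat-mail;
                    }
                }
            }
        }
    }
    /* Destination NAT only rewrites the packet; a policy must still permit it.
       Policies match on the post-NAT (internal) address, so keep the policy
       narrow: only the two published hosts and their applications, not the zone. */
    policies {
        from-zone untrust to-zone trust {
            policy allow-published {
                match {
                    source-address any;
                    destination-address [ web-server mail-server ];
                    application [ junos-http junos-smtp ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address web-server 192.168.10.10/32;
                address mail-server 192.168.10.20/32;
            }
        }
    }
}
```

Adding a third published port to this configuration means another pool and another rule in NAT-Prime rather than a new rule-set, since any additional rule-set with 'from zone untrust' collides on the same context; with the 8-rule limit on 9.5 that leaves room for six more single-port rules in this example.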
07-23-2009 01:04 PM
But with 9.5R2 that limit will be increased to 256 rules per rule-set. 9.5R2 is targeted for release probably by the end of this month.
Nothing changed for the better in 9.5R2:
email@example.com# commit
[edit security nat destination rule-set nat-EF]
  'rule'
    number of elements exceeds limit of 8
error: commit failed: (number of elements exceeds limit)
firstname.lastname@example.org# run show version
JUNOS Software Release [9.5R2.7]
07-24-2009 12:20 AM
As I recall, the limit of 256 NAT rules was for SRX platforms. I thought that J-Series would also have the same limit increase. I would recommend opening a JTAC case to report this so that the J-Series limitation can be investigated.