Contributor
kbrookov
Posts: 60
Registered: ‎09-03-2009

NAT configuration on SRX after NSM update to 10.R2

I'm seeing this on multiple SRX devices running multiple versions of Junos.  This started after an NSM update to 2010R2.  The issue is in NSM under Security | NAT | Source | Rule Set:  
"This configuration is not available in Central policy mode."
NSM won't import the NAT ruleset, and it deletes the NAT rules every time I update; I then re-add the NAT ruleset locally to the device.  NAT cannot be configured in NSM due to the above message.  I do have a ticket open on this (for the last 2 weeks).  Just wondering if anyone else has seen this issue and if you were able to correct it?
Thanks,

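What "re-adding the NAT ruleset locally to the device" looks like on the SRX side, as an added example that is not part of the original post: a source NAT rule-set under the Junos `security nat source` hierarchy, in the curly-brace format that `load merge terminal` accepts. The zone names (`trust`, `untrust`), the rule-set and rule names, and the use of interface-based NAT are assumptions for illustration; substitute whatever the device actually carried before NSM stripped it.

```junos
security {
    nat {
        source {
            /* Added example, not from the thread: rule-set name, zone
               names and interface NAT are assumed for illustration. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule outbound-pat {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
}
```

Paste it in configuration mode with `load merge terminal`, then `commit`. The quick check after each NSM device update is `show security nat source rule all` and `show security nat source summary` in operational mode: if NSM has deleted the rule-set again, both come back empty, and outbound traffic from the `trust` zone will leave with its private source address until the rule-set is restored.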
Contributor
cglanville
Posts: 15
Registered: ‎11-05-2008

Re: NAT configuration on SRX after NSM update to 10.R2

I think this is a feature in progress. I didn't have the issue with 2010.2 and 10.0r3.10. I just upgraded to a patch to fix something else, though, and am now having the same issue. I was told they're changing the way NAT is managed in NSM on the SRXs. I suspect they're still implementing the import functionality.
Contributor
kbrookov
Posts: 60
Registered: ‎09-03-2009

Re: NAT configuration on SRX after NSM update to 10.R2

Forgot to mention the re-import part of the issue.  I was re-importing to fix another issue with IKE rekeying and NSM.... 
JTAC was able to reproduce the issue in the lab; the ticket number is 2010-0702-0249 if anyone else needs it for reference.
I do like the idea of centrally managing NAT as most of our devices run the same policy.  They just missed a little on the implementation.

Regular Visitor
junipered
Posts: 4
Registered: ‎08-04-2009

Re: NAT configuration on SRX after NSM update to 10.R2

So, did you have any response from JTAC? I am facing exactly the same issue.
-nick

Contributor
dfritz
Posts: 31
Registered: ‎08-18-2009

Re: NAT configuration on SRX after NSM update to 10.R2

Hi there,
This all happened to me too. I opened a case (2010-0422-0983) about problems like this a long time ago. The advice from JTAC was to change from Central Device Mode to InDev...
That worked well, but it interrupted our systems for 4 hours because parts of the firewall were not correctly incorporated. So be careful.
Br Daniel

Contributor
kbrookov
Posts: 60
Registered: ‎09-03-2009

Re: NAT configuration on SRX after NSM update to 10.R2

Case 2010-0702-0249 has been open since 07/02.  Advanced JTAC is working the issue along with NSM development.  The issue isn't necessarily a bug; rather, it's an incomplete feature.  The latest note to the case, posted on 10/08, is good news:
"I'm still testing the NAT settings, but it's looking like you will need to upgrade to NSM 2010.3.  I will give you a definitive answer once I've been able to test NAT policy settings on both 2010.2 and 2010.3.  Should you need to upgrade to resolve the other issue on your other case, I would recommend upgrading to the latest patch of 2010.3, which I can provide you with."
Unfortunately, the issues with NSM and the SRX platform have completely destroyed Juniper's image within the company.  We have Cisco coming out this week to pitch their VPN platform and will most likely be replacing Juniper.
I personally like Juniper and Junos code but I can no longer defend it without damaging my own reputation.
Anyway, hopefully the NSM issue is resolved in the newer version of code, I'll update this thread after the issue has been resolved.
Side note - central policy mode is the only mode I am willing to manage the devices in.  We have common firewall policies for the vast majority of our devices, which makes policy changes fairly easy.

Trusted Contributor
SomeITGuy
Posts: 330
Registered: ‎01-08-2010

Re: NAT configuration on SRX after NSM update to 10.R2

In NSM 2010.3 and recent JUNOS 10 versions, NAT shows up as a tab that you may have to add to your policy.
If you import a device that has its own policy, the NAT tab should just appear on the firewall policy named after the device. If you import or update NSM / a firewall that already has a common policy, the NAT is not automatically created; you need to add the NAT tab to the policy and create the NAT rules in the policy manually.
How to use the new NAT tab is covered in the current admin guide for NSM 2010.3; however, it never mentions that this is a new JUNOS device feature. It sort of just appeared out of the blue. The release notes simply state something like "support for JUNOS NAT". It is a rather significant change in how NSM handles it.

Contributor
nicolas@karp.fr
Posts: 11
Registered: ‎08-17-2010

Re: NAT configuration on SRX after NSM update to 10.R2

Hi,
We are facing the same problem, and we are using NSM 2010.3.

We manage our firewalls in "central policy mode", and when we want to configure a NAT policy we just get a denial (Security > Nat > Source > Rule-Set):
"This configuration is not available in Central policy mode."
Are you sure that Juniper added this feature in the 2010.3 release?
Any idea how to add a NAT rule?
Nicolas.