SRX

  • 1.  Destination NAT on SRX100

    Posted 03-22-2011 12:38

    I have an SRX100, running 10.0r1.8, and I have one IP address from an ISP.  I would like to set up a destination NAT for a range of ports.  I have heard there are limits to rules within rule-sets; however, I don't know what the limits are for my current hardware/software.

    If I have a range of 500 contiguous ports, what is the best way to implement this?

    Based on my hardware/software combination, what are my limits?

    If I upgrade my software to a newer version, will my limits increase?

    Thank you,

    T.J.


    #NAT


  • 3.  RE: Destination NAT on SRX100

    Posted 03-22-2011 14:12

    Will the upgrade to 10.2 fix the issue below?

    My current configuration will not allow me to add more rule-sets with the same "from interface fe-0/0/0.0" context.

    Current:

            destination {
                pool RDC-server {
                    address 192.168.1.203/32 port 3389;
                }
                rule-set RDC-NAT {
                    from interface fe-0/0/0.0;
                    rule RDC-portforward {
                        match {
                            destination-address xx.xx.xx.xx/32;
                            destination-port 3389;
                        }
                        then {
                            destination-nat pool RDC-server;
                        }
                    }
                }
            }

    Proposed:

     +     rule-set Digium-signal {
    +         from interface fe-0/0/0.0;
    +         rule Digium-4569 {
    +             match {
    +                 destination-address xx.xx.xx.xx/32;
    +                 destination-port 4569;
    +             }
    +             then {
    +                 destination-nat pool Digium-server;
    +             }
    +         }
    +         rule Digium-5060 {
    +             match {
    +                 destination-address xx.xx.xx.xx/32;
    +                 destination-port 5060;
    +             }    
    +             then {
    +                 destination-nat pool Digium-server;
    +             }
    +         }
    +     }
    +     rule-set Digium-access {
    +         from interface fe-0/0/0.0;
    +         rule Digium-80 {
    +             match {
    +                 destination-address xx.xx.xx.xx/32;
    +                 destination-port 80;
    +             }
    +             then {
    +                 destination-nat pool Digium-server;
    +             }
    +         }
    +         rule Digium-443 {
    +             match {
    +                 destination-address xx.xx.xx.xx/32;
    +                 destination-port 443;
    +             }
    +             then {
    +                 destination-nat pool Digium-server;
    +             }
    +         }
    +         rule Digium-5222 {
    +             match {
    +                 destination-address xx.xx.xx.xx/32;
    +                 destination-port 5222;
    +             }
    +             then {
    +                 destination-nat pool Digium-server;
    +             }
    +         }
    +         rule Digium-843 {
    +             match {
    +                 destination-address xx.xx.xx.xx/32;
    +                 destination-port 843;
    +             }
    +             then {
    +                 destination-nat pool Digium-server;
    +             }
    +         }
    +         rule Digium-5269 {
    +             match {
    +                 destination-address xx.xx.xx.xx/32;
    +                 destination-port 5269;
    +             }
    +             then {
    +                 destination-nat pool Digium-server;
    +             }
    +         }
    +     }
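Review bot: both new rule-sets Digium-signal and Digium-access repeat `from interface fe-0/0/0.0`, which is already the context of the existing rule-set RDC-NAT, and the commit check below rejects exactly that ("have same context"); fold rules Digium-4569 through Digium-5269 into RDC-NAT (or into a single new rule-set that also takes over the RDC rule) rather than adding two more rule-sets on the same interface. Every new rule also references `destination-nat pool Digium-server`, but no `pool Digium-server { address ...; }` appears in the diff, so that pool must be defined under `security nat destination` before the commit can succeed.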

    Problem:

    I receive the following error when I run a commit check:


    error: Destination NAT rule-set RDC-NAT and Digium-signal have same context.
    [edit security nat destination]
      'rule-set Digium-signal'
        Destination NAT rule-set(Digium-signal) sanity check failed.
    error: Destination NAT rule-set RDC-NAT and Digium-access have same context.
    [edit security nat destination]
      'rule-set Digium-access'
        Destination NAT rule-set(Digium-access) sanity check failed.
    error: configuration check-out failed

    [edit]



  • 4.  RE: Destination NAT on SRX100

    Posted 03-22-2011 14:16

    I currently have 1 single outside IP and my goal is:

    Traffic received on outside interface with destination port of 3389 - forward to RDP server - 192.168.1.203

    Traffic received on outside interface with destination ports of 80,443,843,4569,5060,5222,5269,10000-10500 - forward to VoIP server - 196.168.2.200

    Thanks,

    T.J.



  • 5.  RE: Destination NAT on SRX100

    Posted 03-22-2011 21:10

    Don't use multiple rule-sets. As the commit check message states, you cannot have overlapping contexts between rule-sets (from interface fe-0/0/0.0 in your case). Instead, add all your rules to the same rule-set. Upgrading to a 10.2 or later release will increase the max number of rules per rule-set to accommodate the number of rules you have. I would recommend either 10.2R3 or 10.4R3 depending on what other features you may need.

    -Richard
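The single-rule-set layout Richard recommends, written out in Junos set format as an added example (this is not configuration from the thread or from Juniper). It assumes: one rule-set named INBOUND-DNAT, a VoIP pool named VoIP-server at 192.168.2.200 (the post's "196.168.2.200" is kept as written there, this example uses an RFC 1918 address), zone names untrust and trust with the 10.x per-zone address book, and a release that accepts the `destination-port low to high` range form so the 10000-10500 block is one rule instead of 501. The public IP placeholder xx.xx.xx.xx is the thread's own.

```junos
# Added example, not from the original thread. Pools first: a pool with a
# port rewrites the destination port, a pool without one keeps it as received.
set security nat destination pool RDC-server address 192.168.1.203/32 port 3389
set security nat destination pool VoIP-server address 192.168.2.200/32

# Exactly one rule-set carries the "from interface fe-0/0/0.0" context.
# Rules are evaluated top to bottom within the rule-set; the ports here are
# disjoint, so order does not change the outcome.
set security nat destination rule-set INBOUND-DNAT from interface fe-0/0/0.0

set security nat destination rule-set INBOUND-DNAT rule RDC-3389 match destination-address xx.xx.xx.xx/32
set security nat destination rule-set INBOUND-DNAT rule RDC-3389 match destination-port 3389
set security nat destination rule-set INBOUND-DNAT rule RDC-3389 then destination-nat pool RDC-server

set security nat destination rule-set INBOUND-DNAT rule VoIP-80 match destination-address xx.xx.xx.xx/32
set security nat destination rule-set INBOUND-DNAT rule VoIP-80 match destination-port 80
set security nat destination rule-set INBOUND-DNAT rule VoIP-80 then destination-nat pool VoIP-server

set security nat destination rule-set INBOUND-DNAT rule VoIP-443 match destination-address xx.xx.xx.xx/32
set security nat destination rule-set INBOUND-DNAT rule VoIP-443 match destination-port 443
set security nat destination rule-set INBOUND-DNAT rule VoIP-443 then destination-nat pool VoIP-server

set security nat destination rule-set INBOUND-DNAT rule VoIP-843 match destination-address xx.xx.xx.xx/32
set security nat destination rule-set INBOUND-DNAT rule VoIP-843 match destination-port 843
set security nat destination rule-set INBOUND-DNAT rule VoIP-843 then destination-nat pool VoIP-server

set security nat destination rule-set INBOUND-DNAT rule VoIP-4569 match destination-address xx.xx.xx.xx/32
set security nat destination rule-set INBOUND-DNAT rule VoIP-4569 match destination-port 4569
set security nat destination rule-set INBOUND-DNAT rule VoIP-4569 then destination-nat pool VoIP-server

set security nat destination rule-set INBOUND-DNAT rule VoIP-5060 match destination-address xx.xx.xx.xx/32
set security nat destination rule-set INBOUND-DNAT rule VoIP-5060 match destination-port 5060
set security nat destination rule-set INBOUND-DNAT rule VoIP-5060 then destination-nat pool VoIP-server

set security nat destination rule-set INBOUND-DNAT rule VoIP-5222 match destination-address xx.xx.xx.xx/32
set security nat destination rule-set INBOUND-DNAT rule VoIP-5222 match destination-port 5222
set security nat destination rule-set INBOUND-DNAT rule VoIP-5222 then destination-nat pool VoIP-server

set security nat destination rule-set INBOUND-DNAT rule VoIP-5269 match destination-address xx.xx.xx.xx/32
set security nat destination rule-set INBOUND-DNAT rule VoIP-5269 match destination-port 5269
set security nat destination rule-set INBOUND-DNAT rule VoIP-5269 then destination-nat pool VoIP-server

# The 501-port media range as one rule. Assumption: the running release
# accepts the "low to high" form here; if it does not, this is the rule to
# split (or to replace with a destination-address-only rule placed last).
set security nat destination rule-set INBOUND-DNAT rule VoIP-RTP match destination-address xx.xx.xx.xx/32
set security nat destination rule-set INBOUND-DNAT rule VoIP-RTP match destination-port 10000 to 10500
set security nat destination rule-set INBOUND-DNAT rule VoIP-RTP then destination-nat pool VoIP-server

# Destination NAT is applied before policy lookup on the SRX, so the
# untrust-to-trust policy must permit the real (post-NAT) server addresses,
# not the public IP. Address-book entries and zone names are assumed.
set security zones security-zone trust address-book address RDC-server 192.168.1.203/32
set security zones security-zone trust address-book address VoIP-server 192.168.2.200/32
set security policies from-zone untrust to-zone trust policy INBOUND-DNAT match source-address any
set security policies from-zone untrust to-zone trust policy INBOUND-DNAT match destination-address [ RDC-server VoIP-server ]
set security policies from-zone untrust to-zone trust policy INBOUND-DNAT match application any
set security policies from-zone untrust to-zone trust policy INBOUND-DNAT then permit
```

Run `commit check` first: on the 10.0 release in the thread the rule-count limit per rule-set may still reject this many rules, which is the reason for Richard's upgrade advice. After a successful commit, `show security nat destination rule all` lists each rule with its translation hit counter, and `show security nat destination summary` confirms that only one rule-set exists for the fe-0/0/0.0 context; a rule that never increments while the public port is being probed usually means the policy, not the NAT rule, is the part that is wrong.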