SRX

Hello,

 

When i add a static route through CLI  they are added sussessfully but they are not displayed in WEB interface.??? I hope it is bug for the version but i searched in the release notes for 10.4 SRX gateways there is no such information for this type of issue.

 

Another issue i m facing is  when i add a source address in source NAT i can't add more than 8 IP's i have such situation  that i have to add 20 HOST in the source addresses to a particular destination then only source NAT with the pool specified,

 

Please answer my 2 questions

No clue about web interface, regarding source nat, if your rule is filled with those 8 ip's, just create an identical rule in the same rule-set, which matches another 8 source ip's.

Hello Experts,

 

Anybody can help me for the static route issues, mentioned above

>>>When i add a static route through CLI  they are added sussessfully but they are not displayed in WEB interface.???

Try refreshing the Routing >static routing page by click on the same tab or by moving to different tab. Basically, changes done from cli are not picked up in UI if you are in same page without refresh.

 

#Q2

I am able to add source address more than 8 using Web, can you please share the snapshot and the junos version to that i can help you.

 

 

I tried refreshing the page and also i move to another page and i came to routing TAB but it doesnt show's me the static route

 

And my versionis 10.4, my question is that if i add more than 8 Nos of IP's in source NAT as a source address it does'nt accepts.

And also Adam in above thread gave me solution that  create the identical rule in the same rule-set  that is OK but the SRX wont accepts same rule name i have to create  rule with different name.

With 10.2 release there is a new implementation whereby Juniper no longer limit the number of rules per rule-set and instead provide platform wide limitation of rules.

 

http://kb.juniper.net/InfoCenter/index?page=content&id=KB14149&smlogin=true

Nice to see ur reply,

 

From My 2 question 1 question is solved automatically,

 

• Static routes are seen in GUI when they were added by CLI.

 

For my 2nd question:

 

• I have not mentioned that i have reached to the limit of rule-set or rule, what i m trying to explore is that when i add more than 8 subnet in source addresses or destination address of source NAT rule it gives me error that more than 8 subnets are exceeded.

 

Is it default behaviour of SRX 10.4 OS or there is any commands that after executing it will allow me to add more than 8 subnets

Hi there,

 

This has been default behaviour for a while.  I tested it out on 11.1 R4.4 and found the same issue:

 

pool limit-test {
    ##
    ## Warning: number of elements exceeds limit of 8
    ##
    address {
        10.0.0.0/24;
        10.0.1.0/24;
        10.0.2.0/24;
        10.0.3.0/24;
        10.0.4.0/24;
        10.0.5.0/24;
        10.0.6.0/24;
        10.0.7.0/24;
        10.0.8.0/24;
        10.0.9.0/24;
    }
}

 

What situation would you need such a wide variety of addressing in a Source NAT or Destination NAT pool?  You can split it up by using rule-sets to match on the From address range and NAT according to a pool of 8 address ranges.

 

Hello,

 

I faced a situation that there are different PC more than 8 which are going to extranet by the same ip pool.

 

BUT i did nt understood ur below line??

 

You can split it up by using rule-sets to match on the From address range and NAT according to a pool of 8 address ranges.

Hi there,

 

I assume you mean more than 8 PCs all in multiple ranges?

 

Below is a simple config showing 2 Source Pools with some IP Ranges and 4 internal subnets, 2 being NAT'd out over one and 2 over the other.

 

    nat {
        source {
            pool Public_Range01 {
                address {
                    110.111.165.70/29;
                    111.111.165.70/29;
                    112.111.165.70/29;
                    113.111.165.70/29;
                    114.111.165.70/29;
                    115.111.165.70/29;
                    116.111.165.70/29;
                    117.111.165.70/29;
                }
            }
            pool Public_Range02 {
                address {
                    111.111.165.70/29;
                    121.111.165.70/29;
                    132.111.165.70/29;
                    143.111.165.70/29;
                    154.111.165.70/29;
                    165.111.165.70/29;
                    176.111.165.70/29;
                    187.111.165.70/29;
                }
            }
            rule-set Office-to-Outside {
                from zone Office;
                to zone untrust;
                rule Office_LAN01 {
                    match {
                        source-address [ 10.1.1.0/24 10.1.3.0/24 ];
                    }
                    then {
                        source-nat {
                            pool {
                                Public_Range01;
                            }
                    }
                }
		rule Office_LAN02 {
                    match {
                        source-address [ 10.17.1.0/24 10.18.2.0/24 ];
                    }
                    then {
                        source-nat {
                            pool {
                                Public_Range02;
                            }
                        }
                    }
                }
            }

 

Hello,

 

Yes I know this can be done buy using different name as such you used rule Office_LAN01 and rule Office_LAN02, If suppose i want to occupy 10 subnets in 1 rule (Office_LAN01) is it possible????

 

Tx

Hi there,

 

No sadly 8 elements in each is the limit.  But you can work around this easily I assume.

 

Are all the PCs you want to access the extranet on different subnets and ip ranges?

Hello,

 

Are all the PCs you want to access the extranet on different subnets and ip ranges?

 

yes i have 9 different subnets as a source that want to access extranet  destinations

Hi Jen,

 

Just configure 2 rules referencing the same Range for source NAT or interface if NATing on the outbound interface.

 

The below config shows 9 subnets getting external access on the pool Public_Range01, this could also be made interface based Source NAT.

 

            rule-set Office-to-Outside {
                from zone Office;
                to zone untrust;
                rule Office_LAN01 {
                    match {
                        source-address [ 10.1.1.0/24 10.1.3.0/24 10.1.7.0/24 10.1.9.0/24 ];
                    }
                    then {
                        source-nat {
                            pool {
                                Public_Range01;
                            }
                    }
                }
		rule Office_LAN02 {
                    match {
                        source-address [ 10.17.1.0/24 10.18.2.0/24 10.1.22.0/24 10.1.33.0/24 10.1.83.0/24];
                    }
                    then {
                        source-nat {
                            pool {
                                Public_Range01;
                            }
                        }
                    }
                }

 

 

Hello,

 

Yes i know i can do this but i was expecting some tricks from experts to add more than 8 subnet in the source address.

 

Anyway thanks for ur replies