Hi Everyone,
When I try to set a policy based on an IP address, I get the following error:
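/* A security policy's source-address / destination-address must name an
   address-book entry; a literal prefix is looked up as a name, which is what
   the commit error "Address or address_set (x.y.z.226/32) not found" reports.
   Two things are needed for this policy to commit and actually match:
   1. Define the entry in the to-zone's (trust) address book, since
      destination-address is resolved against the to-zone, e.g.
        set security zones security-zone trust address-book address host_domain_com 172.17.1.226/32
      (host_domain_com is an illustrative name). Use the inside address:
      static NAT (rule domain1_com) is applied before policy lookup, so
      untrust->trust traffic to x.y.z.226 is evaluated against 172.17.1.226.
   2. Policies are evaluated first match. The existing from-untrust-to-trust
      policy already permits junos-http to "any", so insert this one before it
      (insert security policies from-zone untrust to-zone trust policy
      domain_com before policy from-untrust-to-trust) or it is never reached. */
policy domain_com {
    match {
        source-address any;
        destination-address host_domain_com;
        application junos-http;
    }
    then {
        permit;
    }
}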
# commit
[edit security policies from-zone untrust to-zone trust]
'policy domain_com'
Address or address_set (x.y.z.226/32) not found.
error: configuration check-out failed
How can I avoid this error? (Please note that x.y.z are valid, working public internet IPs.)
This is my full configuration:
## Last changed: 2013-09-02 14:00:00 UTC
/* Junos release the configuration was taken from. */
version 11.4R7.5;
/* Per-node settings for the chassis cluster; "apply-groups ${node}" below
   selects node0 or node1 on each member. Only the host name and the fxp0
   management address differ between the two nodes. */
groups {
    node0 {
        system {
            host-name trunks;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 172.16.20.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name goten;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 172.16.20.2/24;
                    }
                }
            }
        }
    }
}
/* ${node} expands to the local cluster node's name, applying its group. */
apply-groups "${node}";
system {
    root-authentication {
        /* "$1$" prefix denotes an MD5-crypt hash; the value is truncated in this post. */
        encrypted-password "$1$"; ## SECRET-DATA
    }
    /* Resolvers used by the device itself. */
    name-server {
        208.67.222.222;
        208.67.220.220;
    }
    services {
        ssh;
        /* Clear-text JUNOScript (XML RPC) management: credentials and
           configuration travel unencrypted, and no firewall filter limiting
           who may connect is visible in this configuration. xnm-ssl or
           "netconf ssh" are the encrypted equivalents. */
        xnm-clear-text;
        /* DNS queries received by the SRX are forwarded to 8.8.8.8;
           presumably why "dns" is allowed as a host-inbound service on reth0.0. */
        dns {
            forwarders {
                8.8.8.8;
            }
        }
    }
    syslog {
        archive size 100k files 3;
        user * {
            any emergency;
        }
        /* Authorization (login) events are logged at info level; note that
           no security/flow event logging is configured here. */
        file messages {
            any critical;
            authorization info;
        }
        file interactive-commands {
            interactive-commands error;
        }
    }
    max-configurations-on-flash 5;
    max-configuration-rollbacks 5;
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
/* Two-node chassis cluster. Redundancy-group 0 is the control plane,
   redundancy-group 1 carries both reth interfaces; node 0 is primary for
   both. Each monitored link has weight 255, so the failure of any single
   monitored interface reaches the failover threshold for RG1. */
chassis {
    cluster {
        reth-count 2;
        redundancy-group 0 {
            node 0 priority 100;
            node 1 priority 1;
        }
        redundancy-group 1 {
            node 0 priority 100;
            node 1 priority 1;
            interface-monitor {
                ge-0/0/5 weight 255;
                ge-5/0/5 weight 255;
                ge-0/0/6 weight 255;
                ge-5/0/6 weight 255;
            }
        }
    }
}
/* Physical ports: ge-x/0/6 on each node form reth0 (inside, 172.17.1.0/24),
   ge-x/0/5 form reth1 (outside, two /30 links toward the BGP peers).
   ge-x/0/4 are the cluster fabric links. */
interfaces {
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/6 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/6 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/4;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/4;
            }
        }
    }
    /* Inside interface, placed in zone trust. */
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 172.17.1.1/24;
            }
        }
    }
    /* Outside interface, placed in zone untrust. Note that none of the
       public x.y.z.224/27 addresses is configured here; they are reached
       through NAT plus proxy-arp on reth1.0. */
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 10.26.1.90/30;
                address 10.26.1.94/30;
            }
        }
    }
}
/* The discard route anchors the public /27 so it can be exported to BGP
   (policy public-to-bgp); packets to addresses in the block that have no
   NAT mapping are dropped rather than forwarded. 65400 is a private ASN. */
routing-options {
    static {
        route x.y.z.224/27 discard;
    }
    autonomous-system 65400;
}
protocols {
    /* eBGP to AS 65300 over the two reth1 /30 links. No authentication-key
       is configured, so the sessions are unauthenticated, and with no import
       policy all routes received from the peers are accepted. */
    bgp {
        export public-to-bgp;
        group external-peers {
            type external;
            peer-as 65300;
            neighbor 10.26.1.89;
            neighbor 10.26.1.93;
        }
    }
    stp;
}
/* Advertise only the static discard route for the public /27 to BGP. */
policy-options {
    policy-statement public-to-bgp {
        from {
            protocol static;
            route-filter x.y.z.224/27 exact;
        }
        then accept;
    }
}
/* Zone-based firewall: NAT, inter-zone policies and zone definitions. */
security {
    nat {
        source {
            /* Single public address used for port address translation of all
               outbound trust traffic (rule pat-interface). */
            pool pool-pat {
                address {
                    x.y.z.225/32;
                }
            }
            rule-set nat-trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule pat-interface {
                    match {
                        source-address 172.17.1.0/24;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            pool {
                                pool-pat;
                            }
                        }
                    }
                }
            }
        }
        /* One-to-one mappings from public addresses in x.y.z.224/27 to inside
           hosts. Static NAT is applied before policy lookup, so untrust->trust
           policies for these hosts must match on the inside 172.17.1.x
           address, not on the public one. */
        static {
            rule-set nat-public-ip {
                from zone untrust;
                rule backup-ssh {
                    match {
                        destination-address x.y.z.252/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.17.1.252/32;
                            }
                        }
                    }
                }
                rule domain1_com {
                    match {
                        destination-address x.y.z.226/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.17.1.226/32;
                            }
                        }
                    }
                }
                rule domain2_com {
                    match {
                        destination-address x.y.z.227/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.17.1.227/32;
                            }
                        }
                    }
                }
                rule tmp-ssh-gateway {
                    match {
                        destination-address x.y.z.235/32;
                    }
                    then {
                        static-nat {
                            prefix {
                                172.17.1.235/32;
                            }
                        }
                    }
                }
            }
        }
        /* The SRX answers ARP for the whole public /27 on reth1.0 because
           none of those addresses is configured on the interface itself. */
        proxy-arp {
            interface reth1.0 {
                address {
                    x.y.z.224/27;
                }
            }
        }
    }
    policies {
        /* Outbound: everything from trust to untrust is permitted. Policies
           are evaluated first match within a zone pair, so a more specific
           policy must be inserted before a catch-all like this to take effect. */
        from-zone trust to-zone untrust {
            policy from-trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        /* Inbound: ssh, http and https are permitted from any source to any
           trust address, not only to the four statically NATed hosts. Per-host
           policies referencing trust address-book entries, placed before this
           one, would narrow the exposure; anything appended after it is
           shadowed. */
        from-zone untrust to-zone trust {
            policy from-untrust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-ssh junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        /* Neither zone defines an address-book, which is why a policy naming
           a destination by prefix fails at commit. Entries belong under
           "security-zone <zone> address-book address <name> <prefix>" (or the
           global address-book; zone-level and global books cannot be mixed). */
        security-zone untrust {
            interfaces {
                /* Internet-facing interface: ping is the only system service
                   accepted, but "protocols all" accepts any routing protocol
                   from the untrust side although only BGP is configured;
                   "protocols bgp" would limit it to what is needed. */
                reth1.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone trust {
            /* Zone level: all services and protocols accepted from trust. */
            host-inbound-traffic {
                system-services {
                    all;
                    ping;
                    traceroute;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                /* Interface-level host-inbound-traffic takes precedence over
                   the zone-level setting for this interface, so reth0.0
                   accepts only ssh, ping and dns (dns presumably for the DNS
                   forwarding configured under system services). */
                reth0.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ping;
                            dns;
                        }
                    }
                }
            }
        }
    }
}
}