SRX Services Gateway
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
roxana.rojas
Visitor
roxana.rojas
Posts: 4
Registered: ‎02-20-2012
0

SRX650 static NAT issue.

Options

‎04-26-2012 12:29 PM

Hi Experts,

 

I was configuring static NAT using the document 'junos-security-swconfig-security.pdf', but when I configured the policy:

 

set security policies from-zone trust to-zone untrust policy Static-NAT-out match source-address server-1
set security policies from-zone trust to-zone untrust policy Static-NAT-out match destination-address any
set security policies from-zone trust to-zone untrust policy Static-NAT-out match application any
set security policies from-zone trust to-zone untrust policy Static-NAT-out then permit

 

Then, I got the message:

 

Address or address_set (server-1) not found

 

However, if I use 'any' instead of 'server-1' it works OK after performing a 'commit check'

 

Is there a workaround with this?

 

Regards!

Message 1 of 4 (256 Views)
 
Reply
Distinguished Expert
Distinguished Expert
MMcD
Posts: 513
Registered: ‎07-20-2010
0

Re: SRX650 static NAT issue.

[ Edited ]
Options

‎04-26-2012 02:39 PM - edited ‎04-26-2012 02:43 PM

You need to create an trust address book entry for Server1:

 

user@srx#set security zones security-zone trust address-book address Server-1 10.10.10.10/32

 

MMcD [JNCIS-SEC, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Message 2 of 4 (254 Views)
 
Reply
roxana.rojas
Visitor
roxana.rojas
Posts: 4
Registered: ‎02-20-2012
0

Re: SRX650 static NAT issue.

Options

‎04-27-2012 07:21 AM

Hi MMcD,

 

That is the main issue, the object has been created on the address-book already. Also, I have tried creating it on the global address-book but it says it will disable zone addresses (no way!)

 

Regards!

Message 3 of 4 (239 Views)
 
Reply
cy
Contributor
cy
Posts: 73
Registered: ‎09-28-2010
0

Re: SRX650 static NAT issue.

[ Edited ]
Options

‎04-30-2012 07:24 AM - edited ‎04-30-2012 07:26 AM

this might sound stupid, but are you sure you put the 

"address server-1 x.x.x.x/y" in the right address-book (in security-zone trust)?

 

address name is also case-sensitive (im sure MMcD knows this and just mistyped :smileywink:)

 

 

you can see valid addresses (and address sets) if you type "?", or you can tab-complete addresses.

 

"set security policies from-zone trust to-zone untrust policy Static-NAT-out match source-address ?"

"set security policies from-zone trust to-zone untrust policy Static-NAT-out match source-address s<TAB>"

 

 

you could also post the output of this here:

"show security zones security-zone trust address-book|display set|match server-1"

--

You can also find me on Freenode IRC in #juniper, my handle is "cy[]"
Message 4 of 4 (222 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.