Visitor
roxana.rojas
Posts: 4
Registered: ‎02-20-2012
0

SRX650 static NAT issue.

Hi Experts,

 

I was configuring static NAT using the document 'junos-security-swconfig-security.pdf', but when I configured the policy:

 

set security policies from-zone trust to-zone untrust policy Static-NAT-out match source-address server-1
set security policies from-zone trust to-zone untrust policy Static-NAT-out match destination-address any
set security policies from-zone trust to-zone untrust policy Static-NAT-out match application any
set security policies from-zone trust to-zone untrust policy Static-NAT-out then permit

 

Then, I got the message:

 

Address or address_set (server-1) not found

 

However, if I use 'any' instead of 'server-1', it works OK after performing a 'commit check'.

Is there a workaround for this?

 

Regards!

Distinguished Expert
MMcD
Posts: 635
Registered: ‎07-20-2010
0

Re: SRX650 static NAT issue.


You need to create a trust address book entry for Server1:

user@srx# set security zones security-zone trust address-book address Server-1 10.10.10.10/32

 

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Visitor
roxana.rojas
Posts: 4
Registered: ‎02-20-2012
0

Re: SRX650 static NAT issue.

Hi MMcD,

 

That is the main issue; the object has been created on the address-book already. Also, I have tried creating it on the global address-book, but it says it will disable zone addresses (no way!)

 

Regards!

cy
Contributor
cy
Posts: 75
Registered: ‎09-28-2010
0

Re: SRX650 static NAT issue.


This might sound stupid, but are you sure you put the "address server-1 x.x.x.x/y" in the right address-book (in security-zone trust)?

The address name is also case-sensitive (I'm sure MMcD knows this and just mistyped).

 

 

You can see valid addresses (and address sets) if you type "?", or you can tab-complete addresses.

"set security policies from-zone trust to-zone untrust policy Static-NAT-out match source-address ?"

"set security policies from-zone trust to-zone untrust policy Static-NAT-out match source-address s<TAB>"

You could also post the output of this here:

"show security zones security-zone trust address-book | display set | match server-1"

--

You can also find me on Freenode IRC in #juniper, my handle is "cy[]"