SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Source NAT | set match destination address limitation

    Posted 09-03-2011 07:05

    Source NAT | set match destination address limitation

    I want to configure a source NAT to 11 different destination networks and send them to a pool.

    When I add the individual networks in the set match destination address I do not see the option to use an address book entry. I also get a maximum of 8 networks warning message.

    Is there a way to overcome this limitation?

    Basic requirements

    Source network 1

    Destination network 11 or address set group

    NAT’ed to a pool address


    Thanks,

    JR



  • 2.  RE: Source NAT | set match destination address limitation
    Best Answer

    Posted 09-03-2011 09:14

    Possibly not the smartest way, but I usually do it using one of two approaches.

    One method I use: just make an additional rule for source NAT translation.


    Second approach

    1. permit NAT to any destination from “source network1”

    rule-set source {
        from zone trust;
        to zone untrust;
        rule r1 {
            match {
                source-address x.x.x.x/xx;
            }
            then {
                source-nat {
                    pool {
                        NAT_pool_X;
                    }
                }
            }
        }
    }


    2. enforce access to those desired 11 destinations via security policies from trust to untrust, where you don’t have the 8-destination limit. Also, you can use an address-set within security policies.




  • 3.  RE: Source NAT | set match destination address limitation

    Posted 09-03-2011 09:18

    Hi thanks for the reply.

    I was also looking at the threads and saw that anything before 10.2 has this limitation, and guess what, I’m running code before 10.2, so it's time to upgrade.

    Thanks for the quick response; I will try your approach.

    The only catch is that I will have other destinations that I will need to NAT to another pool. I guess I will have to place the more specific NATs at the top of the list and the least specific at the bottom.

    Thanks again.

    JR
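The second approach from the accepted answer (source-only NAT rule plus a destination restriction in the security policy with an address-set), together with the rule-ordering point raised in the last post, written out as an added example in Junos set-command form. This is not configuration from either poster; the zone names trust/untrust and the rule-set name "source" follow the thread, while the address names (SRC_NET1, DST_A..DST_C, DST_11, DST_Y), the pool NAT_pool_Y, the rule names and every prefix are constructed. A zone-based address book is used because it is what the older Junos code mentioned in the thread supports; the `#` lines are commentary and are not loaded.

```junos
# Added example (constructed names and prefixes), not from the original thread.
# Step 1: address objects; the address-set stands in for the 11 destination networks
# (only three are shown, more are added the same way).
set security zones security-zone trust address-book address SRC_NET1 10.10.0.0/24
set security zones security-zone untrust address-book address DST_A 192.0.2.0/24
set security zones security-zone untrust address-book address DST_B 198.51.100.0/24
set security zones security-zone untrust address-book address DST_C 203.0.113.0/24
set security zones security-zone untrust address-book address-set DST_11 address DST_A
set security zones security-zone untrust address-book address-set DST_11 address DST_B
set security zones security-zone untrust address-book address-set DST_11 address DST_C
# One further destination that must leave through a different pool.
set security zones security-zone untrust address-book address DST_Y 198.18.0.0/24

# Step 2: the two NAT pools.
set security nat source pool NAT_pool_X address 100.64.0.1/32 to 100.64.0.10/32
set security nat source pool NAT_pool_Y address 100.64.1.1/32 to 100.64.1.10/32

# Step 3: NAT rules. r_any carries no destination match, so the 11 networks
# never have to be listed in NAT; r_specific keeps a single destination match,
# well under the 8-entry limit.
set security nat source rule-set source from zone trust
set security nat source rule-set source to zone untrust
set security nat source rule-set source rule r_any match source-address 10.10.0.0/24
set security nat source rule-set source rule r_any then source-nat pool NAT_pool_X
set security nat source rule-set source rule r_specific match source-address 10.10.0.0/24
set security nat source rule-set source rule r_specific match destination-address 198.18.0.0/24
set security nat source rule-set source rule r_specific then source-nat pool NAT_pool_Y
# Source NAT rules are evaluated top-down and the first match wins, so the
# specific rule has to sit above the catch-all.
insert security nat source rule-set source rule r_specific before rule r_any

# Step 4: the destination restriction lives in the security policy, which has
# no 8-entry limit and accepts the address-set directly.
set security policies from-zone trust to-zone untrust policy TO_DST_11 match source-address SRC_NET1
set security policies from-zone trust to-zone untrust policy TO_DST_11 match destination-address DST_11
set security policies from-zone trust to-zone untrust policy TO_DST_11 match application any
set security policies from-zone trust to-zone untrust policy TO_DST_11 then permit
set security policies from-zone trust to-zone untrust policy TO_DST_Y match source-address SRC_NET1
set security policies from-zone trust to-zone untrust policy TO_DST_Y match destination-address DST_Y
set security policies from-zone trust to-zone untrust policy TO_DST_Y match application any
set security policies from-zone trust to-zone untrust policy TO_DST_Y then permit

# Step 5: check the rule order and the policies before committing.
commit check
run show security nat source rule all
run show security policies from-zone trust to-zone untrust
```

Two things to keep in mind when using this pattern. The catch-all NAT rule r_any translates traffic to any destination, so the security policies are what actually bound where SRC_NET1 can reach; that is safe under the SRX default deny, but if a broad permit policy already exists from trust to untrust, the NAT rule will no longer act as a restriction on its own. And any destination match you do keep in a NAT rule (r_specific here) still counts toward the 8-entry limit on the older code discussed in the thread, so further per-pool exceptions should each get their own rule placed above r_any rather than being folded into one rule.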