SRX Services Gateway

Ash
Contributor
Posts: 14
Registered: 06-13-2009
Accepted Solution
destination-NAT query

Is it possible to implement destination NAT from one external address to several internal addresses with PAT when the number of internal services is more than 8?

If it is needed for translating connections to internal servers, for example? Will the 8-rule limitation then be increased?

--ash

Distinguished Expert
Raheel
Posts: 414
Registered: 06-18-2008

Re: destination-NAT query


You can do destination NAT with port translation, but you'll hit the same limitation (i.e. the max number of rules per rule-set). That said, since we do support many rule-sets, you can configure multiple different rule-sets, each with up to 8 rules.

The trick is that, since rule-sets must be different (they must have different matching conditions), you'll have to find combinations of matching conditions that all match your traffic.

For destination NAT each rule-set can match on source interface, zone or routing instance. So a possibility would be to do:

rule-set 1, matching on the ingress interface
rule-set 2, matching on the ingress zone
rule-set 3, matching on the ingress routing-instance

That will extend the number of rules to about 24 (since each rule-set supports up to 8 rules; needless to say there will be some performance impact in the CPS).

If you still need more rules, an easy solution is to create fake zones. Say, for instance, you create the zones fake1, fake2 and fake3.

Then you can combine them with your "real" ingress zone to create multiple rule-sets

rule-set 1, matches on ingress zones trust
rule-set 2, matches on ingress zones [ trust, fake1 ]
rule-set 3, matches on ingress zones [ trust, fake2 ]
rule-set 4, matches on ingress zones [ trust, fake3 ]
rule-set 5, matches on ingress zones [ trust, fake1, fake2 ]
...

Remember, the limits are platform dependent. Some of these restrictions were already lifted in 9.6 (starting with static NAT), and future releases will improve this further.

Thanks,

Raheel Anwar

Follow me on Twitter @anwar_raheel

--
If this post was helpful, please mark this post as an "Accepted Solution".
Kudos are always appreciated!
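As an added example (not from the reply above, and not Juniper's own sample configuration), the set-style Junos configuration below lays out the three destination-NAT rule-sets the reply describes, keyed on the ingress interface, zone and routing instance, each with its own PAT pool. The interface, zone, pool and address values are assumptions for illustration (RFC 5737 and RFC 1918 documentation addresses), and "default" is assumed as the name of the master routing instance.

```junos
## Added example, not from the forum answer: three destination-NAT rule-sets
## keyed on interface, zone and routing instance, each carrying its own rules.
## Interface, zone and address values are assumptions (RFC 5737 / RFC 1918
## documentation addresses); adapt them to the real topology.

## PAT pools: one per internal service, rewriting the destination port
set security nat destination pool web-a address 10.0.1.10/32 port 80
set security nat destination pool web-b address 10.0.1.11/32 port 80
set security nat destination pool ssh-a address 10.0.1.20/32 port 22

## Rule-set keyed on the ingress interface (the most specific "from" condition)
set security nat destination rule-set ds-by-intf from interface ge-0/0/0.0
set security nat destination rule-set ds-by-intf rule r1 match destination-address 203.0.113.10/32
set security nat destination rule-set ds-by-intf rule r1 match destination-port 8001
set security nat destination rule-set ds-by-intf rule r1 then destination-nat pool web-a

## Rule-set keyed on the ingress zone
set security nat destination rule-set ds-by-zone from zone untrust
set security nat destination rule-set ds-by-zone rule r1 match destination-address 203.0.113.10/32
set security nat destination rule-set ds-by-zone rule r1 match destination-port 8002
set security nat destination rule-set ds-by-zone rule r1 then destination-nat pool web-b

## Rule-set keyed on the ingress routing instance ("default" = master instance, assumed)
set security nat destination rule-set ds-by-ri from routing-instance default
set security nat destination rule-set ds-by-ri rule r1 match destination-address 203.0.113.10/32
set security nat destination rule-set ds-by-ri rule r1 match destination-port 8022
set security nat destination rule-set ds-by-ri rule r1 then destination-nat pool ssh-a

## Destination NAT only rewrites the packet; the security policy lookup then
## runs on the translated (internal) address, so each server still needs an
## explicit permit. Zone-based address book entries are used here.
set security zones security-zone trust address-book address srv-web-a 10.0.1.10/32
set security zones security-zone trust address-book address srv-web-b 10.0.1.11/32
set security zones security-zone trust address-book address srv-ssh-a 10.0.1.20/32
set security policies from-zone untrust to-zone trust policy allow-dnat match source-address any
set security policies from-zone untrust to-zone trust policy allow-dnat match destination-address [ srv-web-a srv-web-b srv-ssh-a ]
set security policies from-zone untrust to-zone trust policy allow-dnat match application [ junos-http junos-ssh ]
set security policies from-zone untrust to-zone trust policy allow-dnat then permit

## Operational checks after commit (run from operational mode):
##   show security nat destination rule all   -- per-rule translation hit counters
##   show security nat destination summary    -- rule-sets and pools in one view
```

Two practical caveats when using this layout. First, when a flow qualifies for more than one rule-set, the SRX selects only the most specific one (interface over zone over routing instance) and evaluates just that rule-set's rules, so confirm on your release which rule-set a given flow actually lands in by watching the translation hit counters in show security nat destination rule all before relying on the combined rule count. Second, because policy lookup sees the post-NAT destination address, keep the permit policy scoped to the translated servers and applications rather than an "any" destination, otherwise the NAT rule-sets become the only thing standing between the outside and the internal hosts.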
Contributor
jantkowiak
Posts: 19
Registered: 10-09-2009

Re: destination-NAT query

Fake zones? How would you go about getting traffic to match the condition of originating from one of the fake zones, then?

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.