10-23-2009 02:10 PM
Is it possible to implement destination NAT from one external address to several internal addresses with PAT when the number of internal services is more than 8?
If it is needed for translating connections to internal servers, for example? Will the 8-rule limitation then be increased?
10-23-2009 02:15 PM
You can do destination NAT with port translation but you'll hit the same limitation (i.e. max # of rules per rule-set). That said, since we do support many rule-sets you can configure multiple different rule-sets each with up to 8 rules.
The trick is that, since rule-sets must be different (they must have different matching conditions), you'll have to find combinations of matching actions that all match your traffic.
For destination NAT each rule-set can match on source interface, zone or routing instance. So a possibility would be to do:
rule-set 1, matching on the ingress interface
rule-set 2, matching on the ingress zone
rule-set 3, matching on the ingress routing-instance
That will extend the number of rules to about 24 (since each rule-set supports up to 8 rules; needless to say there will be some performance impact in the CPS).
If you still need more rules, an easy solution is to create fake zones. Say, for instance, you create the zones fake1, fake2 and fake3.
Then you can combine them with your "real" ingress zone to create multiple rule-sets:
rule-set 1, matches on ingress zones trust
rule-set 2, matches on ingress zones [ trust, fake1 ]
rule-set 3, matches on ingress zones [ trust, fake2 ]
rule-set 4, matches on ingress zones [ trust, fake3 ]
rule-set 5, matches on ingress zones [ trust, fake1, fake2 ]
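The multiple-rule-set layout from the reply above, written out as an added Junos configuration example (not from the original post). The public address 203.0.113.10, the internal servers 10.0.0.x, the interface names and the ports are constructed placeholders; it assumes rule-set selection behaves as the reply describes, and shows only the first rule of each rule-set.

```junos
security {
    zones {
        /* The real ingress zone; the reply uses "trust" for it */
        security-zone trust { interfaces { ge-0/0/1.0; } }
        /* Fake zones carry no interfaces; they only give each rule-set a distinct from-context */
        security-zone fake1;
        security-zone fake2;
    }
    nat {
        /* Answer ARP for the public address if it is not the interface address itself */
        proxy-arp { interface ge-0/0/0.0 { address 203.0.113.10/32; } }
        destination {
            pool srv1 { address 10.0.0.11/32 port 80; }
            pool srv9 { address 10.0.0.19/32 port 80; }
            /* rule-set 1: up to 8 rules, matched on the real ingress zone */
            rule-set dnat-1 {
                from zone trust;
                rule r1 {
                    match { destination-address 203.0.113.10/32; destination-port 8001; }
                    then { destination-nat pool srv1; }
                }
                /* rules r2 .. r8 follow the same pattern */
            }
            /* rule-set 2: the next 8 rules, distinguished only by adding fake1 */
            rule-set dnat-2 {
                from zone [ trust fake1 ];
                rule r9 {
                    match { destination-address 203.0.113.10/32; destination-port 8009; }
                    then { destination-nat pool srv9; }
                }
            }
            /* rule-set 3 would use from zone [ trust fake2 ], and so on */
        }
    }
}
```

A security policy permitting traffic to the translated (post-NAT) addresses is still required; destination NAT alone does not allow the session.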
Remember, the limits are platform dependent. Some of these restrictions were already lifted from 9.6 (starting with static NAT), and in future releases it will improve more.