SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Does the NAT rule support an except feature?

    Posted 07-04-2011 21:47

    Here is my problem:


    set security nat source rule-set trust-to-untrust rule 1 match source-address 10.0.0.0/8
    set security nat source rule-set trust-to-untrust rule 1 match destination-address any
    set security nat source rule-set trust-to-untrust rule 1 then source-nat pool pool-1


    Now there is a new request: traffic accessing the server 1.1.1.1/32 in the untrust zone does not need NAT translation.

    I cannot find an exception parameter like this: "match destination-address any except 1.1.1.1/32"

    So I would like to know how to solve this issue, or any workaround? Thanks.



  • 2.  RE: Does the NAT rule support an except feature?
    Best Answer

    Posted 07-04-2011 21:58


    Create a new rule before rule 1 which matches 1.1.1.1/32 and does not have a NAT action.

    Something like this:

    edit security nat source rule-set trust-to-untrust
    rename rule 1 to rule 2
    set rule 1 match source-address 10.0.0.0/8
    set rule 1 match destination-address 1.1.1.1/32
    set rule 1 then source-nat off
    insert rule 1 before rule 2
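    Why the ordering matters, as an added example that is not part of this thread and not Juniper code: a small Python model of first-match evaluation in an SRX source NAT rule-set, built from the question's catch-all rule (10.0.0.0/8 to pool-1) and the answer's exception (1.1.1.1/32 with source-nat off). It also flags a rule that an earlier rule fully shadows, which is what happens if the exception is left after the catch-all. Flow addresses are constructed.

```python
# Added example, not code from the thread or from Juniper: a small model of
# first-match evaluation in an SRX source NAT rule-set, using the rules from
# the question (10.0.0.0/8 -> pool-1) and the answer (1.1.1.1/32 -> source-nat
# off). Flow addresses below are constructed.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional

def _covers(prefix: str, target: str) -> bool:
    """True when `prefix` ('any' or CIDR) contains `target` (address, CIDR or 'any')."""
    if prefix == "any":
        return True
    if target == "any":
        return False
    return ip_network(target, strict=False).subnet_of(ip_network(prefix))

@dataclass
class NatRule:
    name: str
    source: str       # match source-address
    destination: str  # match destination-address
    action: str       # then source-nat {pool <name> | off}

    def matches(self, src: str, dst: str) -> bool:
        return _covers(self.source, src) and _covers(self.destination, dst)

def evaluate(rules: List[NatRule], src: str, dst: str) -> Optional[str]:
    """First matching rule wins, as on the SRX; None when nothing matches."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return None

def shadowed(rules: List[NatRule]) -> List[str]:
    """Rules fully covered by an earlier rule, so they can never fire."""
    dead = []
    for i, later in enumerate(rules):
        if any(_covers(e.source, later.source) and _covers(e.destination, later.destination)
               for e in rules[:i]):
            dead.append(later.name)
    return dead

CATCH_ALL = NatRule("rule 2", "10.0.0.0/8", "any", "pool pool-1")
EXCEPTION = NatRule("rule 1", "10.0.0.0/8", "1.1.1.1/32", "off")
CORRECT = [EXCEPTION, CATCH_ALL]  # order from the answer
WRONG = [CATCH_ALL, EXCEPTION]    # exception is unreachable
if __name__ == "__main__":
    print(evaluate(CORRECT, "10.20.30.40", "1.1.1.1"), evaluate(WRONG, "10.20.30.40", "1.1.1.1"))
    print("shadowed in WRONG:", shadowed(WRONG))
```

    Running it prints `off pool pool-1` for the same flow under the two orderings, and lists `rule 1` as shadowed in the wrong one; the same shadowing check is worth running over any rule-set before commit.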




  • 3.  RE: Does the NAT rule support an except feature?

    Posted 07-04-2011 22:16

    Hi Kerry,

    Wonderful, thanks a lot. I love it.