SRX Services Gateway
Visitor
vanandel@ucar.edu

enhancement request - use address book aliases for destination-address in destination nat

When configuring destination NAT ([edit security nat destination]), I would like the ability to use an address book address for the destination address when I specify a rule, e.g.:

rule-set Virtual-IP {
    from zone Internet;
    rule HTTP-gate1 {
        match {
            destination-address 128.117.161.25/32;
            destination-port 80;
        }
        then {
            destination-nat pool dnat-gate1-http;
        }
    }
}

I want to use a symbolic name for 128.117.161.25/32, since I need to use this address repeatedly for multiple rules. I can't seem to use an address defined by
zone->security-zone->Internet->address-book. In our application, the network address can change, when we move our computers to a new internet connection.


Trusted Contributor
jozef.klacko

Re: enhancement request - use address book aliases for destination-address in destination nat

Hi,


I want the same thing for source nat

Super Contributor
billp

Re: enhancement request - use address book aliases for destination-address in destination nat

Prepare to do a little happy dance. From the 11.2 release notes:

Address books are now defined under the [security] hierarchy level. Instead of defining address books under zones (zone-defined configuration), you now attach zones to address books (zone-attached configuration). This enhancement makes configuring your network simpler by allowing you to share the IP address books or pools when configuring features such as security policies and NAT. You can create addresses once in an address book and then use them in multiple configurations. Moreover, you can attach a single address book to multiple zones.

Trusted Contributor
jozef.klacko

Re: enhancement request - use address book aliases for destination-address in destination nat

Hi billp,


And can you show an example configuration for vanandel's destination-address (or destination-address-name) that works? I am trying to do that, but after commit it just screams something at me.


It is only working with address-book "global"


root@srx-1# show security nat source
pool pool-snat-131 {
    address {
        x.x.x.x/32;
    }
}

[edit security nat source rule-set trust-to-untrust]
root@srx-1# show
from zone trust;
to zone untrust;
rule snat-131 {
    match {
        source-address-name snat-131; # I have to add this manually and unfortunately it didn't work
    }
    then {
        source-nat {
            pool {
                pool-snat-131;
            }
        }
    }
}
rule source-nat-rule {
    match {
        source-address 0.0.0.0/0;
    }
    then {
        source-nat {
            interface;
        }
    }
}

root@srx-1# show security address-book
trust-add {
    address jozo1 192.168.123.123/32;
    address jozo2 192.168.123.124/32;
    address-set snat-131 {
        address jozo1;
        address jozo2;
    }
    attach {
        zone trust;
    }
}

root@srx-1# commit
[edit security nat source rule-set trust-to-untrust rule snat-131 match]
  'source-address-name snat-131'
    Can not find address/address-set(snat-131) in default global address book
error: configuration check-out failed

Example: Configuring Address Books and Address Sets

http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/zone-address-book-configuring-cli.htm...


Super Contributor
billp

Re: enhancement request - use address book aliases for destination-address in destination nat

Hmm... on testing, I can't get it working with anything but global either. I'll check around and see if I can find an answer - maybe non-global got pushed out, maybe there's a magic knob that I'm missing, or maybe it's just a bug (11.4 is still beta code). I'll get back if/when I find anything.

Super Contributor
billp

Re: enhancement request - use address book aliases for destination-address in destination nat

Looks like the release notes are unclear. Turns out that shared address books apply to policy, but only global address book applies to NAT rules. It still gives you the ability to use global objects in NAT rules, but doesn't offer quite the same flexibility as shared address books.
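Putting billp's conclusion into a configuration, as an added example that is not from the original posts: the shared address is defined once in the global address book and referenced by name from both a destination NAT rule (vanandel's case) and a source NAT rule (jozef.klacko's case). The inside address, pool names and rule names are constructed; if the same objects were placed in a zone-attached book such as trust-add instead of global, commit would fail with the "Can not find address/address-set ... in default global address book" error shown above.

```junos
# Added example, not from the original posts. Addresses and names below are constructed.
# Only the global address book is accepted by NAT rules on Junos 11.2, so the
# shared objects go there rather than in a zone-attached book.
set security address-book global address gate1-public 128.117.161.25/32
set security address-book global address gate1-inside 10.10.10.25/32

# Destination NAT: the public address is referenced by name, not as a literal prefix.
set security nat destination pool dnat-gate1-http address 10.10.10.25/32 port 80
set security nat destination rule-set Virtual-IP from zone Internet
set security nat destination rule-set Virtual-IP rule HTTP-gate1 match destination-address-name gate1-public
set security nat destination rule-set Virtual-IP rule HTTP-gate1 match destination-port 80
set security nat destination rule-set Virtual-IP rule HTTP-gate1 then destination-nat pool dnat-gate1-http

# Source NAT: the inside host is matched by name from the same global book.
set security nat source pool pool-snat-gate1 address 128.117.161.25/32
set security nat source rule-set trust-to-untrust from zone trust
set security nat source rule-set trust-to-untrust to zone untrust
set security nat source rule-set trust-to-untrust rule snat-gate1 match source-address-name gate1-inside
set security nat source rule-set trust-to-untrust rule snat-gate1 then source-nat pool pool-snat-gate1
```

When the public address moves, the destination NAT rule follows the global address-book entry automatically; the source NAT pool still carries a literal address, since NAT pools do not take address-book names.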
