Hello again. Recently, I configured remote access to my ESXi servers, which are behind the JSRX 210. I used these commands, and everything works great (x.x.x.x is my public address):
edit security nat destination
set pool dst-nat-pool-esxi1 address 172.16.254.11 port 443
set pool dst-nat-pool-esxi2 address 172.16.254.12 port 443
set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address x.x.x.x
set rule-set rs1 rule r1 match destination-port 11443
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-esxi1
set rule-set rs1 rule r2 match destination-address x.x.x.x
set rule-set rs1 rule r2 match destination-port 12443
set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-esxi2
exit
edit security nat
set proxy-arp interface ge-0/0/0.0 address x.x.x.x
exit
edit security
set zones security-zone trust address-book address esxi1 172.16.254.11/32
set zones security-zone trust address-book address esxi2 172.16.254.12/32
exit
edit security policies from-zone untrust to-zone trust
set policy cloud-access match source-address any destination-address [ esxi1 esxi2 ] application any
set policy cloud-access then permit
exit
commit confirmed 120
However, I wanted to add another set of rules, to get into iDRAC interfaces, by doing this:
edit security nat destination
set pool dst-nat-pool-esxi1-idrac6 address 172.16.254.201 port 443
set pool dst-nat-pool-esxi2-idrac6 address 172.16.254.202 port 443
set rule-set rs2 from zone untrust
set rule-set rs2 rule r1 match destination-address x.x.x.x
set rule-set rs2 rule r1 match destination-port 61443
set rule-set rs2 rule r1 then destination-nat pool dst-nat-pool-esxi1-idrac6
set rule-set rs2 rule r2 match destination-address x.x.x.x
set rule-set rs2 rule r2 match destination-port 62443
set rule-set rs2 rule r2 then destination-nat pool dst-nat-pool-esxi2-idrac6
exit
edit security nat
set proxy-arp interface ge-0/0/0.0 address x.x.x.x
exit
edit security
set zones security-zone trust address-book address esxi1-idrac6 172.16.254.201/32
set zones security-zone trust address-book address esxi2-idrac6 172.16.254.202/32
exit
edit security policies from-zone untrust to-zone trust
set policy cloud-access match source-address any destination-address [ esxi1-idrac6 esxi2-idrac6 ] application any
set policy cloud-access then permit
exit
commit confirmed 120
But it did not work; I got this message:
[edit security nat destination]
'rule-set rs2'
rule-set rs1 and rule-set rs2 have same context.
error: configuration check-out failed
Which I do not understand. Does it mean that I can't add more rules? But why?
How should I add (append) more rules?
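A Junos destination NAT rule-set is identified by its `from` context, so a second rule-set with the same `from zone untrust` is rejected at commit; the extra rules belong in rs1 as additional rule names. Below is an added example (not from the original post) that appends the iDRAC forwarding to rs1, points the address-book entries at the iDRAC addresses, and limits the new policy to an assumed admin source prefix; 203.0.113.0/24 is a placeholder, the `#` lines are explanatory comments to drop before pasting, and `junos-https` is the predefined Junos application for TCP/443.

```junos
# Added example: append iDRAC rules to the existing rule-set rs1 (same
# from-zone context), rather than creating rs2.
edit security nat destination
set pool dst-nat-pool-esxi1-idrac6 address 172.16.254.201 port 443
set pool dst-nat-pool-esxi2-idrac6 address 172.16.254.202 port 443
set rule-set rs1 rule r3 match destination-address x.x.x.x
set rule-set rs1 rule r3 match destination-port 61443
set rule-set rs1 rule r3 then destination-nat pool dst-nat-pool-esxi1-idrac6
set rule-set rs1 rule r4 match destination-address x.x.x.x
set rule-set rs1 rule r4 match destination-port 62443
set rule-set rs1 rule r4 then destination-nat pool dst-nat-pool-esxi2-idrac6
exit
# Address-book entries must match the translated (iDRAC) addresses.
edit security zones security-zone trust address-book
set address esxi1-idrac6 172.16.254.201/32
set address esxi2-idrac6 172.16.254.202/32
exit
# Placeholder admin prefix (assumption): restrict who may reach the iDRACs.
edit security zones security-zone untrust address-book
set address mgmt-allowed 203.0.113.0/24
exit
edit security policies from-zone untrust to-zone trust
set policy idrac-access match source-address mgmt-allowed destination-address [ esxi1-idrac6 esxi2-idrac6 ] application junos-https
set policy idrac-access then permit
exit
# Validate first, commit with rollback, then inspect the active NAT rules.
commit check
commit confirmed 10
run show security nat destination rule all
commit
```

The `show security nat destination rule all` output should list r1 through r4 under rs1 with their translation hit counters, which is the quickest way to confirm the new ports are being matched.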