SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

Destination NAT, JSRX210, rule-set rs1 and rule-set rs2 have same context. error: configuration check-out failed

  • 1.  Destination NAT, JSRX210, rule-set rs1 and rule-set rs2 have same context. error: configuration check-out failed

    Posted 01-30-2017 08:44

    Hello again. Recently, I configured remote access to my ESXi servers, which are behind the JSRX 210. I used these commands, and everything works great (x.x.x.x is my public address):


    edit security nat destination
    set pool dst-nat-pool-esxi1 address 172.16.254.11 port 443
    set pool dst-nat-pool-esxi2 address 172.16.254.12 port 443
    
    set rule-set rs1 from zone untrust
    
    set rule-set rs1 rule r1 match destination-address x.x.x.x
    set rule-set rs1 rule r1 match destination-port 11443
    set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-esxi1
    
    set rule-set rs1 rule r2 match destination-address x.x.x.x
    set rule-set rs1 rule r2 match destination-port 12443
    set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-esxi2
    exit
    
    edit security nat
    set proxy-arp interface ge-0/0/0.0 address x.x.x.x
    exit
    
    edit security
    set zones security-zone trust address-book address esxi1 172.16.254.11/32
    set zones security-zone trust address-book address esxi2 172.16.254.12/32
    exit
    
    edit security policies from-zone untrust to-zone trust
    set policy cloud-access match source-address any destination-address [ esxi1 esxi2 ] application any
    set policy cloud-access then permit
    exit
    
    commit confirmed 120
    

     However, I wanted to add another set of rules, to get into iDRAC interfaces, by doing this:


    edit security nat destination
    set pool dst-nat-pool-esxi1-idrac6 address 172.16.254.201 port 443
    set pool dst-nat-pool-esxi2-idrac6 address 172.16.254.202 port 443
    
    set rule-set rs2 from zone untrust
    
    set rule-set rs2 rule r1 match destination-address x.x.x.x
    set rule-set rs2 rule r1 match destination-port 61443
    set rule-set rs2 rule r1 then destination-nat pool dst-nat-pool-esxi1-idrac6
    
    set rule-set rs2 rule r2 match destination-address x.x.x.x
    set rule-set rs2 rule r2 match destination-port 62443
    set rule-set rs2 rule r2 then destination-nat pool dst-nat-pool-esxi2-idrac6
    exit
    
    edit security nat
    set proxy-arp interface ge-0/0/0.0 address x.x.x.x
    exit
    
    edit security
    set zones security-zone trust address-book address esxi1-idrac6 172.16.254.201/32
    set zones security-zone trust address-book address esxi2-idrac6 172.16.254.202/32
    exit
    
    edit security policies from-zone untrust to-zone trust
    set policy cloud-access match source-address any destination-address [ esxi1-idrac6 esxi2-idrac6 ] application any
    set policy cloud-access then permit
    exit
    
    commit confirmed 120
    

    But it did not work, I got this message:


    [edit security nat destination]
      'rule-set rs2'
        rule-set rs1 and rule-set rs2 have same context.
    error: configuration check-out failed
    

    Which I do not understand. Does it mean that I can't add more rules? But why?


    How should I add (append) other rules?



  • 2.  RE: Destination NAT, JSRX210, rule-set rs1 and rule-set rs2 have same context. error: configuration check-out failed

    Posted 01-30-2017 16:52

    You almost have it.  There is only one rule set per context for zone to zone transit.  Within the rule set you can have multiple rules.


    Change your additions as follows:

    set rule-set rs1 rule r3 match destination-address x.x.x.x
    set rule-set rs1 rule r3 match destination-port 61443
    set rule-set rs1 rule r3 then destination-nat pool dst-nat-pool-esxi1-idrac6
    
    set rule-set rs1 rule r4 match destination-address x.x.x.x
    set rule-set rs1 rule r4 match destination-port 62443
    set rule-set rs1 rule r4 then destination-nat pool dst-nat-pool-esxi2-idrac6
    exit
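An offline pre-commit check for the two pitfalls in this thread, written here as an added example (it is not code from the thread, from Juniper, or from Junos itself). It parses plain `set` commands and flags (1) two destination-NAT rule-sets that claim the same context (`from zone` / `from interface` / `from routing-instance`), which is exactly what `commit` rejects with "rule-set rs1 and rule-set rs2 have same context", and (2) a pool whose translated address is not covered by any address-book entry referenced as a policy destination. The second check matters because the SRX performs destination NAT before the policy lookup, so the permit policy must match the post-NAT address (the iDRAC address, not the ESXi host). The `SAMPLE` text is constructed for this example: it mirrors the first working block, adds the failing `rs2` rule-set, and deliberately points the `esxi1-idrac6` address-book entry at the ESXi host rather than at the pool address so that the second check has something to report. The regexes only understand the flat `set security ...` form, not the `edit`/relative form used in the post.

```python
"""Pre-commit sanity checks for Junos SRX destination-NAT set-commands.

Added example (not from the forum thread or from Juniper). Runs offline
on a list of flat 'set' commands; the sample input below is constructed.
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the thread's configuration.
SAMPLE = """
set security nat destination pool dst-nat-pool-esxi1 address 172.16.254.11 port 443
set security nat destination pool dst-nat-pool-esxi2 address 172.16.254.12 port 443
set security nat destination pool dst-nat-pool-esxi1-idrac6 address 172.16.254.201 port 443
set security nat destination rule-set rs1 from zone untrust
set security nat destination rule-set rs1 rule r1 match destination-port 11443
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-esxi1
set security nat destination rule-set rs2 from zone untrust
set security nat destination rule-set rs2 rule r1 match destination-port 61443
set security nat destination rule-set rs2 rule r1 then destination-nat pool dst-nat-pool-esxi1-idrac6
set security zones security-zone trust address-book address esxi1 172.16.254.11/32
set security zones security-zone trust address-book address esxi2 172.16.254.12/32
set security zones security-zone trust address-book address esxi1-idrac6 172.16.254.11/32
set security policies from-zone untrust to-zone trust policy cloud-access match destination-address [ esxi1 esxi2 ]
set security policies from-zone untrust to-zone trust policy cloud-access match destination-address esxi1-idrac6
"""

# One destination-NAT rule-set is allowed per context; this captures the context clause.
RULESET_CTX = re.compile(
    r"^set security nat destination rule-set (\S+) from (zone|interface|routing-instance) (\S+)$")
POOL = re.compile(r"^set security nat destination pool (\S+) address (\d+\.\d+\.\d+\.\d+)")
ADDR = re.compile(
    r"^set security zones security-zone \S+ address-book address (\S+) (\d+\.\d+\.\d+\.\d+)/32$")
POLICY_DST = re.compile(
    r"^set security policies from-zone \S+ to-zone \S+ policy \S+ match destination-address (.+)$")


def duplicate_contexts(lines):
    """Return {(kind, name): [rule-set, ...]} for every context claimed by more than one rule-set."""
    by_ctx = defaultdict(list)
    for line in lines:
        m = RULESET_CTX.match(line.strip())
        if m:
            by_ctx[(m.group(2), m.group(3))].append(m.group(1))
    return {ctx: names for ctx, names in by_ctx.items() if len(set(names)) > 1}


def unreachable_pools(lines):
    """Return pools whose translated address has no /32 address-book entry used as a policy destination."""
    pools, book, used = {}, {}, set()
    for line in lines:
        s = line.strip()
        if m := POOL.match(s):
            pools[m.group(1)] = m.group(2)
        elif m := ADDR.match(s):
            book[m.group(1)] = m.group(2)
        elif m := POLICY_DST.match(s):
            # Accept either a single name or a bracketed list "[ a b ]".
            used.update(m.group(1).strip("[] ").split())
    permitted = {book[name] for name in used if name in book}
    return sorted(name for name, ip in pools.items() if ip not in permitted)


def lint(text):
    """Run both checks over a block of set-commands and return the findings."""
    lines = text.splitlines()
    return {
        "duplicate_contexts": duplicate_contexts(lines),
        "unreachable_pools": unreachable_pools(lines),
    }


if __name__ == "__main__":
    for check, result in lint(SAMPLE).items():
        print(check, result or "ok")
```

Running it on the sample reports `rs1` and `rs2` sharing the `('zone', 'untrust')` context and `dst-nat-pool-esxi1-idrac6` as a pool no policy can reach; folding the rules into `rs1` and pointing the address-book entry at `172.16.254.201/32`, as the reply suggests, clears both findings. The script is intentionally narrow: it does not model address sets, global address books, or wildcard `any` destinations.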