SRX Services Gateway

SRX650 static NAT issue.

04-26-2012 12:29 PM

Hi Experts,

I was configuring static NAT using the document 'junos-security-swconfig-security.pdf', but when I configured the policy:

set security policies from-zone trust to-zone untrust policy Static-NAT-out match source-address server-1
set security policies from-zone trust to-zone untrust policy Static-NAT-out match destination-address any
set security policies from-zone trust to-zone untrust policy Static-NAT-out match application any
set security policies from-zone trust to-zone untrust policy Static-NAT-out then permit

Then, I got the message:

Address or address_set (server-1) not found

However, if I use 'any' instead of 'server-1', it works OK after performing a 'commit check'.

Is there a workaround for this?

Regards!

3 REPLIES
Re: SRX650 static NAT issue.

04-26-2012 02:39 PM

You need to create a trust address book entry for Server1:

user@srx# set security zones security-zone trust address-book address Server-1 10.10.10.10/32

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]

Re: SRX650 static NAT issue.

04-27-2012 07:21 AM

Hi MMcD,

That is the main issue: the object has been created on the address-book already. Also, I have tried creating it on the global address-book, but it says it will disable zone addresses (no way!)

Regards!

Re: SRX650 static NAT issue.

04-30-2012 07:24 AM

This might sound stupid, but are you sure you put the "address server-1 x.x.x.x/y" in the right address-book (in security-zone trust)?

The address name is also case-sensitive (I'm sure MMcD knows this and just mistyped ;) )

You can see valid addresses (and address sets) if you type "?", or you can tab-complete addresses.

"set security policies from-zone trust to-zone untrust policy Static-NAT-out match source-address ?"

"set security policies from-zone trust to-zone untrust policy Static-NAT-out match source-address s<TAB>"

You could also post the output of this here:

"show security zones security-zone trust address-book | display set | match server-1"

--

You can also find me on Freenode IRC in #juniper, my handle is "cy[]"
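
The check suggested in the replies above, done offline against "display set" output, as an added example that is not part of the original thread. The function name `find_unresolved` and the sample configuration are constructed for illustration (the sample reuses the commands quoted in the thread), and the lookup assumes zone-attached address books only, not the global address book.

```python
import re

# Constructed sample in "display set" form, built from the commands quoted in the thread.
SAMPLE_CONFIG = """\
set security zones security-zone trust address-book address Server-1 10.10.10.10/32
set security policies from-zone trust to-zone untrust policy Static-NAT-out match source-address server-1
set security policies from-zone trust to-zone untrust policy Static-NAT-out match destination-address any
set security policies from-zone trust to-zone untrust policy Static-NAT-out match application any
set security policies from-zone trust to-zone untrust policy Static-NAT-out then permit
"""

ADDR_RE = re.compile(
    r"^set security zones security-zone (\S+) address-book (?:address|address-set) (\S+)")
REF_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)"
    r" match (source|destination)-address (\S+)")
PREDEFINED = {"any", "any-ipv4", "any-ipv6"}  # predefined addresses, not in any address book


def find_unresolved(config):
    """Return (policy, name, reason) for each address a policy cannot resolve."""
    books, refs = {}, []
    for line in config.splitlines():
        line = line.strip()
        if m := ADDR_RE.match(line):
            books.setdefault(m.group(1), set()).add(m.group(2))
        elif m := REF_RE.match(line):
            refs.append(m.groups())
    findings = []
    for from_zone, to_zone, policy, side, name in refs:
        # Assumption: zone-attached address books only; source-address is looked up
        # in the from-zone's book, destination-address in the to-zone's book.
        zone = from_zone if side == "source" else to_zone
        defined = books.get(zone, set())
        if name in PREDEFINED or name in defined:  # exact, case-sensitive match
            continue
        near = sorted(n for n in defined if n.lower() == name.lower())
        elsewhere = sorted(z for z, names in books.items() if name in names)
        if near:
            reason = f"case mismatch: zone {zone} defines {near[0]}"
        elif elsewhere:
            reason = f"defined in zone {elsewhere[0]}, not {zone}"
        else:
            reason = f"not defined in zone {zone}"
        findings.append((policy, name, reason))
    return findings


if __name__ == "__main__":
    for policy, name, reason in find_unresolved(SAMPLE_CONFIG):
        print(f"policy {policy}: address {name} -> {reason}")
```

Running it over a saved configuration before "commit check" reports which policy references will fail and whether the cause is letter case, the wrong zone, or a missing entry.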