SRX

Where can I find the options for this command set?
set security nat source rule-set xxx rule xxx match protocol ?????

To find options on any Junos command just use one ? at the command string.

 

In your particular case:

admin@yourSRX# set security nat source rule-set xxx rule xxx match protocol ?

Possible completions:

  <number>             Numeric protocol value (0 .. 255)

  [                    Open a set of values

  ah                   IP Security authentication header

  egp                  Exterior gateway protocol

  esp                  IPSec Encapsulating Security Payload

  gre                  Generic routing encapsulation

  icmp                 Internet Control Message Protocol

  icmp6                Internet Control Message Protocol Version 6

  igmp                 Internet Group Management Protocol

  ipip                 IP in IP

  ospf                 Open Shortest Path First

  pim                  Protocol Independent Multicast

  rsvp                 Resource Reservation Protocol

  sctp                 Stream Control Transmission Protocol

  tcp                  Transmission Control Protocol

  udp                  User Datagram Protocol.

 

 

Regards

Leon Smirnov

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Anyone know if there is an "all" option?

If you do not want to match particular protocol in the nat rule just do not mention it.

Example:

rule example {

        match {

            source-address 10.0.0.0/8;

            destination-address 8.8.8.8/8;

        }

        then {

            source-nat {

                interface;

            }

        }

    }

 

Regards

 

Leon Smirnov

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

I want to include all protocols, I need a list of all of them.

As Leon mentioned if you want all you simply don't include any match for protocol and all will be implied.

 

I want faster convergence. I want to include these to test if it will do as asked. Is the number per some spec. Maybe similar to numbering for protocols in routing and remote access snapins in Windows server for example? I don't have my win server boxes running at this instant. Help is appreciated.

Yes, the protocol numbers is to specify one based on the IP standards.  This allows you to have rules based on any standardized protocol even if it is not listed above.

 

But your assumption is incorrect.  You will match faster by having the minimum number of criteria not by adding more.  When you add the protocol criteria instead of leaving it out this is an addition item that must be evaluated before the rule is complete thus taking more processing not less.

 

Ok, I have no choice to assume you are right. Thx for the reply. I still want to know how to get a list. Thx to others for a reply as well. I want a list how can I get one? A full list.

The full list would be every active IP protocol which you can see here from IANA.

 

https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml

 

But I'm not even sure you could configure that long a list. 

 

The point is this feature was designed to check everything by default unless you RESTRICT it to just a few protocols.  This is the way it is intended to work.

 

Kudos!!!!!