SRX Services Gateway

Weird NAT rules behavior

‎02-25-2019 05:10 AM

We have two SRX-5600 (software version 18.2R1-S1.5) in a chassis cluster setup (active-passive) with an SRX5k IOC3 24XGE+6XLG service card.

When creating a NAT rule (no matter which: source, static, destination), the rule is not applied on commit. We have to change the rule order in the rule-set a few times for the rule to apply. Any ideas as to why, and how to fix this behavior?

P.S.

There are no conflicting rules / rules for same networks.


Re: Weird NAT rules behavior

‎02-25-2019 05:15 AM

Just an example of this behavior:

{primary:node0}[edit security nat source rule-set rs1]
darkstar@srx5600-A# set rule r1_test_rule match source-address 10.7.56.0/24 destination-address 0.0.0.0/0 application any

darkstar@srx5600-A# set rule r1_test_rule then source-nat pool src-nat-pool-1

darkstar@srx5600-A# top

{primary:node0}[edit]
darkstar@srx5600-A# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete

{primary:node0}[edit]
darkstar@srx5600-A# run show security nat source rule r1_test_rule
node0:
--------------------------------------------------------------------------

node1:
--------------------------------------------------------------------------

{primary:node0}[edit]

and then:

darkstar@srx5600-A# top edit security nat source rule-set rs1

{primary:node0}[edit security nat source rule-set rs1]
darkstar@srx5600-A# insert rule r1_test_rule before rule r1_admin_nat

{primary:node0}[edit security nat source rule-set rs1]
darkstar@srx5600-A# top

{primary:node0}[edit]
darkstar@srx5600-A# commit
node0:
configuration check succeeds
node1:
commit complete
node0:
commit complete

{primary:node0}[edit]
darkstar@srx5600-A# run show security nat source rule r1_test_rule
node0:
--------------------------------------------------------------------------
source NAT rule: r1_test_rule Rule-set: rs1
Rule-Id : 70
Rule position : 3
From zone : internal
To zone : userdata_uplink
Match
Source addresses : 10.7.56.0 - 10.7.56.255
Destination addresses : 0.0.0.0 - 255.255.255.255
Application : configured
Action : src-nat-pool-1
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0

node1:
--------------------------------------------------------------------------
source NAT rule: r1_test_rule Rule-set: rs1
Rule-Id : 70
Rule position : 3
From zone : internal
To zone : userdata_uplink
Match
Source addresses : 10.7.56.0 - 10.7.56.255
Destination addresses : 0.0.0.0 - 255.255.255.255
Application : configured
Action : src-nat-pool-1
Persistent NAT type : N/A
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 0
Max session number : 0
Translation hits : 0
Successful sessions : 0
Failed sessions : 0
Number of sessions : 0

{primary:node0}[edit]

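A check for the failure mode shown in this post, added here as an example and not part of the original thread: it parses the per-node output of `show security nat source rule <name>` on a chassis cluster and reports which nodes do not have the rule installed after the commit. The sample output is constructed from the captures above.

```python
import re

# Constructed sample output of "show security nat source rule r1_test_rule"
# on a chassis cluster, modelled on the thread's captures (absent, then present).
MISSING = """node0:
--------------------------------------------------------------------------

node1:
--------------------------------------------------------------------------
"""
PRESENT = """node0:
--------------------------------------------------------------------------
source NAT rule: r1_test_rule Rule-set: rs1
Rule-Id : 70
Rule position : 3
From zone : internal
Action : src-nat-pool-1

node1:
--------------------------------------------------------------------------
source NAT rule: r1_test_rule Rule-set: rs1
Rule-Id : 70
Rule position : 3
From zone : internal
Action : src-nat-pool-1
"""
NODE_RE = re.compile(r"^(node\d+):\s*$")
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?)\s*:\s*(.*)$")

def parse_nat_rule_output(text):
    """Return {node: {field: value}}; an empty dict means no rule on that node."""
    nodes, current = {}, None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m:                       # "node0:" header opens a node section
            current = m.group(1)
            nodes[current] = {}
            continue
        m = FIELD_RE.match(line)
        if current is not None and m:   # "Rule position : 3" -> rule_position
            key = m.group(1).strip().lower().replace(" ", "_")
            nodes[current][key] = m.group(2).strip()
    return nodes

def nodes_missing_rule(text, rule_name):
    """Cluster nodes on which rule_name is absent after the commit; expect []."""
    parsed = parse_nat_rule_output(text)
    # the header line parses as source_nat_rule -> "r1_test_rule Rule-set: rs1"
    return sorted(n for n, f in parsed.items()
                  if f.get("source_nat_rule", "").split()[:1] != [rule_name])
```

Run this against the output of both commits: a non-empty list after `commit complete` is exactly the symptom the thread describes.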

Re: Weird NAT rules behavior

‎02-25-2019 05:22 AM

Can you upload the full configuration section of the source-nat rule-set rs1?


Re: Weird NAT rules behavior

‎02-25-2019 07:31 AM

There are just the zones "from -> to" and nothing else.

from zone internal;
to zone external;

and then the rules.

The rules all look alike, with different networks, like:

rule r1_srs_am1 {
    match {
        source-address 10.7.0.0/24;
        destination-address 0.0.0.0/0;
        application any;
    }
    then {
        source-nat {
            pool {
                src-nat-pool-am1;
            }
        }
    }
}
