SRX Services Gateway

address/address-set under nat destination

07-18-2016 08:45 AM

Hi everybody.

I'm struggling to understand what is wrong with my config.

I'm configuring a destination NAT rule:

set security nat destination rule-set PFW-RASPI rule PFW-8080 match source-address-name ASET-YOTI-OFFICE

but when I commit:

root@SRX210# commit
[edit security nat destination rule-set PFW-RASPI rule PFW-8080 match]
'source-address-name ASET-YOTI-OFFICE'
Can not find address/address-set(ASET-YOTI-OFFICE) in default global address book
error: configuration check-out failed

However I have that address book configured

root@SRX210# show | display set | match ASET-YOTI-OFFICE
set security address-book YOTI-OFFICE address-set ASET-YOTI-OFFICE address YOTI-1
set security address-book YOTI-OFFICE address-set ASET-YOTI-OFFICE address YOTI-2
Question 1: What is the reason for that error?

Question 2: Why does Junos give the option to restrict access to a range of IPs under NAT as well as under the security policy for that NAT rule? What is the difference?

Thanks

Solution (accepted by topic author FedeYoti, 07-18-2016 01:50 PM)

Re: address/address-set under nat destination

07-18-2016 09:00 AM

Hi,

You have defined that address set under the YOTI-OFFICE address book and not the global one. Please change it to the following:

set security address-book global address-set ASET-YOTI-OFFICE address YOTI-1

And perform a similar configuration for YOTI-2 as well.

 

Regards,

Sahil Sharma

---------------------------------------------------

Please mark my solution as accepted if it helped, Kudos are appreciated as well.
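As an added example (not from the original thread), here is the corrected configuration in full, so the NAT rule commits and actually does something once the address set is in the global book. Two points the single `set` line above does not show: an address-set can only contain addresses defined in the same address book, so YOTI-1 and YOTI-2 must be moved into the global book as well, and a destination NAT rule needs a pool to translate to. The office prefixes (203.0.113.x), the public address on the SRX (198.51.100.1), the internal host and port (192.168.1.10:8080) and the zone name `untrust` are assumed for illustration.

```junos
## Added example; addresses, zone and pool names are assumed, not from the thread.

## 1. Global address book. NAT rules can only reference names from here,
##    not from a zone-attached book such as YOTI-OFFICE. The set and its
##    member addresses must live in the same book.
set security address-book global address YOTI-1 203.0.113.10/32
set security address-book global address YOTI-2 203.0.113.20/32
set security address-book global address-set ASET-YOTI-OFFICE address YOTI-1
set security address-book global address-set ASET-YOTI-OFFICE address YOTI-2

## 2. Destination pool: where matching traffic is sent after translation.
set security nat destination pool POOL-RASPI-8080 address 192.168.1.10/32 port 8080

## 3. Destination NAT rule: only the office addresses hitting the public IP on
##    tcp/8080 are translated; any other source does not match this rule.
set security nat destination rule-set PFW-RASPI from zone untrust
set security nat destination rule-set PFW-RASPI rule PFW-8080 match source-address-name ASET-YOTI-OFFICE
set security nat destination rule-set PFW-RASPI rule PFW-8080 match destination-address 198.51.100.1/32
set security nat destination rule-set PFW-RASPI rule PFW-8080 match destination-port 8080
set security nat destination rule-set PFW-RASPI rule PFW-8080 then destination-nat pool POOL-RASPI-8080
```

After `commit`, `show security nat destination rule PFW-8080` lists the rule with its translation hit counter. Note that destination NAT only rewrites the packet; a security policy from zone `untrust` to the zone of 192.168.1.10 that permits the (already translated) traffic is still required for the session to be allowed.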


Re: address/address-set under nat destination

07-18-2016 09:04 AM

Regarding your second question, here is the packet flow for the SRX:

http://kb.juniper.net/InfoCenter/index?page=content&id=kb16110&actp=search

Depending on the type of NAT, Junos gives the flexibility to restrict access in security policies as well.

Hence, even if you configure a static NAT for a single internal IP to an external IP, you can still restrict the ports using the security policy.

 

Regards,

Sahil Sharma



Re: address/address-set under nat destination

07-18-2016 01:19 PM

Hi, thank you very much for your reply!
Can you please give me more info about that? Why is this necessary? I would like to understand that!

Thanks!


Re: address/address-set under nat destination

07-18-2016 10:57 PM

Hi,

Suppose your internal server IP address is 192.168.1.10 and you have a public IP from the ISP, suppose 9.9.9.9.

You want to host various applications on the internal server working on different ports, and want them accessible from the internet.

You create a static NAT between 192.168.1.10 and 9.9.9.9. This essentially means that all ports on 9.9.9.9 are translated to all ports on 192.168.1.10.

However, currently you have only one single port on the internal server which is running an application. Hence, you create a security policy to allow just that one port from the Internet zone to the Server zone, thus blocking access to all the other ports on that IP despite having a NAT for all the ports.

Please let me know if the explanation is clear.

 

Regards,

Sahil Sharma

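The scenario above, written out as an added example (not configuration from the thread): a one-to-one static NAT for 9.9.9.9 to 192.168.1.10 that translates every port, paired with a policy that lets through only one application. The zone names (`untrust`, `servers`), the outside interface (`ge-0/0/0.0`) and the permitted application (`junos-https`, tcp/443) are assumed. The detail worth noticing is that in the SRX flow destination-side translation (static and destination NAT) happens before the policy lookup, so the policy must match the translated internal address 192.168.1.10, not the public 9.9.9.9.

```junos
## Added example; zone names, interface and the permitted port are assumed.

## Static NAT: 9.9.9.9 <-> 192.168.1.10, all ports, both directions.
set security nat static rule-set RS-SERVER from zone untrust
set security nat static rule-set RS-SERVER rule SERVER-1TO1 match destination-address 9.9.9.9/32
set security nat static rule-set RS-SERVER rule SERVER-1TO1 then static-nat prefix 192.168.1.10/32

## Make the SRX answer ARP for 9.9.9.9 on the outside interface, needed when
## 9.9.9.9 is not the interface's own address (interface name assumed).
set security nat proxy-arp interface ge-0/0/0.0 address 9.9.9.9/32

## Address object for the policy. The policy sees the post-NAT destination,
## so it references the internal address, not 9.9.9.9.
set security address-book global address SERVER-1 192.168.1.10/32

## Policy: only HTTPS may reach the server even though the NAT covers every
## port. Everything else to 192.168.1.10 falls through to the default deny.
set security policies from-zone untrust to-zone servers policy ALLOW-SERVER-HTTPS match source-address any
set security policies from-zone untrust to-zone servers policy ALLOW-SERVER-HTTPS match destination-address SERVER-1
set security policies from-zone untrust to-zone servers policy ALLOW-SERVER-HTTPS match application junos-https
set security policies from-zone untrust to-zone servers policy ALLOW-SERVER-HTTPS then permit
set security policies from-zone untrust to-zone servers policy ALLOW-SERVER-HTTPS then log session-init
set security policies from-zone untrust to-zone servers policy ALLOW-SERVER-HTTPS then log session-close
```

This relies on the SRX default policy being deny-all; check it with `show security policies default-policy` and, if it has been changed to permit-all, an explicit deny policy from `untrust` to `servers` is needed after the permit rule. The same pattern applies to the destination NAT case from the first question: the NAT rule narrows who gets translated, the policy narrows what they may reach afterwards, and both checks have to pass for the session to be created.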