SRX Services Gateway

enhancement request - use address book aliases for destination-address in destination nat

02-25-2011 08:46 AM
When configuring destination nat
[edit security nat destination]

I would like the ability to use an address book address for the destination address when I specify a rule, e.g.:

rule-set Virtual-IP {
    from zone Internet;
    rule HTTP-gate1 {
        match {
            destination-address 128.117.161.25/32;
            destination-port 80;
        }
        then {
            destination-nat pool dnat-gate1-http;
        }
    }
}

I want to use a symbolic name for 128.117.161.25/32, since I need to use this address repeatedly for multiple rules. I can't seem to use an address defined by
zone->security-zone->Internet->address-book. In our application, the network address can change, when we move our computers to a new internet connection.


5 REPLIES

Re: enhancement request - use address book aliases for destination-address in destination nat

10-24-2011 08:21 AM

Hi,

I want the same thing for source nat


Re: enhancement request - use address book aliases for destination-address in destination nat

10-24-2011 02:06 PM

Prepare to do a little happy dance. From the 11.2 release notes:

Address books are now defined under the [security] hierarchy level. Instead of defining address books under zones (zone-defined configuration), you now attach zones to address books (zone-attached configuration) This enhancement makes configuring your network simpler by allowing you to share the IP address books or pools when configuring features such as security policies and NAT. You can create addresses once in an address book and then use them in multiple configurations. Moreover, you can attach a single address book to multiple zones.


Re: enhancement request - use address book aliases for destination-address in destination nat

10-25-2011 01:21 AM

Hi billp,

And can you show an example configuration for that vananedl's destination-address (or destination-address-name) that works? I am trying to do that, but after commit it just screams something at me.

It is only working with address-book "global".

root@srx-1# show security nat source
pool pool-snat-131 {
    address {
        x.x.x.x/32;
    }
}

[edit security nat source rule-set trust-to-untrust]
root@srx-1# show
from zone trust;
to zone untrust;
rule snat-131 {
    match {
        source-address-name snat-131; # I have to add this manually and unfortunately it didn't work
    }
    then {
        source-nat {
            pool {
                pool-snat-131;
            }
        }
    }
}
rule source-nat-rule {
    match {
        source-address 0.0.0.0/0;
    }
    then {
        source-nat {
            interface;
        }
    }
}

root@srx-1# show security address-book
trust-add {
    address jozo1 192.168.123.123/32;
    address jozo2 192.168.123.124/32;
    address-set snat-131 {
        address jozo1;
        address jozo2;
    }
    attach {
        zone trust;
    }
}

root@srx-1# commit
[edit security nat source rule-set trust-to-untrust rule snat-131 match]
  'source-address-name snat-131'
    Can not find address/address-set(snat-131) in default global address book
error: configuration check-out failed

Example: Configuring Address Books and Address Sets

http://www.juniper.net/techpubs/en_US/junos11.2/topics/example/zone-address-book-configuring-cli.htm...


Re: enhancement request - use address book aliases for destination-address in destination nat

10-27-2011 06:39 AM

Hmm... on testing, I can't get it working with anything but global either. I'll check around and see if I can find an answer - maybe non-global got pushed out, maybe there's a magic knob that I'm missing, or maybe it's just a bug (11.4 is still beta code). I'll get back if/when I find anything.


Re: enhancement request - use address book aliases for destination-address in destination nat

10-27-2011 08:01 AM

Looks like the release notes are unclear. Turns out that shared address books apply to policy, but only global address book applies to NAT rules. It still gives you the ability to use global objects in NAT rules, but doesn't offer quite the same flexibility as shared address books.
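A worked configuration for the original poster's destination-NAT case, added here as an illustration and not taken from any post in the thread: the VIP goes into the global address book (the only book NAT rules resolve names against, per the reply above) and the rule references it by name. The internal server prefix 10.0.0.10/32 and the name web-vip are assumed placeholders; the rule, pool and zone names are the original poster's.

```junos
# Added example (not from any poster): destination NAT keyed on a global
# address-book entry. 128.117.161.25/32 is the VIP from the thread;
# 10.0.0.10/32 is an assumed placeholder for the internal web server.
security {
    address-book {
        # NAT rules only resolve names from the "global" book. The same
        # entry in a zone-attached book (e.g. "trust-add") fails commit
        # with "Can not find address/address-set(...) in default global
        # address book", as shown earlier in the thread.
        global {
            address web-vip 128.117.161.25/32;
        }
    }
    nat {
        destination {
            pool dnat-gate1-http {
                address {
                    10.0.0.10/32 port 80;
                }
            }
            rule-set Virtual-IP {
                from zone Internet;
                rule HTTP-gate1 {
                    match {
                        # destination-address-name replaces the literal
                        # prefix, so a change of Internet connection means
                        # editing only the web-vip entry above, and every
                        # rule that names it follows.
                        destination-address-name web-vip;
                        destination-port 80;
                    }
                    then {
                        destination-nat {
                            pool {
                                dnat-gate1-http;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

Paste it with `load merge terminal` in configuration mode and run `commit check` before committing; moving web-vip into a zone-attached book instead reproduces the checkout error quoted above.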