Re: [j-nsp] Destination NAT on SRX cluster

2012-03-28 Thread Leigh Porter
Yup it is a bug, it works fine in 11.4R1.6.

--
Leigh


> -Original Message-
> From: Ben Dale [mailto:bd...@comlinx.com.au]
> Sent: 20 March 2012 13:09
> To: Leigh Porter
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Destination NAT on SRX cluster
> 
> Hi Leigh,
> 
> On 20/03/2012, at 10:53 PM, Leigh Porter wrote:
> 
> >
> > error: The number of destination NAT pools exceeds limit of 0 [edit
> > security nat destination rule-set incoming-connections rule
> > port-forward then destination-nat]  'pool'
> > failed to get pool (wilderness)
> > error: configuration check-out failed
> 
> It looks like a bug, but try changing the "from interface reth0.352" to
> "from zone " and see if the issue goes
> away.  Failing that, upgrade to 11.1R6 and see if that fixes it.
> 
> Ben
> 
> __
> This email has been scanned by the Symantec Email Security.cloud
> service.
> For more information please visit http://www.symanteccloud.com
> __

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


Re: [j-nsp] Destination NAT on SRX cluster

2012-03-20 Thread Tim Eberhard
I'd agree it seems that you're running into a bug. Trying your config
on my SRX I am able to commit through. Reths tend to be different
than a normal interface from a code standpoint, but NAT isn't a
limitation (thank god).

If you're working in a lab, try to upgrade to my code version perhaps.
If you're in prod, good luck... open up a JTAC case and find out which
release fixes it. Sorry Leigh, best of luck.

[edit security nat]
root@Lab-SRX240-11# commit check
configuration check succeeds

[edit security nat]
root@Lab-SRX240-11# show | compare
[edit security nat]
+  destination {
+  pool wilderness {
+  address 172.16.253.10/32 port 22;
+  }
+  rule-set incoming-connections {
+  from interface ge-0/0/0.0;
+  rule port-forard {
+  match {
+  destination-address 88.94.205.5/32;
+  destination-port 22;
+  }
+  then {
+  destination-nat pool wilderness;
+  }
+  }
+  }
+  }
+  proxy-arp {
+  interface ge-0/0/0.0 {
+  address {
+  88.94.205.5/32;
+  }
+  }
+  }
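
Review bot: The "from interface ge-0/0/0.0" line in rule-set incoming-connections tests a plain interface, while the failing configuration quoted in this thread used "from interface reth0.352", so a clean commit check here does not show whether the interface type or the release made the difference. Repeating the check with a reth unit in the "from" statement would separate the two. The rule is also named "port-forard" here, against "port-forward" in the reported error; that does not affect the check, but it is worth correcting before this config is reused.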

[edit security nat]
root@Lab-SRX240-11# run show version
Hostname: Lab-SRX240-11
Model: srx240h-poe
JUNOS Software Release [11.4R1.6]

Hope this helps,
-Tim Eberhard

On Tue, Mar 20, 2012 at 12:09 PM, Leigh Porter
 wrote:
>
>
>> From: Ben Dale [mailto:bd...@comlinx.com.au]
>>
>> Hi Leigh,
>>
>> On 20/03/2012, at 10:53 PM, Leigh Porter wrote:
>>
>> >
>> > error: The number of destination NAT pools exceeds limit of 0 [edit
>> > security nat destination rule-set incoming-connections rule
>> > port-forward then destination-nat]  'pool'
>> >     failed to get pool (wilderness)
>> > error: configuration check-out failed
>>
>> It looks like a bug, but try changing the "from interface reth0.352" to
>> "from zone " and see if the issue goes
>> away.  Failing that, upgrade to 11.1R6 and see if that fixes it.
>
> Yeah I thought bug too. I tried the "from zone .." but it didn't fix it. I'm 
> just about to try 11.blah
>
> Thanks,
> Leigh
>
>


Re: [j-nsp] Destination NAT on SRX cluster

2012-03-20 Thread Leigh Porter


> From: Ben Dale [mailto:bd...@comlinx.com.au]
> 
> Hi Leigh,
> 
> On 20/03/2012, at 10:53 PM, Leigh Porter wrote:
> 
> >
> > error: The number of destination NAT pools exceeds limit of 0 [edit
> > security nat destination rule-set incoming-connections rule
> > port-forward then destination-nat]  'pool'
> > failed to get pool (wilderness)
> > error: configuration check-out failed
> 
> It looks like a bug, but try changing the "from interface reth0.352" to
> "from zone " and see if the issue goes
> away.  Failing that, upgrade to 11.1R6 and see if that fixes it.

Yeah I thought bug too. I tried the "from zone .." but it didn't fix it. I'm 
just about to try 11.blah

Thanks,
Leigh




Re: [j-nsp] Destination NAT on SRX cluster

2012-03-20 Thread Ben Dale
Hi Leigh, 

On 20/03/2012, at 10:53 PM, Leigh Porter wrote:

> 
> error: The number of destination NAT pools exceeds limit of 0
> [edit security nat destination rule-set incoming-connections rule 
> port-forward then destination-nat]
>  'pool'
> failed to get pool (wilderness)
> error: configuration check-out failed

It looks like a bug, but try changing the "from interface reth0.352" to "from 
zone " and see if the issue goes away.  Failing 
that, upgrade to 11.1R6 and see if that fixes it.

Ben