Re: [j-nsp] Destination NAT on SRX cluster
Yup it is a bug, it works fine in 11.4R1.6.

--
Leigh

> -----Original Message-----
> From: Ben Dale [mailto:bd...@comlinx.com.au]
> Sent: 20 March 2012 13:09
> To: Leigh Porter
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] Destination NAT on SRX cluster
>
> Hi Leigh,
>
> On 20/03/2012, at 10:53 PM, Leigh Porter wrote:
>
> >
> > error: The number of destination NAT pools exceeds limit of 0 [edit
> > security nat destination rule-set incoming-connections rule
> > port-forward then destination-nat] 'pool'
> > failed to get pool (wilderness)
> > error: configuration check-out failed
>
> It looks like a bug, but try changing the "from interface reth0.352" to
> "from zone " and see if the issue goes
> away. Failing that, upgrade to 11.1R6 and see if that fixes it.
>
> Ben

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Re: [j-nsp] Destination NAT on SRX cluster
I'd agree it seems that you're running into a bug. Trying your config on my SRX I am able to commit through. Reth's tend to be different than a normal interface from a code standpoint, but nat isn't a limitation (thank god). If you're working in a lab, try to upgrade to my code version perhaps. If you're in prod, good luck..open up a jtac case and find out which release fixes it. Sorry Leigh, best of luck.

[edit security nat]
root@Lab-SRX240-11# commit check
configuration check succeeds

[edit security nat]
root@Lab-SRX240-11# show | compare
[edit security nat]
+  destination {
+      pool wilderness {
+          address 172.16.253.10/32 port 22;
+      }
+      rule-set incoming-connections {
+          from interface ge-0/0/0.0;
+          rule port-forard {
+              match {
+                  destination-address 88.94.205.5/32;
+                  destination-port 22;
+              }
+              then {
+                  destination-nat pool wilderness;
+              }
+          }
+      }
+  }
+  proxy-arp {
+      interface ge-0/0/0.0 {
+          address {
+              88.94.205.5/32;
+          }
+      }
+  }

[edit security nat]
root@Lab-SRX240-11# run show version
Hostname: Lab-SRX240-11
Model: srx240h-poe
JUNOS Software Release [11.4R1.6]

Hope this helps,
-Tim Eberhard

On Tue, Mar 20, 2012 at 12:09 PM, Leigh Porter wrote:
>
>
>> From: Ben Dale [mailto:bd...@comlinx.com.au]
>>
>> Hi Leigh,
>>
>> On 20/03/2012, at 10:53 PM, Leigh Porter wrote:
>>
>> >
>> > error: The number of destination NAT pools exceeds limit of 0 [edit
>> > security nat destination rule-set incoming-connections rule
>> > port-forward then destination-nat] 'pool'
>> > failed to get pool (wilderness)
>> > error: configuration check-out failed
>>
>> It looks like a bug, but try changing the "from interface reth0.352" to
>> "from zone " and see if the issue goes
>> away. Failing that, upgrade to 11.1R6 and see if that fixes it.
>
> Yeah I thought bug too. I tried the "from zone .." but it didn't fix it. I'm
> just about to try 11.blah
>
> Thanks,
> Leigh

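Review bot: in the rule-set, `from interface ge-0/0/0.0` binds the rule to a plain interface, while the failing configuration quoted in this thread used `from interface reth0.352`, so this successful commit check on 11.4R1.6 cannot show whether the release or the interface type made the difference. Repeating the check with the reth unit in the `from` statement and under `proxy-arp` would settle that. The rule is also named `port-forard` where the quoted error output has `port-forward`; harmless for the commit check, but worth aligning before the lines are pasted into a real configuration.
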
Re: [j-nsp] Destination NAT on SRX cluster
> From: Ben Dale [mailto:bd...@comlinx.com.au]
>
> Hi Leigh,
>
> On 20/03/2012, at 10:53 PM, Leigh Porter wrote:
>
> >
> > error: The number of destination NAT pools exceeds limit of 0 [edit
> > security nat destination rule-set incoming-connections rule
> > port-forward then destination-nat] 'pool'
> > failed to get pool (wilderness)
> > error: configuration check-out failed
>
> It looks like a bug, but try changing the "from interface reth0.352" to
> "from zone " and see if the issue goes
> away. Failing that, upgrade to 11.1R6 and see if that fixes it.

Yeah I thought bug too. I tried the "from zone .." but it didn't fix it. I'm just about to try 11.blah

Thanks,
Leigh

Re: [j-nsp] Destination NAT on SRX cluster
Hi Leigh,

On 20/03/2012, at 10:53 PM, Leigh Porter wrote:

>
> error: The number of destination NAT pools exceeds limit of 0
> [edit security nat destination rule-set incoming-connections rule
> port-forward then destination-nat]
> 'pool'
> failed to get pool (wilderness)
> error: configuration check-out failed

It looks like a bug, but try changing the "from interface reth0.352" to "from zone " and see if the issue goes away. Failing that, upgrade to 11.1R6 and see if that fixes it.

Ben