SRX


NAT rules limitation on SRX

  • 1.  NAT rules limitation on SRX

    Posted 10-23-2009 14:48

    1. In one rule-set you can configure up to 8 rules. When you configure the ninth rule you receive the following error:

    [edit security nat destination rule-set ks]
     'rule'
       number of elements exceeds limit of 8
    error: commit failed: (number of elements exceeds limit)



    2. You can’t configure two rule-sets that come from the same zone. When you do, you receive the following error:

    error: Destination NAT rule-set ks and rr have same context.
    [edit security nat destination]
     'rule-set rr'
       Destination NAT rule-set(rr) sanity check failed.
    error: configuration check-out failed



    In order to bypass it, you configure another rule-set from an interface. This gives you another 8 rules. In destination NAT you have only the "from" statement, so you have a total of 16 NAT rules.

    In source NAT you can also configure the "to" statement, so you have 32 rules.

    Is there anything I am missing here, or are we limited in the number of NAT rules?

     

    --ash



  • 2.  RE: NAT rules limitation on SRX
    Best Answer

    Posted 10-23-2009 14:55

    The limit per rule-set is raised to 256 rules (except for destination NAT, which is still at 8 per rule-set / context). Further improvements to NAT are planned for future releases, I believe.

    Apparently, you can also create "dummy" zones that contain no interfaces and thereby create an arbitrary number of contexts. This is a work-around for cases where the limit is still too constraining. This was explained earlier in another thread, actually in a reply to your earlier query 🙂

     

     

    thanks

    raheel anwar



  • 3.  RE: NAT rules limitation on SRX

    Posted 10-23-2009 14:58

    thanks raheel

     

    Appreciate you answering all the NAT queries, much appreciated.

     

    --ash



  • 4.  RE: NAT rules limitation on SRX

    Posted 04-14-2010 09:34

    I'm still having this issue on Junos 10.1R1.8. I've tricked the SRX by having two rule-sets, giving me 16. I've shown how I did this below. rkim, I just read your reply that this will be fixed in 10.2. Thanks - I'll be looking forward to this release. Does anyone have a solution for this limitation before then? Also, any idea when 10.2 will be out?

    rule-set nat-untrust {
        from zone untrust;
        ...
    }
    rule-set nat-vlan_1 {
        from interface ge-0/0/2.0;
        ...
    }



  • 5.  RE: NAT rules limitation on SRX

    Posted 04-14-2010 15:12
    Well, the limitation is only in the config; you can "fool" the machine by adding as many dummy zones as you like and thereby adding rules. I have configured a 3600 with more than 10 dummy zones, each of which holds 8 rules, and by that achieved 80 destination NAT rules.


  • 6.  RE: NAT rules limitation on SRX

    Posted 04-27-2010 13:02

    Hi Tal, Shahab,

    If possible, kindly send a snippet of this workaround (with dummy zones).

    thanks much!!



  • 7.  RE: NAT rules limitation on SRX

    Posted 04-04-2010 04:53

    Is it solved yet? Because I have an SRX 240 (10.0R1.8) and still 16 destination NAT rules, no more. Can you please help me with that 😞



  • 8.  RE: NAT rules limitation on SRX

    Posted 04-04-2010 17:58

    Check out the current NAT rule limits in the KB article below.

     

    http://kb.juniper.net/KB14149

     

    9.5 and later have the rule limit increased to 256 rules for static NAT. The source NAT limit increase was included in 10.1, and the destination NAT limit increase will happen in 10.2.

     

    -Richard

     


  • 9.  RE: NAT rules limitation on SRX

    Posted 06-28-2010 00:25

    Hi Raheel,

    Have you published this dummy zones solution in another, separate thread?

    I kindly need this resolution before upgrading Junos 🙂

     

    FR



  • 10.  RE: NAT rules limitation on SRX

    Posted 04-17-2010 19:53
    Hi talm,

    Can you post the code here? I really need it.

    Thanks

    Husni


  • 11.  RE: NAT rules limitation on SRX

    Posted 06-30-2010 10:25

    I'm setting up our first Junos device and just came across this limitation. It's disconcerting to find this out now, as it seems to me this is a basic function of a firewall to handle more than 8 incoming services 😞

     

    Anyhow, we have 40+ destination NAT rules and add more as necessary, so the tricks to get 16 or 24 rules won't help us.  I'd rather wait for 10.2r2 to fix the problem permanently, but I don't have the luxury of waiting until August.

     

    How does one configure these dummy zones? I don't mind doing a workaround, but some more details (or even better, code) would go a long way.

     

    Thanks!



  • 12.  RE: NAT rules limitation on SRX

    Posted 06-30-2010 15:42

    Just in case anyone's still looking, here are the details:

     

    For every additional 8 rules you want to apply, you create a new "dummy" zone... that is, a zone that is not used for anything, like so:

     

    set security zones security-zone dummy1

    set security zones security-zone dummy2

    set security zones security-zone dummyN

    ...

     

    Then, you can create rule-sets using your source zone and a dummy zone, like so:

     

    set security nat destination rule-set DestinationNAT1 from zone dummy1
    set security nat destination rule-set DestinationNAT1 from zone untrust

    set security nat destination rule-set DestinationNAT2 from zone dummy2
    set security nat destination rule-set DestinationNAT2 from zone untrust

    ...

     

     

    So each rule-set has a unique source context (untrust or dummy1, untrust or dummy2, etc.), but in reality it's just going to match untrust, since the dummy zones aren't used.

     

     

    Hope this helps someone!

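    The dummy-zone workaround above, as an added example that is not code from any participant in this thread: a Python script that generates the Junos `set` commands for any number of destination NAT rules, keeps each rule-set at the 8-rule limit reported here, gives every rule-set a unique from-context, and checks offline for the two things that bite in practice: two rule-sets with an identical context (the "have same context" commit error quoted in the first post) and a dummy zone that has quietly acquired an interface, which would make its rule-set match that interface's traffic. The ingress zone name untrust, the pool name pool-a, the rule names svcN, the 203.0.113.0/24 addresses and the existing-config lines used in the checks are constructed assumptions, not values from the thread.

```python
# Added example for this thread, not code posted by any participant. It
# generates the "dummy zone" destination NAT workaround for any number of
# rules. Assumptions (not from the thread): the real ingress zone is "untrust",
# the destination NAT pools already exist, and the per-rule-set limit is the
# 8 rules reported above; check your release's documented limits first.
from dataclasses import dataclass
from typing import List, Sequence, Tuple

RULE_LIMIT_PER_RULE_SET = 8  # destination NAT limit reported in the thread


@dataclass(frozen=True)
class DnatRule:
    """One destination NAT rule: name, matched address/port, target pool."""
    name: str
    dst_addr: str   # e.g. "203.0.113.10/32" (constructed sample value)
    dst_port: int
    pool: str       # destination NAT pool name, assumed to exist already


@dataclass(frozen=True)
class RuleSet:
    """A rule-set keyed on the real ingress zone plus one unused dummy zone."""
    name: str
    ingress_zone: str
    dummy_zone: str
    rules: Tuple[DnatRule, ...]

    @property
    def context(self) -> frozenset:
        return frozenset((self.ingress_zone, self.dummy_zone))  # what commit compares


def build_rule_sets(rules: Sequence[DnatRule], ingress_zone: str = "untrust",
                    limit: int = RULE_LIMIT_PER_RULE_SET) -> List[RuleSet]:
    """Split rules into rule-sets of at most `limit` rules, one dummy zone each.
    Dummy zones hold no interfaces, so each rule-set still only sees traffic
    entering from `ingress_zone`; the dummy zone only makes the context unique."""
    if limit < 1:
        raise ValueError("limit must be at least 1")
    rule_sets: List[RuleSet] = []
    for start in range(0, len(rules), limit):
        idx = len(rule_sets) + 1
        rule_sets.append(RuleSet(name=f"DestinationNAT{idx}",
                                 ingress_zone=ingress_zone,
                                 dummy_zone=f"dummy{idx}",
                                 rules=tuple(rules[start:start + limit])))
    return rule_sets


def check_rule_sets(rule_sets: Sequence[RuleSet],
                    limit: int = RULE_LIMIT_PER_RULE_SET) -> None:
    """Reject offline what the commit would reject: duplicate contexts
    (the "have same context" error) and rule-sets over the rule limit."""
    seen = {}
    for rs in rule_sets:
        if len(rs.rules) > limit:
            raise ValueError(f"rule-set {rs.name}: {len(rs.rules)} rules "
                             f"exceeds limit of {limit}")
        if rs.context in seen:
            raise ValueError(f"Destination NAT rule-set {seen[rs.context]} and "
                             f"{rs.name} have same context {sorted(rs.context)}")
        seen[rs.context] = rs.name


def render_config(rule_sets: Sequence[RuleSet],
                  limit: int = RULE_LIMIT_PER_RULE_SET) -> List[str]:
    """Emit Junos `set` commands: the dummy zones first, then each rule-set."""
    check_rule_sets(rule_sets, limit)
    lines = [f"set security zones security-zone {rs.dummy_zone}" for rs in rule_sets]
    for rs in rule_sets:
        base = f"set security nat destination rule-set {rs.name}"
        lines.append(f"{base} from zone {rs.ingress_zone}")
        lines.append(f"{base} from zone {rs.dummy_zone}")
        for r in rs.rules:
            lines.append(f"{base} rule {r.name} match destination-address {r.dst_addr}")
            lines.append(f"{base} rule {r.name} match destination-port {r.dst_port}")
            lines.append(f"{base} rule {r.name} then destination-nat pool {r.pool}")
    return lines


def dummy_zones_with_interfaces(existing_config: Sequence[str],
                                rule_sets: Sequence[RuleSet]) -> List[str]:
    """Return dummy zones that already hold an interface in the running config
    (lines from `show configuration | display set`). A dummy zone that gains an
    interface silently makes its rule-set apply to that interface's traffic."""
    dummies = {rs.dummy_zone for rs in rule_sets}
    found = set()
    for line in existing_config:
        parts = line.split()
        # Shape: set security zones security-zone <zone> interfaces <ifl> ...
        if (len(parts) >= 7 and parts[:4] == ["set", "security", "zones", "security-zone"]
                and parts[5] == "interfaces" and parts[4] in dummies):
            found.add(parts[4])
    return sorted(found)


if __name__ == "__main__":
    # Constructed sample: 20 services behind 203.0.113.x, all to one pool.
    sample = [DnatRule(f"svc{i}", f"203.0.113.{i}/32", 1000 + i, "pool-a")
              for i in range(1, 21)]
    print("\n".join(render_config(build_rule_sets(sample))))
```

    Run it and paste the output into configure mode, or feed it to `load set`. Before committing, run `dummy_zones_with_interfaces` over the current `show configuration | display set` output: the workaround is only safe while the dummy zones stay empty, and nothing on the box stops a later change from putting an interface into one.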

  • 13.  RE: NAT rules limitation on SRX

    Posted 11-19-2010 09:04

    Has this issue been fixed in 10.2?  Is 10.2 available now? 



  • 14.  RE: NAT rules limitation on SRX

    Posted 11-19-2010 11:41

    This is resolved in 10.2r3. 10.2r3 is available, and (mostly) stable. IDP is reportedly still a bit wonky (that's a technical term), but the majority of features work.

     

    10.2 release notes show the NAT limits as they apply now. You have a flat limit across all NAT types now, instead of these individual limits. And the limits are high, between 512 and 8192 depending on platform.

     



  • 15.  RE: NAT rules limitation on SRX

    Posted 09-07-2011 15:51

    You saved my life over a year later!

     

     

    Thanks!



  • 16.  RE: NAT rules limitation on SRX

    Posted 05-06-2014 15:16

    Don't think the issue with the limitations on destination NAT is being addressed, not in 11.4R10.3 at least. Does anyone have any update on when this limit will be increased?



  • 17.  RE: NAT rules limitation on SRX

    Posted 06-05-2015 11:31

    It's been 6 years; I'm surprised this hasn't been addressed. I'm glad I found this thread; the dummy zone solution did the trick for me with the NAT context error I was getting.



  • 18.  RE: NAT rules limitation on SRX

    Posted 07-26-2017 08:00

    Below is the resolution configuration template we used to address this limitation.

     

    1. Declare a subnet entity 192.168.123.0/24, place it in an address child group Enterprise-123, and assign the child group under a parent (mother) group called NAT-GP-Corp-Users-Networks in the global hierarchy.

     

    set logical-systems WBH-LSYS-06 security address-book global address Enterprise-123 192.168.123.0/24

    set logical-systems WBH-LSYS-06 security address-book global address-set NAT-GP-Corp-Users-Networks address Enterprise-123

     

    2. Then create a new NAT rule under the main hierarchy, NAT source rule-set NAT-SRC-03, and name it NAT-SRC-03-05a, similar to the existing rule NAT-SRC-03-05. The intention is not to override the existing rule but to complement it, so as to avoid any effect on production.

     

    set logical-systems WBH-LSYS-06 security nat source rule-set NAT-SRC-03 rule NAT-SRC-03-05a

    set logical-systems WBH-LSYS-06 security nat source rule-set NAT-SRC-03 rule NAT-SRC-03-05a then source-nat pool vFW6-Pri2

     

    3. Next, reference the newly created parent (mother) group NAT-GP-Corp-Users-Networks within the new NAT rule NAT-SRC-03-05a.

     

    set logical-systems WBH-LSYS-06 security nat source rule-set NAT-SRC-03 rule NAT-SRC-03-05a match source-address-name NAT-GP-Corp-Users-Networks

     

    The configuration will also include the destination address; for this part the destination addresses remain as they are, and the IPs are not placed in any parent (mother) group.

    set logical-systems WBH-LSYS-06 security nat source rule-set NAT-SRC-03 rule NAT-SRC-03-05a match destination-address 10.168.105.0/24

    set logical-systems WBH-LSYS-06 security nat source rule-set NAT-SRC-03 rule NAT-SRC-03-05a match destination-address 10.168.106.0/24

    set logical-systems WBH-LSYS-06 security nat source rule-set NAT-SRC-03 rule NAT-SRC-03-05a match destination-address 10.168.108.0/24

    set logical-systems WBH-LSYS-06 security nat source rule-set NAT-SRC-03 rule NAT-SRC-03-05a match destination-address 10.168.109.0/24

     

    4. Once all have been loaded, the new NAT rule will exist and be populated automatically at the end of the existing rule order. E.g., refer below:

    [screenshot: point 4]

     

    5. To ensure the rule is executed in the proper order, we need to move rule NAT-SRC-03-05a after the existing rule NAT-SRC-03-05.

    [screenshot: point 5]

    6. To implement step 5, we need to issue the "insert rule NAT-SRC-03-05a before rule NAT-SRC-03-06" command to complete the given change.

    Command issued (step) | Description & remark
    =================================================================
    Sample of another scenario: "insert"
    =================================================================

     

    {primary:node0}[edit logical-systems x-LSYS-06]

    x.rahman@xJP01# edit security nat source rule-set NAT-SRC-03

     

    {primary:node0}[edit logical-systems x-LSYS-06 security nat source rule-set NAT-SRC-03]

    x.rahman@xJP01# insert rule NAT-SRC-03-05a before rule NAT-SRC-03-06

     

     

    {primary:node0}[edit logical-systems x-LSYS-06 security nat source rule-set NAT-SRC-03]

    x.rahman@xJP01# show

    insert rule NAT-TEST before rule NAT-SRC-03-06 in the hierarchy

     

     

     

     

    The result will be:

    NAT-SRC-03-05a
                    ! NAT-SRC-03-06

    The show command will display the new hierarchical structure of the rule-set. The new rule will be on top of NAT-SRC-03-06.

     

    7. Once the new rule NAT-SRC-03-05a is in order, we can then proceed to add the remaining subnets into the parent (mother) group NAT-GP-Corp-Users-Networks. Below shows the new NAT rule arrangement once step 6 is completed.

    [screenshot: point 7]

    8. Once all are in place, we may proceed to ask the requestor to test and verify. The next step will be to expand the group NAT-GP-Corp-Users-Networks:

     

    set logical-systems WBH-LSYS-06 security address-book global address Enterprise-96 192.168.96.0/24

    set logical-systems WBH-LSYS-06 security address-book global address-set NAT-GP-Corp-Users-Networks address Enterprise-96

     

    set logical-systems WBH-LSYS-06 security address-book global address Enterprise-240 192.168.240.0/24

    set logical-systems WBH-LSYS-06 security address-book global address-set NAT-GP-Corp-Users-Networks address Enterprise-240

     

    set logical-systems WBH-LSYS-06 security address-book global address Enterprise-115 192.168.115.0/24

    set logical-systems WBH-LSYS-06 security address-book global address-set NAT-GP-Corp-Users-Networks address Enterprise-115

     

    set logical-systems WBH-LSYS-06 security address-book global address Enterprise-105 192.168.105.0/24

    set logical-systems WBH-LSYS-06 security address-book global address-set NAT-GP-Corp-Users-Networks address Enterprise-105

     

    set logical-systems WBH-LSYS-06 security address-book global address Enterprise-104 192.168.104.0/24

    set logical-systems WBH-LSYS-06 security address-book global address-set NAT-GP-Corp-Users-Networks address Enterprise-104

     

    set logical-systems WBH-LSYS-06 security address-book global address Enterprise-108 192.168.108.0/24

    set logical-systems WBH-LSYS-06 security address-book global address-set NAT-GP-Corp-Users-Networks address Enterprise-108

     

    set logical-systems WBH-LSYS-06 security address-book global address Enterprise-109 192.168.109.0/24

    set logical-systems WBH-LSYS-06 security address-book global address-set NAT-GP-Corp-Users-Networks address Enterprise-109

     

    9. The above configuration script will result in something like below. Thus the maximum of 8 subnets under 1 NAT rule is overcome.

    [screenshot: point 9]