I'm struggling to understand what is wrong with my conf.
I'm configuring a NAT destination rule:
set security nat destination rule-set PFW-RASPI rule PFW-8080 match source-address-name ASET-YOTI-OFFICE
but when I commit:
root@SRX210# commit
[edit security nat destination rule-set PFW-RASPI rule PFW-8080 match]
  'source-address-name ASET-YOTI-OFFICE'
    Can not find address/address-set(ASET-YOTI-OFFICE) in default global address book
error: configuration check-out failed
However, I have that address book configured:
root@SRX210# show | display set | match ASET-YOTI-OFFICE
set security address-book YOTI-OFFICE address-set ASET-YOTI-OFFICE address YOTI-1
set security address-book YOTI-OFFICE address-set ASET-YOTI-OFFICE address YOTI-2
Question 1: What is the reason for that error?
Question 2: Why does Junos give the opportunity to restrict access to a range of IPs under NAT as well as under the security policy for that NAT rule? What is the difference?
Thanks
You have defined that address set under the YOTI-OFFICE address book and not the global one. Please change it to the following :-
set security address-book global address-set ASET-YOTI-OFFICE address YOTI-1
And perform a similar configuration for the YOTI-2 as well.
Please mark my solution as accepted if it helped, Kudos are appreciated as well.
Hi, thank you very much for your reply! Can you please give me more info about that? Why is this necessary? I would like to understand that!
Suppose your internal Server IP address is 192.168.1.10 and you have a public IP from the ISP, suppose 184.108.40.206.
You want to host various applications on the internal server working on different ports, and want them accessible from the internet.
You create a static NAT between 192.168.1.10 and 220.127.116.11. This essentially means that all ports on 18.104.22.168 are translated to all ports on 192.168.1.10.
However, currently you have only one single port on the internal server which is running an application. Hence, you create a security policy to allow just that one port from the Internet Zone to the Server Zone, thus blocking access to all the other ports on that IP despite having a NAT for all the ports.
Please let me know if the explanation is clear.
Regarding your second question, here is the packet flow for the SRX :-
Depending on the type of NAT, Junos gives the flexibility to restrict access in security policies as well.
Hence, even if you configure a static NAT for a single internal IP to an external IP, you can still restrict the ports using the security policy.
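To tie the two answers together, here is an added example configuration (not from any poster on this thread) that puts the address set in the global address book, uses it in the destination NAT rule, and then restricts the translated traffic with a security policy. The office IPs (198.51.100.11/12), the public IP (203.0.113.5), the zone names untrust/trust and the pool/policy/application names are assumed for illustration; the internal server 192.168.1.10 and port 8080 come from the thread.

```junos
# NAT rules can only reference the global address book, so the
# address set (and the addresses it contains) are defined there.
set security address-book global address YOTI-1 198.51.100.11/32
set security address-book global address YOTI-2 198.51.100.12/32
set security address-book global address SRV-RASPI 192.168.1.10/32
set security address-book global address-set ASET-YOTI-OFFICE address YOTI-1
set security address-book global address-set ASET-YOTI-OFFICE address YOTI-2

# Destination NAT: only traffic from the office set, arriving on the
# public IP on port 8080, is translated to the internal server.
set security nat destination pool POOL-RASPI-8080 address 192.168.1.10/32 port 8080
set security nat destination rule-set PFW-RASPI from zone untrust
set security nat destination rule-set PFW-RASPI rule PFW-8080 match source-address-name ASET-YOTI-OFFICE
set security nat destination rule-set PFW-RASPI rule PFW-8080 match destination-address 203.0.113.5/32
set security nat destination rule-set PFW-RASPI rule PFW-8080 match destination-port 8080
set security nat destination rule-set PFW-RASPI rule PFW-8080 then destination-nat pool POOL-RASPI-8080

# Security policy: evaluated after destination NAT, so it matches on the
# translated (internal) address. It is the second gate: even if the NAT
# rule matched more, only this application from this source is permitted.
set applications application TCP-8080 protocol tcp destination-port 8080
set security policies from-zone untrust to-zone trust policy ALLOW-RASPI-8080 match source-address ASET-YOTI-OFFICE
set security policies from-zone untrust to-zone trust policy ALLOW-RASPI-8080 match destination-address SRV-RASPI
set security policies from-zone untrust to-zone trust policy ALLOW-RASPI-8080 match application TCP-8080
set security policies from-zone untrust to-zone trust policy ALLOW-RASPI-8080 then permit
```

Keeping the source restriction in both places is deliberate: the NAT rule decides what gets translated at all, and the policy decides what is permitted after translation, so a later, broader NAT rule does not silently open the server.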