SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

How to do destination NAT with domain?

  • 1.  How to do destination NAT with domain?

    Posted 06-06-2016 22:34

    Hello,

    I'm wondering whether it's possible to do destination NAT with a domain name. Something like:

    - service1.example.com -> 172.17.1.3 port 80

    - service2.example.com -> 172.17.1.4 port 80

    There seems to be a discussion on this topic here, but that thread mentions source NAT. I've tried configuring an address in the address book like this:

    set security zones security-zone Internet address-book address SERVICE_1 dns-name service1.example.com ipv4-only

    Then configuring destination NAT like this:

    rule forward-service-1 {
        description "Destination NAT for Service 1";
        match {
            destination-address-name SERVICE_1;
            destination-port 80;
            protocol tcp;
        }
        then {
            destination-nat {
                pool {
                    service-1-server;
                }
            }
        }
    }

    However, when I tried committing, I got this error:

    [edit security nat destination rule-set dst-nat rule forward-service-1 match]
      'destination-address-name'
        Can not find address/address-set(SERVICE_1) in default global address book
    error: configuration check-out failed

    (It seems that the global address book can't be set when there is any zone-specific address book configured, which in my case there is: a few addresses are set there. Is there any other way?)

    Any help would be appreciated.



  • 2.  RE: How to do destination NAT with domain?
    Best Answer

    Posted 06-06-2016 22:42

    Hello,

    A DNS name in a NAT rule is not supported. Please check:

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB27679&actp=RSS



  • 3.  RE: How to do destination NAT with domain?

    Posted 05-13-2024 04:34

    Hi.

    8 years later... I guess this is still not solved in Junos?

    Does anyone have a good workaround?



    ------------------------------
    Best regards
    Vidar Stokke
    ------------------------------



  • 4.  RE: How to do destination NAT with domain?

    Posted 05-14-2024 11:40

    I suspect there are chip features that do NAT in hardware. I doubt they'll ever tie those rigid rules to something dynamic like DNS resolution.

    But ... perhaps commit script macros? (https://www.juniper.net/documentation/us/en/software/junos/automation-scripting/topics/concept/junos-software-automation-commit-script-macros.html) Or maybe some other scripting magic...



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 5.  RE: How to do destination NAT with domain?

    Posted 05-16-2024 09:34

    Ahh... actually a nice suggestion to use scripts. Maybe using automation scripting that does a DNS lookup and updates an address-book entry regularly?



    ------------------------------
    Best regards
    Vidar Stokke
    ------------------------------
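    One shape the scripted workaround discussed in the replies above could take, as an added example written for this thread (not Juniper's code and not the posters'): resolve the FQDN, diff the answers against what is currently behind an address-set in the global address book (parsed from constructed "display set" output), and emit the set/delete commands needed to bring them in line. The set name SERVICE_1, the per-prefix entry-naming scheme and the fake resolver are assumptions.

```python
"""Resolve an FQDN and sync the prefixes behind a global address-book
address-set on an SRX.  Example written for this thread, not Juniper code.
Assumptions: set name SERVICE_1, entry names derived from the prefix, and
SAMPLE_CONFIG below is constructed 'display set' output (one stale entry)."""
import ipaddress
import re
import socket
from typing import Callable, Iterable, Optional


def resolve_ipv4(fqdn: str, resolver: Optional[Callable[[str], Iterable[str]]] = None) -> set:
    """IPv4 answers for fqdn as /32 prefixes.  The resolver is injectable so the
    example runs offline; the default uses the system resolver."""
    if resolver is None:
        resolver = lambda h: {ai[4][0] for ai in socket.getaddrinfo(h, None, socket.AF_INET)}
    return {f"{ipaddress.IPv4Address(ip)}/32" for ip in resolver(fqdn)}


def entry_name(set_name: str, prefix: str) -> str:
    """Deterministic address name per prefix, e.g. SERVICE_1-172-17-1-3, so reruns are idempotent."""
    return f"{set_name}-{prefix.split('/')[0].replace('.', '-')}"


def current_prefixes(display_set: str, set_name: str) -> set:
    """Prefixes currently behind set_name, parsed from 'show configuration ... | display set' text."""
    addr = dict(re.findall(r"^set security address-book global address (\S+) (\S+)$", display_set, re.M))
    members = re.findall(rf"^set security address-book global address-set {re.escape(set_name)} address (\S+)$",
                         display_set, re.M)
    return {addr[m] for m in members if m in addr}


def sync_commands(set_name: str, current: set, resolved: set) -> list:
    """Delete entries no longer returned by DNS, add new ones; an empty list means nothing to commit."""
    cmds = []
    for p in sorted(current - resolved):
        cmds.append(f"delete security address-book global address-set {set_name} address {entry_name(set_name, p)}")
        cmds.append(f"delete security address-book global address {entry_name(set_name, p)}")
    for p in sorted(resolved - current):
        cmds.append(f"set security address-book global address {entry_name(set_name, p)} {p}")
        cmds.append(f"set security address-book global address-set {set_name} address {entry_name(set_name, p)}")
    return cmds


# Constructed sample config: the set currently holds one prefix DNS no longer returns.
SAMPLE_CONFIG = """\
set security address-book global address SERVICE_1-172-17-1-9 172.17.1.9/32
set security address-book global address-set SERVICE_1 address SERVICE_1-172-17-1-9
"""
FAKE_DNS = {"service1.example.com": ["172.17.1.3", "172.17.1.4"]}  # constructed answers


def demo() -> list:
    resolved = resolve_ipv4("service1.example.com", lambda h: FAKE_DNS[h])
    return sync_commands("SERVICE_1", current_prefixes(SAMPLE_CONFIG, "SERVICE_1"), resolved)


if __name__ == "__main__":
    print("\n".join(demo()))
```

    The commands can be pushed on a schedule with PyEZ (Config.load(..., format="set") followed by a commit) or from an op script; the entries live in the global address book, which is where the destination-address-name lookup in the commit error above goes.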



  • 6.  RE: How to do destination NAT with domain?

    Posted 05-16-2024 10:54

    I usually use d-nat for inbound traffic and I've had situations where it would have been nice to have the d-nat pool entry be dynamic, but not the matched address. I'm curious, what is your use case?



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 7.  RE: How to do destination NAT with domain?

    Posted 9 days ago

    Correction: DNS for NAT is supported starting in 22.2R1.

    https://www.juniper.net/documentation/us/en/software/junos/release-notes/22.2/junos-release-notes-22.2r1/topics/new-features/feature-descriptions/nat-7.html

    Address entries should be defined in the global address book.



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 8.  RE: How to do destination NAT with domain?

    Posted 8 days ago

    Thanks Nikolay.

    As far as I can see and with the tests I've done, this does not resolve my problem.

    My use case for this is doing source NAT to a specific source pool when traffic has a destination which is an FQDN. I am unable to create a NAT rule with a match on destination-address that is an address book entry of the type "DNS Host". It seems that the fix you linked to is the support for using an FQDN in a NAT pool.



    ------------------------------
    Best regards
    Vidar Stokke
    ------------------------------



  • 9.  RE: How to do destination NAT with domain?

    Posted 7 days ago

    I don't have a box running 22 to test with, but I saw this in a recently-updated KB, except in their example they're using it to match the source-address rather than the destination-address.
    https://supportportal.juniper.net/s/article/SRX-DNS-name-is-not-a-supported-address-or-address-set-type-in-NAT-rules?language=en_US

    So close to your use case ... Maybe next time ...



    ------------------------------
    Nikolay Semov
    ------------------------------



  • 10.  RE: How to do destination NAT with domain?

    Posted 3 days ago

    I will also take a closer look at this Nikolay. I'll keep you posted.



    ------------------------------
    Best regards
    Vidar Stokke
    ------------------------------