Monday, April 4, 2011

More than 8 destination-nat rules in Juniper SRX

I don't know why, but on SRX-series Junipers it is impossible to create more than eight dnat rules per zone. However, this is easily worked around (found on the Internet, too lazy to translate):

For every additional 8 rules you want to apply, you create a new "dummy" zone... that is, a zone that is not used for anything, like so:
set security zones security-zone dummy1
set security zones security-zone dummy2
set security zones security-zone dummyN
...

Then, you can create rule-sets using your source zone and a dummy zone, like so:

set security nat destination rule-set DestinationNAT1 from zone dummy1
set security nat destination rule-set DestinationNAT1 from zone untrust

set security nat destination rule-set DestinationNAT2 from zone dummy2
set security nat destination rule-set DestinationNAT2 from zone untrust
...

So that each rule-set has a unique source (untrust or dummy1, untrust or dummy2, etc...) but in reality it's just going to match untrust since the dummy zones aren't used.
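A worked configuration of the trick above, added here as an example and not taken from the quoted post or from Juniper documentation. It assumes zones named untrust and trust already exist; the rule-set names, pool names, and the addresses (203.0.113.0/24 public, 10.0.0.0/28 internal) are constructed placeholders. Nine public addresses are forwarded: eight in the first rule-set, the ninth in a second rule-set whose from-context is made unique by an interface-less dummy zone.

```junos
# Dummy zone with no interfaces bound to it: it carries no traffic and exists
# only so the second rule-set's "from" context differs from the first one's.
set security zones security-zone dummy1

# One destination pool per internal server (constructed addresses).
set security nat destination pool srv1 address 10.0.0.1/32
set security nat destination pool srv2 address 10.0.0.2/32
set security nat destination pool srv3 address 10.0.0.3/32
set security nat destination pool srv4 address 10.0.0.4/32
set security nat destination pool srv5 address 10.0.0.5/32
set security nat destination pool srv6 address 10.0.0.6/32
set security nat destination pool srv7 address 10.0.0.7/32
set security nat destination pool srv8 address 10.0.0.8/32
set security nat destination pool srv9 address 10.0.0.9/32

# First rule-set: plain untrust context, rules 1-8 (the per-set limit).
set security nat destination rule-set DNAT1 from zone untrust
set security nat destination rule-set DNAT1 rule r1 match destination-address 203.0.113.1/32
set security nat destination rule-set DNAT1 rule r1 then destination-nat pool srv1
set security nat destination rule-set DNAT1 rule r2 match destination-address 203.0.113.2/32
set security nat destination rule-set DNAT1 rule r2 then destination-nat pool srv2
set security nat destination rule-set DNAT1 rule r3 match destination-address 203.0.113.3/32
set security nat destination rule-set DNAT1 rule r3 then destination-nat pool srv3
set security nat destination rule-set DNAT1 rule r4 match destination-address 203.0.113.4/32
set security nat destination rule-set DNAT1 rule r4 then destination-nat pool srv4
set security nat destination rule-set DNAT1 rule r5 match destination-address 203.0.113.5/32
set security nat destination rule-set DNAT1 rule r5 then destination-nat pool srv5
set security nat destination rule-set DNAT1 rule r6 match destination-address 203.0.113.6/32
set security nat destination rule-set DNAT1 rule r6 then destination-nat pool srv6
set security nat destination rule-set DNAT1 rule r7 match destination-address 203.0.113.7/32
set security nat destination rule-set DNAT1 rule r7 then destination-nat pool srv7
set security nat destination rule-set DNAT1 rule r8 match destination-address 203.0.113.8/32
set security nat destination rule-set DNAT1 rule r8 then destination-nat pool srv8

# Second rule-set: "untrust or dummy1" is a distinct context, so the set is
# accepted, yet only untrust traffic can ever match it.
set security nat destination rule-set DNAT2 from zone dummy1
set security nat destination rule-set DNAT2 from zone untrust
set security nat destination rule-set DNAT2 rule r9 match destination-address 203.0.113.9/32
set security nat destination rule-set DNAT2 rule r9 then destination-nat pool srv9

# Security policy is evaluated on the post-NAT destination, so it matches the
# internal server range rather than the public addresses. Narrow "application"
# to the services actually exposed in a real deployment.
set security zones security-zone trust address-book address dnat-servers 10.0.0.0/28
set security policies from-zone untrust to-zone trust policy dnat-in match source-address any
set security policies from-zone untrust to-zone trust policy dnat-in match destination-address dnat-servers
set security policies from-zone untrust to-zone trust policy dnat-in match application any
set security policies from-zone untrust to-zone trust policy dnat-in then permit
```

After committing, `show security nat destination rule all` lists both rule-sets, and the dummy zone should stay empty of interfaces so it can never originate or receive traffic of its own.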
