
[SRX] DNS name is not a supported address or address-set type in NAT rules


Article ID: KB27679
KB Last Updated: 16 Sep 2014
Version: 3.0
Summary:
This article links a commit error to the technical documentation.

Symptoms:
Configuring a dns-name address in the global address book and then referencing it in a NAT rule fails the commit check on the SRX:
root@abc# commit check
[edit security nat source rule-set Trust_to_Untrust rule rule1 match]
'source-address-name 123'
Address/address-set(123) isn't supported in NAT rule
error: configuration check-out failed

Cause:
The following configuration is not supported on the SRX.

[edit]
root@abc# show security address-book
global {
     address 123 {
         dns-name 123.com; <<<<<<<<<<
     }
     address anyv4 0.0.0.0/0;
     address 12345 1.2.3.4/32;
}


root@abc# show security nat source
pool first {
     address {
         10.10.10.10/32;
     }
}

rule-set Trust_to_Untrust {
     from zone trust;
     to zone untrust;
     rule rule1 {
          match {
             source-address-name 123;
             destination-address-name anyv4;
          }
         then {
             source-nat {
                 pool {
                     first;
                 }
             }
         }
    }
}

                                                                                    
root@abc# commit check
[edit security nat source rule-set Trust_to_Untrust rule rule1 match]
'source-address-name 123'
Address/address-set(123) isn't supported in NAT rule
error: configuration check-out failed


Solution:
Refer to the note in the technical documentation under 'Address Books and NAT', which specifies that this feature is not supported on the SRX.

Note: The following address and address set types are not supported in NAT rules — DNS names.

If DNS names are required in a NAT rule, work with the account team so they can file an enhancement request for this feature. The only workaround is to resolve the DNS name in question and configure the corresponding IP addresses in the NAT rule.
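The workaround above can be scripted; the following is an added example, not Juniper's code and not part of the original article. It turns resolved IPv4 answers into static /32 address-book entries grouped in an address-set and points the NAT rule at that set. The set name `dns-123-com`, the `-N` entry suffix, the name filter and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re
import socket

# Conservative name filter chosen for this example (not a Junos rule): it keeps
# anything that could break out of a "set" command out of the generated config.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,62}")


def resolve_ipv4(dns_name):
    """Return the sorted, de-duplicated IPv4 addresses the name resolves to now."""
    infos = socket.getaddrinfo(dns_name, None, family=socket.AF_INET)
    return sorted({info[4][0] for info in infos}, key=ipaddress.IPv4Address)


def nat_workaround(set_name, addresses, rule_set, rule, old_name=None):
    """Build Junos commands that put static /32 entries into a source NAT rule."""
    for name in (set_name, rule_set, rule) + ((old_name,) if old_name else ()):
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"unsafe name: {name!r}")
    # Parse every answer as IPv4; a malformed or IPv6 answer raises ValueError.
    hosts = sorted({ipaddress.IPv4Address(a) for a in addresses})
    if not hosts:
        raise ValueError("no addresses resolved; refusing to emit an empty set")
    book = "set security address-book global"
    match = f"security nat source rule-set {rule_set} rule {rule} match"
    cmds = []
    for i, host in enumerate(hosts, 1):
        entry = f"{set_name}-{i}"  # hypothetical naming scheme for the entries
        cmds.append(f"{book} address {entry} {host}/32")
        cmds.append(f"{book} address-set {set_name} address {entry}")
    if old_name:
        # Drop the dns-name address that made the commit check fail.
        cmds.append(f"delete {match} source-address-name {old_name}")
    cmds.append(f"set {match} source-address-name {set_name}")
    return cmds


if __name__ == "__main__":
    # Constructed sample answers (documentation range), so this runs offline.
    # Live use: addresses = resolve_ipv4("123.com")
    sample = ["192.0.2.20", "192.0.2.10", "192.0.2.10"]
    for line in nat_workaround("dns-123-com", sample, "Trust_to_Untrust", "rule1", "123"):
        print(line)
```

The generated entries are a snapshot of the name at resolution time, so the commands need regenerating whenever the DNS record changes.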
