This article links a commit error to the technical documentation.
Configuring dns-name in the global address book and then referencing that address in a NAT rule does not commit on the SRX:
root@abc# commit check
[edit security nat source rule-set Trust_to_Untrust rule rule1 match]
'source-address-name 123'
Address/address-set(123) isn't supported in NAT rule
error: configuration check-out failed
The following configuration is not supported on the SRX.
[edit]
root@abc# show security address-book
global {
    address 123 {
        dns-name 123.com; <<<<<<<<<<
    }
    address anyv4 0.0.0.0/0;
    address 12345 1.2.3.4/32;
}
root@abc# show security nat source
pool first {
    address {
        10.10.10.10/32;
    }
}
rule-set Trust_to_Untrust {
    from zone trust;
    to zone untrust;
    rule rule1 {
        match {
            source-address-name 123;
            destination-address-name anyv4;
        }
        then {
            source-nat {
                pool {
                    first;
                }
            }
        }
    }
}
root@abc# commit check
[edit security nat source rule-set Trust_to_Untrust rule rule1 match]
'source-address-name 123'
Address/address-set(123) isn't supported in NAT rule
error: configuration check-out failed
Please refer to the NOTE in the technical documentation under 'Address Books and NAT', which specifies that this feature is not supported on the SRX.
Note: The following address and address set types are not supported in NAT rules — DNS names.
If DNS names are required in a NAT rule, please work with the account team so they can file an enhancement request for this feature. The only workaround is to resolve the DNS name in question and configure the corresponding IP addresses in the NAT rule.
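One way to script the workaround above, as an added example that is not from the original article or from Juniper: it resolves the name and prints Junos commands that replace the dns-name reference in rule1 with source-address /32 prefixes. The function names, the stand-in resolver and the 192.0.2.x answers are assumptions constructed for illustration; the generated entries are static, so they have to be regenerated whenever the DNS record changes.

```python
import ipaddress
import socket


def resolve_ipv4(hostname, resolver=socket.getaddrinfo):
    """Return the sorted, de-duplicated IPv4 addresses that hostname resolves to."""
    infos = resolver(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    # ip_address validation rejects anything that is not a literal IPv4 address
    addrs = {ipaddress.IPv4Address(info[4][0]) for info in infos}
    if not addrs:
        raise ValueError(f"{hostname} returned no A records")
    return sorted(addrs)


def nat_workaround_commands(dns_entry, addresses, rule_set, rule):
    """Build commands that swap the unsupported dns-name address for IP prefixes."""
    base = f"security nat source rule-set {rule_set} rule {rule} match"
    # Drop the reference that fails commit check ...
    commands = [f"delete {base} source-address-name {dns_entry}"]
    # ... and match on each resolved address directly.
    commands += [f"set {base} source-address {addr}/32" for addr in addresses]
    return commands


def fake_resolver(host, port, family, socktype):
    """Constructed DNS answer (documentation range) so the example runs offline."""
    answers = ["192.0.2.20", "192.0.2.10", "192.0.2.20"]  # duplicate on purpose
    return [(family, socktype, 6, "", (ip, 0)) for ip in answers]


if __name__ == "__main__":
    # Pass resolver=socket.getaddrinfo (the default) to query real DNS instead.
    ips = resolve_ipv4("123.com", resolver=fake_resolver)
    for line in nat_workaround_commands("123", ips, "Trust_to_Untrust", "rule1"):
        print(line)
```

Review the printed commands, load them in configuration mode, and run commit check before committing.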