Hello again. Recently, I configured remote access to my ESXi servers, which are behind the JSRX 210. I used these commands, and everything works great (x.x.x.x is my public address):

    edit security nat destination
    set pool dst-nat-pool-esxi1 address 172.16.254.11 port 443
    set pool dst-nat-pool-esxi2 address 172.16.254.12 port 443
    set rule-set rs1 from zone untrust
    set rule-set rs1 rule r1 match destination-address x.x.x.x
    set rule-set rs1 rule r1 match destination-port 11443
    set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-esxi1
    set rule-set rs1 rule r2 match destination-address x.x.x.x
    set rule-set rs1 rule r2 match destination-port 12443
    set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-esxi2
    exit
    edit security nat
    set proxy-arp interface ge-0/0/0.0 address x.x.x.x
    exit
    edit security
    set zones security-zone trust address-book address esxi1 172.16.254.11/32
    set zones security-zone trust address-book address esxi2 172.16.254.12/32
    exit
    edit security policies from-zone untrust to-zone trust
    set policy cloud-access match source-address any destination-address [ esxi1 esxi2 ] application any
    set policy cloud-access then permit
    exit
    commit confirmed 120
However, I wanted to add another set of rules, to get into the iDRAC interfaces, by doing this:

    edit security nat destination
    set pool dst-nat-pool-esxi1-idrac6 address 172.16.254.201 port 443
    set pool dst-nat-pool-esxi2-idrac6 address 172.16.254.202 port 443
    set rule-set rs2 from zone untrust
    set rule-set rs2 rule r1 match destination-address x.x.x.x
    set rule-set rs2 rule r1 match destination-port 61443
    set rule-set rs2 rule r1 then destination-nat pool dst-nat-pool-esxi1-idrac6
    set rule-set rs2 rule r2 match destination-address x.x.x.x
    set rule-set rs2 rule r2 match destination-port 62443
    set rule-set rs2 rule r2 then destination-nat pool dst-nat-pool-esxi2-idrac6
    exit
    edit security nat
    set proxy-arp interface ge-0/0/0.0 address x.x.x.x
    exit
    edit security
    set zones security-zone trust address-book address esxi1-idrac6 172.16.254.201/32
    set zones security-zone trust address-book address esxi2-idrac6 172.16.254.202/32
    exit
    edit security policies from-zone untrust to-zone trust
    set policy cloud-access match source-address any destination-address [ esxi1-idrac6 esxi2-idrac6 ] application any
    set policy cloud-access then permit
    exit
    commit confirmed 120
But it did not work; I got this message:

    [edit security nat destination]
      'rule-set rs2'
        rule-set rs1 and rule-set rs2 have same context
    error: configuration check-out failed
Which I do not understand. Does it mean that I can't add more rules? But why?
How should I add (append) other rules?
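The commit error above is the SRX refusing two destination-NAT rule-sets with the same "from" context (here both are "from zone untrust"). The script below is an added example, not part of the original post: it embeds a constructed copy of the two posted rule-sets (in the same set-command form, relative to edit security nat destination, with x.x.x.x kept as a placeholder), runs the same uniqueness check the commit performs, and then produces the merged configuration in which the iDRAC rules are appended to rs1 as r3 and r4 instead of living in a second rule-set. The parsing of the set commands and the renumbering scheme are this example's own assumptions, not a Junos tool.

```python
"""Lint Junos SRX destination-NAT 'set' commands for duplicate rule-set contexts
(the condition behind 'rule-set rs1 and rule-set rs2 have same context') and emit a
merged configuration that appends the extra rules to the existing rule-set.

Added example; the set lines below are a constructed copy of the two rule-sets in
the post, not configuration taken from a live device."""
import re
from collections import defaultdict

POSTED_RS1 = """\
set rule-set rs1 from zone untrust
set rule-set rs1 rule r1 match destination-address x.x.x.x
set rule-set rs1 rule r1 match destination-port 11443
set rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-esxi1
set rule-set rs1 rule r2 match destination-address x.x.x.x
set rule-set rs1 rule r2 match destination-port 12443
set rule-set rs1 rule r2 then destination-nat pool dst-nat-pool-esxi2
"""

POSTED_RS2 = """\
set rule-set rs2 from zone untrust
set rule-set rs2 rule r1 match destination-address x.x.x.x
set rule-set rs2 rule r1 match destination-port 61443
set rule-set rs2 rule r1 then destination-nat pool dst-nat-pool-esxi1-idrac6
set rule-set rs2 rule r2 match destination-address x.x.x.x
set rule-set rs2 rule r2 match destination-port 62443
set rule-set rs2 rule r2 then destination-nat pool dst-nat-pool-esxi2-idrac6
"""

# "from zone untrust", "from interface ge-0/0/0.0" or "from routing-instance X"
FROM_RE = re.compile(r"^set rule-set (\S+) from (\S+ \S+)$")
RULE_RE = re.compile(r"^set rule-set (\S+) rule (\S+) (.+)$")


def parse(text):
    """Return ({rule_set: from_context}, {rule_set: {rule: [stanza lines]}})."""
    contexts = {}
    rules = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FROM_RE.match(line)
        if m:
            contexts[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rules[m.group(1)][m.group(2)].append(m.group(3))
            continue
        raise ValueError(f"unrecognised line: {line}")
    missing = set(rules) - set(contexts)
    if missing:
        raise ValueError(f"rule-set(s) without a 'from' context: {sorted(missing)}")
    return contexts, rules


def duplicate_contexts(contexts):
    """Map each 'from' context shared by more than one rule-set to those rule-sets.
    A non-empty result is exactly what makes the SRX commit fail."""
    by_ctx = defaultdict(list)
    for rule_set, ctx in contexts.items():
        by_ctx[ctx].append(rule_set)
    return {ctx: sorted(rss) for ctx, rss in by_ctx.items() if len(rss) > 1}


def merge_rule_sets(text):
    """Fold every rule-set whose context duplicates an earlier rule-set into that
    earlier one, renaming the moved rules to the next free rN so names stay unique.
    Rule order within each rule-set is preserved, so lookup behaviour does not change."""
    contexts, rules = parse(text)
    owner_for_ctx = {}                 # from-context -> rule-set that keeps it
    out_rules = defaultdict(dict)      # rule-set -> {rule: stanza lines}
    out_ctx = {}
    for rule_set, ctx in contexts.items():
        target = owner_for_ctx.setdefault(ctx, rule_set)
        out_ctx[target] = ctx
        for rule, stanza in rules[rule_set].items():
            name = rule
            if target != rule_set or name in out_rules[target]:
                n = len(out_rules[target]) + 1
                name = f"r{n}"
                while name in out_rules[target]:
                    n += 1
                    name = f"r{n}"
            out_rules[target][name] = stanza
    lines = []
    for rule_set, ctx in out_ctx.items():
        lines.append(f"set rule-set {rule_set} from {ctx}")
        for rule, stanza in out_rules[rule_set].items():
            lines.extend(f"set rule-set {rule_set} rule {rule} {s}" for s in stanza)
    return "\n".join(lines)


if __name__ == "__main__":
    posted = POSTED_RS1 + POSTED_RS2
    print("duplicate contexts:", duplicate_contexts(parse(posted)[0]))
    print(merge_rule_sets(posted))
```

Running it flags "zone untrust" as shared by rs1 and rs2 and prints a single rs1 block whose r3 and r4 carry the 61443 and 62443 iDRAC rules; those set lines, entered under edit security nat destination (after deleting the rejected rs2), replace the second rule-set. The merged NAT block does not change the security policy, which still permits source-address any to the iDRAC addresses, so narrowing that source match is a separate decision.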