destination-address (Security Policies Flag)
Syntax
Hierarchy Level
Release Information
Statement introduced in Junos OS Release 9.2.
Description
Specify whether the traffic permitted by the security policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule or to packets where the destination IP address has not been translated.
On Juniper Networks security devices, destination NAT rules are processed before security policy lookup. Therefore, it is possible for a security policy to permit traffic from a source S to a destination D (where no destination NAT is performed) and also to permit traffic from the source S to the destination d (where d has been translated to D).
Options
drop-translated—Drop packets with translated destination IP addresses. Traffic permitted by the security policy is limited to packets where the destination IP address has not been translated.
drop-untranslated—Drop packets without translated destination IP addresses. Traffic permitted by the security policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule.
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.