destination-address (Security Policies Flag)

Syntax

destination-address {
    drop-translated;
    drop-untranslated;
}

Hierarchy Level

[edit security policies from-zone zone-name to-zone zone-name policy policy-name then permit]

Release Information

Statement introduced in Release 9.2 of Junos OS.

Description

Specify whether the traffic permitted by the security policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule or to packets where the destination IP address has not been translated.

On Juniper Networks security devices, destination NAT rules are processed before security policy lookup. Therefore, a single security policy can permit both traffic from a source S sent directly to a destination D (where no destination NAT is performed) and traffic from the source S sent to the destination d (where d has been translated to D).

Options

drop-translated—Drop packets with translated destination IP addresses. Traffic permitted by the security policy is limited to packets where the destination IP address has not been translated.

drop-untranslated—Drop packets without translated destination IP addresses. Traffic permitted by the security policy is limited to packets where the destination IP address has been translated by means of a destination NAT rule.
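The following configuration is an added illustration, not taken from the original page or from the Junos OS Security Configuration Guide. It shows the case from the Description: the policy matches the real server address D, and drop-untranslated limits it to sessions that arrived through the destination NAT rule. The zone names, pool, rule-set, rule, address-book and policy names, and both addresses (d = 203.0.113.10, D = 10.1.1.10) are assumptions chosen for the example.

```junos
# Destination NAT: public address d (203.0.113.10) is translated to
# the real server address D (10.1.1.10). All names and addresses here
# are assumed values for illustration.
set security nat destination pool web-pool address 10.1.1.10/32
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule r1 match destination-address 203.0.113.10/32
set security nat destination rule-set from-untrust rule r1 then destination-nat pool web-pool

# Address-book entry for D. Policy lookup runs after destination NAT,
# so the policy matches on the translated address D, not on d.
set security zones security-zone trust address-book address web-server 10.1.1.10/32

# Without the flag, this policy would permit both:
#   S -> 10.1.1.10     (sent directly to D, no translation)
#   S -> 203.0.113.10  (sent to d, translated to D by rule r1)
set security policies from-zone untrust to-zone trust policy allow-web match source-address any
set security policies from-zone untrust to-zone trust policy allow-web match destination-address web-server
set security policies from-zone untrust to-zone trust policy allow-web match application junos-http

# drop-untranslated: permit only packets whose destination address was
# translated by a destination NAT rule; packets sent directly to D are dropped.
set security policies from-zone untrust to-zone trust policy allow-web then permit destination-address drop-untranslated
```

With this policy, traffic addressed to 203.0.113.10 is permitted after translation, while traffic from the same zone addressed directly to 10.1.1.10 is dropped even though it matches the policy's destination address.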

Usage Guidelines

For configuration instructions and examples, see the Junos OS Security Configuration Guide.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.