I don't think you would need the proxy-arp for IP 76.76.76.1, since it's probably already set up as the IP on your untrust interface.
ALSO, a question if anyone has the answer... I thought proxy-arp was for destination NAT only; however, this seems to be the only way I can get the SRX to source from another IP on the same subnet as the external interface...
WOULD adding a secondary IP to the untrust interface be better practice than proxy-arp?
Cheers!
admin@SRX240# show | compare
[edit interfaces vlan]
+ unit 20 {
+ family inet {
+ address 192.168.20.254/24;
+ }
+ }
+ unit 30 {
+ family inet {
+ address 192.168.30.254/24;
+ }
+ }
[edit security nat source]
+ pool ISPIPOne {
+ address {
+ 76.76.76.1/32;
+ }
+ }
+ pool ISPIPTwo {
+ address {
+ 76.76.76.2/32;
+ }
+ }
[edit security nat source]
rule-set interface-nat { ... }
+ rule-set company1 {
+ from zone company1;
+ to zone untrust;
+ rule nat-pat {
+ match {
+ source-address 192.168.20.0/24;
+ destination-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ pool {
+ ISPIPOne;
+ }
+ }
+ }
+ }
+ }
+ rule-set company2 {
+ from zone company2;
+ to zone untrust;
+ rule nat-pat-2 {
+ match {
+ source-address 192.168.30.0/24;
+ destination-address 0.0.0.0/0;
+ }
+ then {
+ source-nat {
+ pool {
+ ISPIPTwo;
+ }
+ }
+ }
+ }
+ }
[edit security nat]
+ proxy-arp {
+ interface ge-0/0/0.0 {
+ address {
+ 76.76.76.1/32;
+ 76.76.76.2/32;
+ }
+ }
+ }
[edit security zones]
security-zone vpn { ... }
+ security-zone company1 {
+ host-inbound-traffic {
+ system-services {
+ any-service;
+ }
+ }
+ interfaces {
+ vlan.20;
+ }
+ }
+ security-zone company2 {
+ host-inbound-traffic {
+ system-services {
+ any-service;
+ }
+ }
+ interfaces {
+ vlan.30;
+ }
+ }
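Review bot: `any-service` under `host-inbound-traffic` in both company1 and company2 lets every host on vlan.20 and vlan.30 reach every system service the SRX itself runs, management services included. These zones appear to need the SRX only as a gateway, so list just the services required, for example `system-services { ping; dhcp; }`. Keep management access in a separate zone or interface. The same change applies to both zones in this hunk.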
[edit security policies]
from-zone untrust to-zone vpn { ... }
+ from-zone company1 to-zone untrust {
+ policy default-permit {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
+ from-zone company2 to-zone untrust {
+ policy default-permit {
+ match {
+ source-address any;
+ destination-address any;
+ application any;
+ }
+ then {
+ permit;
+ }
+ }
+ }
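Review bot: Both `default-permit` policies allow any application to any destination without logging, so no session record ties outbound traffic seen behind 76.76.76.1 or 76.76.76.2 back to an internal host. Changing each to `then { permit; log { session-close; } }` provides that audit trail. No company1-to-company2 policy is added here, so isolation between the two tenants depends on the device's default policy being deny. This output does not show that setting, so it is worth confirming before relying on the separation.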
[edit vlans]
+ v20 {
+ vlan-id 20;
+ interface {
+ ge-0/0/4.0;
+ }
+ l3-interface vlan.20;
+ }
+ v30 {
+ vlan-id 30;
+ interface {
+ ge-0/0/5.0;
+ }
+ l3-interface vlan.30;
+ }
[edit]