03-06-2013 06:30 AM
I'm working on migrating a network currently running on Mikrotik appliances to an SRX. The existing layout is:
Inside int - 220.127.116.11/24 (Public) and 192.168.1.1/24 (Private)
Outside int - 18.104.22.168/30
So far, easy to replicate. My uplink is on one interface in zone untrust, the new int is in a new zone called Public_DMZ. No NAT involved yet as they route the private ranges within their AS... not my choice but I have to match for now.
Where it gets interesting is trying to roll in the port forwards they're doing:
22.214.171.124 port 25 => 126.96.36.199 port 25
188.8.131.52 port 26 => 184.108.40.206 port 25
220.127.116.11 port 53 => 18.104.22.168 port 53
22.214.171.124 port 53 => 126.96.36.199 port 53
188.8.131.52 port 587 => 184.108.40.206 port 25
220.127.116.11 port 8443 => 192.168.1.27 port 8443
Normally I'd anticipate doing proxy-arp for the left-side IPs, but in many cases they're existing systems. The SMTP submission port remap to port 25 is a good example of that. The traffic will be driven to the SRX via a static route on the upstream router. Do I need the SRX to assume control of the left-side IPs for it to do destination NAT on them, or will it still process the traffic without the SRX being the final destination pre-port-forward?
03-06-2013 09:53 AM
If I'm understanding this correctly (blame the lack of caffeine if I'm not...) then I don't think you'll need any proxy ARP in this case. Your public IPs are routed to your SRX over your PTP /30 link, so the first place those packets land is going to be the SRX, regardless.
Proxy ARP is more for cases when you have additional IPs that are in the same network as your uplink, for example, and the SRX has to masquerade as additional hosts in that network.
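As a worked illustration of the answer above (added here; it is not configuration from either poster), the port-forward table from the question expressed as SRX destination NAT, with no proxy-arp at all: the rule-set matches on the pre-NAT addresses that the upstream router already routes to the SRX over the /30, and the security policy is written against the post-NAT (real server) addresses, because policy lookup happens after destination NAT. Interface names, the pool and rule names, the `mail-server`/`web-server` address-book entries, the placement of 192.168.1.27 in the Public_DMZ zone, and the use of a global address book (Junos 11.2 or later) are assumptions; the IP addresses and ports are copied as they appear in the question. Lines starting with `#` are explanatory and should be dropped before pasting into the CLI.

```junos
# --- Destination NAT pools: real server address plus the port to rewrite to ---
set security nat destination pool mail-25 address 126.96.36.199/32 port 25
set security nat destination pool mail2-25 address 184.108.40.206/32 port 25
set security nat destination pool dns-53 address 126.96.36.199/32 port 53
set security nat destination pool dns2-53 address 18.104.22.168/32 port 53
set security nat destination pool web-8443 address 192.168.1.27/32 port 8443

# --- Rule-set: match on the public (pre-NAT) address/port as it arrives from untrust ---
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule smtp match destination-address 22.214.171.124/32
set security nat destination rule-set from-untrust rule smtp match destination-port 25
set security nat destination rule-set from-untrust rule smtp match protocol tcp
set security nat destination rule-set from-untrust rule smtp then destination-nat pool mail-25
# port remaps (26 -> 25 and 587 -> 25): the pool's port does the rewrite
set security nat destination rule-set from-untrust rule smtp-26 match destination-address 188.8.131.52/32
set security nat destination rule-set from-untrust rule smtp-26 match destination-port 26
set security nat destination rule-set from-untrust rule smtp-26 match protocol tcp
set security nat destination rule-set from-untrust rule smtp-26 then destination-nat pool mail2-25
set security nat destination rule-set from-untrust rule submission match destination-address 188.8.131.52/32
set security nat destination rule-set from-untrust rule submission match destination-port 587
set security nat destination rule-set from-untrust rule submission match protocol tcp
set security nat destination rule-set from-untrust rule submission then destination-nat pool mail2-25
# DNS needs both transports; protocol accepts a list
set security nat destination rule-set from-untrust rule dns match destination-address 22.214.171.124/32
set security nat destination rule-set from-untrust rule dns match destination-port 53
set security nat destination rule-set from-untrust rule dns match protocol [ tcp udp ]
set security nat destination rule-set from-untrust rule dns then destination-nat pool dns-53
set security nat destination rule-set from-untrust rule dns2 match destination-address 220.127.116.11/32
set security nat destination rule-set from-untrust rule dns2 match destination-port 53
set security nat destination rule-set from-untrust rule dns2 match protocol [ tcp udp ]
set security nat destination rule-set from-untrust rule dns2 then destination-nat pool dns2-53
set security nat destination rule-set from-untrust rule https-alt match destination-address 220.127.116.11/32
set security nat destination rule-set from-untrust rule https-alt match destination-port 8443
set security nat destination rule-set from-untrust rule https-alt match protocol tcp
set security nat destination rule-set from-untrust rule https-alt then destination-nat pool web-8443

# --- Policy is evaluated after DNAT, so it references the translated addresses ---
set security address-book global address mail-server 126.96.36.199/32
set security address-book global address mail-server-2 184.108.40.206/32
set security address-book global address dns-server-2 18.104.22.168/32
set security address-book global address web-server 192.168.1.27/32
set applications application tcp-8443 protocol tcp destination-port 8443
set security policies from-zone untrust to-zone Public_DMZ policy allow-smtp match source-address any
set security policies from-zone untrust to-zone Public_DMZ policy allow-smtp match destination-address [ mail-server mail-server-2 ]
set security policies from-zone untrust to-zone Public_DMZ policy allow-smtp match application junos-smtp
set security policies from-zone untrust to-zone Public_DMZ policy allow-smtp then permit
set security policies from-zone untrust to-zone Public_DMZ policy allow-dns match source-address any
set security policies from-zone untrust to-zone Public_DMZ policy allow-dns match destination-address [ mail-server dns-server-2 ]
set security policies from-zone untrust to-zone Public_DMZ policy allow-dns match application [ junos-dns-udp junos-dns-tcp ]
set security policies from-zone untrust to-zone Public_DMZ policy allow-dns then permit
set security policies from-zone untrust to-zone Public_DMZ policy allow-8443 match source-address any
set security policies from-zone untrust to-zone Public_DMZ policy allow-8443 match destination-address web-server
set security policies from-zone untrust to-zone Public_DMZ policy allow-8443 match application tcp-8443
set security policies from-zone untrust to-zone Public_DMZ policy allow-8443 then permit
```

Two points worth checking after commit. First, the policies deliberately permit only the forwarded applications rather than `any`, so a host that is reachable by routing (the private ranges are routed inside the AS, per the question) does not become reachable on every port just because it sits behind a DNAT rule; the return traffic of the forwarded sessions is handled by the existing flow, with no source NAT needed. Second, `show security nat destination rule all` shows hit counts per rule and `show security flow session destination-port 25` shows the translated 'Out' leg of a live session, which is the quickest way to confirm the rewrite (for example 587 becoming 25) is actually happening. Proxy-arp would only enter the picture if one of the left-side addresses lived inside the uplink's own subnet rather than being routed to the SRX.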