SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Juniper SRX3400 NAT Proxy ARP

    Posted 06-08-2013 00:17

    Hi, I am using an SRX3400 chassis cluster and I have configured reth0 to be in the untrust zone. I want to perform pool-based source NAT for many subnets on the inside network. I am wondering about the proxy ARP: the subnet of the pool I am using is different from the subnet of reth0. Do I still have to configure proxy ARP? Please find my configuration below:

    set security nat source pool Internet-Pool address 109.223.35.248/29
    set security nat source rule-set PAT1 from zone trust
    set security nat source rule-set PAT1 to zone untrust
    set security nat source rule-set PAT1 rule 1 match source-address [10.122.0.0/17 10.101.0.0/17 10.112.0.0/15 10.100.0.0/16 10.110.0.0/16 10.18.0.0/15 10.20.0.0/15 172.0.0.0/8]
    set security nat source rule-set PAT1 rule 1 match destination-address 0.0.0.0/0
    set security nat source rule-set PAT1 rule 1 then source-nat pool Internet-Pool
    set security nat source address-persistent
    set security nat proxy-arp interface reth0 address 109.223.35.249 to 109.223.249.54

    Is this configuration correct? By the way, is there any way to group the addresses between [ ] so they look nicely formatted?

    Thank you for helping me.



  • 2.  RE: Juniper SRX3400 NAT Proxy ARP

    Posted 06-09-2013 08:49

    The point for the proxy ARP is where the traffic is originated. If on a locally connected subnet, then you need proxy ARP. In this case the source will ARP for the NAT address. If the traffic is originated remotely and routed to your SRX, the ARP request will be for the gateway address in the primary subnet, so you don't need proxy ARP. Does that make sense to you?



  • 3.  RE: Juniper SRX3400 NAT Proxy ARP

    Posted 06-10-2013 04:05

    Hello Screenie,

    Thank you for your reply.

    I'm still a little bit confused about proxy ARP.

    In the Juniper documentation, they say that NAT proxy ARP is required for IP addresses that need NAT and belong to the subnet of the ingress interface, and I understand this very well.

    But in my case the subnet of the NAT pool is different from the subnet of the reth0 interface. Do I still need to configure NAT proxy ARP for the NAT pool?

    Thanks again.

    Best Regards,



  • 4.  RE: Juniper SRX3400 NAT Proxy ARP

    Posted 06-10-2013 06:09

    You need the proxy if one of the NAT addresses is contacted directly, without a router in between. If there's a router between the source and your NAT pool, the router closest to the SRX will have a route, holding the NAT range, to the gateway address of the SRX. In this case this router will ARP for the gateway address of the router, not for a NAT address. It "sees" the SRX as next-hop for the NAT range. So it will find the MAC address of the SRX using its gateway address.


  • 5.  RE: Juniper SRX3400 NAT Proxy ARP

    Posted 06-10-2013 08:40

    Hi Screenie,

    Kindly check the attached. Thank you for your help.

     

    Best Regards,

    Haitham Jneid



  • 6.  RE: Juniper SRX3400 NAT Proxy ARP
    Best Answer

    Posted 06-11-2013 10:29

    I don't think you need the proxy ARP in this case, but it can't hurt either.



  • 7.  RE: Juniper SRX3400 NAT Proxy ARP

    Posted 06-12-2013 04:04

    Here is an example that also explains proxy ARP. Basically, the translated address of the internal host belongs to the same subnet as the incoming interface (which is outside), so it would simply drop the ARP packet because it assumes that the packet is meant for another host. But proxy ARP says: nope, I know who you really want to talk to, and that host is inside my NAT, so I will forward the ARP request for you.

    Attachment: proxy ARP.docx (604 KB, 1 version)
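The rule the replies above describe, turned into a small check, as an added example that is not part of the thread or of any Juniper tool: proxy ARP is only needed when the pool overlaps the directly connected subnet of the NAT interface, and the proxy-arp range should cover the pool's usable hosts. The reth0 subnet (198.51.100.1/30) and the second pool (198.51.100.200/29) are assumed values chosen to show both cases; the rest comes from the original post.

```python
import ipaddress

# Values from the original post; the range end is exactly as typed there.
INTERFACE = "reth0"
POOL = "109.223.35.248/29"
POSTED_PROXY_ARP_RANGE = ("109.223.35.249", "109.223.249.54")
# Assumed (not in the thread): the address configured on reth0.
ASSUMED_RETH0 = "198.51.100.1/30"


def proxy_arp_needed(pool: str, interface_prefix: str) -> bool:
    """True when the pool shares the connected subnet of the NAT interface.

    Only then will the neighbour ARP for pool addresses directly. A routed
    pool prefix is reached via the SRX's own interface address, so proxy ARP
    has nothing to answer for it."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    iface_net = ipaddress.ip_network(interface_prefix, strict=False)
    return pool_net.overlaps(iface_net)


def proxy_arp_statement(interface: str, pool: str) -> str:
    """Render the proxy-arp set command covering every usable pool address."""
    hosts = list(ipaddress.ip_network(pool, strict=False).hosts())
    return (f"set security nat proxy-arp interface {interface} "
            f"address {hosts[0]} to {hosts[-1]}")


def range_outside_pool(pool: str, start: str, end: str) -> list:
    """Return range endpoints that do not belong to the pool (a typo check)."""
    net = ipaddress.ip_network(pool, strict=False)
    return [a for a in (start, end) if ipaddress.ip_address(a) not in net]


if __name__ == "__main__":
    # Case from the thread: pool in a separate subnet from reth0.
    print("needed (routed pool):", proxy_arp_needed(POOL, ASSUMED_RETH0))
    # Assumed contrasting case: pool carved out of reth0's own /24.
    print("needed (connected pool):",
          proxy_arp_needed("198.51.100.200/29", "198.51.100.1/24"))
    print(proxy_arp_statement(INTERFACE, POOL))
    print("outside pool:", range_outside_pool(POOL, *POSTED_PROXY_ARP_RANGE))
```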