SRX

Hopefully someone can help as I am probably overlooking something simple but cannot see what it might be.

Trying to setup a new SRX100 to handle traffic for a few servers and services.

We have Verizon DSL with a static 5 ip block xxx.yyy.zzz.96/29.  Not sure if it's a configuration or isp issue.

I think I've followed the available guides for setting up destination/source nat and proxy-arp (configuration attached)

It seems like the issue is that the SRX is not responding to ARP packets from the ISP.

monitor traffic interface fe-0/0/0 no-resolve results in the following typical traffic:

 

After a commit (with fe-0/0/0 using the .100 address) the router gARPs for .100 but never answers ARP requests for the others.

 

 

 

Show route output:

 

 

 

If I manually change fe-0/0/0.0 to the other two addresses (.101 and .102) the router will gARP for those and traffic to all three addresses (.100, .101, .102) is directed to the SRX for the few hours it takes Verizon to drop the ARP entry.

During the time traffic is directed at the SRX, "show security nat destination pool all" shows increasing translation hits

Show route output after setting fe-0/0/0 to .101 address and proxy-arp set for .100 and .102:

 

 

Thanks for your assistance!

 

 

 

 

 

Let me see if I understand your issue.

Your ISP has allocated a /29 to you. You have a DSL modem connected to the SRX and you want the SRX to respond to all IP addresses, minus net/broadcast and router IP. Is this correct?

Is the modem running in bridge/half-bridge mode?

If the above is correct, then you do not need to use proxy arp to get the SRX to respond to the IP within the /29. I have a similar setup in my lab, but I use the SRX210 modem PIM.

Thanks for taking a look.

The modem is in bridge mode.  How do I get the SRX to respond to ARP requests for more than just its interface IP?

Right now it isn't responding to anything but .100 because the other two haven't been swapped to the interface for hours.

There are two ways (that I know of) of getting your setup to work.

 

1.  if the modem offers PPPoA with DHCP, then you can get the SRX to get its IP WAN facing interface to get its IP via DHCP and then maue sure that the source/dst nat rules are setup to use these IP addresses as and when needed.

2.  The other option is to add several IP addresses (multi-home) on the WAN interface, and again use the NAT rules to specify how the IPs are used.

 

interfaces {
    fe-0/0/0 {
        description "Connection to Internet via Netgear ADSL Router.";
        unit 0 {
            family inet {

                address xxx.xxx.xxx.xx6/29;
                address xxx.xxx.xxx.xx7/29;
            }
        }
    }
}

routing-options {
    static {
        route 0.0.0.0/0 next-hop xxx.xxx.xxx.xx8;  where the next-hop is the IP address of the modem.
    }
}


security {  
  nat {
        source {
            pool WAN_xxx-xxx-xxx-xx4 {
                address {
                    xxx.xxx.xxx.xx4/32;
                }
            }
            pool WAN_xxx-xxx-xxx-xx6 {
                address {
                    xxx.xxx.xxx.xx6/32;
                }
            }
            pool WAN_xxx-xxx-xxx-xx7 {
                address {
                    xxx.xxx.xxx.xx7/32;
                }
            }
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule trust-source-nat-rule {
                    match {
                        source-address 192.168.253.0/24;   [My LAN (one of) subnet range
                    }
                    then {
                        source-nat {
                            pool {
                                WAN_xxx-xxx-xxx-xx6;
                            }
                        }
                    }
                }
            }
}
}

 

Thanks John & Mark,

 

Combination of the two of your suggestions fixed my issue.

Mark's issue (http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-strange-ARP-issue/m-p/158076)

 

After adding the addresses to the interface and adding the arp-resp unrestricted the SRX properly responds to Verizon's ARP requests.

 

fe-0/0/0 {
    description "Primary WAN";
    unit 0 {
        arp-resp unrestricted;
        family inet {
            address xxx.yyy.zzz.100/29;
            address xxx.yyy.zzz.101/29;
            address xxx.yyy.zzz.102/29;
        }
    }
}

01:20:15.949276  In arp who-has xxx.yyy.zzz.101 tell 71.97.229.1
01:20:24.019138  In arp who-has xxx.yyy.zzz.101 tell 71.97.229.1
01:20:24.019243 Out arp reply xxx.yyy.zzz.101 is-at <mySRX_MAC_ADDR>
01:22:30.294840  In arp who-has xxx.yyy.zzz.102 tell 71.97.229.1
01:22:30.294949 Out arp reply xxx.yyy.zzz.102 is-at <mySRX_MAC_ADDR>

---

01:20:15.949276  In arp who-has xxx.yyy.zzz.101 tell 71.97.229.1
01:20:24.019138  In arp who-has xxx.yyy.zzz.101 tell 71.97.229.1
01:20:24.019243 Out arp reply xxx.yyy.zzz.101 is-at <mySRX_MAC_ADDR>
01:22:30.294840  In arp who-has xxx.yyy.zzz.102 tell 71.97.229.1
01:22:30.294949 Out arp reply xxx.yyy.zzz.102 is-at <mySRX_MAC_ADDR>

---

Hello, which command do you use to display these prompt?