SRX Services Gateway
Contributor
Posts: 94
Registered: ‎10-19-2013
0 Kudos
Accepted Solution

STATIC NAT and PROXY ARP Scenario on SRX

Hi everybody,

 

Please consider following scenarios:

 

 

CASE1

    Host)10.10.10.10/24----10.10.10.1/24 F1 SRX F2 /1.1.1.1/24---1.1.1.2/24 PE-Internet

 

Above we are using STATIC NAT, so whenever Host 10.10.10.10 talks to someone across the Internet, the SRC IP 10.10.10.10 is replaced by 199.199.199.1.

Similarly, all traffic from the Internet arriving on F2 on the SRX destined to 199.199.199.1 has its destination IP replaced with 10.10.10.10.

 

In the above scenario, we do not need to enable proxy ARP for 199.199.199.1 under F2, because we will never receive an ARP request for 199.199.199.1 from the PE: as far as the PE is concerned, 199.199.199.1 lies behind 1.1.1.1. Since the PE does not see 199.199.199.1 as directly connected, it will not send any ARP for 199.199.199.1.

Am I correct?

 

CASE2:

  Host)10.10.10.10/24----10.10.10.1/24 F1 SRX F2 /1.1.1.1/24---1.1.1.2/24 PE-Internet

Above we are using STATIC NAT; all traffic from 10.10.10.10 destined to the Internet will have its SRC IP 10.10.10.10 replaced by 1.1.1.3.

Similarly, all traffic from the Internet arriving on F2 destined to 1.1.1.3 will have its DEST IP replaced by 10.10.10.10.

For this case, we have to enable proxy ARP for 1.1.1.3, as the PE sees 1.1.1.3 as directly connected and thus will send an ARP for 1.1.1.3 if it receives any packet for 1.1.1.3.

Am I correct?

 

 

Thanks and have a good day!!!

Contributor
Posts: 71
Registered: ‎02-03-2015
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

My opinion is that ARP proxy should be enabled on all. This is because the internal network will utilize it. Second, I think that this NAT will convert the ARP requests. It isn't a dime box like, say, a HotBrick LB2, which can create a different subnet other than its default VLAN (IP and all). The LB2 will, however, NAT the 1.1.1.1 address and send it across all domains.
Contributor
Posts: 71
Registered: ‎02-03-2015
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

Just because the subnet doesn't respond to pings doesn't mean it isn't NAT'ed.
Contributor
Posts: 71
Registered: ‎02-03-2015
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

Third, traffic will degrade if you don't ARP it.
Contributor
Posts: 94
Registered: ‎10-19-2013
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

Thanks for your response,

 

Could you please explain what you meant when you said:

"This is because the internal Network will utilize it. Second I think that this nat will convert the arp requests."

In my example, i.e. case 1, how can the internal network benefit if I enable proxy ARP as you suggested?

Secondly, NAT translation is between IPs, not ARP, as ARP is layer 2 and has no IP header available for NAT translation.

 

 

Please share your thoughts.

 

 

 

Contributor
Posts: 94
Registered: ‎10-19-2013
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

Considering my first example, please expound on:

"Third, traffic will degrade if you don't arp it."

Contributor
Posts: 94
Registered: ‎10-19-2013
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

I lost you here, please explain.

Contributor
Posts: 71
Registered: ‎02-03-2015
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

If you are using proxy ARP on any of your subnets you might want to use it on all of them, because your flow will even out. That's how it will benefit. The more you segment your net with different protocols, the more you must think about even flow. It could be a negative (but maybe not) if you have a great deal of segmented traffic. Traffic should prune out. Your addressing is vital if you are going to use proxy ARP.
Contributor
Posts: 71
Registered: ‎02-03-2015
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

NDP proxy are required together.
Contributor
Posts: 71
Registered: ‎02-03-2015
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

ARP proxy and NDP proxy are required together. My mistake on the last post....
Contributor
Posts: 94
Registered: ‎10-19-2013
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

Stumbled upon this link:

 

http://www.juniper.net/documentation/en_US/junos11.2/information-products/topic-collections/security...

 

 

It does say that for the SRX, Proxy ARP must be explicitly enabled, but it did not explain why.

For example, in case 1 I do not need to enable PROXY ARP, as the NATted IP is not within the subnet used between the SRX and the PE.

Based on the above link, Proxy ARP should not be enabled, but since it is an SRX it has to be enabled. But why, as the NATted IP is not within the subnet used between the SRX and the PE?

 

 

Thanks

Super Contributor
Posts: 95
Registered: ‎03-11-2011

Re: STATIC NAT and PROXY ARP Scenario on SRX

Yes, you were correct in the first post.

 

Documentation says proxy arp must be explicitly enabled because in Junos it's never enabled automatically. Some firewall vendors enable proxy arp automatically when NAT requires it.

 

Regards, Wojtek

 

Distinguished Expert
Posts: 5,122
Registered: ‎03-30-2009

Re: STATIC NAT and PROXY ARP Scenario on SRX

CASE1
    Host)10.10.10.10/24----10.10.10.1/24 F1 SRX F2 /1.1.1.1/24---1.1.1.2/24 PE-Internet

"Above we are using STATIC NAT, so whenever Host 10.10.10.10 talks to someone across Internet, SRC IP 10.10.10.10 is replaced by 199.199.199.1. Similarly, all traffic from Internet arriving on F2 on SRX destined to 199.199.199.1, have their destination IP replaced with 10.10.10.10. In above scenario, we do not need enable proxy arp for 199.199.199.1 under F2, because we will never receive ARP request for 199.199.199.1 from PE, because as far as PE is concerned 199.199.199.1 lies behind 1.1.1.1 since PE does not see 199.199.199.1 as directly connected so it will not send any ARP for 199.199.199.1. Am I correct?"

This is correct as described.  There is no proxy ARP required because there is no layer 2 communication for the 199.199.199.1 IP address subnet, thus no ARP is required.

 

All that is required is that upstream device on 1.1.1.2 must have a route that forwards the 199.199.199.1 address to the next hop of 1.1.1.1 on the SRX.

 

CASE2:
  Host)10.10.10.10/24----10.10.10.1/24 F1 SRX F2 /1.1.1.1/24---1.1.1.2/24 PE-Internet

"Above we are using STATIC NAT, all traffic from 10.10.10.10 destined to Internet, will have SRC IP 10.10.10.10 replaced by 1.1.1.3. Similarly all traffic from Internet, arriving on F2, destined to 1.1.1.3 will have DEST IP replaced by 10.10.10.10. For this case, we have to enable proxy ARP for 1.1.1.3 as PE sees 1.1.1.3 directly connected thus will send ARP for 1.1.1.3 if it receives any packet for 1.1.1.3. Am I correct?"

This is also correct: since there is a layer 2 adjacency, ARP will need to occur for the forwarding of the traffic to happen.  And as you see in the linked documentation, this is a manual configuration on the SRX.  There are no automatic proxy-ARP configurations made when NAT is configured.

 

http://www.juniper.net/documentation/en_US/junos11.2/information-products/topic-collections/security...

 

The other documentation you might find helpful for this is the nat examples guide.

 

https://kb.juniper.net/library/CUSTOMERSERVICE/technotes/Junos_NAT_Examples.pdf

 

 

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor
Posts: 94
Registered: ‎10-19-2013
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

Thanks , very much appreciated!!

Contributor
Posts: 71
Registered: ‎02-03-2015
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

Says "not required".....
Distinguished Expert
Posts: 5,122
Registered: ‎03-30-2009
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

eugene1973, not sure why you want to configure something that is both unnecessary and will never be used.  There is no point in bloating a configuration with commands that are not needed.

 

In order to do a proxy ARP the interface MUST have a configured IP address in the same subnet as the address you want to proxy ARP for.  If there is no address in that subnet there is no one who can proxy the ARP for the configured address.

 

ARP is only used at all in a layer 2 segment.  If the address is layer 3 routed to the next hop of the segment there is no ARP done at all.  The packet is simply forwarded.

So adding the proxy ARP will be accepted in the configuration but never used, "not required" as the documentation says.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
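The rule stated in the two answers above (proxy ARP is needed only when the NAT address sits inside the subnet configured on the SRX interface, and is pointless otherwise) can be written down as a small check. The following Python is an added example, not code from the thread or from Juniper: it applies that rule to both of the original cases and renders the matching Junos `set` commands. The interface name `ge-0/0/1.0`, the zone name `untrust`, and the rule-set/rule names are assumptions chosen for illustration; the static-NAT and proxy-arp command syntax is standard Junos, but verify it against the documentation for your release.

```python
import ipaddress
from typing import List, Optional


def proxy_arp_required(interface_cidr: str, nat_address: str) -> bool:
    """Decide whether the SRX must answer ARP for a static-NAT address.

    ARP only exists on the layer-2 segment. The upstream router (the PE in
    the thread) sends an ARP request for the NAT address only when that
    address falls inside the subnet it shares with the SRX interface.
    If the NAT address is the interface's own address, the interface answers
    ARP itself and no proxy entry is needed. Outside the subnet, a proxy-ARP
    entry would be accepted by the CLI but never used.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    nat_ip = ipaddress.ip_address(nat_address)
    if nat_ip.version != iface.ip.version:
        raise ValueError("NAT address and interface address must be the same IP version")
    if nat_ip == iface.ip:
        return False
    return nat_ip in iface.network


def upstream_route_needed(interface_cidr: str, nat_address: str) -> Optional[str]:
    """Return the route the upstream device must carry when ARP cannot be used.

    This is the other half of the thread's answer: when the NAT address is
    not on the shared segment, the PE needs a route for it pointing at the
    SRX interface address. Returns None when proxy ARP covers the address.
    """
    if proxy_arp_required(interface_cidr, nat_address):
        return None
    iface = ipaddress.ip_interface(interface_cidr)
    return f"{nat_address}/32 via {iface.ip}"


def render_static_nat(ifl: str, interface_cidr: str, nat_address: str,
                      internal_address: str, rule_set: str = "from-internet",
                      rule: str = "host-a") -> List[str]:
    """Build Junos 'set' commands for one static NAT mapping (assumed names).

    Emits the interface address, the static rule (external NAT address <->
    internal host) and adds the proxy-ARP entry only when the PE will
    actually ARP for the address. The zone 'untrust' is an assumption.
    """
    iface = ipaddress.ip_interface(interface_cidr)
    phys, unit = ifl.split(".")
    cmds = [
        f"set interfaces {phys} unit {unit} family inet address {iface.with_prefixlen}",
        f"set security nat static rule-set {rule_set} from zone untrust",
        f"set security nat static rule-set {rule_set} rule {rule} "
        f"match destination-address {nat_address}/32",
        f"set security nat static rule-set {rule_set} rule {rule} "
        f"then static-nat prefix {internal_address}/32",
    ]
    if proxy_arp_required(interface_cidr, nat_address):
        cmds.append(f"set security nat proxy-arp interface {ifl} address {nat_address}/32")
    return cmds


if __name__ == "__main__":
    # Both cases from the thread: F2 = ge-0/0/1.0 with 1.1.1.1/24 facing the PE.
    for label, nat in (("CASE1", "199.199.199.1"), ("CASE2", "1.1.1.3")):
        print(f"--- {label}: NAT address {nat} ---")
        for line in render_static_nat("ge-0/0/1.0", "1.1.1.1/24", nat, "10.10.10.10"):
            print(line)
        route = upstream_route_needed("1.1.1.1/24", nat)
        if route:
            print(f"(upstream PE must route {route}; no proxy-arp needed)")
```

For case 1 the output carries no `proxy-arp` line and instead reports the route the PE needs (`199.199.199.1/32 via 1.1.1.1`); for case 2 it adds `set security nat proxy-arp interface ge-0/0/1.0 address 1.1.1.3/32`. The security policy that permits the inbound flow must still match the translated destination 10.10.10.10, since static NAT is applied before policy lookup on the SRX.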
Contributor
Posts: 71
Registered: ‎02-03-2015
0 Kudos

Re: STATIC NAT and PROXY ARP Scenario on SRX

Smiley Happy