SRX Services Gateway
Contributor
pawelek
Posts: 13
Registered: ‎11-15-2009

set proxy-arp + destination nat

Hi,
I'm trying to configure destination nat xx.xx.xx.195 -> 10.10.158.228
xx.xx.xx.195 [public] is configured as a static address on ge-0/0/0.0
trying to commit:
[edit security nat]
    proxy-arp {
        interface ge-0/0/0.0 {
           address {
                xx.xx.xx.195/32;
            }
        }
    }

error:

root@test.firewall1# commit
[edit security nat proxy-arp interface ge-0/0/0.0]
  'address xx.xx.xx.195/32'
    Proxy ARP IP address range [xx.xx.xx.195 xx.xx.xx.195] overlaps with interface IP address range [xx.xx.xx.195 xx.xx.xx.195] defined on interface 'ge-0/0/0.0'
error: configuration check-out failed

It looks like I cannot use the address configured on the interface. What if there is only one public IP address? Is there any workaround?

I was following this manual: http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf

My OS version: 10.0R3.10

Thank you,

Pawel

Recognized Expert
aweck
Posts: 255
Registered: ‎07-24-2009

Re: set proxy-arp + destination nat

What services are you trying to forward to the private IP? You may be able to resolve your problem using port-forwarding off the public IP of the SRX (no proxy-arp needed in this case) - similar to VIP off the interface in Netscreen lingo. See these threads for more info:

http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-VIP-with-Dynamic-Public-IP/m-p/35192
http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-PAT-Question/m-p/33763

Juniper Elite Partner
JNCIE-ENT #63, JNCIE-SP #705, JNCIE-SEC #17, JNCIS-FWV, JNCIS-SSL
Contributor
dscott98
Posts: 38
Registered: ‎09-04-2010

Re: set proxy-arp + destination nat

There's no need for the proxy-arp for the IP already defined on the public interface. You only need to use proxy-arp for IPs that are in your assigned range that aren't already assigned to an interface.

address xx.xx.xx.196 to xx.xx.xx.228

Contributor
gosi
Posts: 82
Registered: ‎12-11-2009

Re: set proxy-arp + destination nat

Hi pawelek,

I think you are looking for static NAT.

sebastian@lab1# edit security nat
sebastian@lab1# show static

static {
    rule-set rule-set1 {
        from zone untrust;
        rule rule1 {
            match {
                destination-address xx.xx.xx.195/32;
            }
            then {
                static-nat prefix 10.10.158.228/32;
            }
        }
    }
}
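
The port-forwarding approach aweck describes, written out as an added example that is not from any poster in this thread: destination NAT on the interface's own address, which needs no proxy-arp stanza. The pool, rule-set, policy and address-book names, the trust zone and the choice of TCP port 80 are assumptions.

```junos
/* Added example: names, the trust zone and TCP/80 are assumptions. */
security {
    nat {
        destination {
            /* Internal server and port that receive the forwarded traffic. */
            pool dnat-web {
                address 10.10.158.228/32 port 80;
            }
            rule-set dnat-from-untrust {
                from zone untrust;
                rule fwd-http {
                    match {
                        /* The interface's own address, so no proxy-arp entry. */
                        destination-address xx.xx.xx.195/32;
                        destination-port 80;
                    }
                    then {
                        destination-nat pool dnat-web;
                    }
                }
            }
        }
    }
    zones {
        security-zone trust {
            address-book {
                address web-server 10.10.158.228/32;
            }
        }
    }
    policies {
        from-zone untrust to-zone trust {
            /* Destination NAT runs before policy lookup: match the private address. */
            policy allow-http-in {
                match {
                    source-address any;
                    destination-address web-server;
                    application junos-http;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

Only the matched port is translated to 10.10.158.228; other traffic to xx.xx.xx.195 is still handled by the SRX itself, whereas a static NAT rule maps the whole address.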
