SRX Services Gateway
Showing results for 
Search instead for 
Do you mean 
Posts: 13
Registered: ‎11-15-2009
0 Kudos

set proxy-arp + destination nat


I'm trying to configure destination nat xx.xx.xx.195 ->
xx.xx.xx.195 [public] is configured as a static address on ge-0/0/0.0
trying to commit:
[edit security nat]
    proxy-arp {
        interface ge-0/0/0.0 {
           address {




root@test.firewall1# commit

[edit security nat proxy-arp interface ge-0/0/0.0]

  'address xx.xx.xx.195/32'

    Proxy ARP IP address range [xx.xx.xx.195 xx.xx.xx.195] overlaps with interface IP address range [xx.xx.xx.195 xx.xx.xx.195] defined on interface 'ge-0/0/0.0'

error: configuration check-out failed



It looks I cannot use the address configured on the interface. What if there is only one public ip address? Is there any workaround?


I was following this manual

My os version: 10.0R3.10


Thank you,


Recognized Expert
Posts: 255
Registered: ‎07-24-2009
0 Kudos

Re: set proxy-arp + destination nat

What services are you trying to forward to the private IP?  You may be able to resolve your problem using port-forwarding off the public IP of the SRX (no proxy-arp needed in this case) - similar to VIP off the interface in Netscreen lingo.  See these threads for more info:

Juniper Elite Partner
Posts: 39
Registered: ‎09-04-2010
0 Kudos

Re: set proxy-arp + destination nat

There's no need for the proxy-arp for the IP already defined on the public interface.  You only need to use proxy-arp for IP's that are in your assigned range that aren't already assigned to an interface.


address xx.xx.xx.196 to xx.xx.xx.228

Posts: 82
Registered: ‎12-11-2009
0 Kudos

Re: set proxy-arp + destination nat

Hi pawelek,


i think you are looking for static nat.


sebastian@lab1# edit security nat

sebastian@lab1# show static

static {
    rule-set rule-set1 {
        from zone untrust;
        rule rule1 {
            match {
                destination-address xx.xx.xx.195/32;
            then {
                static-nat prefix;