SRX Services Gateway
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
pawelek
Contributor
pawelek
Posts: 13
Registered: ‎11-15-2009
0

set proxy-arp + destination nat

Options

‎10-27-2010 04:53 AM

 

Hi,
I'm trying to configure destination nat xx.xx.xx.195 -> 10.10.158.228
xx.xx.xx.195 [public] is configured as a static address on ge-0/0/0.0
trying to commit:
[edit security nat]
    proxy-arp {
        interface ge-0/0/0.0 {
           address {
                xx.xx.xx.195/32;
            }
        }
    }

 

error:

 

root@test.firewall1# commit

[edit security nat proxy-arp interface ge-0/0/0.0]

  'address xx.xx.xx.195/32'

    Proxy ARP IP address range [xx.xx.xx.195 xx.xx.xx.195] overlaps with interface IP address range [xx.xx.xx.195 xx.xx.xx.195] defined on interface 'ge-0/0/0.0'

error: configuration check-out failed

 

 

It looks I cannot use the address configured on the interface. What if there is only one public ip address? Is there any workaround?

 

I was following this manual http://www.juniper.net/us/en/local/pdf/app-notes/3500151-en.pdf

My os version: 10.0R3.10

 

Thank you,

Pawel

Message 1 of 4 (3,990 Views)
 
Reply
Recognized Expert
Recognized Expert
aweck
Posts: 253
Registered: ‎07-24-2009
0

Re: set proxy-arp + destination nat

Options

‎10-27-2010 09:56 AM

What services are you trying to forward to the private IP?  You may be able to resolve your problem using port-forwarding off the public IP of the SRX (no proxy-arp needed in this case) - similar to VIP off the interface in Netscreen lingo.  See these threads for more info:

 

http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-VIP-with-Dynamic-Public-IP/m-p/35192
http://forums.juniper.net/t5/SRX-Services-Gateway/SRX-PAT-Question/m-p/33763

Juniper Elite Partner
JNCIE-ENT #63, JNCIE-SP #705, JNCIE-SEC #17, JNCIS-FWV, JNCIS-SSL
Message 2 of 4 (3,975 Views)
 
Reply
dscott98
Contributor
dscott98
Posts: 32
Registered: ‎09-04-2010
0

Re: set proxy-arp + destination nat

Options

‎11-01-2010 06:23 AM

There's no need for the proxy-arp for the IP already defined on the public interface.  You only need to use proxy-arp for IP's that are in your assigned range that aren't already assigned to an interface.

 

address xx.xx.xx.196 to xx.xx.xx.228

Message 3 of 4 (3,880 Views)
 
Reply
gosi
Contributor
gosi
Posts: 82
Registered: ‎12-11-2009
0

Re: set proxy-arp + destination nat

Options

‎11-05-2010 12:36 AM

Hi pawelek,

 

i think you are looking for static nat.

 

sebastian@lab1# edit security nat

sebastian@lab1# show static

static {
    rule-set rule-set1 {
        from zone untrust;
        rule rule1 {
            match {
                destination-address xx.xx.xx.195/32;
            }
            then {
                static-nat prefix 10.10.158.228/32;
            }
        }
    }
}

Message 4 of 4 (3,768 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.