I'm working on migrating a network currently running on Mikrotik appliances to an SRX. The existing layout is:
Inside int - 1.2.3.1/24 (Public) and 192.168.1.1/24 (Private)
Outside int - 1.2.57.2/30
So far, easy to replicate. My uplink is on one interface in zone untrust, and the new interface is in a new zone called Public_DMZ. No NAT is involved yet, as they route the private ranges within their AS... not my choice, but I have to match it for now.
Where it gets interesting is trying to roll in the port forwards they're doing:
1.2.3.28 port 25 => 1.2.3.19 port 25
1.2.3.28 port 26 => 1.2.3.19 port 25
1.2.3.12 port 53 => 1.2.3.25 port 53
1.2.3.30 port 53 => 1.2.3.25 port 53
1.2.3.17 port 587 => 1.2.3.17 port 25
1.2.3.23 port 8443 => 192.168.1.27 port 8443
Normally I'd anticipate doing proxy-arp for the left-side IPs, but in many cases they're existing systems. The SMTP submission port remap to port 25 is a good example of that. The traffic will be driven to the SRX via a static route on the upstream router. Do I need the SRX to assume control of the left-side IPs for it to do destination NAT on them, or will it still process the traffic without the SRX being the final destination pre-port-forward?
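For reference, here is how the six forwards listed above translate into Junos destination NAT in set format. This is an added example, not configuration from the original post; it assumes the 1.2.3.0/24 and 192.168.1.0/24 segment sits in zone Public_DMZ as described, and the pool, rule-set, address-book and application names are made up.

```junos
## Added example (not from the post): SRX destination NAT for the listed port forwards.
## Pools hold the translated ("right side") address and port.
set security nat destination pool dnat-smtp-19 address 1.2.3.19/32 port 25
set security nat destination pool dnat-dns-25 address 1.2.3.25/32 port 53
set security nat destination pool dnat-smtp-17 address 1.2.3.17/32 port 25
set security nat destination pool dnat-web-27 address 192.168.1.27/32 port 8443

## Rules match the original ("left side") destination address/port as it arrives
## from zone untrust; the pool port overrides the original port, so 25 and 26
## both land on 1.2.3.19:25 with a single rule.
set security nat destination rule-set from-untrust from zone untrust
set security nat destination rule-set from-untrust rule smtp-28 match destination-address 1.2.3.28/32
set security nat destination rule-set from-untrust rule smtp-28 match destination-port 25 to 26
set security nat destination rule-set from-untrust rule smtp-28 then destination-nat pool dnat-smtp-19
set security nat destination rule-set from-untrust rule dns-12 match destination-address 1.2.3.12/32
set security nat destination rule-set from-untrust rule dns-12 match destination-port 53
set security nat destination rule-set from-untrust rule dns-12 then destination-nat pool dnat-dns-25
set security nat destination rule-set from-untrust rule dns-30 match destination-address 1.2.3.30/32
set security nat destination rule-set from-untrust rule dns-30 match destination-port 53
set security nat destination rule-set from-untrust rule dns-30 then destination-nat pool dnat-dns-25
## Port-only remap on a shared, live address: match 587 narrowly so that
## existing traffic to 1.2.3.17 on other ports is not touched.
set security nat destination rule-set from-untrust rule submission-17 match destination-address 1.2.3.17/32
set security nat destination rule-set from-untrust rule submission-17 match destination-port 587
set security nat destination rule-set from-untrust rule submission-17 then destination-nat pool dnat-smtp-17
set security nat destination rule-set from-untrust rule web-23 match destination-address 1.2.3.23/32
set security nat destination rule-set from-untrust rule web-23 match destination-port 8443
set security nat destination rule-set from-untrust rule web-23 then destination-nat pool dnat-web-27

## Policy lookup happens after destination NAT, so the policy must reference the
## translated addresses and ports, not the left-side ones.
set applications application tcp-8443 protocol tcp destination-port 8443
set security address-book global address srv-1-2-3-19 1.2.3.19/32
set security address-book global address srv-1-2-3-25 1.2.3.25/32
set security address-book global address srv-1-2-3-17 1.2.3.17/32
set security address-book global address srv-192-168-1-27 192.168.1.27/32
set security address-book global address-set dnat-targets address srv-1-2-3-19
set security address-book global address-set dnat-targets address srv-1-2-3-25
set security address-book global address-set dnat-targets address srv-1-2-3-17
set security address-book global address-set dnat-targets address srv-192-168-1-27
set security policies from-zone untrust to-zone Public_DMZ policy allow-dnat match source-address any
set security policies from-zone untrust to-zone Public_DMZ policy allow-dnat match destination-address dnat-targets
set security policies from-zone untrust to-zone Public_DMZ policy allow-dnat match application [ junos-smtp junos-dns-udp junos-dns-tcp tcp-8443 ]
set security policies from-zone untrust to-zone Public_DMZ policy allow-dnat then permit
```

After committing, `show security flow session destination-prefix 1.2.3.19` shows the In/Out legs of a translated session, which is the quickest way to confirm a forward is being hit rather than dropped by policy.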