SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Destination nat fun

    Posted 03-06-2013 06:30

    I'm working on migrating a network currently running on Mikrotik appliances to an SRX.  The existing layout is:

    Inside int - 1.2.3.1/24 (Public) and 192.168.1.1/24 (Private)

    Outside int - 1.2.57.2/30

    So far, easy to replicate.  My uplink is on one interface in zone untrust, and the new interface is in a new zone called Public_DMZ.  No NAT is involved yet, as they route the private ranges within their AS... not my choice, but I have to match it for now.


    Where it gets interesting is trying to roll in the port forwards they're doing:


    1.2.3.28 port 25 => 1.2.3.19 port 25

    1.2.3.28 port 26 => 1.2.3.19 port 25

    1.2.3.12 port 53 => 1.2.3.25 port 53

    1.2.3.30 port 53 => 1.2.3.25 port 53

    1.2.3.17 port 587 => 1.2.3.17 port 25

    1.2.3.23 port 8443 => 192.168.1.27 port 8443

    Normally I'd anticipate doing proxy-arp for the left-side IPs, but in many cases they're existing systems.  The SMTP submission port remap to port 25 is a good example of that.  The traffic will be driven to the SRX via a static route on the upstream router.  Do I need the SRX to assume control of the left-side IPs for it to do destination NAT on them, or will it still process the traffic without the SRX being the final destination pre-port-forward?



  • 2.  RE: Destination nat fun
    Best Answer

    Posted 03-06-2013 09:53

    If I'm understanding this correctly (blame the lack of caffeine if I'm not...) then I don't think you'll need any proxy ARP in this case.  Your public IPs are routed to your SRX over your PTP /30 link, so the first place those packets land is going to be the SRX, regardless.

    Proxy ARP is more for cases where you have additional IPs in the same network as your uplink, for example, and the SRX has to masquerade as additional hosts in that network.



  • 3.  RE: Destination nat fun

    Posted 03-06-2013 09:59

    Ok, that makes sense and meshes with what I was thinking would occur, but having never actually done it that way I figured it'd be good to toss it out there for comment.