SRX Services Gateway
SRX Services Gateway

set proxy-arp + destination nat

10.27.10   |  
‎10-27-2010 04:53 AM


I'm trying to configure destination nat xx.xx.xx.195 ->
xx.xx.xx.195 [public] is configured as a static address on ge-0/0/0.0
trying to commit:
[edit security nat]
    proxy-arp {
        interface ge-0/0/0.0 {
           address {




root@test.firewall1# commit

[edit security nat proxy-arp interface ge-0/0/0.0]

  'address xx.xx.xx.195/32'

    Proxy ARP IP address range [xx.xx.xx.195 xx.xx.xx.195] overlaps with interface IP address range [xx.xx.xx.195 xx.xx.xx.195] defined on interface 'ge-0/0/0.0'

error: configuration check-out failed



It looks I cannot use the address configured on the interface. What if there is only one public ip address? Is there any workaround?


I was following this manual

My os version: 10.0R3.10


Thank you,


SRX Services Gateway

Re: set proxy-arp + destination nat

10.27.10   |  
‎10-27-2010 09:56 AM

What services are you trying to forward to the private IP?  You may be able to resolve your problem using port-forwarding off the public IP of the SRX (no proxy-arp needed in this case) - similar to VIP off the interface in Netscreen lingo.  See these threads for more info:

Juniper Elite Partner
SRX Services Gateway

Re: set proxy-arp + destination nat

11.01.10   |  
‎11-01-2010 06:23 AM

There's no need for the proxy-arp for the IP already defined on the public interface.  You only need to use proxy-arp for IP's that are in your assigned range that aren't already assigned to an interface.


address xx.xx.xx.196 to xx.xx.xx.228

SRX Services Gateway

Re: set proxy-arp + destination nat

11.05.10   |  
‎11-05-2010 12:36 AM

Hi pawelek,


i think you are looking for static nat.


sebastian@lab1# edit security nat

sebastian@lab1# show static

static {
    rule-set rule-set1 {
        from zone untrust;
        rule rule1 {
            match {
                destination-address xx.xx.xx.195/32;
            then {
                static-nat prefix;