I've found all of the docs and troubleshooting guides and think everything is configured properly. I've gone through the guide (https://kb.juniper.net/InfoCenter/index?page=content&id=KB21922&actp=METADATA) and double checked. I'm currently testing with just one internal IP/machine.
Here's the short version:
Internal machine 10.20.15.172 connected to ge-0/0/1.0 (10.20.15.254).
Outside (cable modem) 172.20.15.1 connected to ge-0/0/0.0 (172.20.15.254).
If I set up the source NAT rule to use the interface (10.20.15.254), everything works just fine:
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match source-address 10.20.15.128/26
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match source-address 10.20.15.100/32
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match source-address 10.20.15.101/32
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match source-address 10.20.15.250/32
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match source-address 10.20.15.210/32
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet match destination-address-name ADDR_ANY_IPV4
set security nat source rule-set NAT_SRCE_HOME_LAN rule HOME-LAN_to_Internet then source-nat interface
When I set it up to use the source pool:
set security nat source pool NAT_SRCE_POOL_HOME_LAN description "NAT SOURCE POOL FOR HOME-LAN to INTERNET CONNECTIONS"
set security nat source pool NAT_SRCE_POOL_HOME_LAN address 172.20.15.172/32
set security nat source pool NAT_SRCE_POOL_HOME_LAN port no-translation
set security nat source pool NAT_SRCE_POOL_HOME_LAN address-pooling paired
If I get onto .172 and try to ping out, it fails:
user@barney:~$ ping -c1 23.216.159.40
PING 23.216.159.40 (23.216.159.40) 56(84) bytes of data.
--- 23.216.159.40 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
At the same time, I see the flow session on the SRX:
root@GreatGazoo> show security flow session source-prefix 10.20.15.172 destination-prefix 23.216.159.40 protocol icmp
Session ID: 7818, Policy name: HOME_LAN_Internet/9, Timeout: 48, Valid
In: 10.20.15.172/1 --> 23.216.159.40/7051;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 84
Out: 23.216.159.40/7051 --> 172.20.15.172/1;icmp, If: ge-0/0/0.0, Pkts: 0, Bytes: 0
Total sessions: 1
I also set up traceoptions and verified that the session was created there, but I don't want to waste space pasting that in.
Finally, when I monitor the interface (the one connected from the SRX to the cable modem), I see the arp requests:
root@GreatGazoo> monitor traffic interface ge-0/0/0 no-resolve no-domain-names
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on ge-0/0/0, capture size 96 bytes
18:08:59.573682 In arp who-has 172.20.15.172 tell 73.xx.xx.x7
18:09:18.483741 In arp who-has 172.20.15.172 tell 73.xx.xx.x7
18:09:39.737295 In arp who-has 172.20.15.172 tell 73.xx.xx.x7
But as you can see, the SRX is not replying 😞 😞 even though proxy-arp is set up:
root@GreatGazoo> show configuration security nat proxy-arp |display set
set security nat proxy-arp interface ge-0/0/0.0 address 172.20.15.172/32
I also did check the hit counts on the nat rule and pool after clearing them and they both showed 1 hit with the single ping.
So, best I can tell, the ping is getting out of the machine to the ingress of the SRX (ge-0/0/1.0) as 10.20.15.172 destined for 23.216.159.40. It is then NATted to 172.20.15.172 and destined to leave the SRX out ge-0/0/0.0, which I can assume it does, since a moment later I see an ARP request on ge-0/0/0.0 looking for 172.20.15.172. The request is coming from 73.xx.xx.x7, which is the WAN-side interface of the cable modem, hence the assumption that the ping went out. So why does the SRX not answer the ARP request for an IP that is in the range of what proxy-arp is set to, which in this case for testing is a single IP address, 172.20.15.172?
Appreciate any suggestions you may have and if you need additional information, I can provide it.
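The pool-plus-proxy-arp setup in the post has two things that must line up for the SRX to answer ARP on the egress interface: the pool prefix has to sit inside the subnet configured on that interface, and a proxy-arp entry on that same logical interface has to cover it. The following is an added example (not the poster's configuration and not Juniper code) that parses `display set` output and reports either mismatch; the interface line and its /24 prefix length are an assumption, since the post does not show the ge-0/0/0 address mask.

```python
import ipaddress
import re

# Constructed sample of `show configuration | display set` output, built from the
# addresses in the post. The ge-0/0/0 prefix length (/24) is an assumption.
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 172.20.15.254/24
set security nat source pool NAT_SRCE_POOL_HOME_LAN address 172.20.15.172/32
set security nat source pool NAT_SRCE_POOL_HOME_LAN port no-translation
set security nat proxy-arp interface ge-0/0/0.0 address 172.20.15.172/32
"""

IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
POOL_RE = re.compile(r"^set security nat source pool (\S+) address (\S+)$")
PROXY_RE = re.compile(r"^set security nat proxy-arp interface (\S+) address (\S+)$")


def parse_config(text):
    """Collect interface subnets, source-NAT pool prefixes and proxy-arp prefixes."""
    ifaces, pools, proxy = {}, {}, {}
    for line in text.strip().splitlines():
        if m := IFACE_RE.match(line):
            # Key by logical interface name, e.g. ge-0/0/0.0, to match proxy-arp syntax.
            ifaces[f"{m[1]}.{m[2]}"] = ipaddress.ip_interface(m[3]).network
        elif m := POOL_RE.match(line):
            pools.setdefault(m[1], []).append(ipaddress.ip_network(m[2]))
        elif m := PROXY_RE.match(line):
            proxy.setdefault(m[1], []).append(ipaddress.ip_network(m[2]))
    return ifaces, pools, proxy


def check_pool_reachability(text):
    """Return findings: each pool prefix must lie inside some L3 interface subnet
    and be covered by a proxy-arp entry on that same logical interface."""
    ifaces, pools, proxy = parse_config(text)
    findings = []
    for pool, prefixes in pools.items():
        for p in prefixes:
            hosting = [i for i, net in ifaces.items() if p.subnet_of(net)]
            if not hosting:
                findings.append(f"{pool} {p}: not within any interface subnet")
                continue
            covered = any(p.subnet_of(q) for i in hosting for q in proxy.get(i, []))
            if not covered:
                findings.append(f"{pool} {p}: no proxy-arp entry on {', '.join(hosting)}")
    return findings
```

Run against the sample it reports nothing, which matches the post: the pool and proxy-arp lines are consistent, so the missing ARP reply is not explained by the configuration these two checks cover.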