Proxy ARP question on SRX 240H



  • hi everyone,

I'm new to Juniper so please be patient with me. I wanted to static NAT a VPN server (Windows 2003) behind an SRX-240H.

182.180.x.x on ge-0/0/2.0 is live and hard-coded there -----> 192.168.8.103 (External Interface) -----> 192.168.1.1 (Internal interface)

I wanted to map 182.180.x.x to 192.168.8.103. The configuration I keep finding on the web is simple and is below.

    [edit security nat static]
    set rule-set rs1 from zone untrust
    set rule-set rs1 rule r1 match destination-address 1.1.1.200/32
    set rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32
    [edit security nat]
    set proxy-arp interface fe-0/0/7.0 address 1.1.1.200
    [edit security]
    set zones security-zone trust address-book address server-1 192.168.1.200/32
    [edit security policies from-zone untrust to-zone trust]
set policy server-access match source-address any destination-address server-1 application any
set policy server-access then permit
[edit security policies from-zone trust to-zone untrust]
set policy permit-all match source-address server-1 destination-address any application any
set policy permit-all then permit

All is done, but when I configure proxy-ARP as below:

    [edit security nat]
    set proxy-arp interface ge-0/0/2.0 address 182.180.x.x/32

I get an error that the IP address range overlaps with the interface IP address range defined on interface ge-0/0/2.0. Even if they are the same, all the configurations (including the one up there) show them putting the live IP under proxy-arp, and in the previous line they mention the same live IP again, so obviously they will overlap... but everywhere on the internet it is the same configuration. Check the bold:

    set rule-set rs1 rule r1 match destination-address 1.1.1.200/32
    set rule-set rs1 rule r1 then static-nat prefix 192.168.1.200/32
    [edit security nat]
    set proxy-arp interface fe-0/0/7.0 address 1.1.1.200



Bad online examples are all you can chalk this one up to. Proxy-arp is needed in a scenario where the IP being used in the NAT rules is not on the interface itself. Let's say ge-0/0/1 had an IP of 1.1.1.1/29. You are assigned the usable IPs of 1, 2, 3, 4, 5, 6. If the NAT rule specifies anything destined to 1.1.1.2, then the upstream peer associated with 1.1.1.1/29 will send an ARP request for 1.1.1.2. In this case you can either assign 1.1.1.2/29 as a secondary IP on the ge-0/0/0 interface, or use proxy-arp under the security NAT level.
    Attached is a document that explains it a little better.

    HTH

    Proxy-ARP.pdf
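The rule in the answer above (proxy-arp is for addresses the upstream peer will ARP for that are not already the interface's own IP) can be turned into a small pre-commit check. The following Python script is an added example for this thread, not Junos code and not the SRX's own validation logic; the interface prefix and candidate addresses are constructed sample values taken from the answer's 1.1.1.1/29 scenario. The "off-subnet" outcome is my own addition to the answer's two cases: an address outside the interface subnet is never ARPed for by the on-link peer, it is routed instead, so proxy-arp is not what makes it reachable.

```python
# Added illustration of the answer's proxy-arp rule. Not Junos configuration and not
# a model of the SRX commit check; all addresses below are constructed examples.
import ipaddress


def usable_hosts(interface_cidr):
    """Host addresses of the interface's subnet, e.g. 1.1.1.1/29 -> .1 through .6."""
    iface = ipaddress.ip_interface(interface_cidr)
    return [str(h) for h in iface.network.hosts()]


def classify_nat_address(interface_cidr, nat_address):
    """Say how the upstream peer will resolve a public address used in a NAT rule.

    'interface-address'      : it is the interface's own IP. The SRX already answers
                               ARP for it, so proxy-arp is unnecessary; configuring it
                               anyway is what produces the overlap error in the question.
    'proxy-arp-or-secondary' : a usable host in the interface subnet other than the
                               interface IP. The peer will ARP for it, so either add
                               it under security nat proxy-arp or as a secondary address.
    'off-subnet'             : not a usable host of the interface subnet (assumption
                               noted in the lead-in: the peer routes, it does not ARP).
    """
    iface = ipaddress.ip_interface(interface_cidr)
    addr = ipaddress.ip_address(nat_address)
    net = iface.network
    if addr == iface.ip:
        return "interface-address"
    if addr in net and addr not in (net.network_address, net.broadcast_address):
        return "proxy-arp-or-secondary"
    return "off-subnet"


def check_proxy_arp(interface_cidr, proxy_arp_addresses):
    """Review a list of proposed proxy-arp addresses before committing them."""
    verdicts = {}
    for a in proxy_arp_addresses:
        kind = classify_nat_address(interface_cidr, a)
        if kind == "interface-address":
            verdicts[a] = "drop: overlaps the interface address, proxy-arp not needed"
        elif kind == "off-subnet":
            verdicts[a] = "drop: not on-link for this interface, proxy-arp does not help"
        else:
            verdicts[a] = "ok"
    return verdicts


if __name__ == "__main__":
    # Constructed scenario from the answer: interface 1.1.1.1/29, NAT target 1.1.1.2.
    print("usable hosts:", usable_hosts("1.1.1.1/29"))
    for candidate in ("1.1.1.1", "1.1.1.2", "1.1.1.9"):
        print(candidate, "->", classify_nat_address("1.1.1.1/29", candidate))
    print(check_proxy_arp("1.1.1.1/29", ["1.1.1.1", "1.1.1.2", "1.1.1.9"]))
```

Run against the poster's situation, the public address equals the ge-0/0/2.0 interface IP, so it classifies as "interface-address": the proxy-arp line is the part of the copied examples that should simply be left out.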