[j-nsp] interfaces, addresses, and nat.. oh my!

Stefan Fouant sfouant at gmail.com
Mon Sep 14 12:38:02 EDT 2009


On Mon, Sep 14, 2009 at 11:28 AM, Christopher M. Hobbs <chobbs at siloamsprings.com> wrote:

> Greetings, List!
>
> I imagine this post will be pretty ignorant as I'm lacking
> sleep and caffeine in a big way.  Forgive me if it makes
> little sense...
>
> I've inherited an ancient firewall setup and I'm in the
> process of replacing it with two SRX240 series firewalls.
> We currently have 3 IPs coming from our ISP, two of which
> are handed off to a couple of internal addresses via static
> NAT with our existing firewall.
>
> I'm trying to duplicate this setup with our SRX.  I've
> attempted to assign multiple IPs to the external interface
> on the firewall to no avail.  It generally complains about
> encapsulation and/or "host families".  This is very likely
> the wrong way to go about things...
>
> Is it possible to assign multiple addresses to a single
> interface?  If not, can I take care of the static NAT issue
> without assigning the remaining addresses to an interface?
>
> Thanks a ton, and again, please pardon my ignorance!
> --
> Christopher M. Hobbs [chobbs at siloamsprings.com]
> Network Administrator, City of Siloam Springs


Yeah, I don't think you need to add those additional IP addresses to the
external interface.  I think you can just do something along the lines of
the following:

[edit security]
user@host# show
nat {
    static {
        /* one rule-set for traffic arriving from the ISP side, one rule per public/private pair */
        rule-set isp-static {
            from zone untrust;
            /* x.x.x.2 <-> y.y.y.2; static NAT is bidirectional, so replies and outbound traffic are translated too */
            rule host-2 {
                match {
                    destination-address x.x.x.2/32;
                }
                then {
                    static-nat prefix y.y.y.2/32;
                }
            }
            /* x.x.x.3 <-> y.y.y.3 */
            rule host-3 {
                match {
                    destination-address x.x.x.3/32;
                }
                then {
                    static-nat prefix y.y.y.3/32;
                }
            }
        }
    }
}

I think you'll need to enable Proxy ARP for those addresses as well, as by
default the device will only respond to ARPs for IPs which are configured on
an interface.  Proxy ARP is required for IP addresses that need NAT and belong
to the subnet of the ingress interface.  Something along the lines of the following
will enable the Proxy ARP functions:

[edit security nat]
user@host# show
proxy-arp {
    /* the ISP-facing logical unit that holds x.x.x.1; ge-0/0/0.0 is a placeholder, substitute your own */
    interface ge-0/0/0.0 {
        address {
            x.x.x.2/32 to x.x.x.3/32;
        }
    }
}

HTHs.

-- 
Stefan Fouant
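The pieces above in set format, together with the security policy that the reply does not show, as an added example that is not part of the original thread. It assumes ge-0/0/0.0 is the ISP-facing unit holding x.x.x.1 in zone untrust, ge-0/0/1.0 is the inside unit in zone trust, the public block is a /29, the inside network is a /24, and the published services are HTTP and SMTP; those names, masks, applications and the address-book entries are assumptions, while the x.x.x./y.y.y. placeholders are kept from the thread.

```junos
## Interfaces and zones. Only the ISP-assigned primary address lives on the outside unit;
## x.x.x.2 and x.x.x.3 are never configured on an interface.
## (ge-0/0/0.0, ge-0/0/1.0, the /29 and the /24 are assumed for illustration.)
set interfaces ge-0/0/0 unit 0 family inet address x.x.x.1/29
set interfaces ge-0/0/1 unit 0 family inet address y.y.y.1/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0

## Static NAT: one rule-set for packets arriving from untrust, one rule per public/private pair.
## Static NAT is bidirectional, so y.y.y.2 also leaves the box with source x.x.x.2.
set security nat static rule-set isp-static from zone untrust
set security nat static rule-set isp-static rule host-2 match destination-address x.x.x.2/32
set security nat static rule-set isp-static rule host-2 then static-nat prefix y.y.y.2/32
set security nat static rule-set isp-static rule host-3 match destination-address x.x.x.3/32
set security nat static rule-set isp-static rule host-3 then static-nat prefix y.y.y.3/32

## Proxy ARP: x.x.x.2-3 sit in the outside unit's subnet but are not configured on it,
## so the SRX must answer the ISP router's ARP for them or the packets never arrive.
## Not needed if the ISP instead routes the block to x.x.x.1.
set security nat proxy-arp interface ge-0/0/0.0 address x.x.x.2/32 to x.x.x.3/32

## Address book (zone-based form, as on Junos 9.x/10.x). Policy lookup runs after the
## static NAT destination translation, so the policy matches the inside y.y.y. addresses,
## not the public ones.
set security zones security-zone trust address-book address host-2 y.y.y.2/32
set security zones security-zone trust address-book address host-3 y.y.y.3/32

## Security policy: the static NAT rule alone passes nothing from untrust to trust.
## Permit only the services each host actually publishes (junos-http / junos-smtp assumed).
set security policies from-zone untrust to-zone trust policy allow-host-2 match source-address any
set security policies from-zone untrust to-zone trust policy allow-host-2 match destination-address host-2
set security policies from-zone untrust to-zone trust policy allow-host-2 match application junos-http
set security policies from-zone untrust to-zone trust policy allow-host-2 then permit
set security policies from-zone untrust to-zone trust policy allow-host-2 then log session-close
set security policies from-zone untrust to-zone trust policy allow-host-3 match source-address any
set security policies from-zone untrust to-zone trust policy allow-host-3 match destination-address host-3
set security policies from-zone untrust to-zone trust policy allow-host-3 match application junos-smtp
set security policies from-zone untrust to-zone trust policy allow-host-3 then permit
set security policies from-zone untrust to-zone trust policy allow-host-3 then log session-close
```

After `commit`, `show security nat static rule all` shows the translation hit counters, and `show security flow session destination-prefix y.y.y.2` shows an inbound session already rewritten to the inside address on the in wing and the public address on the out wing, which is the quickest way to confirm that proxy ARP, the NAT rule and the policy are all in play. Keeping the policy scoped to named applications rather than `any` is the point of putting the SRX in front of these hosts in the first place.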

