[j-nsp] SRX Static NAT

Daniel M Daloia Jr daniel.daloia at yahoo.com
Wed Mar 2 19:50:48 EST 2011


Almost positive that proxy-arp is required for NAT on the SRX series if the destination address is not assigned to the interface. Not in front of my gear now, but can lab it out tomorrow. As for the static NAT, two lines are necessary.

-Dan


----- Original Message -----
From: Scott T. Cameron <routehero at gmail.com>
To: juniper-nsp at puck.nether.net
Cc:
Sent: Wednesday, March 2, 2011 7:12 PM
Subject: Re: [j-nsp] SRX Static NAT

You should only need proxy-arp if your particular routing scenario requires
it.  If all the IPs that you are answering for are routed to you, then
there's no need for proxy-arp.

However, you'll still require 2 lines per static nat.  One for the match,
and one for the action.

Scott

On Wed, Mar 2, 2011 at 7:05 PM, Bill Blackford <bblackford at gmail.com> wrote:

> I am looking for a more efficient method to define/map several
> scattered/non-contiguous static NATS. I can use pools to map ranges
> for end user blocks, but this need is for publishing services
> (servers) globally on a one by one basis.
>
>  ex.,
>
> using the following method, I would need to make a separate rule and a
> proxy-arp address for each one-to-one snat.
>
> <snip>
> static {
>    rule-set SNAT1 {
>        from interface ge-0/0/0.0;
>        rule SNAT-TEST0 {
>            match {
>                destination-address 66.x.y.6/32;
>            }
>            then {
>                static-nat prefix 192.168.1.65/32;
>            }
>        }
>        rule SNAT-TEST1 {
>            match {
>                destination-address 66.x.y.18/32;
>            }
>            then {
>                static-nat prefix 192.168.13.67/32;
>            }
>        }
>    }
> }
> proxy-arp {
>    interface ge-0/0/0.0 {
>        address {
>            66.x.y.6/32;
>            66.x.y.18/32;
>        }
>    }
> }
> </snip>
>
> I remember doing a single line in screenos unless my recollection is off.
>
> On the Cisco ASA/PIX, it's a single line 'static (inside,outside)
> ....' statement.
> Is there an equivalently efficient method on the SRX?
>
> Thank you in advance for any input.
>
> -b
>
>
> --
> Bill Blackford
> Network Engineer
>
> Logged into reality and abusing my sudo privileges.....
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>