[j-nsp] SRX Static NAT

Scott T. Cameron routehero at gmail.com
Wed Mar 2 20:04:27 EST 2011


I've got two srx3400 clusters that disagree with you about proxy-arp. :)

Scott

On Wed, Mar 2, 2011 at 7:50 PM, Daniel M Daloia Jr
<daniel.daloia at yahoo.com> wrote:

> Almost positive that proxy-arp is required for NAT on the SRX series if the
> destination address is not assigned to the interface. Not in front of my
> gear now, but can lab it out tomorrow. As for the static NAT, two lines are
> necessary.
>
> -Dan
>
>
> ----- Original Message -----
> From:Scott T. Cameron <routehero at gmail.com>
> To:juniper-nsp at puck.nether.net
> Cc:
> Sent:Wednesday, March 2, 2011 7:12 PM
> Subject:Re: [j-nsp] SRX Static NAT
>
> You should only need proxy-arp if your particular routing scenario requires
> it.  If all the IPs that you are answering for are routed to you, then
> there's no need for proxy-arp.
>
> However, you'll still require 2 lines per static nat.  One for the match,
> and one for the action.
>
> Scott
>
> On Wed, Mar 2, 2011 at 7:05 PM, Bill Blackford <bblackford at gmail.com>
> wrote:
>
> > I am looking for a more efficient method to define/map several
> > scattered/non-contiguous static NATS. I can use pools to map ranges
> > for end user blocks, but this need is for publishing services
> > (servers) globally on a one by one basis.
> >
> >  ex.,
> >
> > using the following method, I would need to make a separate rule and a
> > proxy-arp address for each one-to-one snat.
> >
> > <snip>
> > static {
> >    rule-set SNAT1 {
> >        from interface ge-0/0/0.0;
> >        rule SNAT-TEST0 {
> >            match {
> >                destination-address 66.x.y.6/32;
> >            }
> >            then {
> >                static-nat prefix 192.168.1.65/32;
> >            }
> >        }
> >        rule SNAT-TEST1 {
> >            match {
> >                destination-address 66.x.y.18/32;
> >            }
> >            then {
> >                static-nat prefix 192.168.13.67/32;
> >            }
> >        }
> >    }
> > }
> > proxy-arp {
> >    interface ge-0/0/0.0 {
> >        address {
> >            66.x.y.6/32;
> >            66.x.y.18/32;
> >        }
> >    }
> > }
> > </snip>
> >
> > I remember doing a single line in ScreenOS unless my recollection is off.
> >
> > On the Cisco ASA/PIX, it's a single line 'static (inside,outside)
> > ....' statement.
> > Is there an equivalently efficient method on the SRX?
> >
> > Thank you in advance for any input.
> >
> > -b
> >
> >
> > --
> > Bill Blackford
> > Network Engineer
> >
> > Logged into reality and abusing my sudo privileges.....
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
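
Added example, not part of the original thread and not Juniper's own tooling: since each static NAT still needs a match line and an action line, a short generator can emit the `set` commands from a mapping table and add proxy-arp only where the routing scenario calls for it. It assumes proxy-arp is needed only for public addresses inside the interface's connected subnet (anything else is treated as routed to the SRX); the addresses and the function name are constructed for illustration.

```python
import ipaddress


def static_nat_commands(iface, iface_cidr, mappings, rule_set="SNAT1"):
    """Return Junos 'set' lines for one-to-one static NAT on `iface`.

    mappings: list of (rule_name, public_ip, private_ip) tuples.
    Proxy-ARP is emitted only for public addresses that sit inside the
    interface's connected subnet but are not the interface address itself
    (assumption: anything outside that subnet is routed to the SRX).
    """
    ifc = ipaddress.ip_interface(iface_cidr)
    base = f"set security nat static rule-set {rule_set}"
    lines = [f"{base} from interface {iface}"]
    arp = []
    seen = set()
    for name, public, private in mappings:
        pub = ipaddress.ip_address(public)    # raises on malformed input
        priv = ipaddress.ip_address(private)
        if pub in seen:
            # Two rules matching the same destination: the second never hits.
            raise ValueError(f"duplicate public address {pub}")
        seen.add(pub)
        # The two lines per static NAT discussed in the thread.
        lines.append(f"{base} rule {name} match destination-address {pub}/32")
        lines.append(f"{base} rule {name} then static-nat prefix {priv}/32")
        if pub in ifc.network and pub != ifc.ip:
            arp.append(
                f"set security nat proxy-arp interface {iface} address {pub}/32"
            )
    return lines + arp


# Constructed sample data using documentation address ranges.
SAMPLE = [
    ("SNAT-TEST0", "203.0.113.6", "192.168.1.65"),     # on-link: needs proxy-arp
    ("SNAT-TEST1", "198.51.100.18", "192.168.13.67"),  # routed: no proxy-arp
]

if __name__ == "__main__":
    for line in static_nat_commands("ge-0/0/0.0", "203.0.113.1/24", SAMPLE):
        print(line)
```

Review the output before committing it; if the upstream router reaches some on-link addresses through a static route to the SRX, drop the proxy-arp lines for those.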

