[j-nsp] SRX Static NAT
Daniel M Daloia Jr
daniel.daloia at yahoo.com
Wed Mar 2 20:49:22 EST 2011
I think I understand what you were saying before about "routed to you", and that it depends on the situation.
For instance:
If my public interface is 1.1.1.1/24 and my next-hop is 1.1.1.254, and I wanted to static NAT 1.1.1.10, then I would need to use proxy-arp for the public interface with address 1.1.1.10. Otherwise, the SRX would not answer an ARP request for 1.1.1.10.
But, if my public interface is 1.1.1.1 and the address 2.2.2.0/24 is being routed to me, proxy-arp would not be necessary since an ARP request would never happen.
Sound about right? :)
________________________________
From: Scott T. Cameron <routehero at gmail.com>
To: Daniel M Daloia Jr <daniel.daloia at yahoo.com>
Cc: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
Sent: Wednesday, March 2, 2011 8:04 PM
Subject: Re: [j-nsp] SRX Static NAT
I've got two srx3400 clusters that disagree with you about proxy-arp. :)
Scott
On Wed, Mar 2, 2011 at 7:50 PM, Daniel M Daloia Jr <daniel.daloia at yahoo.com> wrote:
> Almost positive that proxy-arp is required for NAT on the SRX series if the destination address is not assigned to the interface. Not in front of my gear now, but can lab it out tomorrow. As for the static NAT, two lines are necessary.
>
> -Dan
>
>
>
> ----- Original Message -----
> From: Scott T. Cameron <routehero at gmail.com>
> To: juniper-nsp at puck.nether.net
> Cc:
> Sent: Wednesday, March 2, 2011 7:12 PM
> Subject: Re: [j-nsp] SRX Static NAT
>
>>You should only need proxy-arp if your particular routing scenario requires
>>it. If all the IPs that you are answering for are routed to you, then
>>there's no need for proxy-arp.
>
>>However, you'll still require 2 lines per static nat. One for the match,
>>and one for the action.
>
>>Scott
>
>>On Wed, Mar 2, 2011 at 7:05 PM, Bill Blackford <bblackford at gmail.com> wrote:
>
>>> I am looking for a more efficient method to define/map several
>>> scattered/non-contiguous static NATs. I can use pools to map ranges
>>> for end user blocks, but this need is for publishing services
>>> (servers) globally on a one-by-one basis.
>>>
>>> ex.,
>>>
>>> Using the following method, I would need to make a separate rule and a
>>> proxy-arp address for each one-to-one static NAT.
>>>
>>> <snip>
>>> static {
>>>     rule-set SNAT1 {
>>>         from interface ge-0/0/0.0;
>>>         rule SNAT-TEST0 {
>>>             match {
>>>                 destination-address 66.x.y.6/32;
>>>             }
>>>             then {
>>>                 static-nat prefix 192.168.1.65/32;
>>>             }
>>>         }
>>>         rule SNAT-TEST1 {
>>>             match {
>>>                 destination-address 66.x.y.18/32;
>>>             }
>>>             then {
>>>                 static-nat prefix 192.168.13.67/32;
>>>             }
>>>         }
>>>     }
>>> }
>>> proxy-arp {
>>>     interface ge-0/0/0.0 {
>>>         address {
>>>             66.x.y.6/32;
>>>             66.x.y.18/32;
>>>         }
>>>     }
>>> }
>>> </snip>
>>>
>>> I remember doing a single line in ScreenOS, unless my recollection is off.
>>>
>>> On the Cisco ASA/PIX, it's a single line 'static (inside,outside)
>>> ....' statement.
>>> Is there an equivalently efficient method on the SRX?
>>>
>>> Thank you in advance for any input.
>>>
>>> -b
>>>
>>>
>>> --
>>> Bill Blackford
>>> Network Engineer
>>>
>>> Logged into reality and abusing my sudo privileges.....
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
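The thread makes two practical points: a one-to-one static NAT on the SRX costs a match line and an action line per address, and a proxy-arp entry is only needed for public addresses that sit on the interface's connected subnet (the next hop will ARP for those), not for addresses in a prefix routed to the box. The script below is an added example, not code from the thread or from Juniper; it takes a constructed inventory of public-to-private mappings, decides per address whether proxy-arp is required by checking membership in the interface subnet, rejects a private host that would be published under two public addresses, and renders the repetitive rule-set and proxy-arp stanzas in the layout Bill's snippet uses. The interface name, rule-set name and all addresses are assumptions chosen for the example.

```python
import ipaddress
from typing import Dict, List

# Constructed sample inventory for the example (not from the thread):
# public address -> private server address, one-to-one.
MAPPINGS: Dict[str, str] = {
    "1.1.1.10": "192.168.1.65",
    "1.1.1.22": "192.168.13.67",
    "2.2.2.5": "192.168.20.10",  # inside a prefix routed to the SRX, not on the interface subnet
}


def on_link(public_ip: str, interface_cidr: str) -> bool:
    """True when public_ip is inside the connected subnet of the public interface.

    Only those addresses are ever ARP'd for by the upstream next hop, so only
    those need a proxy-arp entry; addresses in a prefix routed to the SRX do not.
    """
    return ipaddress.ip_address(public_ip) in ipaddress.ip_interface(interface_cidr).network


def proxy_arp_addresses(mappings: Dict[str, str], interface_cidr: str) -> List[str]:
    """Public addresses from the mapping table that require proxy-arp."""
    return sorted((p for p in mappings if on_link(p, interface_cidr)), key=ipaddress.ip_address)


def validate_one_to_one(mappings: Dict[str, str]) -> None:
    """Refuse to publish the same private host under two public addresses."""
    seen: Dict[str, str] = {}
    for public, private in mappings.items():
        ipaddress.ip_address(public)   # raise early on malformed input
        ipaddress.ip_address(private)
        if private in seen:
            raise ValueError(f"{private} already mapped to {seen[private]}, cannot also map {public}")
        seen[private] = public


def render_static_nat(mappings: Dict[str, str], interface_name: str, interface_cidr: str,
                      rule_set: str = "SNAT1") -> str:
    """Emit the 'security nat static' and 'proxy-arp' stanzas as display-style text."""
    validate_one_to_one(mappings)
    out: List[str] = ["static {", f"    rule-set {rule_set} {{", f"        from interface {interface_name};"]
    # One rule per public address: the match line and the action line the thread describes.
    for index, public in enumerate(sorted(mappings, key=ipaddress.ip_address)):
        private = mappings[public]
        out += [
            f"        rule {rule_set}-{index} {{",
            "            match {",
            f"                destination-address {public}/32;",
            "            }",
            "            then {",
            f"                static-nat prefix {private}/32;",
            "            }",
            "        }",
        ]
    out += ["    }", "}"]
    # proxy-arp only for the on-link public addresses.
    arp = proxy_arp_addresses(mappings, interface_cidr)
    if arp:
        out += ["proxy-arp {", f"    interface {interface_name} {{", "        address {"]
        out += [f"            {public}/32;" for public in arp]
        out += ["        }", "    }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_static_nat(MAPPINGS, "ge-0/0/0.0", "1.1.1.1/24"))
```

Running it prints a rule for each of the three mappings but a proxy-arp stanza listing only 1.1.1.10 and 1.1.1.22; 2.2.2.5 is omitted because it is not in 1.1.1.0/24. Whether the upstream router actually routes 2.2.2.0/24 to the SRX is an assumption the script cannot check, which is the same caveat Scott raised.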