[j-nsp] SRX Static NAT
Doug Hanks
dhanks at juniper.net
Wed Mar 2 22:19:42 EST 2011
Proxy-arp isn't required unless you're placing the SRX on a LAN segment where other hosts need to use ARP to reach the VIP instead of a route lookup.
-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Daniel M Daloia Jr
Sent: Wednesday, March 02, 2011 4:51 PM
To: Scott T. Cameron; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] SRX Static NAT
Almost positive that proxy-arp is required for NAT on the SRX series if the destination address is not assigned to the interface. Not in front of my gear now, but can lab it out tomorrow. As for the static NAT, two lines are necessary.
-Dan
----- Original Message -----
From: Scott T. Cameron <routehero at gmail.com>
To: juniper-nsp at puck.nether.net
Cc:
Sent: Wednesday, March 2, 2011 7:12 PM
Subject: Re: [j-nsp] SRX Static NAT
You should only need proxy-arp if your particular routing scenario requires
it. If all the IPs that you are answering for are routed to you, then
there's no need for proxy-arp.
However, you'll still require 2 lines per static nat. One for the match,
and one for the action.
Scott
On Wed, Mar 2, 2011 at 7:05 PM, Bill Blackford <bblackford at gmail.com> wrote:
> I am looking for a more efficient method to define/map several
> scattered/non-contiguous static NATS. I can use pools to map ranges
> for end user blocks, but this need is for publishing services
> (servers) globally on a one by one basis.
>
> ex.,
>
> using the following method, I would need to make a separate rule and a
> proxy-arp address for each one-to-one snat.
>
> <snip>
> static {
>     rule-set SNAT1 {
>         from interface ge-0/0/0.0;
>         rule SNAT-TEST0 {
>             match {
>                 destination-address 66.x.y.6/32;
>             }
>             then {
>                 static-nat prefix 192.168.1.65/32;
>             }
>         }
>         rule SNAT-TEST1 {
>             match {
>                 destination-address 66.x.y.18/32;
>             }
>             then {
>                 static-nat prefix 192.168.13.67/32;
>             }
>         }
>     }
> }
> proxy-arp {
>     interface ge-0/0/0.0 {
>         address {
>             66.x.y.6/32;
>             66.x.y.18/32;
>         }
>     }
> }
> </snip>
>
> I remember doing a single line in screenos unless my recollection is off.
>
> On the Cisco ASA/PIX, it's a single line 'static (inside,outside)
> ....' statement.
> Is there an equivalently efficient method on the SRX?
>
> Thank you in advance for any input.
>
> -b
>
>
> --
> Bill Blackford
> Network Engineer
>
> Logged into reality and abusing my sudo privileges.....
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
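Added example, not part of the original thread and not Juniper's tooling: since each one-to-one mapping needs its own match and then lines, a short generator can emit the `set` commands from a mapping list, adding proxy-arp only for public addresses that sit on the interface's connected subnet, as the replies describe. The function name, the rule naming scheme and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress


def static_nat_set_commands(mappings, rule_set, interface, connected_net=None):
    """Return Junos 'set' lines for one-to-one static NAT.

    mappings:      iterable of (public_ip, private_ip) strings, IPv4 only.
    connected_net: subnet configured on `interface`. A public address inside
                   it is reached by ARP and gets a proxy-arp entry; an
                   address that is routed to the SRX does not.
    """
    base = f"set security nat static rule-set {rule_set}"
    lines = [f"{base} from interface {interface}"]
    lan = ipaddress.ip_network(connected_net) if connected_net else None
    seen_public = set()
    proxy_arp = []
    for n, (public, private) in enumerate(mappings):
        # IPv4Address raises ValueError (AddressValueError) on malformed input.
        pub = ipaddress.IPv4Address(public)
        priv = ipaddress.IPv4Address(private)
        if pub in seen_public:
            # A second rule matching the same destination would never be hit.
            raise ValueError(f"duplicate public address: {pub}")
        seen_public.add(pub)
        rule = f"{base} rule {rule_set}-{n}"  # hypothetical naming scheme
        lines.append(f"{rule} match destination-address {pub}/32")
        lines.append(f"{rule} then static-nat prefix {priv}/32")
        if lan is not None and pub in lan:
            proxy_arp.append(
                f"set security nat proxy-arp interface {interface} address {pub}/32"
            )
    return lines + proxy_arp


# Constructed sample data (documentation address ranges, not from the thread).
MAPPINGS = [
    ("203.0.113.6", "192.168.1.65"),
    ("203.0.113.18", "192.168.13.67"),
    ("198.51.100.9", "192.168.1.70"),  # outside the connected subnet: routed
]

if __name__ == "__main__":
    print("\n".join(
        static_nat_set_commands(MAPPINGS, "SNAT1", "ge-0/0/0.0", "203.0.113.0/24")
    ))
```

Review the output and load it in configuration mode with `commit check` before committing.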