[j-nsp] SRX Static NAT

Doug Hanks dhanks at juniper.net
Thu Mar 3 01:11:30 EST 2011

There's Junos tools such as apply-groups and apply-path to help automate complicated or repetitive configurations.

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of EXT - plunin at senetsy.ru
Sent: Wednesday, March 02, 2011 9:36 PM
To: Bill Blackford
Cc: juniper-nsp
Subject: Re: [j-nsp] SRX Static NAT

> I remember doing a single line in screenos unless my recollection is off.
> On the Cisco ASA/PIX, it's a single line 'static (inside,outside)
> ....' statement.
> Is there an equivalently efficient method on the SRX?
> Thank you in advance for any input.

Arp-proxy is needed to attract traffic towards the SRX. E. g. if your
ISP-facing interface has address 66.x.y.2/27, and 66.x.y.1/27 is your ISP's
gw address, the ISP's router will newer send traffic towards 66.x.y.6 and
66.x.y.18 to you, unless one of the following is configured:

a) Arp-proxy on the SRX side,
b) Longer route like "66.x.y.18/32 -> 66.x.y.2" on the ISP side
c) Static ARP entry of the ISP side: "66.x.y.18 has the SRX's external iface
MAC address"

Otherwise it will ask for ARP 66.x.y.18 and won't get a reply. Of course the
first point is the best choice.

If your ISP routes traffic towards 66.x.x.18 to you (e. g. you announce them
66.x.y.0/24) using other addresses on the PE-CE link, you don't need

Yes, in ScreenOS and PIXOS, when you configure MIP/Static NAT, a proxy-arp
entry is automatically created. But in case of destination NAT (ScreenOS
speak, I don't remember how it's called in ASA) it is not. Moreover until
the very latest release of ScreenOS (only 6.4 IFAIR) you can not configure
arp-proxy for destination nat. We were suffering from this for ages.

In my opinion, new NAT logic is a strong point of SRX in comparison to
SrceenOS. I find very clever the idea to separate NAT rules totally from
routing (for source nat you don't bind pools to interfaces) and from FW
policies and to separate the arp-proxy settings. Yes, it adds some
complexity to config files and can be not comprehensive from the first
glance for people from different worlds, but this is much more flexible.
juniper-nsp mailing list juniper-nsp at puck.nether.net

More information about the juniper-nsp mailing list