Junos OS


nat configuration issue SRX

  • 1.  nat configuration issue SRX

    Posted 06-16-2020 08:22

    Hi,

     

    If we follow the link below, it teaches us how to configure NAT.

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/nat-security-source-and-source-pool.html

    I tried to configure NAT according to the above but received the error message:

    # commit check

    [edit security nat proxy-arp interface ge-0/0/0.0]

      'address 175.14.211.6/30'

        Proxy ARP IP address range [175.14.211.6 175.14.211.7] overlaps with interface IP address range [175.14.211.6 175.14.211.6] defined on interface 'ge-0/0/0.0'

    error: configuration check-out failed

     

     

    My config:

    set security nat source rule-set AAAA from zone trust
    set security nat source rule-set AAAA to zone untrust
    set security nat source rule-set AAAA rule OUT match source-address 192.168.1.0/24
    set security nat source rule-set AAAA rule OUT match source-address 192.168.5.0/24
    set security nat source rule-set AAAA rule OUT match destination-address 0.0.0.0/0
    set security nat source rule-set AAAA rule OUT then source-nat interface
    set security nat proxy-arp interface ge-0/0/0.0 address 175.14.211.6/30
    set security policies from-zone trust to-zone untrust policy INTERNET-ACCESS match source-address 192.168.1.0/24
    set security policies from-zone trust to-zone untrust policy INTERNET-ACCESS match source-address 192.168.5.0/24
    set security policies from-zone trust to-zone untrust policy INTERNET-ACCESS match destination-address any
    set security policies from-zone trust to-zone untrust policy INTERNET-ACCESS match application any
    set security policies from-zone trust to-zone untrust policy INTERNET-ACCESS then permit

     

    Any suggestion welcome.

    Thank you.

     



  • 2.  RE: nat configuration issue SRX
    Best Answer

    Posted 06-16-2020 08:49

    Proxy-arp is not required when source nat interface is configured. 

     

     



  • 3.  RE: nat configuration issue SRX

    Posted 06-16-2020 09:11

    Hi World, 

     

    As per the documentation link you shared (SNAT for Egress Interface translation), I think you missed the note:

    It says: "No source NAT pool is required for source NAT using an egress interface. Proxy ARP does not need to be configured for the egress interface."

     

    Hope this helps.

     

    Please mark "Accept as solution" if this answers your query.   Kudos are appreciated too! 

     

    Regards, 

    Sharat Ainapur



  • 4.  RE: nat configuration issue SRX

     
    Posted 06-16-2020 15:37
    [edit security nat proxy-arp interface ge-0/0/0.0]
    
      'address 175.14.211.6/30'
    
        Proxy ARP IP address range [175.14.211.6 175.14.211.7] overlaps with interface IP address range [175.14.211.6 175.14.211.6] defined on interface 'ge-0/0/0.0'
    
    error: configuration check-out failed

    This error is because proxy-arp is only valid for addresses that are:

    • Not configured on the interface itself
    • And in the same subnet as the interface
    • And not used by other devices in the subnet

    An interface configured with a /30 address will never have proxy-arp as there are only two addresses in this subnet with one being on the SRX interface and the second used by the connected network device. Thus there are no addresses available to proxy-arp for.
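
The three conditions listed in the last reply can be checked before a commit. The following is an added example, not part of the original thread and not Junos code. It assumes a proxy-arp value `A/len` covers the range from `A` to the last address of its prefix (which is what the error message above prints); the peer address `175.14.211.5` and the `198.51.100.0/29` values are constructed.

```python
import ipaddress

def proxy_arp_range(spec):
    """Return (first, last) for a proxy-arp 'address' value.

    Assumption: for A/len the range runs from A to the last address of
    A's prefix, matching the range shown in the commit-check error.
    """
    entry = ipaddress.ip_interface(spec)
    return entry.ip, entry.network.broadcast_address

def check_proxy_arp(interface_spec, proxy_spec, other_hosts=()):
    """Apply the three conditions from the reply; return a list of problems."""
    iface = ipaddress.ip_interface(interface_spec)
    first, last = proxy_arp_range(proxy_spec)
    problems = []
    # 1. Must not include the address configured on the interface itself.
    if first <= iface.ip <= last:
        problems.append("overlaps interface address %s" % iface.ip)
    # 2. Must lie inside the interface's subnet.
    if first not in iface.network or last not in iface.network:
        problems.append("outside interface subnet %s" % iface.network)
    # 3. Must not include addresses used by other devices in the subnet.
    for host in map(ipaddress.ip_address, other_hosts):
        if first <= host <= last:
            problems.append("overlaps address in use by %s" % host)
    return problems

def usable_for_proxy_arp(interface_spec, other_hosts=()):
    """Host addresses in the interface subnet still free for proxy-arp."""
    iface = ipaddress.ip_interface(interface_spec)
    taken = {iface.ip} | {ipaddress.ip_address(h) for h in other_hosts}
    return [h for h in iface.network.hosts() if h not in taken]

if __name__ == "__main__":
    # Values from the thread; the peer address is constructed.
    print(check_proxy_arp("175.14.211.6/30", "175.14.211.6/30"))
    print(usable_for_proxy_arp("175.14.211.6/30", ["175.14.211.5"]))
    # Constructed /29 where spare addresses exist.
    print(check_proxy_arp("198.51.100.1/29", "198.51.100.3/32"))
    print(usable_for_proxy_arp("198.51.100.1/29", ["198.51.100.2"]))
```

For the /30 in the thread the second call returns an empty list, which is the point the reply makes: no address is left to proxy-arp for.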