Junos OS


Proxy Arp Question

  • 1.  Proxy Arp Question

    Posted 12-03-2020 19:38
    Hey folks,
    I'm having an issue with a NAT I've built, and I want to know if proxy arp is the correct solution for the problem. 
    The long and the short of the story is that the folks on the other side of a tunnel I have built are trying to connect to some hosts behind a NAT that I have set up.  Their source IP address is 172.16.101.17, which is on their side of the tunnel.  I set up a second destination NAT for devices in a test network (10.70.0.0/16), and I am able to connect to things behind 172.16.101.18 without issue.  Do I need to enable proxy arp for this to work?  I am pretty new to setting up NATs.

    I have details below on how I set this up.  Thank you in advance for your help.

    ec2-user@VSRX1> show configuration interfaces st0.22
    family inet {
        mtu 1436;
        address 172.16.101.18/30;
    }

    source {
        rule-set source_nat_1 {
            from interface st0.22;
            to interface st0.22;
            rule from_tunnel_source_nat {
                match {
                    source-address 172.16.101.17/32;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
        rule-set source_nat_2 {
            from zone test-zone;
            to interface st0.22;
            rule from_test_zone_source_nat {
                match {
                    source-address 10.70.0.0/16;
                }
                then {
                    source-nat {
                        interface;
                    }
                }
            }
        }
    }

    destination {
        pool rdp {
            address 10.133.0.18/32 port 3389;
        }
        pool sftp {
            address 10.133.1.10/32 port 22;
        }
        rule-set dnat_rules {
            from zone tunnel_zone;
            rule rdp {
                match {
                    destination-address 172.16.101.18/32;
                    destination-port {
                        3389;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            rdp;
                        }
                    }
                }
            }
            rule ssh {
                match {
                    destination-address 172.16.101.18/32;
                    destination-port {
                        22;
                    }
                }
                then {
                    destination-nat {
                        pool {
                            sftp;
                        }
                    }
                }
            }
        }
    }


  • 2.  RE: Proxy Arp Question

    Posted 12 days ago
    I am not sure I am understanding your scenario, but proxy ARP is needed whenever you translate to an address in the same subnet that the SRX interface and the host sending traffic towards the SRX belong to, without the address being configured on the SRX's interface.

    In the example below, the real address of HostA is 10.1.1.1, but HostB knows A as 200.1.1.1.  Destination NAT is configured so that when a packet destined for HostA arrives, the DA address is translated from 200.1.1.1 to 10.1.1.1.

    Because HostB has an address in the 200.1.1/24 network,  it assumes that HostA is local and sends an ARP request asking 200.1.1.1 to reply with its MAC address. 

    Without proxy ARP enabled, the ARP message is dropped; address 200.1.1.1 is not assigned to any device:

    With proxy ARP enabled on interface ge-0/0/3, the SRX responds to the ARP request with its own MAC address (on behalf of 200.1.1.1), and HostB is able to encapsulate the IP packet and send it to SRX1, which will translate the DA and send the packet to HostA.


    In the same way, if you had configured SNAT from trust to untrust, when HostA sends a packet to Host B, the source address is translated from 10.1.1.1 to 200.1.1.1. When HostB tries to respond, again it assumes the destination address 200.1.1.1 is local (same problem). 

    [Figure: Without proxy ARP]
    [Figure: With proxy ARP]

    Hopefully this will help you figure out if this is what you need, to solve your problem. 

    Regards, 


    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------
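As an added illustration (not part of either post), the rule in Yasmin's reply can be written as a small check: an address needs a proxy ARP entry when it falls inside an SRX interface's subnet but is not one of that interface's own addresses. It assumes 200.1.1.254/24 as the SRX's address on ge-0/0/3.0 (the reply does not give one) and uses the `set security nat proxy-arp interface ... address ...` statement; the original poster's st0.22 case is included for comparison.

```python
from ipaddress import ip_address, ip_interface

# Constructed model: logical interface -> configured address(es).
INTERFACES = {
    # HostB's segment in the reply; 200.1.1.254 is an assumed SRX address.
    "ge-0/0/3.0": ["200.1.1.254/24"],
    # The original poster's tunnel interface, taken from the first post.
    "st0.22": ["172.16.101.18/30"],
}


def needs_proxy_arp(ifname: str, nat_address: str) -> bool:
    """Return True when hosts on `ifname`'s subnet would ARP for
    `nat_address` and the SRX would not answer on its own.

    Applies to a destination NAT target (HostB sending to 200.1.1.1)
    and equally to a source NAT address HostB replies to.
    """
    target = ip_address(nat_address)
    on_subnet = False
    for cidr in INTERFACES[ifname]:
        intf = ip_interface(cidr)
        if target == intf.ip:
            return False  # the SRX owns the address and answers ARP itself
        if target in intf.network:
            on_subnet = True
    return on_subnet  # on-subnet but unowned: nobody answers without proxy ARP


def proxy_arp_config(ifname: str, nat_addresses) -> list[str]:
    """Junos set commands for the addresses that need proxy ARP on ifname."""
    return [
        f"set security nat proxy-arp interface {ifname} address {addr}/32"
        for addr in nat_addresses
        if needs_proxy_arp(ifname, addr)
    ]


if __name__ == "__main__":
    # Reply's example: 200.1.1.1 is on ge-0/0/3.0's subnet but not configured.
    for line in proxy_arp_config("ge-0/0/3.0", ["200.1.1.1"]):
        print(line)
    # Original poster's DNAT: 172.16.101.18 is st0.22's own address, so the
    # rule yields no proxy ARP entry (and st0 is a point-to-point tunnel
    # interface, which does not use ARP at all).
    print(needs_proxy_arp("st0.22", "172.16.101.18"))
```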