SRX

Good Afternoon!!

In our organization, we currently use port forwarding to provide external access to printers at our geographically spread out sites.  No S2S VPN's in use.

This is fine when it's just one device, but I'm having some issues in setting up access to more than one device.

I've used the Juniper KB as my base.  Destination NAT

However, I did find that setting up as they demonstrate did not with with proxy arp.  Their statement essentially has you use your WAN IP on the interface.  When i've tried configuring this as demonstrated below, it errors out stating that you can't use this IP since it's already configured on the interface.

set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32

As a  result, I use the local IP of the device i'm trying to access - set security nat proxy-arp interface ge-0/0/1.0 address 172.18.160.85/32

That all being said,  when trying to setup two devices, I'm not sure what to do with the proxy-arp statement.  I've tried including two proxy-arp statements with the same interface, but it doesn't work and only allows access into one device.  Has anyone setup a similar design to this who has it working?

Proxy arp is only needed when you are using an ip address that is NOT configured on the physical interface but is in the same subnet.

For ip addresses configured on the interface the arp reply when that ip is used is part of the standard practice.

Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 05-31-2024 15:31
From: NICHOLAS MARSZALKOWSKI
Subject: DNAT for port forwarding multiple devices

Good Afternoon!!

In our organization, we currently use port forwarding to provide external access to printers at our geographically spread out sites.  No S2S VPN's in use.

This is fine when it's just one device, but I'm having some issues in setting up access to more than one device.

I've used the Juniper KB as my base.  Destination NAT

However, I did find that setting up as they demonstrate did not with with proxy arp.  Their statement essentially has you use your WAN IP on the interface.  When i've tried configuring this as demonstrated below, it errors out stating that you can't use this IP since it's already configured on the interface.

set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32

As a  result, I use the local IP of the device i'm trying to access - set security nat proxy-arp interface ge-0/0/1.0 address 172.18.160.85/32

That all being said,  when trying to setup two devices, I'm not sure what to do with the proxy-arp statement.  I've tried including two proxy-arp statements with the same interface, but it doesn't work and only allows access into one device.  Has anyone setup a similar design to this who has it working?

------------------------------
NICHOLAS MARSZALKOWSKI
------------------------------

"Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address" This issue I'm running into is that I have more than one internal address. 

Here's what I have running.  One proxy-arp entry, but two internal devices that I'm trying to  connect to.   I tried with two entries, but didn't see any behavioral differences.   WAN IP changed for obvious reasons.   With the configuration below, I can get to my printer at 12.12.12.12:4443 but trying to get to my switch at 12.12.12.12:11443 just times out, which is the opposite of what I would have expected.

set security nat destination pool dst-nat-pool-1 address 172.18.160.85/32
set security nat destination pool dst-nat-pool-1 address port 443

set security nat destination pool switch address 172.18.162.140/32
set security nat destination pool switch address port 443

set security nat destination rule-set rs1 from zone WAN2-Static
set security nat destination rule-set rs1 rule r1 match destination-address 12.12.12.12
set security nat destination rule-set rs1 rule r1 match destination-port 4443
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat destination rule-set rs1 rule r2 match destination-address  12.12.12.12
set security nat destination rule-set rs1 rule r2 match destination-port 11443
set security nat destination rule-set rs1 rule r2 then destination-nat pool switch
set security nat proxy-arp interface ge-0/0/1.0 address 172.18.162.140/32

set security address-book global address Printer1 172.18.160.85/32
set security address-book global address switch 172.18.162.140/32
set security policies from-zone WAN2-Static to-zone LAN policy server-access match source-address any
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address Printer1
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address switch
set security policies from-zone WAN2-Static to-zone LAN policy server-access match application any
set security policies from-zone WAN2-Static to-zone LAN policy server-access then permit

------------------------------
NICHOLAS MARSZALKOWSKI

Original Message:
Sent: 05-31-2024 20:18
From: spuluka
Subject: DNAT for port forwarding multiple devices

Proxy arp is only needed when you are using an ip address that is NOT configured on the physical interface but is in the same subnet.

For ip addresses configured on the interface the arp reply when that ip is used is part of the standard practice.

Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 05-31-2024 15:31
From: NICHOLAS MARSZALKOWSKI
Subject: DNAT for port forwarding multiple devices

Good Afternoon!!

In our organization, we currently use port forwarding to provide external access to printers at our geographically spread out sites.  No S2S VPN's in use.

This is fine when it's just one device, but I'm having some issues in setting up access to more than one device.

I've used the Juniper KB as my base.  Destination NAT

However, I did find that setting up as they demonstrate did not with with proxy arp.  Their statement essentially has you use your WAN IP on the interface.  When i've tried configuring this as demonstrated below, it errors out stating that you can't use this IP since it's already configured on the interface.

set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32

As a  result, I use the local IP of the device i'm trying to access - set security nat proxy-arp interface ge-0/0/1.0 address 172.18.160.85/32

That all being said,  when trying to setup two devices, I'm not sure what to do with the proxy-arp statement.  I've tried including two proxy-arp statements with the same interface, but it doesn't work and only allows access into one device.  Has anyone setup a similar design to this who has it working?

------------------------------
NICHOLAS MARSZALKOWSKI
------------------------------

If I follow your example correctly you have the proxy arp configured on the wrong side of the nat.

The proxy arp is used with the public address on the inbound interface where the public ip would be configured not on the nat changed private address.

"Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address" This issue I'm running into is that I have more than one internal address. 

Here's what I have running.  One proxy-arp entry, but two internal devices that I'm trying to  connect to.   I tried with two entries, but didn't see any behavioral differences.   WAN IP changed for obvious reasons.   With the configuration below, I can get to my printer at 12.12.12.12:4443 but trying to get to my switch at 12.12.12.12:11443 just times out, which is the opposite of what I would have expected.

set security nat destination pool dst-nat-pool-1 address 172.18.160.85/32
set security nat destination pool dst-nat-pool-1 address port 443

set security nat destination pool switch address 172.18.162.140/32
set security nat destination pool switch address port 443

set security nat destination rule-set rs1 from zone WAN2-Static
set security nat destination rule-set rs1 rule r1 match destination-address 12.12.12.12
set security nat destination rule-set rs1 rule r1 match destination-port 4443
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat destination rule-set rs1 rule r2 match destination-address  12.12.12.12
set security nat destination rule-set rs1 rule r2 match destination-port 11443
set security nat destination rule-set rs1 rule r2 then destination-nat pool switch
set security nat proxy-arp interface ge-0/0/1.0 address 172.18.162.140/32

set security address-book global address Printer1 172.18.160.85/32
set security address-book global address switch 172.18.162.140/32
set security policies from-zone WAN2-Static to-zone LAN policy server-access match source-address any
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address Printer1
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address switch
set security policies from-zone WAN2-Static to-zone LAN policy server-access match application any
set security policies from-zone WAN2-Static to-zone LAN policy server-access then permit

------------------------------
NICHOLAS MARSZALKOWSKI

Original Message:
Sent: 05-31-2024 20:18
From: spuluka
Subject: DNAT for port forwarding multiple devices

Proxy arp is only needed when you are using an ip address that is NOT configured on the physical interface but is in the same subnet.

For ip addresses configured on the interface the arp reply when that ip is used is part of the standard practice.

Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 05-31-2024 15:31
From: NICHOLAS MARSZALKOWSKI
Subject: DNAT for port forwarding multiple devices

Good Afternoon!!

In our organization, we currently use port forwarding to provide external access to printers at our geographically spread out sites.  No S2S VPN's in use.

This is fine when it's just one device, but I'm having some issues in setting up access to more than one device.

I've used the Juniper KB as my base.  Destination NAT

However, I did find that setting up as they demonstrate did not with with proxy arp.  Their statement essentially has you use your WAN IP on the interface.  When i've tried configuring this as demonstrated below, it errors out stating that you can't use this IP since it's already configured on the interface.

set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32

As a  result, I use the local IP of the device i'm trying to access - set security nat proxy-arp interface ge-0/0/1.0 address 172.18.160.85/32

That all being said,  when trying to setup two devices, I'm not sure what to do with the proxy-arp statement.  I've tried including two proxy-arp statements with the same interface, but it doesn't work and only allows access into one device.  Has anyone setup a similar design to this who has it working?

------------------------------
NICHOLAS MARSZALKOWSKI
------------------------------

Thank you for your help.  I know that using the public address is what Juniper suggests in their KB. 

However, I started using the inside IP because when i use the public IP, I get this error.

[edit security nat proxy-arp interface ge-0/0/1.0] Proxy ARP IP address range [12.12.12.12 12.12.12.12] overlaps with interface IP address range [12.12.12.12 12.12.12.12] defined on interface 'ge-0/0/1.0'

Penny for your thoughts?

If I follow your example correctly you have the proxy arp configured on the wrong side of the nat.

The proxy arp is used with the public address on the inbound interface where the public ip would be configured not on the nat changed private address.

"Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address" This issue I'm running into is that I have more than one internal address. 

Here's what I have running.  One proxy-arp entry, but two internal devices that I'm trying to  connect to.   I tried with two entries, but didn't see any behavioral differences.   WAN IP changed for obvious reasons.   With the configuration below, I can get to my printer at 12.12.12.12:4443 but trying to get to my switch at 12.12.12.12:11443 just times out, which is the opposite of what I would have expected.

set security nat destination pool dst-nat-pool-1 address 172.18.160.85/32
set security nat destination pool dst-nat-pool-1 address port 443

set security nat destination pool switch address 172.18.162.140/32
set security nat destination pool switch address port 443

set security nat destination rule-set rs1 from zone WAN2-Static
set security nat destination rule-set rs1 rule r1 match destination-address 12.12.12.12
set security nat destination rule-set rs1 rule r1 match destination-port 4443
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat destination rule-set rs1 rule r2 match destination-address  12.12.12.12
set security nat destination rule-set rs1 rule r2 match destination-port 11443
set security nat destination rule-set rs1 rule r2 then destination-nat pool switch
set security nat proxy-arp interface ge-0/0/1.0 address 172.18.162.140/32

set security address-book global address Printer1 172.18.160.85/32
set security address-book global address switch 172.18.162.140/32
set security policies from-zone WAN2-Static to-zone LAN policy server-access match source-address any
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address Printer1
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address switch
set security policies from-zone WAN2-Static to-zone LAN policy server-access match application any
set security policies from-zone WAN2-Static to-zone LAN policy server-access then permit

------------------------------
NICHOLAS MARSZALKOWSKI

Original Message:
Sent: 05-31-2024 20:18
From: spuluka
Subject: DNAT for port forwarding multiple devices

Proxy arp is only needed when you are using an ip address that is NOT configured on the physical interface but is in the same subnet.

For ip addresses configured on the interface the arp reply when that ip is used is part of the standard practice.

Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 05-31-2024 15:31
From: NICHOLAS MARSZALKOWSKI
Subject: DNAT for port forwarding multiple devices

Good Afternoon!!

In our organization, we currently use port forwarding to provide external access to printers at our geographically spread out sites.  No S2S VPN's in use.

This is fine when it's just one device, but I'm having some issues in setting up access to more than one device.

I've used the Juniper KB as my base.  Destination NAT

However, I did find that setting up as they demonstrate did not with with proxy arp.  Their statement essentially has you use your WAN IP on the interface.  When i've tried configuring this as demonstrated below, it errors out stating that you can't use this IP since it's already configured on the interface.

set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32

As a  result, I use the local IP of the device i'm trying to access - set security nat proxy-arp interface ge-0/0/1.0 address 172.18.160.85/32

That all being said,  when trying to setup two devices, I'm not sure what to do with the proxy-arp statement.  I've tried including two proxy-arp statements with the same interface, but it doesn't work and only allows access into one device.  Has anyone setup a similar design to this who has it working?

------------------------------
NICHOLAS MARSZALKOWSKI
------------------------------

Proxy arp is not needed for the ip address assigned to the interface itself.  That will arp as part of the normal configuration.

Proxy arp is for ip addresses within the same subnet of the interface but not actually configured on the interface.  Meaning the ip on the interface will arp as a proxy for the empty not configured ip address.

Thank you for your help.  I know that using the public address is what Juniper suggests in their KB. 

However, I started using the inside IP because when i use the public IP, I get this error.

[edit security nat proxy-arp interface ge-0/0/1.0] Proxy ARP IP address range [12.12.12.12 12.12.12.12] overlaps with interface IP address range [12.12.12.12 12.12.12.12] defined on interface 'ge-0/0/1.0'

Penny for your thoughts?

If I follow your example correctly you have the proxy arp configured on the wrong side of the nat.

The proxy arp is used with the public address on the inbound interface where the public ip would be configured not on the nat changed private address.

"Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address" This issue I'm running into is that I have more than one internal address. 

Here's what I have running.  One proxy-arp entry, but two internal devices that I'm trying to  connect to.   I tried with two entries, but didn't see any behavioral differences.   WAN IP changed for obvious reasons.   With the configuration below, I can get to my printer at 12.12.12.12:4443 but trying to get to my switch at 12.12.12.12:11443 just times out, which is the opposite of what I would have expected.

set security nat destination pool dst-nat-pool-1 address 172.18.160.85/32
set security nat destination pool dst-nat-pool-1 address port 443

set security nat destination pool switch address 172.18.162.140/32
set security nat destination pool switch address port 443

set security nat destination rule-set rs1 from zone WAN2-Static
set security nat destination rule-set rs1 rule r1 match destination-address 12.12.12.12
set security nat destination rule-set rs1 rule r1 match destination-port 4443
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat destination rule-set rs1 rule r2 match destination-address  12.12.12.12
set security nat destination rule-set rs1 rule r2 match destination-port 11443
set security nat destination rule-set rs1 rule r2 then destination-nat pool switch
set security nat proxy-arp interface ge-0/0/1.0 address 172.18.162.140/32

set security address-book global address Printer1 172.18.160.85/32
set security address-book global address switch 172.18.162.140/32
set security policies from-zone WAN2-Static to-zone LAN policy server-access match source-address any
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address Printer1
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address switch
set security policies from-zone WAN2-Static to-zone LAN policy server-access match application any
set security policies from-zone WAN2-Static to-zone LAN policy server-access then permit

------------------------------
NICHOLAS MARSZALKOWSKI

Original Message:
Sent: 05-31-2024 20:18
From: spuluka
Subject: DNAT for port forwarding multiple devices

Proxy arp is only needed when you are using an ip address that is NOT configured on the physical interface but is in the same subnet.

For ip addresses configured on the interface the arp reply when that ip is used is part of the standard practice.

Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 05-31-2024 15:31
From: NICHOLAS MARSZALKOWSKI
Subject: DNAT for port forwarding multiple devices

Good Afternoon!!

In our organization, we currently use port forwarding to provide external access to printers at our geographically spread out sites.  No S2S VPN's in use.

This is fine when it's just one device, but I'm having some issues in setting up access to more than one device.

I've used the Juniper KB as my base.  Destination NAT

However, I did find that setting up as they demonstrate did not with with proxy arp.  Their statement essentially has you use your WAN IP on the interface.  When i've tried configuring this as demonstrated below, it errors out stating that you can't use this IP since it's already configured on the interface.

set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32

As a  result, I use the local IP of the device i'm trying to access - set security nat proxy-arp interface ge-0/0/1.0 address 172.18.160.85/32

That all being said,  when trying to setup two devices, I'm not sure what to do with the proxy-arp statement.  I've tried including two proxy-arp statements with the same interface, but it doesn't work and only allows access into one device.  Has anyone setup a similar design to this who has it working?

------------------------------
NICHOLAS MARSZALKOWSKI
------------------------------

We only own the 1 public IP in most situations.  If I proxy arp for another interface in the same subnet as our WAN interface IP, it would not be something we own.

What would you recommend as a configuration change to allow access to more than one inside device?

Proxy arp is not needed for the ip address assigned to the interface itself.  That will arp as part of the normal configuration.

Proxy arp is for ip addresses within the same subnet of the interface but not actually configured on the interface.  Meaning the ip on the interface will arp as a proxy for the empty not configured ip address.

Thank you for your help.  I know that using the public address is what Juniper suggests in their KB. 

However, I started using the inside IP because when i use the public IP, I get this error.

[edit security nat proxy-arp interface ge-0/0/1.0] Proxy ARP IP address range [12.12.12.12 12.12.12.12] overlaps with interface IP address range [12.12.12.12 12.12.12.12] defined on interface 'ge-0/0/1.0'

Penny for your thoughts?

If I follow your example correctly you have the proxy arp configured on the wrong side of the nat.

The proxy arp is used with the public address on the inbound interface where the public ip would be configured not on the nat changed private address.

"Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address" This issue I'm running into is that I have more than one internal address. 

Here's what I have running.  One proxy-arp entry, but two internal devices that I'm trying to  connect to.   I tried with two entries, but didn't see any behavioral differences.   WAN IP changed for obvious reasons.   With the configuration below, I can get to my printer at 12.12.12.12:4443 but trying to get to my switch at 12.12.12.12:11443 just times out, which is the opposite of what I would have expected.

set security nat destination pool dst-nat-pool-1 address 172.18.160.85/32
set security nat destination pool dst-nat-pool-1 address port 443

set security nat destination pool switch address 172.18.162.140/32
set security nat destination pool switch address port 443

set security nat destination rule-set rs1 from zone WAN2-Static
set security nat destination rule-set rs1 rule r1 match destination-address 12.12.12.12
set security nat destination rule-set rs1 rule r1 match destination-port 4443
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat destination rule-set rs1 rule r2 match destination-address  12.12.12.12
set security nat destination rule-set rs1 rule r2 match destination-port 11443
set security nat destination rule-set rs1 rule r2 then destination-nat pool switch
set security nat proxy-arp interface ge-0/0/1.0 address 172.18.162.140/32

set security address-book global address Printer1 172.18.160.85/32
set security address-book global address switch 172.18.162.140/32
set security policies from-zone WAN2-Static to-zone LAN policy server-access match source-address any
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address Printer1
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address switch
set security policies from-zone WAN2-Static to-zone LAN policy server-access match application any
set security policies from-zone WAN2-Static to-zone LAN policy server-access then permit

------------------------------
NICHOLAS MARSZALKOWSKI

Original Message:
Sent: 05-31-2024 20:18
From: spuluka
Subject: DNAT for port forwarding multiple devices

Proxy arp is only needed when you are using an ip address that is NOT configured on the physical interface but is in the same subnet.

For ip addresses configured on the interface the arp reply when that ip is used is part of the standard practice.

Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 05-31-2024 15:31
From: NICHOLAS MARSZALKOWSKI
Subject: DNAT for port forwarding multiple devices

Good Afternoon!!

In our organization, we currently use port forwarding to provide external access to printers at our geographically spread out sites.  No S2S VPN's in use.

This is fine when it's just one device, but I'm having some issues in setting up access to more than one device.

I've used the Juniper KB as my base.  Destination NAT

However, I did find that setting up as they demonstrate did not with with proxy arp.  Their statement essentially has you use your WAN IP on the interface.  When i've tried configuring this as demonstrated below, it errors out stating that you can't use this IP since it's already configured on the interface.

set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32

As a  result, I use the local IP of the device i'm trying to access - set security nat proxy-arp interface ge-0/0/1.0 address 172.18.160.85/32

That all being said,  when trying to setup two devices, I'm not sure what to do with the proxy-arp statement.  I've tried including two proxy-arp statements with the same interface, but it doesn't work and only allows access into one device.  Has anyone setup a similar design to this who has it working?

------------------------------
NICHOLAS MARSZALKOWSKI
------------------------------

In the application where you configure printer addresses to print to, can you specify a port number, or just an IP address?

If you can specify port numbers, then you can have different NAT rules matching the same public IP, but different port numbers and direct traffic to different printers based on the port number.

If you cannot specify port numbers, then you're stuck to one printer per public IP address. The only workaround I can think of is if the application that uses the printers is also behind a VPN-capable device (or at least tunnel-capable device). If it is, then you can set up a VPN or GRE tunnel between the two devices, and then you'll be able to use private IP addresses.

We only own the 1 public IP in most situations.  If I proxy arp for another interface in the same subnet as our WAN interface IP, it would not be something we own.

What would you recommend as a configuration change to allow access to more than one inside device?

Proxy arp is not needed for the ip address assigned to the interface itself.  That will arp as part of the normal configuration.

Proxy arp is for ip addresses within the same subnet of the interface but not actually configured on the interface.  Meaning the ip on the interface will arp as a proxy for the empty not configured ip address.

Thank you for your help.  I know that using the public address is what Juniper suggests in their KB. 

However, I started using the inside IP because when i use the public IP, I get this error.

[edit security nat proxy-arp interface ge-0/0/1.0] Proxy ARP IP address range [12.12.12.12 12.12.12.12] overlaps with interface IP address range [12.12.12.12 12.12.12.12] defined on interface 'ge-0/0/1.0'

Penny for your thoughts?

If I follow your example correctly you have the proxy arp configured on the wrong side of the nat.

The proxy arp is used with the public address on the inbound interface where the public ip would be configured not on the nat changed private address.

"Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address" This issue I'm running into is that I have more than one internal address. 

Here's what I have running.  One proxy-arp entry, but two internal devices that I'm trying to  connect to.   I tried with two entries, but didn't see any behavioral differences.   WAN IP changed for obvious reasons.   With the configuration below, I can get to my printer at 12.12.12.12:4443 but trying to get to my switch at 12.12.12.12:11443 just times out, which is the opposite of what I would have expected.

set security nat destination pool dst-nat-pool-1 address 172.18.160.85/32
set security nat destination pool dst-nat-pool-1 address port 443

set security nat destination pool switch address 172.18.162.140/32
set security nat destination pool switch address port 443

set security nat destination rule-set rs1 from zone WAN2-Static
set security nat destination rule-set rs1 rule r1 match destination-address 12.12.12.12
set security nat destination rule-set rs1 rule r1 match destination-port 4443
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat destination rule-set rs1 rule r2 match destination-address  12.12.12.12
set security nat destination rule-set rs1 rule r2 match destination-port 11443
set security nat destination rule-set rs1 rule r2 then destination-nat pool switch
set security nat proxy-arp interface ge-0/0/1.0 address 172.18.162.140/32

set security address-book global address Printer1 172.18.160.85/32
set security address-book global address switch 172.18.162.140/32
set security policies from-zone WAN2-Static to-zone LAN policy server-access match source-address any
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address Printer1
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address switch
set security policies from-zone WAN2-Static to-zone LAN policy server-access match application any
set security policies from-zone WAN2-Static to-zone LAN policy server-access then permit

------------------------------
NICHOLAS MARSZALKOWSKI

Original Message:
Sent: 05-31-2024 20:18
From: spuluka
Subject: DNAT for port forwarding multiple devices

Proxy arp is only needed when you are using an ip address that is NOT configured on the physical interface but is in the same subnet.

For ip addresses configured on the interface the arp reply when that ip is used is part of the standard practice.

Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 05-31-2024 15:31
From: NICHOLAS MARSZALKOWSKI
Subject: DNAT for port forwarding multiple devices

Good Afternoon!!

In our organization, we currently use port forwarding to provide external access to printers at our geographically spread out sites.  No S2S VPN's in use.

This is fine when it's just one device, but I'm having some issues in setting up access to more than one device.

I've used the Juniper KB as my base.  Destination NAT

However, I did find that setting up as they demonstrate did not with with proxy arp.  Their statement essentially has you use your WAN IP on the interface.  When i've tried configuring this as demonstrated below, it errors out stating that you can't use this IP since it's already configured on the interface.

set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32

As a  result, I use the local IP of the device i'm trying to access - set security nat proxy-arp interface ge-0/0/1.0 address 172.18.160.85/32

That all being said,  when trying to setup two devices, I'm not sure what to do with the proxy-arp statement.  I've tried including two proxy-arp statements with the same interface, but it doesn't work and only allows access into one device.  Has anyone setup a similar design to this who has it working?

------------------------------
NICHOLAS MARSZALKOWSKI
------------------------------

Hi Nikolay.  We're not using an application.  Just the web GUI of the printer over HTTPS.

If i'm understanding you correctly, we can't DNAT to multiple devices behind the firewall unless we own multiple public IP addresses. 

Is that accurate?

In the application where you configure printer addresses to print to, can you specify a port number, or just an IP address?

If you can specify port numbers, then you can have different NAT rules matching the same public IP, but different port numbers and direct traffic to different printers based on the port number.

If you cannot specify port numbers, then you're stuck to one printer per public IP address. The only workaround I can think of is if the application that uses the printers is also behind a VPN-capable device (or at least tunnel-capable device). If it is, then you can set up a VPN or GRE tunnel between the two devices, and then you'll be able to use private IP addresses.

We only own the 1 public IP in most situations.  If I proxy arp for another interface in the same subnet as our WAN interface IP, it would not be something we own.

What would you recommend as a configuration change to allow access to more than one inside device?

Proxy arp is not needed for the ip address assigned to the interface itself.  That will arp as part of the normal configuration.

Proxy arp is for ip addresses within the same subnet of the interface but not actually configured on the interface.  Meaning the ip on the interface will arp as a proxy for the empty not configured ip address.

Thank you for your help.  I know that using the public address is what Juniper suggests in their KB. 

However, I started using the inside IP because when i use the public IP, I get this error.

[edit security nat proxy-arp interface ge-0/0/1.0] Proxy ARP IP address range [12.12.12.12 12.12.12.12] overlaps with interface IP address range [12.12.12.12 12.12.12.12] defined on interface 'ge-0/0/1.0'

Penny for your thoughts?

If I follow your example correctly you have the proxy arp configured on the wrong side of the nat.

The proxy arp is used with the public address on the inbound interface where the public ip would be configured not on the nat changed private address.

"Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address" This issue I'm running into is that I have more than one internal address. 

Here's what I have running.  One proxy-arp entry, but two internal devices that I'm trying to  connect to.   I tried with two entries, but didn't see any behavioral differences.   WAN IP changed for obvious reasons.   With the configuration below, I can get to my printer at 12.12.12.12:4443 but trying to get to my switch at 12.12.12.12:11443 just times out, which is the opposite of what I would have expected.

set security nat destination pool dst-nat-pool-1 address 172.18.160.85/32
set security nat destination pool dst-nat-pool-1 address port 443

set security nat destination pool switch address 172.18.162.140/32
set security nat destination pool switch address port 443

set security nat destination rule-set rs1 from zone WAN2-Static
set security nat destination rule-set rs1 rule r1 match destination-address 12.12.12.12
set security nat destination rule-set rs1 rule r1 match destination-port 4443
set security nat destination rule-set rs1 rule r1 then destination-nat pool dst-nat-pool-1
set security nat destination rule-set rs1 rule r2 match destination-address  12.12.12.12
set security nat destination rule-set rs1 rule r2 match destination-port 11443
set security nat destination rule-set rs1 rule r2 then destination-nat pool switch
set security nat proxy-arp interface ge-0/0/1.0 address 172.18.162.140/32

set security address-book global address Printer1 172.18.160.85/32
set security address-book global address switch 172.18.162.140/32
set security policies from-zone WAN2-Static to-zone LAN policy server-access match source-address any
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address Printer1
set security policies from-zone WAN2-Static to-zone LAN policy server-access match destination-address switch
set security policies from-zone WAN2-Static to-zone LAN policy server-access match application any
set security policies from-zone WAN2-Static to-zone LAN policy server-access then permit

------------------------------
NICHOLAS MARSZALKOWSKI

Original Message:
Sent: 05-31-2024 20:18
From: spuluka
Subject: DNAT for port forwarding multiple devices

Proxy arp is only needed when you are using an ip address that is NOT configured on the physical interface but is in the same subnet.

For ip addresses configured on the interface the arp reply when that ip is used is part of the standard practice.

Once proxy arp is configured for a particular additional address the single instance is all that is needed even if more that one port rule is configured against that address.

------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home

Original Message:
Sent: 05-31-2024 15:31
From: NICHOLAS MARSZALKOWSKI
Subject: DNAT for port forwarding multiple devices

Good Afternoon!!

In our organization, we currently use port forwarding to provide external access to printers at our geographically spread out sites.  No S2S VPN's in use.

This is fine when it's just one device, but I'm having some issues in setting up access to more than one device.

I've used the Juniper KB as my base.  Destination NAT

However, I did find that setting up as they demonstrate did not with with proxy arp.  Their statement essentially has you use your WAN IP on the interface.  When i've tried configuring this as demonstrated below, it errors out stating that you can't use this IP since it's already configured on the interface.

set security nat proxy-arp interface ge-0/0/0.0 address 203.0.113.200/32

As a  result, I use the local IP of the device i'm trying to access - set security nat proxy-arp interface ge-0/0/1.0 address 172.18.160.85/32

That all being said,  when trying to setup two devices, I'm not sure what to do with the proxy-arp statement.  I've tried including two proxy-arp statements with the same interface, but it doesn't work and only allows access into one device.  Has anyone setup a similar design to this who has it working?

------------------------------
NICHOLAS MARSZALKOWSKI
------------------------------