SRX

There is one question, how to organize for JunOS, the following features: 

ISP gave me IP address of the subnet, XX.XX.123.192/28. 
Where 
XX.XX.123.192 - Base address of the network 
XX.XX.123.193 - Gateway, for my device 
XX.XX.123.194/28 - IP Address of my devices 
XX.XX.123.207 - Broadcast address 

There remains a list of addresses 
XX.XX.123.195 on XX.XX.123.206, I would like them to do the following scheme, as it was earlier in the ScreenOS like MIP. 

Tried different variations of NAT, using the manual http://kb.juniper.net/InfoCenter/index?page=content&id=TN25&actp=LIST 
Prescribed additional addresses through proxy-arp. 

Addresses are not working. 

I understand through the proxy-arp, they operate under such a scheme can not. 

Prescribed in his juniper srx 240: 

ge-0/0/0 { 
    unit 0 { 
        family inet { 
            address XX.XX.123.194/28 { 
                primary; 
            } 
            address XX.XX.123.196/28; 
            address XX.XX.123.197/28; 
            address XX.XX.123.198/28; 
            address XX.XX.123.199/28; 
            address XX.XX.123.200/28; 
        } 
    } 
} 

How do I attach them to you for my internal addresses with the appointment of the services? 

How better to do? 

I apologize for my English. 

Hi

1) Do not configure those addresses on the interface ge-0/0/0 (delete them, leave only .194)

2) MIP = Static NAT, so use the manual

http://www.juniper.net/us/en/local/pdf/app-notes/3500152-en.pdf

page 4. Basically, you will need proxy-arp for those additional addresses to be configured on

ge-0/0/0; static nat rule (s); security policy. Examples are in the manual.

If it will not work, paste your full config here so we can see what's wrong.

Hello,

Could you add your zone configuration to see where each interface has been allocated?

Could you give your arp entries on both devices to see if the proxy arp is working normally?

Regards,

Can you post a SRX show route here? There should be a receive route for proxy-arp address similar

tothis one

192.168.65.242/32  *[Static/1] 00:00:05
                                 Receive

If its not there or if netscreen can't get ARP reply from this address (show arp) then probarbly the problem is not in nat configuration. Can netscreen access SRX by its interface ip, by the way?

Please 

inet.0: 8 destinations, 8 routes (7 active, 0 holddown, 1 hidden) + = Active Route, - = Last Active, * = Both

0.0.0.0/0 *[Static/5] 1d 01:33:19 > to XX.XX.123.193 via ge-0/0/0.0

XX.XX.123.192/28 *[Direct/0] 21:19:43 > via ge-0/0/0.0

XX.XX.123.194/32 *[Local/0] 21:19:43 Local via ge-0/0/0.0

XX.XX.123.195/32 *[Static/1] 19:10:20 Receive

192.168.0.0/16 *[Static/5] 23:04:29 > to 192.168.2.1 via vlan.0

192.168.2.0/24 *[Direct/0] 23:04:29 > via vlan.0

192.168.2.2/32 *[Local/0] 23:04:34 Local via vlan.0

Even shows that there is active:

XX.XX.123.194/32 (1 entry, 1 announced)
         * Local Preference: 0
                 Next hop type: Local
                 Address: 0x13c7834
                 Next-hop reference count: 6
                 Next hop:
                 Interface: ge-0/0/0.0
                 State: <Active NoReadvrt Int>
                 Age: 22:20:38
                 Task: IF
                 Announcement bits (1): 4-Resolve tree 1
                 AS path: I

XX.XX.123.195/32 (1 entry, 1 announced)
         * Static Preference: 1
                 Next hop type: Receive
                 Address: 0x13c8050
                 Next-hop reference count: 3
                 State: <Active Int ProxyArp>
                 Age: 20:11:15
                 Task: RPD Unix Domain Server. / var / run / rpd_serv.local
                 Announcement bits (2): 0-KRT 4-Resolve tree 1

So can netscreen ping .194? After pinging .195, what does "show arp" show?

From the outside you can ping the 194 address,

195 is not pinged when the scheme where Ipointed out earlier.

When on the same interface found on all IP addresses to ping all. 

Show arp command shows only the address of the Gateway 193

Do you have l3-interface in vlan-trust configured (should be vlan.0)?

If yes, can you please post the full config once again, please...

Please, my configuration:

Attachment(s)

240.txt   10 KB 1 version

Config looks perfect to me... Can you initiate a continous ping from some external device

(which is on the internet) and check the output of "show security flow session protocol icmp"

to see if sessions corresponding to the pings are there?

Another option would be to use flow traceoptions.

Result in an investment

Attachment(s)

show.txt   1 KB 1 version

Can be there is no policy from the trusted zone in the trusted?

Looks like 192.168.2.20 does not reply to the ping,

1) Is the ping enabled for that address?

2) Does 192.168.2.20 have a route to the internet (i.e., default rout through the SRX)?

To 192.168.2.20 ping address is, and here the route isn't present. Thanks for the decision

I for all network have a route on juniper ns25, want it to replace srx240.

On the switchboard the route by default is registered already: 
0.0.0.0/0 hopnext 192.168.1.1 if I will add one more route 0.0.0.0/0 hopnext  192.168.2.2. How all will work in this case?

Sorry I don't completely understant the scheme of your network and what the switchboard is.

Generally you should have only one default route, not 2 (unless doing multipath or active/backup route).

Policy has added from turst-to-trust, hasn't helped.

Has made ping with srx240:

netscreen@srx-hqekb> ping XX.XX.123.195    

PING XX.XX.123.195 (XX.XX.123.195): 56 data bytes

ping: sendto: Can't assign requested address

ping: sendto: Can't assign requested address

ping: sendto: Can't assign requested address

ping: sendto: Can't assign requested address

ping: sendto: Can't assign requested address

netscreen@srx-hqekb> show security flow session protocol icmp brief    

Session ID: 18236, Policy name: st-mail-dns/5, Timeout: 46, Valid

In: 119.100.173.185/4073 --> XX.XX.123.195/17;icmp, If: ge-0/0/0.0, Pkts: 1, Bytes: 28 

Out: 192.168.2.20/17 --> 119.100.173.185/4073;icmp, If: vlan.0, Pkts: 0, Bytes: 0

Total sessions: 1

Why that is palmed off what that other 119.100.173.185 address