I'm sorry if I didn't explain it well. The device is not dual-addressed. It is simply given a public address and I do not do any NAT translation at the SRX. The device is connected to SRX interface ge-0/0/6.0, and this interface is given a private IP address, which is also the default gateway for the device. I have no issues pinging the gateway from the device or sending data from the device out to the internet through the SRX.
The issue is getting data back, and according to the ISP, it's because there is no ARP information for the device's IP address advertised to their router that the SRX is connected to, so the router doesn't know where to send the data. As you said in an earlier post, "If you are using a public address on a device without any NAT you cannot use the same address with proxy arp for NAT on the SRX. This would be an address conflict for that broadcast domain."
So, I need to know how to get the ARP information for the device out to the router, or find some other way of making this work.
Original Message:
Sent: 02-28-2023 12:54
From: spuluka
Subject: public ip without nat
I'm not sure I follow the setup here so forgive me if this is not right.
It sounds like you are dual-addressing a server with both a public and a private IP address but do NOT overlap the two broadcast domains. This would be a non-standard configuration, so I could see why it might stop working after an upgrade.
For the server ARP to reach the upstream ISP device, both would need to be in an interface configured with the same broadcast domain. If both are connected to different SRX interfaces, then policy from untrust to untrust zone (or whatever that external zone name is) could be used to control traffic and NAT behavior.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 02-18-2023 14:51
From: Jerry
Subject: public ip without nat
The ISP is directly connected to ge-0/0/0.0, and the public-addressed resource is connected to ge-0/0/6.0 through a couple of network switches. The default gateway for the resource is a private IP address assigned to the ge-0/0/6.0 interface. There are other devices using this interface as their default gateway, too, but they are set up with NAT. The ge-0/0/0.0 interface is assigned a public IP address as the next hop for the ISP router. The resource, the ISP interface, and the ge-0/0/0.0 interface are all in the same subnet.
I use a rule under security -> nat to disable NAT for the resource (x.x.x.x):
    rule no-nat-security-rule {
        match {
            source-address x.x.x.x/32;
        }
        then {
            source-nat {
                off;
            }
        }
    }
I set a static route to direct the SRX to send traffic to the ge-0/0/6.0 for the resource as well as the default route to the ISP router (x.x.x.y):
    routing-options {
        static {
            route 0.0.0.0/0 next-hop x.x.x.y;
            route x.x.x.x/32 next-hop ge-0/0/6.0;
        }
    }
Do I need to have a rule to allow the ARP from the resource pass through the SRX to the ISP? I'm not sure if that should just happen, or if I could be unintentionally blocking that with my security policies due to a lack of understanding on my part.
Thanks for continuing to stick with me here!
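The configuration below is an added example and is not from any post in this thread. It puts together the pieces discussed above (the no-NAT source rule and the /32 static route Jerry shows, the proxy-ARP approach carstenroenne reports working at the bottom of the thread, and the untrust-to-trust policy the original question asks about) for the topology Jerry describes: the ISP router and ge-0/0/0.0 share a public /29, and the un-NATed host sits in a separate broadcast domain behind ge-0/0/6.0 with a private default gateway. Because the host is not on the ISP-facing segment, the ISP router's ARP request for the host's address has to be answered by the SRX, which is what proxy-arp on ge-0/0/0.0 does (and what the ISP's manual static ARP entry was substituting for). All addresses are RFC 5737 placeholders (203.0.113.1 ISP router, 203.0.113.2 SRX, 203.0.113.10 host, 192.168.6.1/24 inside gateway), and the zone names, rule-set name, address-book entry and policy name are assumptions.

```junos
/* Added example, not from the thread. Addresses are RFC 5737 placeholders:
   203.0.113.0/29 is the ISP-facing /29 (ISP router .1, SRX .2, host .10);
   192.168.6.1/24 is the private gateway on ge-0/0/6.0. Zone names, the
   rule-set name, the address-book name and the policy name are assumed. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 203.0.113.2/29;
            }
        }
    }
    ge-0/0/6 {
        unit 0 {
            family inet {
                address 192.168.6.1/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 203.0.113.1;
        /* Host route: the SRX resolves .10 by ARP on the inside interface
           instead of on the directly connected /29 behind ge-0/0/0.0. */
        route 203.0.113.10/32 next-hop ge-0/0/6.0;
    }
}
security {
    nat {
        /* The SRX answers the ISP router's ARP request for .10 with its own
           ge-0/0/0 MAC. The address must lie in ge-0/0/0.0's subnet and must
           not also be used by a static/destination NAT rule. */
        proxy-arp {
            interface ge-0/0/0.0 {
                address {
                    203.0.113.10/32;
                }
            }
        }
        source {
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                /* Rules match in order: the no-NAT rule must sit above the
                   catch-all interface-NAT rule or the host gets NATed too. */
                rule no-nat-public-host {
                    match {
                        source-address 203.0.113.10/32;
                    }
                    then {
                        source-nat {
                            off;
                        }
                    }
                }
                rule interface-nat {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    zones {
        security-zone untrust {
            interfaces {
                ge-0/0/0.0;
            }
        }
        security-zone trust {
            address-book {
                address public-host 203.0.113.10/32;
            }
            interfaces {
                ge-0/0/6.0 {
                    host-inbound-traffic {
                        system-services {
                            ping;
                        }
                    }
                }
            }
        }
    }
    policies {
        /* Inbound packets are not destination-NATed, so the policy matches
           the real public address. Narrow source/application as needed. */
        from-zone untrust to-zone trust {
            policy allow-to-public-host {
                match {
                    source-address any;
                    destination-address public-host;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After committing, check each hop separately rather than just pinging end to end: `show route 203.0.113.10` should point at ge-0/0/6.0, `show arp interface ge-0/0/6.0` should list the host's MAC against 203.0.113.10, `show security nat source rule all` should show the translation-hit counter climbing on the no-NAT rule (not the interface-NAT rule) when the host sends traffic out, and `show security flow session destination-prefix 203.0.113.10` should show inbound sessions with no translation. On the ISP side, the router's ARP cache should now learn the SRX's ge-0/0/0 MAC for 203.0.113.10 dynamically, so a firewall replacement no longer needs an ISP change; ask them to remove the manual static entry once that is confirmed. A zone-level address-book is used here for brevity; on releases that use a global address-book, define `public-host` there and attach it to the trust zone instead.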
Original Message:
Sent: 02-18-2023 11:02
From: spuluka
Subject: public ip without nat
Could you confirm how the physical cabling is setup?
It sounds like you have the SRX interface, the public addressed resource interface and the ISP interface in the same broadcast domain.
I assume the resource is using the SRX interface as the default gateway.
So for the SRX to control traffic both the ISP and the resource would need to be physically connected to an SRX interface.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 02-17-2023 15:50
From: JERRY GIACINTO
Subject: public ip without nat
To expand... I have a device behind the firewall that I need to not apply NAT to. I have had that configured and connectivity established from outside the firewall for a good year and a half. The connectivity stopped working a couple of weeks ago, but I haven't changed any configs on the firewall or the other device. In the end, I talked to my ISP, and they said they don't have an ARP table entry for the device. I am not an expert at the SRX (one man shop), but I did find out a year and half ago that I could not use proxy arp for NAT for this device, and I figured it was an IP conflict. I reminded myself of that earlier this week when I tried it again. The ISP has currently added a static entry to the ARP table for the MAC of the SRX, but this, of course, is problematic because if I replace the firewall, then I'll have to engage the ISP to change that, and I really shouldn't need to do that.
I don't know what changed on the ISP router that caused the connectivity to go down, and the techs haven't been able to explain it, either. So, the question becomes how do I make sure the ARP information for the internal non-NATed device makes it through to the next hop router that the SRX is connected to on the external interface?
Thank you - Jerry
------------------------------
JERRY GIACINTO
Original Message:
Sent: 02-15-2023 15:20
From: spuluka
Subject: public ip without nat
Could you expand on your exact situation?
If you are using a public address on a device without any NAT you cannot use the same address with proxy arp for NAT on the SRX. This would be an address conflict for that broadcast domain.
------------------------------
Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
http://puluka.com/home
Original Message:
Sent: 02-14-2023 17:30
From: JERRY GIACINTO
Subject: public ip without nat
Hi... I know this is two years old, but can you provide what you did, in some detail, to get this working? When I add a proxy ARP to my config for the un-NATed address, traffic doesn't pass to my device that is not NATed, despite having a static route in my config to direct that traffic to the correct internal interface.
Thank you!
Original Message:
Sent: 01-19-2021 04:56
From: carstenroenne
Subject: public ip without nat
Just wanted to let you know I got it to work with proxy ARP. Thank you.
Original Message:
Sent: 01-04-2021 09:15
From: Unknown User
Subject: public ip without nat
Hi,
I have an SRX-320 with 2 x /29.
The first /29 I use for static/destination NAT, and it's working egress and ingress as desired.
The second /29 I want to use for public IPs behind the firewall without using NAT. This is working egress, but no traffic is received from the internet. How do I set this up?
I've tried to set up some static NAT prefixed with the public IP and rules allowing the respective untrust zone to access a trust zone defined by the second public /29 range, but that's not working. Does anyone know how to get this traffic flowing?
Thank you.