Hopefully someone can help as I am probably overlooking something simple but cannot see what it might be.
Trying to set up a new SRX100 to handle traffic for a few servers and services.
We have Verizon DSL with a static 5 IP block xxx.yyy.zzz.96/29. Not sure if it's a configuration or ISP issue.
I think I've followed the available guides for setting up destination/source NAT and proxy-arp (configuration attached).
It seems like the issue is that the SRX is not responding to ARP packets from the ISP.
monitor traffic interface fe-0/0/0 no-resolve results in the following typical traffic:
11:53:55.078933 In arp who-has xxx.yyy.zzz.102 tell 71.97.229.1
12:01:06.441713 Out arp who-has xxx.yyy.zzz.1 tell xxx.yyy.zzz.100
12:01:06.474174 In arp reply xxx.yyy.zzz.1 is-at 00:90:1a:##:##:##
12:02:23.652737 In arp who-has xxx.yyy.zzz.101 tell 71.97.229.1
12:02:23.664796 In arp who-has xxx.yyy.zzz.102 tell 71.97.229.1
12:02:25.021807 In arp who-has xxx.yyy.zzz.101 tell 71.97.229.1
After a commit (with fe-0/0/0 using the .100 address) the router gARPs for .100 but never answers ARP requests for the others.
11:39:30.130639 In arp who-has xxx.yyy.zzz.102 tell 71.97.229.1
11:39:34.817498 Out arp who-has xxx.yyy.zzz.1 tell xxx.yyy.zzz.100
11:39:34.852059 In arp reply xxx.yyy.zzz.1 is-at 00:90:1a:##:##:##
11:39:35.125046 In arp who-has xxx.yyy.zzz.101 tell 71.97.229.1
11:39:40.818704 Out arp who-has xxx.yyy.zzz.100 tell xxx.yyy.zzz.100
11:39:45.126235 In arp who-has xxx.yyy.zzz.101 tell 71.97.229.1
11:39:45.126477 In arp who-has xxx.yyy.zzz.102 tell 71.97.229.1
Show route output:
inet.0: 8 destinations, 8 routes (7 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 00:31:37
> to xxx.yyy.zzz.1 via fe-0/0/0.0
xxx.yyy.zzz.0/24 *[Direct/0] 00:31:37
> via fe-0/0/0.0
xxx.yyy.zzz.100/32 *[Local/0] 00:31:37
Local via fe-0/0/0.0
xxx.yyy.zzz.101/32 *[Static/1] 00:31:37
Discard
xxx.yyy.zzz.102/32 *[Static/1] 00:31:37
Discard
192.168.2.0/24 *[Direct/0] 5d 02:54:27
> via vlan.0
192.168.2.3/32 *[Local/0] 5d 02:54:54
Local via vlan.0
If I manually change fe-0/0/0.0 to the other two addresses (.101 and .102) the router will gARP for those and traffic to all three addresses (.100, .101, .102) is directed to the SRX for the few hours it takes Verizon to drop the ARP entry.
During the time traffic is directed at the SRX, "show security nat destination pool all" shows increasing translation hits.
Show route output after setting fe-0/0/0 to .101 address and proxy-arp set for .100 and .102:
inet.0: 8 destinations, 8 routes (7 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0 *[Static/5] 01:12:17
> to xxx.yyy.zzz.1 via fe-0/0/0.0
xxx.yyy.zzz.0/24 *[Direct/0] 00:00:05
> via fe-0/0/0.0
xxx.yyy.zzz.100/32 *[Static/1] 00:00:05
Discard
xxx.yyy.zzz.101/32 *[Local/0] 00:00:05
Local via fe-0/0/0.0
xxx.yyy.zzz.102/32 *[Static/1] 00:00:05
Discard
192.168.2.0/24 *[Direct/0] 5d 03:35:07
> via vlan.0
192.168.2.3/32 *[Local/0] 5d 03:35:34
Local via vlan.0
Thanks for your assistance!
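
Added example, not part of the original post: a small Python script that reads `monitor traffic` ARP lines in the format shown above and lists which addresses were asked for on the wire but never answered by the device, plus which addresses it announced with gratuitous ARP. The sample capture is constructed with documentation-range addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the capture format shown above; the addresses and MAC
# are documentation-range placeholders, not the poster's.
SAMPLE = """\
11:39:30.130639 In arp who-has 203.0.113.102 tell 198.51.100.1
11:39:34.817498 Out arp who-has 203.0.113.1 tell 203.0.113.100
11:39:34.852059 In arp reply 203.0.113.1 is-at 00:00:5e:00:53:01
11:39:35.125046 In arp who-has 203.0.113.101 tell 198.51.100.1
11:39:40.818704 Out arp who-has 203.0.113.100 tell 203.0.113.100
11:39:45.126235 In arp who-has 203.0.113.101 tell 198.51.100.1
11:39:45.126477 In arp who-has 203.0.113.102 tell 198.51.100.1
"""

# Matches either "who-has <target> tell <asker>" or "reply <ip> is-at <mac>".
ARP_LINE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<dir>In|Out)\s+arp\s+"
    r"(?:who-has\s+(?P<target>\S+)\s+tell\s+(?P<asker>\S+)"
    r"|reply\s+(?P<ip>\S+)\s+is-at\s+(?P<mac>\S+))"
)

def parse(capture):
    """Yield one dict per ARP line; lines that are not ARP are skipped."""
    for line in capture.splitlines():
        m = ARP_LINE.search(line)
        if m:
            yield m.groupdict()

def gratuitous_arps(capture):
    """Addresses the device announced itself (outbound who-has X tell X)."""
    return {e["target"] for e in parse(capture)
            if e["dir"] == "Out" and e["target"] and e["target"] == e["asker"]}

def unanswered_targets(capture):
    """Map each address requested inbound to its request count, keeping only
    addresses for which no outbound ARP reply appears in the capture."""
    asked, answered = Counter(), set()
    for e in parse(capture):
        if e["dir"] == "In" and e["target"]:
            asked[e["target"]] += 1
        elif e["dir"] == "Out" and e["ip"]:
            answered.add(e["ip"])
    return {ip: n for ip, n in asked.items() if ip not in answered}

if __name__ == "__main__":
    for ip, n in sorted(unanswered_targets(SAMPLE).items()):
        print(f"{ip}: {n} inbound who-has, no reply sent")
    print("gratuitous ARP sent for:", sorted(gratuitous_arps(SAMPLE)))
```
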