Juniper SRX NAT using Proxy ARP (Not Interface Address)

NAT on JUNOS is better structured (IMO) than on IOS and IOS-like platforms, but it's still a different world. Here's a short guide to setting up source NAT for packets moving from the Trust security zone to the Untrust security zone using a dedicated "NAT address" rather than the Untrust interface address. Proxy ARP is the key: the NAT address lives in the Untrust interface's subnet but is not assigned to the interface, so the SRX will not answer ARP requests for it unless you tell it to, and return traffic from the upstream router never arrives. It's the piece you usually forget to configure and then scratch your head about why it's not working. If the NAT address is outside the Untrust subnet, proxy ARP won't help; the upstream router needs a route for that address pointing at the SRX instead. This can easily be expanded into a pool of multiple NAT addresses if you need more IPs on the "Outside". Note that the security policy below permits any source, destination and application from Trust to Untrust; tighten it to what your network actually needs.

elombera
June 21, 2012
NAT_IP_ADDRESS: The IP address you want inside sources to NAT to. It must be a free host address in the Untrust interface's subnet.

UNTRUST_INTERFACE: JUNOS style interface name, ie: "ge-0/0/0"

TRUST_INTERFACE: JUNOS style interface name, ie: "ge-0/0/1"

UNTRUST_IP_ADDRESS: IP address of the Untrust interface, a.b.c.d

UNTRUST_IP_MASK_LENGTH: Bit length of the mask, ie "24" for a /24

TRUST_IP_ADDRESS: IP address of the Trust interface, a.b.c.d

TRUST_IP_MASK_LENGTH: Bit length of the mask, ie "24" for a /24

security {
	nat {
		source {
			/* The dedicated NAT address; add more addresses here for a pool */
			pool src-nat-pool-1 {
				address {
					%{NAT_IP_ADDRESS}%/32;
				}
			}
			/* Translate everything leaving trust for untrust to the pool */
			rule-set rs1 {
				from zone trust;
				to zone untrust;
				rule r1 {
					match {
						source-address any;
					}
					then {
						source-nat {
							pool {
								src-nat-pool-1;
							}
						}
					}
				}
			}
		}
	}
	/* Answer ARP for the NAT address on the untrust segment; without this, return traffic never reaches the SRX */
	proxy-arp {
		interface %{UNTRUST_INTERFACE}%.0 {
			address {
				%{NAT_IP_ADDRESS}%/32;
			}
		}
	}
	zones {
		security-zone untrust {
			interface %{UNTRUST_INTERFACE}%.0;
		}
		security-zone trust {
			interface %{TRUST_INTERFACE}%.0;
		}
	}
	policies {
		/* Wide-open outbound policy; narrow source-address and application in production */
		from-zone trust to-zone untrust {
			policy internet-access {
				match {
					source-address any;
					destination-address any;
					application any;
				}
				then {
					permit;
				}
			}
		}
	}
}
interfaces {
	%{UNTRUST_INTERFACE}% {
		unit 0 {
			family inet {
				address %{UNTRUST_IP_ADDRESS}%/%{UNTRUST_IP_MASK_LENGTH}%;
			}
		}
	}
	%{TRUST_INTERFACE}% {
		unit 0 {
			family inet {
				address %{TRUST_IP_ADDRESS}%/%{TRUST_IP_MASK_LENGTH}%;
			}
		}
	}
}
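The one thing that bites people with this template is filling it in with a NAT address that proxy ARP cannot serve: the interface address itself, an address from a different subnet, or the broadcast address. The following Python script is an added example, not part of the original template or of Junos, that fills the %{VAR}% placeholders the template uses and refuses to emit a config unless the NAT address is a free host address inside the Untrust subnet. The template text inside it is trimmed to the NAT pool, proxy-arp and Untrust interface stanzas, and the sample values are constructed from RFC 5737 documentation prefixes.

```python
import ipaddress
import re

# Added example, not the template page's own code. The template below is the
# page's template trimmed to the stanzas the checks concern.
TEMPLATE = """\
security {
    nat {
        source {
            pool src-nat-pool-1 {
                address {
                    %{NAT_IP_ADDRESS}%/32;
                }
            }
        }
    }
    proxy-arp {
        interface %{UNTRUST_INTERFACE}%.0 {
            address {
                %{NAT_IP_ADDRESS}%/32;
            }
        }
    }
}
interfaces {
    %{UNTRUST_INTERFACE}% {
        unit 0 {
            family inet {
                address %{UNTRUST_IP_ADDRESS}%/%{UNTRUST_IP_MASK_LENGTH}%;
            }
        }
    }
}
"""

PLACEHOLDER = re.compile(r"%\{([A-Z_]+)\}%")


def check_nat_placement(values):
    """Return the reasons the filled-in template would not work; empty is good.

    Empty means the NAT address is a free host address inside the Untrust
    subnet, which is exactly the case proxy ARP is for.
    """
    problems = []
    nat_ip = ipaddress.ip_address(values["NAT_IP_ADDRESS"])
    untrust = ipaddress.ip_interface(
        f"{values['UNTRUST_IP_ADDRESS']}/{values['UNTRUST_IP_MASK_LENGTH']}")
    trust = ipaddress.ip_interface(
        f"{values['TRUST_IP_ADDRESS']}/{values['TRUST_IP_MASK_LENGTH']}")

    if values["UNTRUST_INTERFACE"] == values["TRUST_INTERFACE"]:
        problems.append("trust and untrust are the same interface")
    if untrust.network.overlaps(trust.network):
        problems.append("trust and untrust subnets overlap")
    if nat_ip == untrust.ip:
        problems.append("NAT address is the untrust interface address itself; "
                        "use interface NAT, proxy ARP is not needed")
    elif nat_ip not in untrust.network:
        # The SRX only answers ARP on the untrust segment, so an address from
        # another subnet needs a route on the upstream router instead.
        problems.append("NAT address is outside the untrust subnet; proxy ARP "
                        "will not make it reachable, the upstream router needs "
                        "a route for it pointing at the SRX")
    elif nat_ip in (untrust.network.network_address,
                    untrust.network.broadcast_address):
        problems.append("NAT address is the network or broadcast address")
    return problems


def render(values):
    """Fill the template, refusing to emit a config with unfilled placeholders."""
    missing = set(PLACEHOLDER.findall(TEMPLATE)) - set(values)
    if missing:
        raise KeyError(f"template values missing: {sorted(missing)}")
    return PLACEHOLDER.sub(lambda m: str(values[m.group(1)]), TEMPLATE)


def build(values):
    """Validate first, then render; raise ValueError with the reasons otherwise."""
    problems = check_nat_placement(values)
    if problems:
        raise ValueError("; ".join(problems))
    return render(values)


# Constructed sample values (RFC 5737 documentation prefixes, not a real site).
SAMPLE = {
    "NAT_IP_ADDRESS": "203.0.113.10",
    "UNTRUST_INTERFACE": "ge-0/0/0",
    "TRUST_INTERFACE": "ge-0/0/1",
    "UNTRUST_IP_ADDRESS": "203.0.113.1",
    "UNTRUST_IP_MASK_LENGTH": "24",
    "TRUST_IP_ADDRESS": "192.168.1.1",
    "TRUST_IP_MASK_LENGTH": "24",
}

if __name__ == "__main__":
    print(build(SAMPLE))
```

Run it with the sample values and it prints the filled stanzas ready for "load merge terminal"; change NAT_IP_ADDRESS to 198.51.100.5 and build() stops with the out-of-subnet message, which is the situation where you should be asking your upstream for a static route rather than adding proxy-arp.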
