Configure Proxy ARP in Juniper SRX Gateway

Today I will show you how to configure proxy ARP on a Juniper SRX gateway. Two questions come up: why would you want proxy ARP at all, and how do you configure it? This post answers both.


Let's say company A has five public IP addresses and a dedicated link. The company is small and has connected the ISP link directly to the router, as shown in the figure below. Servers and clients sit behind the switch. A new public web server is added to the network and needs to be reachable from the internet. The requirement is to use one of the unused public IP addresses and do NAT on the router. But is that possible?

You might think that, with the link connected directly to the router, you cannot use the other four addresses: to use them you would need to subnet the block further or put a switch between the ISP and the router. But the company will not buy another device. This is where proxy ARP comes in.

Proxy ARP

Let's say we use another of the public addresses, 198.18.10.3, for the new web server. Where do we configure that address? We do not assign it to any interface. Instead we configure it as a proxy ARP address on ge-0/0/0 (logical unit ge-0/0/0.0), the untrust interface that already carries the router's own public address. The proxy ARP address must lie in the same subnet as the interface address.

root@srx# set security nat proxy-arp interface ge-0/0/0.0 address 198.18.10.3/32

After configuring proxy ARP, configure destination NAT so that traffic arriving for 198.18.10.3 on TCP port 80 is sent to the web server's private address (192.168.101.2 in this example).

[edit security nat destination]
root@srx# set pool WebServer address 192.168.101.2/32
[edit security nat destination]
root@srx# edit rule-set NatRule
[edit security nat destination rule-set NatRule]
root@srx# set from zone untrust
[edit security nat destination rule-set NatRule]
root@srx# edit rule WebRule
[edit security nat destination rule-set NatRule rule WebRule]
root@srx# set match destination-address 198.18.10.3/32
[edit security nat destination rule-set NatRule rule WebRule]
root@srx# set match destination-port 80
[edit security nat destination rule-set NatRule rule WebRule]
root@srx# set then destination-nat pool WebServer

[edit security nat destination rule-set NatRule rule WebRule]
root@srx# show
match {
    destination-address 198.18.10.3/32;
    destination-port 80;
}
then {
    destination-nat pool WebServer;
}

So when a user on the internet opens http://198.18.10.3, the request reaches the SRX from the ISP's device. The ISP device first sends an ARP request for 198.18.10.3. Because of the proxy-arp entry, the SRX answers with the MAC address of ge-0/0/0, even though 198.18.10.3 is not configured on that interface. The frame therefore arrives at the SRX, destination NAT rewrites 198.18.10.3:80 to the web server's private address, the untrust-to-trust security policy is evaluated against the translated address, and the session is established. In this way proxy ARP answers ARP for a virtual IP and removes the need for subnetting or an extra switch. Two caveats: the proxy ARP address must be in the same subnet as the interface's own address, and a security policy permitting the traffic to the web server's private address is still required. Destination NAT on its own does not allow the session.
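The complete configuration for this scenario in set format, as an added example that is not taken from the original post or from Juniper's documentation. It assumes the ISP hands the company 198.18.10.0/29, that the SRX's own public address is 198.18.10.2/29 on ge-0/0/0.0 in zone untrust, that the web server's private address is 192.168.101.2 behind ge-0/0/1.0 in zone trust, and it uses the predefined junos-http application. Interface addresses, zone names and the policy and address-book names are assumptions for the example.

```junos
## Added example, not the original post's configuration. Assumed addressing:
## ISP block 198.18.10.0/29, SRX public address 198.18.10.2, spare public
## address 198.18.10.3, web server private address 192.168.101.2.

## Interfaces and zones (assumed layout)
set interfaces ge-0/0/0 unit 0 family inet address 198.18.10.2/29
set interfaces ge-0/0/1 unit 0 family inet address 192.168.101.1/24
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0

## Proxy ARP: answer ARP requests for the spare public address with the
## MAC address of ge-0/0/0. The address must fall inside the interface's
## subnet (198.18.10.0/29 here); no interface carries 198.18.10.3 itself.
set security nat proxy-arp interface ge-0/0/0.0 address 198.18.10.3/32

## Destination NAT: 198.18.10.3:80 from zone untrust -> 192.168.101.2
set security nat destination pool WebServer address 192.168.101.2/32
set security nat destination rule-set NatRule from zone untrust
set security nat destination rule-set NatRule rule WebRule match destination-address 198.18.10.3/32
set security nat destination rule-set NatRule rule WebRule match destination-port 80
set security nat destination rule-set NatRule rule WebRule then destination-nat pool WebServer

## Security policy: destination NAT runs before policy lookup, so the policy
## must match the translated private address, not 198.18.10.3. Without this
## policy the ARP reply and the NAT rule alone still leave the session dropped.
set security address-book global address WebServer-Private 192.168.101.2/32
set security policies from-zone untrust to-zone trust policy Allow-Web match source-address any
set security policies from-zone untrust to-zone trust policy Allow-Web match destination-address WebServer-Private
set security policies from-zone untrust to-zone trust policy Allow-Web match application junos-http
set security policies from-zone untrust to-zone trust policy Allow-Web then permit
```

To check it after commit, use operational mode: `show configuration security nat proxy-arp` confirms the proxy entry, `show security nat destination rule all` shows hit counts on WebRule, and `show security flow session destination-prefix 192.168.101.2` lists the translated sessions once a client on the internet connects. On the ISP side, the ARP entry for 198.18.10.3 should show the same MAC address that `show interfaces ge-0/0/0` reports as the interface's current address; if it shows nothing, the proxy-arp address is outside the interface subnet or the commit did not take.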
