Hi all,
Proxy ARP is something that not everybody understands well. Some devices can do it, others cannot, and some do it automatically (sometimes), etc.
Here I will give a brief overview of how Juniper (ScreenOS) firewalls handle proxy ARP.
As most of you know, there are five ways to do NAT on Juniper ScreenOS firewalls:
MIP (mapped IP): one-to-one (bidirectional)
DIP (dynamic IP pool): many-to-one (unidirectional, source NAT)
VIP (virtual IP): one-to-many, selected by service/port (unidirectional)
Destination NAT (policy-based): one-to-one or one-to-many (unidirectional)
Source NAT (policy-based): many-to-one or one-to-one (unidirectional)
That is the NAT overview. Now, for which of these NAT addresses will the firewall answer ARP requests (proxy ARP)?
Yes:
- MIP
- VIP
No:
- Policy-based destination NAT
So when using policy-based destination NAT you have a problem: nobody answers ARP for the NAT address. Solutions: place a static ARP entry for the NAT address on the upstream router, or, when the NAT address is not in the same subnet as the firewall interface, place a route on the upstream router for the NAT address pointing to the (cluster) IP of the Juniper firewall.
Sometimes this isn't an option, because the upstream router isn't managed by you. Then the firewall itself has to proxy-ARP for these NAT addresses.
Well, there is a hidden command, "set arp nat-dst", that makes the firewall proxy-ARP for destination NAT addresses in certain situations.
When does the firewall respond, and when not:
• The destination NAT policy must be configured with the same source and destination Layer 3 security zone. Traffic that matches the policy can then be sent to any Layer 3 security zone.
• The device does not respond to an ARP request if the destination NAT IP is in the same incoming subnet as a secondary IP address.
• In an HA environment, the device only supports the destination NAT ARP capability when using NSRP Active/Passive on interfaces that reside in VSD ID 0.
• In ScreenOS 5.0r7 and below, the device does not respond to an ARP request for a destination NAT IP that is in the same subnet as the incoming interface for a destination NAT policy.
Hope this helps you all.
Wednesday, April 23, 2008
1 comment:
Good overview. I can't get proxy ARP working for DST-NAT for some reason. The "set arp nat-dst" has been deprecated and replaced by "set interface proxy-arp-entry". What I have as a config is this:
set interface ethernet1/1 proxy-arp-entry WAN_IP WAN_IP
Several intra-zone entries in the form:
set policy id from "Untrust" to "Untrust" "Any" "WAN_IP" "Some_service" nat dst ip LAN_IP port XX permit
WAN_IP is within the subnet of the ISP-facing interface but is not the physical interface IP itself (which responds correctly to ARP requests from the ISP). I thought I might be missing a policy permitting ICMP traffic to the WAN_IP; I added it, but it didn't work. Any idea where the problem might be?