Wednesday, April 23, 2008

Proxy arp

Hi all,

Proxy arp is something that not all people understand well. Some devices are able to do it, other not, and other do it automatic (sometimes), etc....

Here i will give a brief overview of how juniper firewalls handle proxy arp:

As most of you know there are 5 solutions to do NATTING in juniper firewalls:

MIP: one to one (bi-directional)
DIP: many to one (uni-directional)
VIP: one to many (uni-directional)
Destination NAT (policy): one to one, one to many (uni-directional)
Source NAT (policy): many to one, one to one (uni-directional)

So this is a overview of the natting, know when will the firewall to proxy arp for these NAT addresses?

Yes:

-MIP
-VIP

No:

-Dest nat

So you see that when using Destination nat you will have problem. Solution to solve this problem, ... place a static arp entry on higher level router, or when not in same network has the interface ... place a route to cluster ip of the juniper firewall.

Sometimes this isn't a solution, because the upstream router isn't managed by yourself. This means you need to be able to do proxy arp on firewall for these NAT addresses.

Well there is a hidden command "set arp nat-dst", which will do proxy arp for NAT addresses in a certain situation!!

When will he do it or not:

• The Destination NAT policy must be configured using the same source and
destination Layer 3 security zone. However, traffic that matches the policy
can then be sent to any Layer 3 security zone.

• The device does not respond to an ARP request if the Destination NAT IP is
in the same incoming subnet as a secondary IP address.
• In an HA environment, the device only supports the Destination NAT ARP
capability if using NSRP Active/Passive on interfaces that reside in VSD ID
0.
• In ScreenOS 5.0r7 and below, the device does not respond to an ARP request
for a Destination NAT IP that is in the same subnet as the incoming
interface for a Destination NAT policy.

Hope this helps you all.

1 comment:

TheGrave said...

Good overview. I can't get Proxy ARP working for DST-NAT for some reason. The set arp nat-dst has been deprecated and replaced by set interface proxy-arp-entry. What I have as a config is this:

set interface ethernet1/1 proxy-arp-entry WAN_IP WAN_IP

Several intra-zone entries in the form:

set policy id from "Untrust" to "Untrust" "Any" "WAN_IP" "Some_service" nat dst ip LAN_IP port XX permit

WAN_IP is within the subnet of the ISP-facing interface but not the physical interface IP itself (which responds correctly to ARP requests from the ISP). I thought I might be missing a policy for permitting ICMP traffic to the WAN_IP - added it - didn't work. Any idea where the problem might be?