Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] When and how to configure Proxy ARP



Article ID: KB21785 KB Last Updated: 24 Apr 2020Version: 6.0

This article describes when and how to configure Proxy ARP, with examples.

Note: The Resolution Guides for SRX NAT refer to this article.



NAT configuration on SRX device is not working. You followed the steps in the Resolution Guides for SRX NAT, and it referenced this article for configuring Proxy ARP. 

  • When do you configure Proxy ARP?

  • How do you check if Proxy ARP is configured?

  • How do you configure Proxy ARP?



When to configure Proxy ARP

As specified in Configuring Proxy ARP (CLI Procedure), Proxy ARP should be configured for the following scenarios:

  • When addresses defined in the static NAT and source NAT pool are in the same subnet as that of the ingress interface (Source NAT and Static NAT scenario)

  • When addresses in the original destination address entry in the destination NAT rules are in the same subnet as that of the ingress interface (Destination NAT scenario)


Below is a simple explanation of Proxy ARP for the Static NAT Scenario.


SRX interface ge-0/0/0.0 is              
Upstream Router IP Addr  can be anything between -----and----- 

The upstream router needs to send a packet to the Destination IP address It will send an ARP request for the IP address If Proxy ARP is not configured on the SRX device, the SRX device will not reply to the ARP request as it does not have the IP address configured on the interface ge-0/0/0.0. The ARP request will time out and the packet will be dropped at the upstream router. However, if Proxy ARP is configured for interface ge-0/0/0.0 for the IP, then when the upstream router sends an ARP request out for the IP address, the SRX device will respond to the ARP request. Then the upstream router will be able to send the packet to the Destination IP address (and the MAC address of the SRX device).

How to check if Proxy ARP is enabled

Run the following configuration mode command:

root# show security nat proxy-arp 

Below is an example of a Proxy ARP configuration. (If nothing is returned with the above command, then Proxy ARP is not configured.)

root# show security nat proxy-arp
interface ge-0/0/0.0 {  ## The interface where the proxy-arp is configured
    address {;    ## The 2 IPs where the packet will be destined;


How to configure Proxy ARP

The instructions for configuring Proxy ARP are documented here:  Configuring Proxy ARP (CLI Procedure).

Below is the Configuration Example:

  1. Check if the Proxy ARP configuration is present or not:

# show security nat proxy-arp
  1. Identify the address for which the Proxy ARP is needed.

If Source NAT / Destination NAT is configured for IP, then the Proxy ARP will be configured for the IP address

  1. Select the interface to which the NAT is performed.

This decision is based on the IP addresses obtained in the previous step.

IP is in the IP network of the interface ge-0/0/0.0.

Verify the IP address of the interface ge-0/0/0.0:

#show interfaces ge-0/0/0.0
family inet {

The IP belongs to the same network as

  1. Configure the Proxy ARP.

Address chosen is:

Interface chosen is: ge-0/0/0.0.

Proxy ARP command is:

set security nat proxy-arp interface ge-0/0/0.0 address

To verify:

# show security nat proxy-arp
interface ge-0/0/0.0 {
    address {;

Other Example

The Destination NAT example is the same as the Static NAT example above. 

Below is a Source NAT example. This is how to configure Proxy-ARP when the Source NAT is configured for an IP address, which is not the external interface IP address, but in the same network as that of the external interface IP address.



In this example, Source NAT is configured with an IP pool ( -, which is on the same subnet as the SRX interface ( 

The Client requires their IP address to be translated to or (from the Source NAT Pool).

In this case, Proxy-ARP needs to be configured for the interface ge-0/0/0.0, mapping the interface MAC to the IP address and

root# set security nat proxy-arp interface ge-0/0/0.0 address
root# set security nat proxy-arp interface ge-0/0/0.0 address


Modification History:

2020-04-24: Article reviewed for accuracy; no changes required; article valid and relevant


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search