The following config excerpt almost works:
interfaces {
ge-0/0/14 {
vlan-tagging;
unit 0 {
arp-resp unrestricted;
proxy-arp unrestricted;
vlan-id 6;
family inet {
address 10.0.0.6/31;
}
}
}
ge-0/0/15 {
unit 0 {
family inet {
address 10.0.0.1/28;
address 10.0.0.2/28;
}
}
}
}
security {
nat {
source {
pool snat {
address {
10.0.0.5/32;
}
}
rule-set internal-inet {
from zone trust;
to zone untrust;
rule source-nat-rule {
match {
source-address 10.0.1.0/24;
}
then {
source-nat {
pool {
snat;
}
}
}
}
}
}
static {
rule-set static {
from zone untrust;
rule r1 {
match {
destination-address 10.0.0.4/32;
}
then {
static-nat {
prefix {
10.0.1.1/32;
}
}
}
}
}
}
proxy-arp {
interface ge-0/0/15.0 {
address {
10.0.0.4/32;
10.0.0.5/32;
}
}
interface ge-0/0/14.0 {
address {
10.0.0.1/32;
10.0.0.4/32;
10.0.0.5/32;
}
}
}
}
}
Everything works on the ge-0/0/15 network, static and source NAT both work on ge-0/0/14, ge-0/0/14 responds to ARP queries for 10.0.0.1, but there is no ICMP/SSH response to 10.0.0.1 from ge-0/0/14 (haven't tried IPsec yet)