Okay, so here's what I have:
[edit security nat source]
set pool src-nat-pool20 address 10.20.1.10 to 10.20.1.249
set rule-set 20 from zone 20
set rule-set 20 to zone untrust
set rule-set 20 rule 20 match source-address 0.0.0.0/0
set rule-set 20 rule 20 match destination-address 0.0.0.0/0
set rule-set 20 rule 20 then source-nat pool src-nat-pool20

[edit security nat]
set proxy-arp interface ge-0/0/0.0 address 1.2.3.2 to 1.2.3.5

[edit security policies from-zone 20 to-zone untrust]
set policy 20 match source-address any destination-address any application any
set policy 20 then permit
But now when I head to the LAN port on a downstream router that encapsulates vlan-20, I can't get to the Internet. OTOH, when I ping my downstream router IP from my SRX, it responds, which tells me I *think* that my firewall rules aren't set up right to pass traffic to upstream public statics, is that right? Like I need some policy from untrust to 20? Here's what I have for that:
from-zone untrust to-zone 20 {
    policy deny-all {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            deny;
        }
    }
}
Feels like I might be getting close?