
[SRX] Basic NAT64 configuration example


Article ID: KB22391   KB Last Updated: 10 Apr 2017   Version: 2.0

Summary:

This article provides an example of a basic scenario which requires a NAT64 configuration.

Symptoms:

Basic NAT64 configuration example:

IPv6-Host ( 2001:0660:1000:8c00::b ) <------------> ( 2001:0660:1000:8c00::a )(reth0.0) | SRX-DUT | (reth1.0)( 192.168.203.1 ) <----------> ( 192.168.203.10 ) Server

  • You have a device with an IPv6 address, but your servers are using IPv4. To access the IPv4 servers, use NAT64 in the security NAT hierarchy.

  • Since the host is configured with an IPv6 address, it needs an IPv6 destination address to reach the server. In this example, we assume the IPv6 address of the server is 2001:0660:1000:9002::cafe. (Note: 2001:0660:1000:9002::cafe is NOT configured on the actual server.)

Solution:
  1. To configure NAT64, create a destination NAT pool containing a single IP address: the IPv4 address of the server.

    root# set security nat destination pool ipPool address 192.168.203.10/32

  2. Configure a destination NAT rule for 2001:0660:1000:9002::cafe. This translates the IPv6 address (2001:0660:1000:9002::cafe) into the IPv4 address (192.168.203.10) in the destination field of the incoming packet.

    root# set security nat destination rule-set test-1 from zone untrust
    root# set security nat destination rule-set test-1 rule rule-1 match destination-address 2001:0660:1000:9002::cafe/128
    root# set security nat destination rule-set test-1 rule rule-1 then destination-nat pool ipPool

  3. After destination NAT, the destination address is IPv4, but the source address is still IPv6. Thus, we must apply source NAT to change the IPv6 address to IPv4 in the source field of the packet.

    root# set security nat source rule-set test-2 from zone untrust
    root# set security nat source rule-set test-2 to zone trust
    root# set security nat source rule-set test-2 rule rule-2 match source-address 0::/0
    root# set security nat source rule-set test-2 rule rule-2 match destination-address 192.168.203.10/32
    root# set security nat source rule-set test-2 rule rule-2 then source-nat interface

  4. Check how the sessions are being established:

    root> show security flow session
    Session ID: 120000016, Policy name: default-policy-00/2, State: Active, Timeout: 1794, Valid
    In: 2001:660:1000:8c00::b/1053 --> 2001:660:1000:9002::cafe/80;tcp, If: reth0.0, Pkts: 4, Bytes: 574
    Out: 192.168.203.10/80 --> 192.168.203.1/24770;tcp, If: reth1.0, Pkts: 3, Bytes: 447
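
To check the translation in step 4 without reading wings by eye, the following added example (not part of the original article or Juniper tooling) parses `show security flow session` text and reports each session whose In wing is IPv6 and whose Out wing is IPv4. It assumes the output layout shown in step 4; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the session output from step 4, copied verbatim.
SAMPLE = """\
Session ID: 120000016, Policy name: default-policy-00/2, State: Active, Timeout: 1794, Valid
In: 2001:660:1000:8c00::b/1053 --> 2001:660:1000:9002::cafe/80;tcp, If: reth0.0, Pkts: 4, Bytes: 574
Out: 192.168.203.10/80 --> 192.168.203.1/24770;tcp, If: reth1.0, Pkts: 3, Bytes: 447
"""

# Assumption: Session ID and wing lines follow the layout shown in step 4.
SESSION = re.compile(r"^\s*Session ID:\s+(\d+),")
WING = re.compile(r"^\s*(In|Out):\s+(\S+)/(\d+)\s+-->\s+(\S+)/(\d+);(\w+),\s+If:\s+(\S+),")

def parse_sessions(text):
    """Group In/Out wings under their Session ID line."""
    sessions = []
    for line in text.splitlines():
        m = SESSION.match(line)
        if m:
            sessions.append({"id": int(m.group(1))})
            continue
        m = WING.match(line)
        if m and sessions:
            wing, src, sport, dst, dport, proto, ifname = m.groups()
            sessions[-1][wing] = {
                "src": ipaddress.ip_address(src), "sport": int(sport),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "proto": proto, "if": ifname}
    return sessions

def nat64_mappings(sessions):
    """Return translations for sessions with an IPv6 In wing and IPv4 Out wing."""
    found = []
    for s in sessions:
        i, o = s.get("In"), s.get("Out")
        if i and o and i["src"].version == 6 and o["src"].version == o["dst"].version == 4:
            found.append({
                "session": s["id"],
                # Out wing is the reply direction: its source is the real server,
                # its destination is the translated (source-NAT) client address.
                "dst_nat": (str(i["dst"]), str(o["src"])),
                "src_nat": (str(i["src"]), str(o["dst"]), o["dport"]),
            })
    return found

if __name__ == "__main__":
    for mapping in nat64_mappings(parse_sessions(SAMPLE)):
        print(mapping)
```

For the session above, `dst_nat` pairs 2001:660:1000:9002::cafe with the pool address 192.168.203.10, and `src_nat` pairs the IPv6 host with the reth1.0 interface address and translated port.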
