[SRX] How to Configure NAT-PT translation


Article ID: KB23600 KB Last Updated: 21 Feb 2020 Version: 2.0
Summary:
This article provides information on how to configure Network Address Translation - Protocol Translation (NAT-PT), which is an IPv4-to-IPv6 transition mechanism.
Symptoms:
NAT-PT provides a complete solution, which allows a large number of commonly used applications to interoperate between IPv6-only nodes and IPv4-only nodes.
Solution:
A fundamental assumption for NAT-PT is that it should be used only when no other native IPv6 or IPv6-over-IPv4 tunneled means of communication is possible. In other words, the aim is to use translation only between IPv6-only nodes and IPv4-only nodes; translation between IPv6-only nodes and the IPv4 part of a dual-stack node should be avoided in favor of other alternatives.



For more information, refer to RFC 2766.

root@IPV6# run show configuration conf   | no-more 
## Last commit: 2011-11-11 16:43:48 UTC by root
version 11.2R1.10;
system {
    host-name IPV6;
    root-authentication {
        encrypted-password "$ABC123"; ## SECRET-DATA
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet6 {
                address 2001:db8::1/64;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
}
security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
    flow {
        traceoptions {
            file 6to4;
            flag all;
            packet-filter 1 {
                source-prefix 2001:db8::/64;
                destination-prefix 2002:db8::5/64;
            }
            packet-filter 2 {
                source-prefix 192.168.1.5/32;
                destination-prefix 192.168.2.2/32;
            }
        }
    }
    nat {
        source {
            rule-set 1 {
                from zone ipv6;
                to zone ipv4;
                rule 1 {
                    match {
                        source-address 2001:db8::2/64;
                        destination-address 192.168.1.5/32;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
            rule-set 2 {
                from zone ipv4;
                to zone ipv6;
                rule 1a {
                    match {
                        source-address 192.168.1.5/32;
                        destination-address 2001:db8::2/64;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
        destination {
            pool a {
                address 192.168.1.5/32;
            }
            pool v6 {
                address 2001:db8::2/128;
            }
            rule-set 1 {
                from zone ipv6;
                rule 1 {
                    match {
                        destination-address 2002:db8::5/64;
                    }
                    then {
                        destination-nat pool a;
                    }
                }
            }
            rule-set 2 {
                from zone ipv4;
                rule 1a {
                    match {
                        destination-address 192.168.2.2/32;
                    }
                    then {
                        destination-nat pool v6;
                    }
                }
            }
        }
    }
    policies {
        from-zone ipv6 to-zone ipv4 {
            policy 6to4 {
                match {
                    source-address v6;
                    destination-address v4;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone ipv4 to-zone ipv6 {
            policy 4to6 {
                match {
                    source-address v4;
                    destination-address v6;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone ipv4 {
            address-book {
                address v4 192.168.1.5/32;
            }
            interfaces {
                ge-0/0/1.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone ipv6 {
            address-book {
                address v6 2001:db8::2/64;
            }
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
}


[edit]
root@IPV6# run show route | no-more 

inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.168.1.0/24     *[Direct/0] 01:16:41
                    > via ge-0/0/1.0
192.168.1.1/32     *[Local/0] 01:17:42
                      Local via ge-0/0/1.0

inet6.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:db8::/64      *[Direct/0] 01:16:43
                    > via ge-0/0/0.0
2001:db8::1/128    *[Local/0] 01:17:42
                      Local via ge-0/0/0.0
fe80::/64          *[Direct/0] 01:16:43
                    > via ge-0/0/0.0
fe80::5e5e:abff:fe15:b000/128
                   *[Local/0] 01:17:42
                      Local via ge-0/0/0.0

[edit]
root@IPV6# run show security nat source rule all | no-more 
Total rules: 2
Total referenced IPv4/IPv6 ip-prefixes: 2/2

source NAT rule: 1                    Rule-set: 1 
  Rule-Id                    : 1  
  Rule position              : 1
  From zone                  : ipv6
  To zone                    : ipv4
  Match
    Source addresses         : 2001:db8::      - 2001:db8::ffff:ffff:ffff:ffff
    Destination addresses    : 192.168.1.5     - 192.168.1.5
    Destination port         : 0               - 0
  Action                        : interface 
    Persistent NAT type         : N/A              
    Persistent NAT mapping type : address-port-mapping 
    Inactivity timeout          : 0
    Max session number          : 0 
  Translation hits           : 55

source NAT rule: 1a                   Rule-set: 2 
  Rule-Id                    : 2  
  Rule position              : 2
  From zone                  : ipv4
  To zone                    : ipv6
  Match
    Source addresses         : 192.168.1.5     - 192.168.1.5
    Destination addresses    : 2001:db8::      - 2001:db8::ffff:ffff:ffff:ffff
    Destination port         : 0               - 0
  Action                        : interface 
    Persistent NAT type         : N/A              
    Persistent NAT mapping type : address-port-mapping 
    Inactivity timeout          : 0
    Max session number          : 0 
  Translation hits           : 59

[edit]
root@IPV6# run show security nat destination rule all | no-more 
Total destination-nat rules: 2
Total referenced IPv4/IPv6 ip-prefixes: 1/1

Destination NAT rule: 1                    Rule-set: 1 
  Rule-Id                    : 1  
  Rule position              : 1
  From zone                  : ipv6
    Destination addresses    : 2002:db8::      - 2002:db8::ffff:ffff:ffff:ffff
  Action                     : a 
 
  Destination port           : 0 
  Translation hits           : 79

Destination NAT rule: 1a                   Rule-set: 2 
  Rule-Id                    : 2  
  Rule position              : 2
  From zone                  : ipv4
    Destination addresses    : 192.168.2.2     - 192.168.2.2
  Action                     : v6 
 
  Destination port           : 0 
  Translation hits           : 62

root@IPV6# run show security flow session    
Session ID: 5854, Policy name: 4to6/5, Timeout: 2, Valid
  In: 192.168.1.5/536 --> 192.168.2.2/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
  Out: 2001:db8::2/1 --> 2001:db8::1/49219;icmp6, If: ge-0/0/0.0, Pkts: 1, Bytes: 80

Session ID: 5855, Policy name: 6to4/4, Timeout: 2, Valid
  In: 2001:db8::2/86 --> 2002:db8::5/1;icmp6, If: ge-0/0/0.0, Pkts: 1, Bytes: 80
  Out: 192.168.1.5/1 --> 192.168.1.1/61053;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

Session ID: 5856, Policy name: 4to6/5, Timeout: 2, Valid
  In: 192.168.1.5/537 --> 192.168.2.2/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
  Out: 2001:db8::2/1 --> 2001:db8::1/7562;icmp6, If: ge-0/0/0.0, Pkts: 1, Bytes: 80

Session ID: 5857, Policy name: 6to4/4, Timeout: 4, Valid
  In: 2001:db8::2/87 --> 2002:db8::5/1;icmp6, If: ge-0/0/0.0, Pkts: 1, Bytes: 80
  Out: 192.168.1.5/1 --> 192.168.1.1/23816;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

Session ID: 5858, Policy name: 4to6/5, Timeout: 4, Valid
  In: 192.168.1.5/538 --> 192.168.2.2/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60                                      
  Out: 2001:db8::2/1 --> 2001:db8::1/9391;icmp6, If: ge-0/0/0.0, Pkts: 1, Bytes: 80

Session ID: 5859, Policy name: 6to4/4, Timeout: 4, Valid
  In: 2001:db8::2/88 --> 2002:db8::5/1;icmp6, If: ge-0/0/0.0, Pkts: 1, Bytes: 80
  Out: 192.168.1.5/1 --> 192.168.1.1/41804;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60

Session ID: 5860, Policy name: 4to6/5, Timeout: 4, Valid
  In: 192.168.1.5/539 --> 192.168.2.2/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
  Out: 2001:db8::2/1 --> 2001:db8::1/30835;icmp6, If: ge-0/0/0.0, Pkts: 1, Bytes: 80
Total sessions: 7
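
The session table above can be checked programmatically. The following Python script is an added example, not part of the original Juniper article: it parses `show security flow session` output in the format shown above, reports the sessions whose In and Out wings use different IP versions (the NAT-PT translated ones), and marks whether each matched one of the expected policies. The function names, the `expected_policies` parameter and session 9001 are constructed for illustration.

```python
import ipaddress
import re

# Sessions 5854/5855 are from the article's output; 9001 is constructed.
SAMPLE = """\
Session ID: 5854, Policy name: 4to6/5, Timeout: 2, Valid
  In: 192.168.1.5/536 --> 192.168.2.2/1;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
  Out: 2001:db8::2/1 --> 2001:db8::1/49219;icmp6, If: ge-0/0/0.0, Pkts: 1, Bytes: 80
Session ID: 5855, Policy name: 6to4/4, Timeout: 2, Valid
  In: 2001:db8::2/86 --> 2002:db8::5/1;icmp6, If: ge-0/0/0.0, Pkts: 1, Bytes: 80
  Out: 192.168.1.5/1 --> 192.168.1.1/61053;icmp, If: ge-0/0/1.0, Pkts: 1, Bytes: 60
Session ID: 9001, Policy name: v4only/7, Timeout: 30, Valid
  In: 192.168.1.5/40000 --> 192.168.1.9/22;tcp, If: ge-0/0/1.0, Pkts: 3, Bytes: 180
  Out: 192.168.1.9/22 --> 192.168.1.5/40000;tcp, If: ge-0/0/1.0, Pkts: 2, Bytes: 120
Total sessions: 3
"""

HEADER = re.compile(r"^Session ID: (\d+), Policy name: ([^,/]+)/\d+")
WING = re.compile(r"^\s*(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+), If: (\S+),")
TOTAL = re.compile(r"^Total sessions: (\d+)")

def parse_sessions(text):
    """Return (sessions, reported_total) parsed from the flow session output."""
    sessions, total = [], None
    for line in text.splitlines():
        if m := HEADER.match(line):
            sessions.append({"id": int(m[1]), "policy": m[2]})
        elif (m := WING.match(line)) and sessions:
            sessions[-1][m[1].lower()] = {
                "src": ipaddress.ip_address(m[2]), "dst": ipaddress.ip_address(m[4]),
                "proto": m[6], "ifname": m[7]}
        elif m := TOTAL.match(line):
            total = int(m[1])
    return sessions, total

def direction(session):
    """Classify a session by the IP version of its In and Out wings."""
    vin, vout = session["in"]["src"].version, session["out"]["src"].version
    return "same-family" if vin == vout else f"v{vin}-to-v{vout}"

def translated(text, expected_policies=("4to6", "6to4")):
    """Map session id -> (direction, policy, policy_is_expected) for cross-family sessions."""
    sessions, total = parse_sessions(text)
    if total is not None and total != len(sessions):
        raise ValueError(f"parsed {len(sessions)} sessions, device reported {total}")
    return {s["id"]: (direction(s), s["policy"], s["policy"] in expected_policies)
            for s in sessions if direction(s) != "same-family"}

if __name__ == "__main__":
    print(translated(SAMPLE))
```

A cross-family session whose third field is False was translated under a policy other than the ones this configuration defines, which is worth reviewing.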