
[SRX] How to configure Proxy NDP for NAT64


Article ID: KB26776    Last Updated: 21 Jul 2020    Version: 3.0
Summary:

This article describes how to configure Proxy NDP (Neighbor Discovery Protocol) for a NAT64 scenario, with configuration examples and troubleshooting commands.

Symptoms:

With the NAT proxy-arp feature, an interface configured for proxy-arp answers ARP requests for IP addresses that are in the same subnet as the interface address but are not configured on the device itself. For IPv6, the proxy-ndp feature performs the same function for Neighbor Discovery.

Here is a commonly seen scenario involving proxy-ndp.

TOPOLOGY:

Client IP : 2001:db8::8/64
Server IP : 192.168.2.2/24
SRX External Interface IP : 2001:db8::5/64
Natted Public IP of Server : 2001:db8::1/64


 
Solution:
  1. Configure static NAT to translate the server's public IPv6 address (2001:db8::1/64) to its IPv4 address (192.168.2.2/24).

    static {
        rule-set rs1 {
            from zone untrust;
            rule 1 {
                match {
                    destination-address 2001:db8::1/128;
                }
                then {
                    static-nat prefix 192.168.2.2/32;
                }
            }
        }
    }
  2. Because 2001:db8::1/128 is a dangling address (not configured on any interface) that lies in the same subnet as the external interface fe-0/0/0.0, proxy-ndp is required so that the SRX answers Neighbor Solicitations for it.

    proxy-ndp {
        interface fe-0/0/0.0 {
            address {
                2001:db8::1/128;
            }
        }
    }

  3. Note: Because the client IP address is an IPv6 address, it must be translated to an IPv4 address so that the server (192.168.2.2) can accept the connection. For NAT64, therefore, a source NAT rule is required that translates the client's IPv6 address to an IPv4 address in the server's subnet.

    Here the client IP 2001:db8::8/64 is translated to 192.168.2.5.

    nat {
        source {
            pool pool1 {
                address {
                    192.168.2.5/32;
                }
            }
            rule-set client-to-server {
                from zone untrust;
                to zone trust;
                rule 1 {
                    match {
                        source-address 2001:db8::8/128;
                        destination-address 192.168.2.2/32;
                    }
                    then {
                        source-nat {
                            pool {
                                pool1;
                                persistent-nat {
                                    permit any-remote-host;
                                }
                            }
                        }
                    }
                }
            }
        }
    }

  4. Because the translated source address 192.168.2.5 is in the same subnet as the interface connected to the server (fe-0/0/1.0), proxy-arp is needed on that interface.

    proxy-arp {
        interface fe-0/0/1.0 {
            address {
                192.168.2.5/32;
            }
        }
    }
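The decision rule behind steps 2 and 4 (a NAT address that is on-link with an interface but not owned by it needs a proxy-ndp or proxy-arp entry; an address on no connected subnet needs a route instead) can be automated. This is an added example written for this article, not Juniper code; the external interface address is the article's 2001:db8::5/64, while the internal interface address 192.168.2.1/24 is an assumption because the article does not state it.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology from the article. The SRX external interface holds
# 2001:db8::5/64 (given); the internal interface address is not stated in
# the article, so 192.168.2.1/24 is an ASSUMED value used only for the demo.
INTERFACES: Dict[str, str] = {
    "fe-0/0/0.0": "2001:db8::5/64",
    "fe-0/0/1.0": "192.168.2.1/24",  # assumption
}

# Addresses the SRX must answer for but does not own: the static-NAT
# public IPv6 of the server and the IPv4 source-NAT pool address.
NAT_ADDRESSES: List[str] = ["2001:db8::1", "192.168.2.5"]


def proxy_statements(interfaces: Dict[str, str],
                     nat_addresses: List[str]) -> Tuple[List[str], List[str]]:
    """Decide, per NAT address, whether proxy-ndp/proxy-arp is needed.

    Returns (set_statements, off_link): Junos 'set' lines for addresses that
    are on-link with some interface but not owned by it, and the addresses
    that are on no connected subnet (those need a route, not a proxy entry).
    """
    statements: List[str] = []
    off_link: List[str] = []
    for addr_s in nat_addresses:
        addr = ipaddress.ip_address(addr_s)
        matched = False
        for ifname, if_cidr in interfaces.items():
            iface = ipaddress.ip_interface(if_cidr)
            if addr.version != iface.version or addr not in iface.network:
                continue
            matched = True
            if addr == iface.ip:
                break  # interface owns the address: no proxy entry needed
            feature = "proxy-ndp" if addr.version == 6 else "proxy-arp"
            host_len = 128 if addr.version == 6 else 32
            statements.append(
                f"set security nat {feature} interface {ifname} "
                f"address {addr}/{host_len}"
            )
            break
        if not matched:
            off_link.append(str(addr))
    return statements, off_link
```

Running proxy_statements(INTERFACES, NAT_ADDRESSES) yields exactly the proxy-ndp and proxy-arp statements of steps 2 and 4 in set-command form.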


Troubleshooting Commands:

[edit]
root# run show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/1

source NAT rule: 1 Rule-set: client-to-server
Rule-Id : 3
Rule position : 2
From zone : untrust
To zone : trust
Match
Source addresses : 2001:db8::8 - 2001:db8::8
Destination addresses : 192.168.2.2 - 192.168.2.2
Destination port : 0 - 0
Action : pool1
Persistent NAT type : any-remote-host
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 300
Max session number : 30
Translation hits : 0

[edit]
root#
root# run show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/1

Static NAT rule: 1 Rule-set: rs1
Rule-Id : 1
Rule position : 1
From zone : untrust
Destination addresses : 2001:db8::1
Host addresses : 192.168.2.2
Netmask : 128
Host routing-instance : N/A
Translation hits : 0


[edit]
root#
root# run show security flow session protocol tcp destination-port 23
Session ID: 9802, Policy name: default-policy-00/2, Timeout: 1798, Valid
In: 2001:db8::8/56112 --> 2001:db8::1/23;tcp, If: fe-0/0/0.0, Pkts: 11, Bytes: 736
Out: 192.168.2.2/23 --> 192.168.2.5/25599;tcp, If: fe-0/0/1.0, Pkts: 10, Bytes: 495
Total sessions: 1

[edit]
root#
root# run show security flow session protocol tcp destination-port 23 session-identifier 9802
Session ID: 9802, Status: Normal
Flag: 0x0
Policy name: default-policy-00/2
Source NAT pool: pool1, Application: junos-telnet/10
Maximum timeout: 1800, Current timeout: 1790
Session State: Valid
Start time: 264373, Duration: 10
In: 2001:db8::8/56112 --> 2001:db8::1/23;tcp,
Interface: fe-0/0/0.0,
Session token: 0x6, Flag: 0x623
Route: 0xd0010, Gateway: 2001:db8::8, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 11, Bytes: 736
Out: 192.168.2.2/23 --> 192.168.2.5/25599;tcp,
Interface: fe-0/0/1.0,
Session token: 0x8, Flag: 0x620
Route: 0xe0010, Gateway: 192.168.2.2, Tunnel: 0
Port sequence: 0, FIN sequence: 0,
FIN state: 0,
Pkts: 10, Bytes: 495
Total sessions: 1

[edit]
root# run show security nat source rule all
Total rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 2/1

source NAT rule: 1 Rule-set: client-to-server
Rule-Id : 3
Rule position : 2
From zone : untrust
To zone : trust
Match
Source addresses : 2001:db8::8 - 2001:db8::8
Destination addresses : 192.168.2.2 - 192.168.2.2
Destination port : 0 - 0
Action : pool1
Persistent NAT type : any-remote-host
Persistent NAT mapping type : address-port-mapping
Inactivity timeout : 300
Max session number : 30
Translation hits : 1

[edit]
root#
root# run show security nat static rule all
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/1

Static NAT rule: 1 Rule-set: rs1
Rule-Id : 1
Rule position : 1
From zone : untrust
Destination addresses : 2001:db8::1
Host addresses : 192.168.2.2
Netmask : 128
Host routing-instance : N/A
Translation hits : 1


root# run show security nat source persistent-nat-table all
Internal           Reflective                  Source                      Type             Left_time/ Curr_Sess_Num/ Source
In_IP          In_Port I_Proto  Ref_IP         Ref_Port R_Proto NAT Pool                    Conf_time Max_Sess_Num NAT Rule
2001:db8::8    56112   tcp   192.168.2.5        25599    tcp      pool1    any-remote-host       -/300          1/30       1
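To confirm from the session table that both translations took effect, the In and Out legs of the one-line 'show security flow session' summary above can be parsed and compared against the configured static NAT host and source NAT pool. This is an added verification example written for this article, not Juniper code; the sample text is constructed in the shape of session 9802 shown earlier.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of the article's
# 'show security flow session' summary output for session 9802.
SAMPLE_SESSION = """\
Session ID: 9802, Policy name: default-policy-00/2, Timeout: 1798, Valid
In: 2001:db8::8/56112 --> 2001:db8::1/23;tcp, If: fe-0/0/0.0, Pkts: 11, Bytes: 736
Out: 192.168.2.2/23 --> 192.168.2.5/25599;tcp, If: fe-0/0/1.0, Pkts: 10, Bytes: 495
Total sessions: 1
"""

LEG_RE = re.compile(
    r"^(In|Out):\s+(\S+)/(\d+)\s+-->\s+(\S+)/(\d+);(\w+),\s+If:\s+([^\s,]+)"
)

def parse_legs(text: str) -> Dict[str, dict]:
    """Extract the In (client->SRX) and Out (server->SRX, reverse wing)
    legs of a flow session summary into a dict keyed by 'In'/'Out'."""
    legs: Dict[str, dict] = {}
    for line in text.splitlines():
        m = LEG_RE.match(line.strip())
        if m:
            d, src, sport, dst, dport, proto, ifname = m.groups()
            legs[d] = {"src": src, "sport": int(sport), "dst": dst,
                       "dport": int(dport), "proto": proto, "if": ifname}
    return legs

def nat64_problems(legs: Dict[str, dict], static_v6: str,
                   static_v4: str, pool_v4: str) -> List[str]:
    """Return mismatches between the session and the expected NAT64
    translations: destination static NAT static_v6 -> static_v4 and
    source NAT of the client to pool_v4. The Out leg is the reverse
    direction, so the real server is its source and the pool address
    its destination."""
    problems: List[str] = []
    i, o = legs.get("In"), legs.get("Out")
    if i is None or o is None:
        return ["session is missing an In or Out leg"]
    if i["dst"] != static_v6:
        problems.append(f"In destination {i['dst']} != static NAT {static_v6}")
    if o["src"] != static_v4:
        problems.append(f"Out source {o['src']} != static NAT host {static_v4}")
    if o["dst"] != pool_v4:
        problems.append(f"Out destination {o['dst']} != source NAT pool {pool_v4}")
    if o["sport"] != i["dport"] or o["proto"] != i["proto"]:
        problems.append("service port/protocol not preserved across translation")
    return problems
```

An empty list from nat64_problems means the session matches the article's configuration; any entry names the leg and value that disagree.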
Modification History:
2020-07-14: Article reviewed for accuracy; no changes required.