If the public-facing interface of an SRX has an IPv6 address, but a host behind it is using IPv4, a Source-NAT configuration should be used to translate the host's private IPv4 address to a public IPv6 address. This article provides an example of such a scenario.
Basic NAT64 configuration example:
IPv4-Host (192.168.141.2) <------------> (192.168.141.1) fe-0/0/3.0 | SRX-DUT | fe-0/0/1.0 (2607:f650:102:ffee::2) <----------> Internet
Check Configuration
- Check if SRX is configured to handle IPv6 traffic:
root> show security flow status
Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based
Note: To enable INET6 on SRX, refer to KB25697 - How to enable the IPv6 flow (or packet) mode on SRX
- Basic configuration for Source-NAT:
set security nat source pool POOL address 2607:f650:102:ffee::3/128
set security nat source rule-set SRC from zone trust
set security nat source rule-set SRC to zone untrust
set security nat source rule-set SRC rule 1 match source-address 0.0.0.0/0
set security nat source rule-set SRC rule 1 match destination-address 0000::0000/0
set security nat source rule-set SRC rule 1 then source-nat pool POOL
- For IPv6 pool IP, configure proxy-ndp:
set security nat proxy-ndp interface fe-0/0/1.0 address 2607:f650:102:ffee::3/128
Note: Proxy-NDP configuration is not required if using interface-nat.
Verification
root# run show security flow session
Session ID: 32609, Policy name: default-policy-logical-system-00/2, Timeout: 2, Valid
In: 192.168.141.2/1803 --> 192.168.142.2/1;icmp, If: fe-0/0/3.0, Pkts: 1, Bytes: 60
Out: 2608:f650:102:ffee::2/1 --> 2607:f650:102:ffee::3/3814;icmp6, If: fe-0/0/1.0, Pkts: 1, Bytes: 80
Total sessions: 1
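
The verification step above can be scripted. The following is an added example, not part of the original article or of Junos: it parses "show security flow session" output and checks that the In wing is IPv4, the Out wing is IPv6, and the translated source falls inside the configured pool. The function names (parse_sessions, check_nat64) are hypothetical, the embedded sample is the session output shown above, and only the source side of the translation is checked.

```python
import ipaddress
import re

# Sample input: the session output shown in this article, embedded so the script runs offline.
SAMPLE = """\
Session ID: 32609, Policy name: default-policy-logical-system-00/2, Timeout: 2, Valid
In: 192.168.141.2/1803 --> 192.168.142.2/1;icmp, If: fe-0/0/3.0, Pkts: 1, Bytes: 60
Out: 2608:f650:102:ffee::2/1 --> 2607:f650:102:ffee::3/3814;icmp6, If: fe-0/0/1.0, Pkts: 1, Bytes: 80
Total sessions: 1
"""

# One wing line: direction, src/port --> dst/port;protocol, If: interface
WING = re.compile(
    r"^\s*(In|Out):\s+(\S+)/(\d+)\s+-->\s+(\S+)/(\d+);(\S+?),\s+If:\s+(\S+?),")

def parse_sessions(text):
    """Return a list of sessions, each {'id': int, 'In': wing, 'Out': wing}."""
    sessions = []
    for line in text.splitlines():
        m = re.match(r"^Session ID:\s+(\d+)", line)
        if m:
            sessions.append({"id": int(m.group(1))})
            continue
        m = WING.match(line)
        if m and sessions:
            direction, src, _sport, dst, _dport, proto, ifname = m.groups()
            sessions[-1][direction] = {
                "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst),
                "proto": proto, "if": ifname}
    return sessions

def check_nat64(session, pool_prefix):
    """Return a list of problems; an empty list means the source was translated as expected."""
    pool = ipaddress.ip_network(pool_prefix)
    if "In" not in session or "Out" not in session:
        return ["session is missing an In or Out wing"]
    inw, outw = session["In"], session["Out"]
    problems = []
    if inw["src"].version != 4:
        problems.append("In wing source is not IPv4")
    if outw["dst"].version != 6:
        problems.append("Out wing is not IPv6: no address-family translation")
    # The Out wing is the reverse direction, so the translated source is its destination.
    elif outw["dst"] not in pool:
        problems.append(f"translated source {outw['dst']} is outside pool {pool}")
    return problems
```

Running check_nat64 on each parsed session with the POOL prefix from the configuration flags sessions that left the trust zone untranslated or with an address outside the pool.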