Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] NAT64 basic source-NAT configuration

0

0

Article ID: KB31822 KB Last Updated: 27 Jun 2017Version: 1.0
Summary:

If an SRX has a public IP with an IPv6 address, but a host is using IPv4, Source-NAT configuration should be used to translate a private IPv4 address to a public IPv6 address. This article provides an example of such a scenario.

Symptoms:
Basic NAT64 configuration example:
IPv4-Host (192.168.141.2) <------------> (192.168.141.1) fe-0/0/3.0 | SRX-DUT | fe-0/0/1.0 ( 2607:f650:102:ffee::2) <----------> Internet
  • SRX has Public IP in IPv6 address, but Hosts are using IPv4. In order to access Internet using IPv6 public IP, use Source-NAT configuration for IPv6.

Solution:

Check Configuration

  1. Check if SRX is configured to handle IPv6 traffic:
root> show security flow status

Flow forwarding mode:
Inet forwarding mode: flow based
Inet6 forwarding mode: flow based

Note: To enable INET6 on SRX, rRefer to KB25697 - How to enable the IPv6 flow (or packet) mode on SRX

  1. Basic configuration for Source-NAT:
set security nat source pool POOL address 2607:f650:102:ffee::3/128
set security nat source rule-set SRC from zone trust
set security nat source rule-set SRC to zone untrust
set security nat source rule-set SRC rule 1 match source-address 0.0.0.0/0
set security nat source rule-set SRC rule 1 match destination-address 0000::0000/0
set security nat source rule-set SRC rule 1 then source-nat pool POOL
  1.  For IPv6 pool IP, configure proxy-ndp
‚Äčset security nat proxy-ndp interface fe-0/0/1.0 address 2607:f650:102:ffee::3/128
Note: Proxy-NDP configuration is not required if using interface-nat

 

Verification

root# run show security flow session
Session ID: 32609, Policy name: default-policy-logical-system-00/2, Timeout: 2, Valid
In: 192.168.141.2/1803 --> 192.168.142.2/1;icmp, If: fe-0/0/3.0, Pkts: 1, Bytes: 60
Out: 2608:f650:102:ffee::2/1 --> 2607:f650:102:ffee::3/3814;icmp6, If: fe-0/0/1.0, Pkts: 1, Bytes: 80
Total sessions: 1



 
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search