[ISG/NS/SSG] How to configure MIP on IPv6 address and block malicious incoming IPv6

Article ID: KB33675 | Last Updated: 04 Jan 2019 | Version: 1.0
Summary:

This article shows how to configure a MIP (mapped IP) for an IPv6 address on a ScreenOS interface and how to block selected IPv6 source addresses from reaching it. The scenario is a customer requirement to publish an internal server through an IPv6 MIP and to deny traffic from certain Internet IPv6 addresses that is destined for the MIP address.

Symptoms:
  • A server behind the ScreenOS firewall must be reachable from the Internet through an IPv6 MIP.

  • Specific IPv6 source addresses that try to reach the internal server through the MIP must be blocked.

Solution:

Internal server-------eth4/2-(trust)--firewall----eth4/1--(untrust)--------internet------------

Configure the IPv6 addresses on the interfaces (ethernet4/1 on the untrust side in route mode, ethernet4/2 on the trust side in NAT mode):

set interface "ethernet4/1" ipv6 mode "host"
set interface "ethernet4/1" ipv6 ip 2001:1890:1001:20bf::1:1b/64
set interface "ethernet4/1" ipv6 enable
set interface ethernet4/1 route
set interface "ethernet4/2" ipv6 mode "host"
set interface "ethernet4/2" ipv6 ip 2001:1850:1001:20bf::1:34/128
set interface "ethernet4/2" ipv6 enable
set interface ethernet4/2 nat


Configure the MIP on interface ethernet4/1. The MIP address 2001:1890:1001:20bf::1:1c is mapped to the internal host 2001:1850:1001:20bf::1:34, which is reached through trust-vr:

set interface "ethernet4/1" mip 2001:1890:1001:20bf::1:1c ipv6 host 2001:1850:1001:20bf::1:34 vr "trust-vr"

Create the address-book entries for the zones. Each entry is named after its address/prefix string. Note that an entry defined with /64 matches the entire /64 prefix, which here also contains the untrust interface address (::1:1b) and the MIP (::1:1c), so use such an entry in a deny policy only if the whole subnet is to be blocked; the deny policy in this article uses the /128 entries.

set address "Trust" "2001:1890:1001:20bf::1:1c/128" 2001:1890:1001:20bf::1:1c/128
set address "Trust" "2001:1890:1001:20bf::1:1c/64" 2001:1890:1001:20bf::1:1c/64
set address "Untrust" "2001:1890:1001:20bf::1:1a/128" 2001:1890:1001:20bf::1:1a/128
set address "Untrust" "2001:1890:1001:20bf::1:1a/64" 2001:1890:1001:20bf::1:1a/64
set address "Untrust" "2001:1890:1001:20bf:0:1:1a:220/64" 2001:1890:1001:20bf:0:1:1a:220/64
set address "Global" "2001:1890:1001:20bf::1:1c/128" 2001:1890:1001:20bf::1:1c/128
set address "Global" "2001:1890:1001:20bf::1:1c/64" 2001:1890:1001:20bf::1:1c/64


Create the policies: one that denies the unwanted Internet source when it is destined for the MIP address, and one that permits the remaining traffic to the MIP.

Deny policy, written from Untrust to Global. The destination is the Global address-book entry for the MIP address itself, that is, the destination before MIP translation:

set policy id 2 from "Untrust" to "Global" "2001:1890:1001:20bf::1:1a/128" "2001:1890:1001:20bf::1:1c/128" "ANY" deny log

Note: To block more than one source with policy id 2, create an address-book entry for each source, add the entries to an address group, and use the group name as the source object of the policy.

Permit policy for the MIP, written from Untrust to Trust with the MIP object as destination:

set policy id 1 from "Untrust" to "Trust" "Any-IPv6" "MIP(2001:1890:1001:20bf::1:1c)" "ANY" permit log
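The address-group approach from the note above, as an added example that is not part of the KB article: a small Python helper that turns a list of IPv6 sources into the ScreenOS address-book, address-group and deny-policy commands, and refuses entries that would also match the firewall's own untrust interface address or the MIP (the /64 pitfall mentioned above). The group name "ipv6-blocklist" and the use of the Global entry "2001:1890:1001:20bf::1:1c/128" as the policy destination are assumptions; the interface and MIP addresses are the article's.

```python
import ipaddress

# Addresses taken from the article's configuration: the untrust interface
# address (ethernet4/1) and the MIP address that the deny policy protects.
UNTRUST_IF = ipaddress.IPv6Address("2001:1890:1001:20bf::1:1b")
MIP_ADDR = ipaddress.IPv6Address("2001:1890:1001:20bf::1:1c")
# Assumed: the Global address-book entry for the MIP, named as in the article.
MIP_GLOBAL_ENTRY = f"{MIP_ADDR}/128"


def normalize(entry: str) -> ipaddress.IPv6Network:
    """Return the prefix an address-book entry really matches.

    An entry is written as address/prefix; a host address written with /64
    matches the whole /64, so strict=False mirrors that behaviour instead
    of rejecting the host bits.
    """
    if "/" not in entry:
        entry += "/128"
    net = ipaddress.ip_network(entry, strict=False)
    if not isinstance(net, ipaddress.IPv6Network):
        raise ValueError(f"not an IPv6 entry: {entry}")
    return net


def overbroad(entries, protected=(UNTRUST_IF, MIP_ADDR)):
    """List (entry, matched_prefix, own_address) for entries that would also
    match one of our own addresses; such an entry in a deny policy blocks
    far more than the intended host."""
    hits = []
    for entry in entries:
        net = normalize(entry)
        for addr in protected:
            if addr in net:
                hits.append((entry, str(net), str(addr)))
    return hits


def blocklist_commands(entries, zone="Untrust", group="ipv6-blocklist",
                       policy_id=2, dst=MIP_GLOBAL_ENTRY):
    """Emit 'set address', 'set group address' and one deny policy.

    The group name is an assumption; the 'set address' and 'set policy'
    syntax follows the article, and 'set group address <zone> <group> add
    <name>' is the ScreenOS command that populates an address group.
    """
    bad = overbroad(entries)
    if bad:
        raise ValueError(f"entries would match our own addresses: {bad}")
    lines, seen = [], set()
    for entry in entries:
        net = normalize(entry)
        name = f"{net.network_address.compressed}/{net.prefixlen}"
        if name in seen:            # same host written in another notation
            continue
        seen.add(name)
        lines.append(f'set address "{zone}" "{name}" {name}')
        lines.append(f'set group address "{zone}" "{group}" add "{name}"')
    lines.append(f'set policy id {policy_id} from "{zone}" to "Global" '
                 f'"{group}" "{dst}" "ANY" deny log')
    return lines


if __name__ == "__main__":
    # Constructed blocklist: the article's source plus one more host.
    for line in blocklist_commands(["2001:1890:1001:20bf::1:1a",
                                    "2001:1890:1001:20bf:0:1:1a:220"]):
        print(line)
```

Paste the generated lines into the CLI in the order emitted: the address entries and group must exist before the policy that references the group is created.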

Flow debug output (get db stream, abbreviated get db st below) for traffic that is permitted. The packet is translated by the MIP, routed to ethernet4/2 and permitted by policy 1:

nsisg2000-> get db st
****** 02604.0: packet received [v6/40]******
  flow_decap_vector_v6 ifp ethernet4/1
  ethernet4/1:2001:1890:1001:20bf::1:1a/469->2001:1890:1001:20bf::1:1c/1,58(128/0)
  flow_first_sanity_check: in , out
  flow_first_for_self_v6: in , out
  flow_first_in_dst_nat_v6: in , out
  chose interface ethernet4/1 as incoming nat if.
  packet needs MIP xlate
  flow_first_routing: in , out
  search route (2001:1850:1001:20bf::1:34) in vr for vsd 0 flag 0x0 ifp
  route 2001:1850:1001:20bf::1:34->2001:1850:1001:20bf::1:34, to ethernet4/2
  routed (x_dst_ip 2001:1850:1001:20bf::1:34) from ethernet4/1 (ethernet4/1 in 0) to ethernet4/2
  flow_first_cross_vsys_v6: in , out
  policy search from zone 1-> zone 2
 policy_flow_search_v6: policy search nat_crt from zone 1-> zone 10
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 2001:1890:1001:20bf::1:1c, port 73, proto 58)
  No SW RPC rule match, search normal rule
  Permitted by policy 1
  flow_first_reverse_mip_v6: in , out
  flow_first_policy_dst_xlate_v6: in , out
  flow_first_src_xlate_v6: in , out
  No src xlate
  flow_first_get_out_phy_ifp_v6: in , out
  choose interface ethernet4/2 as outgoing phy if
  flow_first_loopback_check_v6: in , out
  set interface ethernet4/2 as loop ifp.
  flow_first_service_lookup_v6: in , out
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in , out
  flow_first_create_session_v6: in , out
  existing v6 vector list 0-39be34fc.
  Session (id:1048562) created for first pak 0
  loopback session processing
  post addr xlation: 2001:1890:1001:20bf::1:1a->2001:1850:1001:20bf::1:34.
  flow_first_sanity_check: in , out
  flow_first_for_self_v6: in , out
  existing v6 vector list 0-39be34fc.
   create a self session (flag 0x206), timeout=60sec.
  vector index1 0, vector index2 0
  existing vector list 0-4ec0bd4.
  existing v6 vector list 0-39be34fc.
  new vector index 0.
  loopback session created
  flow_first_install_session======>
  handle cleartext reverse route
  search route (2001:1890:1001:20bf::1:1a) in vr for vsd 0 flag 0x3000 ifp
  route 2001:1890:1001:20bf::1:1a->2001:1890:1001:20bf::1:1a, to ethernet4/1
  route to 2001:1890:1001:20bf::1:1a
  ND entry found for 2001:1890:1001:20bf::1:1a
  ifp2 ethernet4/1, out_ifp ethernet4/1, flag 01000603, tunnel ffffffff, rc 1
  flow got session.
  flow session id 1048562
  flow_main_body_vector_v6 v6 in ifp ethernet4/1 out ifp ethernet4/2
  flow vector index v6 0x0, vector addr 0x39be34fc, orig vector 0x39be34fc
  flow_ttl_vector_v6: ifp
  flow_l2prepare_xlate_vector_v6: in ifp out ifp
  flow_l2prepare_xlate_vector_v6,926: l2 prepare ready.
  post addr xlation: 2001:1890:1001:20bf::1:1a->2001:1850:1001:20bf::1:34.
  flow_fragging_vector_v6: ifp
  packet is for self, copy packet to self
copy packet to us.


Flow debug output for traffic that is blocked. The policy lookup ends with "log this session (pid=2)" and "packet dropped, denied by policy", which confirms that the deny policy (id 2), and not the MIP permit policy, handled the packet:

nsisg2000-> get db st
****** 02472.0: packet received [v6/40]******
  flow_decap_vector_v6 ifp ethernet4/1
  ethernet4/1:2001:1890:1001:20bf::1:1a/441->2001:1890:1001:20bf::1:1c/1,58(128/0)
  flow_first_sanity_check: in , out
  flow_first_for_self_v6: in , out
  flow_first_in_dst_nat_v6: in , out
  chose interface ethernet4/1 as incoming nat if.
  packet needs MIP xlate
  flow_first_routing: in , out
  search route (2001:1850:1001:20bf::1:34) in vr for vsd 0 flag 0x0 ifp
  route 2001:1850:1001:20bf::1:34->2001:1850:1001:20bf::1:34, to ethernet4/2
  routed (x_dst_ip 2001:1850:1001:20bf::1:34) from ethernet4/1 (ethernet4/1 in 0) to ethernet4/2
  flow_first_cross_vsys_v6: in , out
  policy search from zone 1-> zone 2
 policy_flow_search_v6: policy search nat_crt from zone 1-> zone 10
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 2001:1890:1001:20bf::1:1c, port 101, proto 58)
  No SW RPC rule match, search normal rule
  log this session (pid=2)
policy id (2)
packet dropped, denied by policy

Policy id deny policy, ipv6 1, flow_potential_violation 0
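The two captures above, as an added example that is not part of the KB article: a Python parser for ScreenOS flow-debug output that extracts, per packet, the interface, addresses, protocol, whether MIP translation was applied, the translated destination, and the policy verdict, then counts dropped packets per source. It assumes only the line formats visible in the captures (the per-packet "ifp:src/port->dst/port,proto(type/code)" line, "Permitted by policy N", "policy id (N)" with "packet dropped, denied by policy", and "post addr xlation: a->b."); the sample text is constructed from the article's two captures, condensed to those lines.

```python
import re
from collections import Counter

# Constructed sample: the article's two 'get db st' captures, condensed to
# the lines this parser reads (one packet permitted by policy 1, one denied
# by policy 2).
SAMPLE = """\
****** 02604.0: packet received [v6/40]******
  flow_decap_vector_v6 ifp ethernet4/1
  ethernet4/1:2001:1890:1001:20bf::1:1a/469->2001:1890:1001:20bf::1:1c/1,58(128/0)
  packet needs MIP xlate
  Permitted by policy 1
  post addr xlation: 2001:1890:1001:20bf::1:1a->2001:1850:1001:20bf::1:34.
****** 02472.0: packet received [v6/40]******
  flow_decap_vector_v6 ifp ethernet4/1
  ethernet4/1:2001:1890:1001:20bf::1:1a/441->2001:1890:1001:20bf::1:1c/1,58(128/0)
  packet needs MIP xlate
  log this session (pid=2)
policy id (2)
packet dropped, denied by policy
"""

# One header per packet: '****** <ts>: packet received [v6/<len>]******'
BLOCK_RE = re.compile(
    r"^\*{6} (?P<ts>[\d.]+): packet received \[(?P<family>v[46])/(?P<length>\d+)\]\*{6}",
    re.M)
# '<ifp>:<src>/<sport>-><dst>/<dport>,<proto>(<icmp_type>/<icmp_code>)'
# The interface name contains no ':', so the first ':' ends it; for ICMPv6
# (proto 58) the trailing (type/code) pair is present.
PKT_RE = re.compile(
    r"^\s*(?P<ifp>[A-Za-z0-9/.\-]+):(?P<src>[0-9a-fA-F:.]+)/(?P<sport>\d+)"
    r"->(?P<dst>[0-9a-fA-F:.]+)/(?P<dport>\d+),(?P<proto>\d+)"
    r"(?:\((?P<icmp_type>\d+)/(?P<icmp_code>\d+)\))?",
    re.M)
PERMIT_RE = re.compile(r"Permitted by policy (\d+)")
DENY_PID_RE = re.compile(r"^\s*policy id \((\d+)\)", re.M)
XLATE_RE = re.compile(r"post addr xlation: (\S+)->(\S+)\.$", re.M)


def parse_debug(text):
    """Split flow-debug output into per-packet records with the verdict."""
    records = []
    heads = list(BLOCK_RE.finditer(text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        body = text[head.start():end]
        pkt = PKT_RE.search(body)
        if pkt is None:             # header without a decoded packet line
            continue
        rec = {"ts": head.group("ts"), "family": head.group("family")}
        rec.update(pkt.groupdict())
        rec["mip"] = "packet needs MIP xlate" in body
        xlate = XLATE_RE.search(body)
        rec["xlated_dst"] = xlate.group(2) if xlate else None
        permit = PERMIT_RE.search(body)
        if permit:
            rec["verdict"], rec["policy"] = "permit", int(permit.group(1))
        elif "denied by policy" in body:
            pid = DENY_PID_RE.search(body)
            rec["verdict"] = "deny"
            rec["policy"] = int(pid.group(1)) if pid else None
        else:
            rec["verdict"], rec["policy"] = "unknown", None
        records.append(rec)
    return records


def denied_sources(records):
    """Count dropped packets per source address (blocklist candidates)."""
    return Counter(r["src"] for r in records if r["verdict"] == "deny")


if __name__ == "__main__":
    for r in parse_debug(SAMPLE):
        print(f'{r["ts"]} {r["src"]} -> {r["dst"]} proto {r["proto"]} '
              f'mip={r["mip"]} xlated_dst={r["xlated_dst"]} '
              f'{r["verdict"]} policy={r["policy"]}')
    print(denied_sources(parse_debug(SAMPLE)))
```

Feed it the full output of get db stream; a permitted MIP flow shows mip=True with the internal host as xlated_dst, while a flow hit by the deny policy shows the MIP address as dst, policy=2 and no translated destination, because the session is dropped before translation is applied.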