
[SRX] Outbound IPv4 to IPv4 traffic dropped after adding a NAT64 rule


Article ID: KB35687 | KB Last Updated: 13 Aug 2020 | Version: 1.0
Summary:

This article describes the proper way to configure an "open" NAT64 static rule that translates an IPv6 /96 prefix into the full IPv4 0/0 range on a dual-stack IPv4/IPv6 interface of SRX Series firewalls.

Symptoms:

In some scenarios, IPv4 traffic is carried across an IPv6 network. The full IPv4 address range may be present in that traffic, or specifying and maintaining the individual IPv4 subnets may be too much work.

After adding the open NAT64 rule on a dual-stack IPv4/IPv6 interface, IPv4 <---> IPv4 traffic may start to be dropped, with the following message in the flow traces:

The packet destination ip is not same as source ip version, drop it
Cause:

A common configuration is an "open" NAT64 rule that converts an incoming IPv6 /96 prefix to the full IPv4 range without having to specify the IPv4 subnet.

It is typically accomplished by specifying just "then static-nat inet" as the rule action, with only a destination-address match condition:

root@SRX5800# show security nat static
rule-set untrust_to_trust_nat64 {
    from zone untrust;
    rule dst-nat64-rule {
        match {
            destination-address 64:ff9b::/96;
        }
        then {
            static-nat {
                inet;
            }
        }
    }
}

The reason this causes a problem on the SRX, but not on other Junos devices, is the flow module: it performs additional bidirectional checks to verify proper flow session creation. Static NAT rules are always bidirectional. During flow processing of an outbound IPv4 to IPv4 flow, the lookup reaches this static NAT rule and matches the flow for source translation to IPv6. That is illegal, because the destination address of the flow is IPv4.

Therefore:

"The packet destination ip is not same as source ip version, drop it"
Solution:

Add an additional match condition to the NAT64 rule:

source-address ::/0

root@SRX5800# show security nat static
rule-set untrust_to_trust_nat64 {
    from zone untrust;
    rule dst-nat64-rule {
        match {
            source-address ::/0;
            destination-address 64:ff9b::/96;
        }
        then {
            static-nat {
                inet;
            }
        }
    }
}

This exempts traffic sourced from IPv4 addresses from the rule and resolves the conflict.

Note: The source-address match condition is only available in static NAT rules in Junos OS 12.1X46 and later.
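To make the cause and the fix concrete, here is an added Python model of the bidirectional static NAT lookup described above; it is not Juniper code and does not reproduce the SRX flow module, and the IPv4 source NAT pool address (198.51.100.1) used for the inbound NAT64 direction is an assumption for illustration. It shows the open rule matching an outbound IPv4 -> IPv4 flow for IPv6 source translation (and the resulting version-mismatch drop), and the same flow passing once "source-address ::/0" is part of the match.

```python
from ipaddress import IPv4Address, IPv6Address, ip_address, ip_network

NAT64_PREFIX = ip_network("64:ff9b::/96")   # destination-address in the KB rule
SNAT_POOL_V4 = IPv4Address("198.51.100.1")  # assumed IPv4 source NAT pool for inbound NAT64

def embed(v4: IPv4Address) -> IPv6Address:
    """Place the IPv4 address in the low 32 bits of the /96 (RFC 6052 layout)."""
    return IPv6Address(int(NAT64_PREFIX.network_address) | int(v4))

def extract(v6: IPv6Address) -> IPv4Address:
    """Recover the IPv4 address embedded in a 64:ff9b::/96 destination."""
    return IPv4Address(int(v6) & 0xFFFFFFFF)

def static_nat64(src, dst, source_match=None):
    """Bidirectional lookup of 'static-nat inet' against 64:ff9b::/96.
    source_match models the optional 'source-address' match condition (None when
    not configured). Returns translated (src, dst), or None if the rule does not apply."""
    # Forward direction: IPv6 client -> /96, destination rewritten to IPv4.
    if isinstance(dst, IPv6Address) and dst in NAT64_PREFIX:
        if source_match is None or src in source_match:
            return SNAT_POOL_V4, extract(dst)
    # Reverse direction: 'inet' covers the whole IPv4 range, so every IPv4 source
    # qualifies for rewriting into the /96. With source-address configured, this
    # flow's destination must also lie inside it; an IPv4 destination never lies in ::/0.
    if isinstance(src, IPv4Address):
        if source_match is None or dst in source_match:
            return embed(src), dst
    return None

def flow_verdict(src: str, dst: str, source_match=None) -> str:
    """Apply the SRX flow module's version check to the static NAT result."""
    match = ip_network(source_match) if source_match else None
    result = static_nat64(ip_address(src), ip_address(dst), match)
    if result is None:
        return "pass"   # rule not hit; ordinary IPv4 forwarding
    new_src, new_dst = result
    if new_src.version != new_dst.version:
        return "drop"   # "The packet destination ip is not same as source ip version, drop it"
    return f"nat {new_src} -> {new_dst}"

if __name__ == "__main__":
    # Constructed sample flows using documentation address ranges.
    print("inbound NAT64,    open rule:", flow_verdict("2001:db8::1", "64:ff9b::cb00:7105"))
    print("outbound v4->v4,  open rule:", flow_verdict("192.0.2.10", "203.0.113.5"))
    print("outbound v4->v4, fixed rule:", flow_verdict("192.0.2.10", "203.0.113.5", "::/0"))
```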