SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Packet with IPv6 source & IPv4 destination (in Juniper documentation)

    Posted 01-14-2019 08:40

    Anyone know how a packet could have an IPv6 source address and an IPv4 destination address?  The example at https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-ipv6-nat.html#jd0e880 thinks it is possible:

     

    [edit security nat]
    source {
      pool myipv4 {
        address {
          203.0.113.2/32 to 203.0.113.5/32;
        }
      }
      rule-set myipv4_rs {
        from interface ge-0/0/1.0;
        to interface ge-0/0/2.0;
        rule ipv4_rule {
          match {
            source-address 2001:db8::/96;
            destination-address 10.1.1.15/30;
          }
          then {
            source-nat {
              pool {
                myipv4;
              }
            }
          }
        }
      }
    }
    

     

    Thanks.

     

     

     



  • 2.  RE: Packet with IPv6 source & IPv4 destination (in Juniper documentation)
    Best Answer

     
    Posted 01-14-2019 20:15

    Hello

     

    Good catch. Traffic on the wire can never be a mix of IPv4 and IPv6. However, the snippet provided here is purely an internal processing/flow logic on the SRX firewalls.

     

    > The example given below is that of a NAT64 - which is IPv6 to IPv4 NAT

    > So to achieve this both source and destination v6 addresses need to be translated to v4

    > As part of the SRX flow processing Dest-NAT happens first

    > Therefore the destination gets translated to v4 while source is yet a v6

    > Subsequently there is a security policy and source nat lookup 

    > The snippet you have provided is for creating a source NAT policy while the destination was already translated in the earlier step

    > This is where you would see this funny looking combo of source v6 and destination v4

    > Here is a link to explain the flow processing on the SRX: https://kb.juniper.net/InfoCenter/index?page=content&id=kb16110

     

    I hope this answers your query. Regards,

     

    Vikas

    JTAC-CFTS
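
The lookup order described in the answer above, as a small Python model added here for illustration; it is not Juniper code and not part of the thread. The IPv6 destination `2001:db8:ffff::15`, its static mapping to `10.1.1.15`, and the first-address pool pick are assumptions; the source rule mirrors the snippet in the question.

```python
import ipaddress
from dataclasses import dataclass, replace

ip = ipaddress.ip_address
# Assumed static (destination) mapping; constructed for this example.
DST_STATIC = {ip("2001:db8:ffff::15"): ip("10.1.1.15")}
# Mirrors the source rule quoted in the question.
SRC_MATCH = ipaddress.ip_network("2001:db8::/96")
DST_MATCH = ipaddress.ip_network("10.1.1.15/30", strict=False)
POOL = [ip(f"203.0.113.{n}") for n in range(2, 6)]

@dataclass(frozen=True)
class Packet:
    src: object
    dst: object

def in_net(addr, net):
    # An address of the other family can never match the rule.
    return addr.version == net.version and addr in net

def destination_nat(pkt):
    # Step 1: destination translation runs before policy and source NAT.
    new_dst = DST_STATIC.get(pkt.dst)
    return replace(pkt, dst=new_dst) if new_dst is not None else pkt

def source_nat(pkt):
    # Step 2: the rule is evaluated against the already-translated
    # destination, hence "source v6, destination v4" in the match.
    if in_net(pkt.src, SRC_MATCH) and in_net(pkt.dst, DST_MATCH):
        return replace(pkt, src=POOL[0])  # simplification: first pool address
    return pkt

def trace(pkt):
    """Return (stage, packet, (src family, dst family)) for each step."""
    after_dst = destination_nat(pkt)
    after_src = source_nat(after_dst)
    stages = [("ingress, on the wire", pkt),
              ("internal, after destination NAT", after_dst),
              ("egress, on the wire", after_src)]
    return [(name, p, (p.src.version, p.dst.version)) for name, p in stages]

if __name__ == "__main__":
    for name, p, fam in trace(Packet(ip("2001:db8::a"), ip("2001:db8:ffff::15"))):
        print(f"{name:32} {p.src} -> {p.dst}  families={fam}")
```

In this model a packet whose destination has no static mapping keeps its IPv6 destination, so the source rule, which expects an IPv4 destination, never matches it.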



  • 3.  RE: Packet with IPv6 source & IPv4 destination (in Juniper documentation)

    Posted 01-14-2019 22:09

    Hi Atinglin,

     

    Because IPv4 migration to IPv6 needs to be transparent and smooth, several ways of communication between IPv4 and IPv6 hosts have been developed; you can even have IPv4 addresses inside IPv6 headers for this same purpose:

     

       http://www.tcpipguide.com/free/t_IPv6IPv4AddressEmbedding.htm 

     

    The document you are checking is for one of those solutions that were developed and it's called NAT-PT, where you perform NAT operations between IPv4 and IPv6. As the document states "IPv6 Network Address Translation-Protocol Translation (NAT-PT) provides address allocation and protocol translation between IPv4 and IPv6 addressed network devices.". Check the "IPv6 NAT PT Overview" section, if you haven't, for a better understanding:

     

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-ipv6-nat.html#id-ipv6-nat-pt-overview 

     

    I hope the above info helps 😉