SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  NAT64 in Junos11.4

    Posted 01-12-2012 04:22

    Hi,

     

    we would like to configure NAT64 on our SRX1400 device... but with the very little documentation available, like

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB22391&cat=SRX_650&actp=LIST

    we couldn't get it to work...

    Does anyone have configuration example for us ?

    Or can anyone support us ..?

     

    So far destination NAT is working but not source NAT...

    Attached you will find the test-set drawing and the current config...

     

    Thanks in advance

    Taner


    #NAT64
    #NAT

    Attachment(s)

    txt
    Working DEST_NAT.txt   20 KB 1 version
    ppt
    NAT64-test.ppt   53 KB 1 version


  • 2.  RE: NAT64 in Junos11.4
    Best Answer

    Posted 02-06-2012 16:19

    please find attached working config.

     

    thanks,

    raheel

    Attachment(s)

    pdf
    NAT64-Overview.pdf   126 KB 1 version


  • 3.  RE: NAT64 in Junos11.4

    Posted 02-14-2012 02:47

    oki.. thanks .. it was helping



  • 4.  RE: NAT64 in Junos11.4

    Posted 04-05-2012 03:06

    Hi,

     

    I configured NAT64 on SRX using 2 methods: static and source NAT. Attached you'll find a description of the testbed put in place. None of the configurations worked.

     

    On the client machine, I configured IPv6 address 2001:db6:0:1::c0a8:920a with a route to 2001:db6:0:1::c0a8:9201.

    On the destination server, 192.168.145.100, I set a default route to the SRX IPv4 interface .145.1.

     

    For the static NAT, it fails with a neighbor solicitation, as when I ping 2001:db6:0:1::c0a8:9164 (192.168.145.100), the MAC address of the destination could not be determined.

    Same for source Nat.

     

    what I understood for now is that:

    - when Static NAT is used, packet destined to an IPv6 @ that is configured on SRX will be NATted such that source becomes the static-nat prefix and ipv4 destination@ is retrieved from destination ipv6 address.

    Is my understanding correct?

     

    - When Source NAT is used, packet destined to an IPv6 @ that is configured on SRX, will be natted such that source is natted to an address on the pool, and destination is determined from ipv6 destination address.

    Is my understanding correct?

     

    I can't see any NAT64 prefix configuration on SRX. Is that "normal"?

     

    Thank you in advance for your help,

    Best Regards,

    Tanic

    Attachment(s)

    pdf
    Slide_SRX_v1.pdf   69 KB 1 version
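
The addresses in the post above carry an IPv4 address in their low 32 bits (c0a8:9164 is 192.168.145.100). The following is an added example, not part of the original thread or of Junos: it implements the RFC 6052 embedding for every defined prefix length and decodes the addresses quoted above. It assumes the testbed numbers its hosts under 2001:db6:0:1::/96; the function and constant names are illustrative.

```python
import ipaddress

# Prefix lengths defined by RFC 6052, section 2.2.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)

# Assumption: the testbed numbers its hosts under this /96 prefix.
THREAD_PREFIX = "2001:db6:0:1::/96"
# Addresses quoted in the post above (client, next hop, pinged target).
THREAD_ADDRESSES = (
    "2001:db6:0:1::c0a8:920a",
    "2001:db6:0:1::c0a8:9201",
    "2001:db6:0:1::c0a8:9164",
)

def v4_positions(prefix_len):
    """Byte offsets holding the IPv4 address; octet 8 (the 'u' octet) is skipped."""
    if prefix_len not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"RFC 6052 does not define a /{prefix_len} prefix")
    return [i for i in range(prefix_len // 8, 16) if i != 8][:4]

def embed(prefix, v4):
    """Build the IPv6 address that represents v4 under the given prefix."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytearray(net.network_address.packed)
    packed_v4 = ipaddress.IPv4Address(v4).packed
    for pos, octet in zip(v4_positions(net.prefixlen), packed_v4):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(prefix, v6):
    """Recover the embedded IPv4 address, rejecting addresses that do not fit."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in net:
        raise ValueError(f"{addr} is outside {net}")
    raw = addr.packed
    if raw[8] != 0:
        raise ValueError("bits 64-71 must be zero in an RFC 6052 address")
    return ipaddress.IPv4Address(bytes(raw[i] for i in v4_positions(net.prefixlen)))

def decode_thread_addresses():
    """Map each IPv6 address quoted in the post to its embedded IPv4 address."""
    return {a: str(extract(THREAD_PREFIX, a)) for a in THREAD_ADDRESSES}

if __name__ == "__main__":
    for v6, v4 in decode_thread_addresses().items():
        print(f"{v6} -> {v4}")
```
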


  • 5.  RE: NAT64 in Junos11.4

    Posted 04-05-2012 07:43

    Hello,

     

    the logic I described previously lacks a proper handling of source NAT.

    I modified the example by adding the following:

    security {
        nat {
            source {
                pool cs64-pool {
                    address {
                        192.168.145.8/32;
                    }
                }
                rule-set test-1 {
                    from zone Untrust-ipv6;
                    to zone Trust-ipv4;
                    rule rule-1 {
                        match {
                            source-address 2001:db6:0:1::c0a8:920b/128;
                            destination-address 192.168.145.100/32;
                        }
                        then {
                            source-nat {
                                pool {
                                    cs64-pool;
                                    persistent-nat {
                                        permit any-remote-host;
                                    }
                                }
                            }
                        }
                    }
                }
            }
            destination {
                pool ipPool {
                    address 192.168.145.100/32;
                }
                rule-set test-1 {
                    from zone Untrust-ipv6;
                    rule rule-1 {
                        match {
                            destination-address 2001:db6:0:1::c0a8:9164/128;
                        }
                        then {
                            destination-nat pool ipPool;
                        }
                    }
                }
            }
        }
        zones {
            security-zone Untrust-ipv6 {
                address-book {
                    address clientv6 2001:db6:0:1::c0a8:920b/128;
                }
                interfaces {
                    ge-0/0/1.146 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
            security-zone Trust-ipv4 {
                address-book {
                    address serverv4 192.168.145.100/32;
                }
                interfaces {
                    ge-0/0/1.145 {
                        host-inbound-traffic {
                            system-services {
                                all;
                            }
                            protocols {
                                all;
                            }
                        }
                    }
                }
            }
        }
    }

     

    This configuration is expected to allow client6 with IPv6 address 2001:db6:0:1::c0a8:920b to reach server 192.168.145.100 by doing a source NAT and a destination NAT using configured pools.

     

    On the client side, I configure a route to the 2001:db6:0:1::c0a8:9164 via 2001:db6:0:1::c0a8:9201.

     

    I can see ping echo requests going out of the interface of my client, BUT I can't see any packet offered to the IPv6 logical unit on the SRX.

     

    Could you please tell me what is going wrong with this configuration?

     

    Please note that I am using a logical unit inside SRX and not root system.

     

    Best Regards,