SlideShare a Scribd company logo

NAT64 Overview

Salachudin Emir
Salachudin Emir
Technology
1 of 16
Download to read offline
NAT64 Overview
NAT64 example n  SSH from an IPv6 client to an IPv4 server using NAT64 n  Use Static NAT on the Untrust side n  SRX presents an IPv6 destination to the client n  Translates the IPv6 destination address to the actual IPv4 address of server n  Use Source NAT with Persistence n  SRX translates the client's IPv6 address to an IPv4 address so the server can accept the connection n  Example NATs: n  Client8 from 2001:db8::8 to 10.1.1.8 n  Server5 from 10.1.1.5 to 2001:db8:5 SSH via NAT64 Client8 Server5 2001:db8::8 10.1.1.5 Untrust 2001:db8::1 10.1.1.1 Trust ge-0/0/0.0 ge-0/0/1.0 Step 1 Step 2 Step 3 Step 4 Src IP 2001:db8::8 Src IP 2001:db8::8 Src IP 10.1.1.8 Src IP 10.1.1.8 Src Port 56604 Src Port 56604 Src Port 18750 Src Port 18750 Dst IP 2001:db8::5 Dst IP 2001:db8::5 Dst IP 10.1.1.5 Dst IP 10.1.1.5 Dst Port 22 Dst Port 22 Dest Port 22 Dest Port 22
NAT64 configuration example – IPv6 Flow n  Ensure the SRX is configured for IPv6 Flow Mode n  One time setting to enable flow mode for IPv6 n  Not enabled by default n  Requires a reboot security { forwarding-options { family { inet6 { mode flow-based; } } } }
NAT64 configuration example - Interfaces n  Configure the SRX Interfaces n  ge-0/0/0.0 = 2001:db8::164 n  ge-0/0/1.0 = 10.1.1.1/24 interfaces { ge-0/0/0 { unit 0 { family inet6 { address 2001:db8::1/64; } } } ge-0/0/1 { unit 0 { family inet { address 10.1.1.1/24; } } } }
NAT64 configuration example - zones n  Configure the SRX Security Zones security { security-zone untrust { address-book { address client8 2001:db8::8/128; } interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } } security-zone trust { address-book { address server5 10.1.1.5/32; } interfaces { ge-0/0/1.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } } } }
NAT64 configuration example – static nat n  Configure Static NAT for Server5 n  Traffic is coming from the client on the untrust zone n  NAT Server5's 10.1.1.5 IPv4 address to the IPv6 2001:db8::5 address security { nat { static { rule-set static64 { from zone untrust; rule server5 { match { destination-address 2001:db8::5/128; } then { static-nat prefix 10.1.1.5/32; } } } } } }
NAT64 configuration example – source nat n  Configure Source NAT for Client8 n  Traffic is coming from the client on the untrust zone going to the server on the trust zone n  NAT Client8's 2001:db8::8 IPv6 address to the IPv4 10.1.1.8 address security { nat { source { pool client8-ipv4-pool { address { 10.1.1.8/32; } } rule-set client8-rs { from zone untrust; to zone trust; rule client8-rule { match { source-address 2001:db8::8/128; destination-address 10.1.1.5/32; } then { source-nat { pool { client8-ipv4-pool; persistent-nat { permit any-remote-host; } } } } } } }
NAT64 configuration example – proxy arp n  Enable the SRX to respond to requests on behalf of the NATs n  Both the static and source NAT IP addresses are on the same subnets as the interface IP addresses on the SRX. n  For the IPv4 address configure Proxy ARP n  Fort the IPv6 address configure Proxy NDP security { nat { proxy-arp { interface ge-0/0/1.0 { address { 10.1.1.8/32; } } } proxy-ndp { interface ge-0/0/0.0 { address { 2001:db8::5/128; } } } } }
NAT64 configuration example – policies n  Configure a Security Policy from zone untrust to zone trust n  Can use the key word "any" n  Example is explicit using n  IPv6 address 2001:db8::8 for client8 n  IPv4 address 10.1.1.5 for server5 security { policies { from-zone untrust to-zone trust { policy client8-to-server5 { match { source-address client8; destination-address server5; application any; } then { permit; log { session-init; session-close; } count; } } } }
NAT64 validation – session table (brief) n  Once Client8 initiates an SSH session to Server5 you can view the session entry in the flow table admin@srx210> show security flow session Session ID: 1612, Policy name: client8-to-server5/6, Timeout: 1794, Valid In: 2001:db8::8/56604 --> 2001:db8::5/22;tcp, If: ge-0/0/0.0, Pkts: 24, Bytes: 3601 Out: 10.1.1.5/22 --> 10.1.1.8/18750;tcp, If: ge-0/0/1.0, Pkts: 17, Bytes: 3205
NAT64 validation – session table (detailed) n  Detailed view of the session table admin@srx210-1> show security flow session session-identifier 1612 Session ID: 1612, Status: Normal Flag: 0x0 Policy name: client8-to-server5/6 Source NAT pool: client8-ipv4-pool Dynamic application: junos:UNKNOWN, Maximum timeout: 1800, Current timeout: 1746 Session State: Valid Start time: 3476, Duration: 63 In: 2001:db8::8/56604 --> 2001:db8::5/22;tcp, Interface: ge-0/0/0.0, Session token: 0x7, Flag: 0x0x623 Route: 0xc0010, Gateway: 2001:db8::8, Tunnel: 0 Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 24, Bytes: 3601 Out: 10.1.1.5/22 --> 10.1.1.8/18750;tcp, Interface: ge-0/0/1.0, Session token: 0x8, Flag: 0x0x620 Route: 0xa0010, Gateway: 10.1.1.5, Tunnel: 0 Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 17, Bytes: 3205 Total sessions: 1
NAT64 validation – static nat n  View statistics for the Static NAT admin@srx210-1> show security nat static rule all Total static-nat rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 1/1 Static NAT rule: server5 Rule-set: static64 Rule-Id : 1 Rule position : 1 From zone : untrust Destination addresses : 2001:db8::5 Host addresses : 10.1.1.5 Netmask : 128 Host routing-instance : N/A Translation hits : 16
NAT64 validation – source nat n  View statistics for the Source NAT admin@srx210-1> show security nat source rule all Total rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 1/1 source NAT rule: client8-rule Rule-set: client8-rs Rule-Id : 1 Rule position : 1 From zone : untrust To zone : trust Match Source addresses : 2001:db8::8 - 2001:db8::8 Destination addresses : 10.1.1.5 - 10.1.1.5 Destination port : 0 - 0 Action : client8-ipv4-pool Persistent NAT type : any-remote-host Persistent NAT mapping type : address-port-mapping Inactivity timeout : 300 Max session number : 30 Translation hits : 13
NAT64 validation – source nat n  View statistics for the Source NAT admin@srx210-1> show security nat source persistent-nat-table all Internal Reflective Source Type Left_time/ Curr_Sess_Num/ Source In_IP In_Port I_Proto Ref_IP Ref_Port R_Proto NAT Pool Conf_time Max_Sess_Num NAT Rule 2001:db8::8 56604 tcp 10.1.1.8 18750 tcp client8-ipv4-pool any-remote-host -/300 1/30 client8-rule
NAT64 validation – traffic logs n  Traffic logs are generated by the security policy (if enabled) admin@srx210-1> show log traffic-log Oct 11 22:03:22 srx210-1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 2001:db8:0:0:0:0:0:8/56604->2001:0:0:0:5/22 None 10.1.1.8/18750->10.1.1.5/22 client8-rule server5 6 client8-to-server5 untrust trust 1612 N/A(N/A) ge-0/0/0.0 Oct 11 22:07:09 srx210-1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 2001:db8:0:0:0:0:0:8/56604->2001:db8:0:0:0:0:0:5/22 None 10.1.1.8/18750->10.1.1.5/22 client8-rule server5 6 client8-to-server5 untrust trust 1612 76(8337) 48(9057) 228 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0:db8:0:0
NAT64 validation – NAT logs n  Below is an example of the logs generated by the persistent NATs: admin@srx210-1> show log nat64-log Oct 11 21:25:58 srx210-1 RT_NAT: RT_PST_NAT_BINDING_CREATE: Pst NAT (Active ) binding created, lsys_id: 0, internal ip/port/protocol: 2001:db8:0:0:0:0:0:8/56599/6, reflexive ip/port/protocol: 10.1.1.8/12689/6 Oct 11 21:29:10 srx210-1 RT_NAT: RT_PST_NAT_BINDING_MATCH: Pst NAT (Active ) binding matched, lsys_id: 0, internal ip/port/protocol: 2001:db8:0:0:0:0:0:8/56599/6, reflexive ip/port/protocol: 10.1.1.8/12689/6 Oct 11 21:34:20 srx210-1 RT_NAT: RT_PST_NAT_BINDING_DELETE: Pst NAT (Invalid_1) binding deleted, lsys_id: 0, internal ip/port/protocol: 2001:db8:0:0:0:0:0:8/56599/6, reflexive ip/port/protocol: 10.1.1.8/12689/6

Recommended

Access Control Models: Controlling Resource Authorization
Access Control Models: Controlling Resource AuthorizationAccess Control Models: Controlling Resource Authorization
Access Control Models: Controlling Resource AuthorizationMark Niebergall
 
Dns covert channels with scapy
Dns covert channels with scapyDns covert channels with scapy
Dns covert channels with scapyMrArora Arjuna
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
MySQL Security
MySQL SecurityMySQL Security
MySQL SecurityTed Wennmark
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSECAPNIC
 
Apparmor
ApparmorApparmor
Apparmorn|u - The Open Security Community
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatSurachai Chatchalermpun
 
What is Penetration & Penetration test ?
What is Penetration & Penetration test ?What is Penetration & Penetration test ?
What is Penetration & Penetration test ?Bhavin Shah
 

Recommended

Access Control Models: Controlling Resource Authorization
Access Control Models: Controlling Resource AuthorizationAccess Control Models: Controlling Resource Authorization
Access Control Models: Controlling Resource AuthorizationMark Niebergall
 
Dns covert channels with scapy
Dns covert channels with scapyDns covert channels with scapy
Dns covert channels with scapyMrArora Arjuna
 
The Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryThe Unintended Risks of Trusting Active Directory
The Unintended Risks of Trusting Active DirectoryWill Schroeder
 
MySQL Security
MySQL SecurityMySQL Security
MySQL SecurityTed Wennmark
 
DNS & DNSSEC
DNS & DNSSECDNS & DNSSEC
DNS & DNSSECAPNIC
 
Apparmor
ApparmorApparmor
Apparmorn|u - The Open Security Community
 
CSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatSurachai Chatchalermpun
 
What is Penetration & Penetration test ?
What is Penetration & Penetration test ?What is Penetration & Penetration test ?
What is Penetration & Penetration test ?Bhavin Shah
 
DNS Security
DNS SecurityDNS Security
DNS Securityjohnmcclure00
 
Mysql security 5.7
Mysql security 5.7 Mysql security 5.7
Mysql security 5.7 Mark Swarbrick
 
Maria db 이중화구성_고민하기
Maria db 이중화구성_고민하기Maria db 이중화구성_고민하기
Maria db 이중화구성_고민하기NeoClova
 
[234]멀티테넌트 하둡 클러스터 운영 경험기
[234]멀티테넌트 하둡 클러스터 운영 경험기[234]멀티테넌트 하둡 클러스터 운영 경험기
[234]멀티테넌트 하둡 클러스터 운영 경험기NAVER D2
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentBangladesh Network Operators Group
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) FilesRemnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) FilesRhydham Joshi
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPAPNIC
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering conceptMostafa El Lathy
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinuxRene Cunningham
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Frameworkn|u - The Open Security Community
 
Overview of the ehcache
Overview of the ehcacheOverview of the ehcache
Overview of the ehcacheHyeonSeok Choi
 
bgp(border gateway protocol)
bgp(border gateway protocol)bgp(border gateway protocol)
bgp(border gateway protocol)Noor Ul Hudda Memon
 
Getting Started with ThousandEyes
Getting Started with ThousandEyesGetting Started with ThousandEyes
Getting Started with ThousandEyesThousandEyes
 
Why Use EXPLAIN FORMAT=JSON?
Why Use EXPLAIN FORMAT=JSON? Why Use EXPLAIN FORMAT=JSON?
Why Use EXPLAIN FORMAT=JSON? Sveta Smirnova
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXBangladesh Network Operators Group
 
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"Barry Greene
 
2019 Webinar ZABBIX CERTIFICATIONS - From User to Expert, and +
2019 Webinar ZABBIX CERTIFICATIONS - From User to Expert, and +2019 Webinar ZABBIX CERTIFICATIONS - From User to Expert, and +
2019 Webinar ZABBIX CERTIFICATIONS - From User to Expert, and +Julio Zanette
 
Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)Blue Teamer
 
NAT64 and DNS64 in 30 minutes
NAT64 and DNS64 in 30 minutesNAT64 and DNS64 in 30 minutes
NAT64 and DNS64 in 30 minutesIvan Pepelnjak
 
Router and NAT Server 2012 R2
Router and NAT Server 2012 R2Router and NAT Server 2012 R2
Router and NAT Server 2012 R2Ratan Mohapatra
 

More Related Content

What's hot

Maria db 이중화구성_고민하기
Maria db 이중화구성_고민하기Maria db 이중화구성_고민하기
Maria db 이중화구성_고민하기NeoClova
 
[234]멀티테넌트 하둡 클러스터 운영 경험기
[234]멀티테넌트 하둡 클러스터 운영 경험기[234]멀티테넌트 하둡 클러스터 운영 경험기
[234]멀티테넌트 하둡 클러스터 운영 경험기NAVER D2
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseScott Sutherland
 
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) FilesRemnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) FilesRhydham Joshi
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPAPNIC
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsWill Schroeder
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering conceptMostafa El Lathy
 
Overview of the ehcache
Overview of the ehcacheOverview of the ehcache
Overview of the ehcacheHyeonSeok Choi
 
Getting Started with ThousandEyes
Getting Started with ThousandEyesGetting Started with ThousandEyes
Getting Started with ThousandEyesThousandEyes
 
Why Use EXPLAIN FORMAT=JSON?
Why Use EXPLAIN FORMAT=JSON? Why Use EXPLAIN FORMAT=JSON?
Why Use EXPLAIN FORMAT=JSON? Sveta Smirnova
 
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"Barry Greene
 
2019 Webinar ZABBIX CERTIFICATIONS - From User to Expert, and +
2019 Webinar ZABBIX CERTIFICATIONS - From User to Expert, and +2019 Webinar ZABBIX CERTIFICATIONS - From User to Expert, and +
2019 Webinar ZABBIX CERTIFICATIONS - From User to Expert, and +Julio Zanette
 
Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)Blue Teamer
 

What's hot (20)

DNS Security
DNS SecurityDNS Security
DNS Security
 
Mysql security 5.7
Mysql security 5.7 Mysql security 5.7
Mysql security 5.7
 
Maria db 이중화구성_고민하기
Maria db 이중화구성_고민하기Maria db 이중화구성_고민하기
Maria db 이중화구성_고민하기
 
[234]멀티테넌트 하둡 클러스터 운영 경험기
[234]멀티테넌트 하둡 클러스터 운영 경험기[234]멀티테넌트 하둡 클러스터 운영 경험기
[234]멀티테넌트 하둡 클러스터 운영 경험기
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) FilesRemnux tutorial-1 Statically Analyse Portable Executable(PE) Files
Remnux tutorial-1 Statically Analyse Portable Executable(PE) Files
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
 
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security DescriptorsAn ACE in the Hole - Stealthy Host Persistence via Security Descriptors
An ACE in the Hole - Stealthy Host Persistence via Security Descriptors
 
13 palo alto url web filtering concept
13 palo alto url web filtering concept13 palo alto url web filtering concept
13 palo alto url web filtering concept
 
Introduction To SELinux
Introduction To SELinuxIntroduction To SELinux
Introduction To SELinux
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Overview of the ehcache
Overview of the ehcacheOverview of the ehcache
Overview of the ehcache
 
bgp(border gateway protocol)
bgp(border gateway protocol)bgp(border gateway protocol)
bgp(border gateway protocol)
 
Getting Started with ThousandEyes
Getting Started with ThousandEyesGetting Started with ThousandEyes
Getting Started with ThousandEyes
 
Why Use EXPLAIN FORMAT=JSON?
Why Use EXPLAIN FORMAT=JSON? Why Use EXPLAIN FORMAT=JSON?
Why Use EXPLAIN FORMAT=JSON?
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
BIND’s New Security Feature: DNSRPZ - the "DNS Firewall"
 
2019 Webinar ZABBIX CERTIFICATIONS - From User to Expert, and +
2019 Webinar ZABBIX CERTIFICATIONS - From User to Expert, and +2019 Webinar ZABBIX CERTIFICATIONS - From User to Expert, and +
2019 Webinar ZABBIX CERTIFICATIONS - From User to Expert, and +
 
Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)Deploying Privileged Access Workstations (PAWs)
Deploying Privileged Access Workstations (PAWs)
 

Viewers also liked

NAT64 and DNS64 in 30 minutes
NAT64 and DNS64 in 30 minutesNAT64 and DNS64 in 30 minutes
NAT64 and DNS64 in 30 minutesIvan Pepelnjak
 
Router and NAT Server 2012 R2
Router and NAT Server 2012 R2Router and NAT Server 2012 R2
Router and NAT Server 2012 R2Ratan Mohapatra
 
Juniper Ssg Policy Based Nat (Server Publish)
Juniper Ssg Policy Based Nat (Server Publish)Juniper Ssg Policy Based Nat (Server Publish)
Juniper Ssg Policy Based Nat (Server Publish)yifeng lee
 
Nat Server Configuration Steps
Nat Server Configuration StepsNat Server Configuration Steps
Nat Server Configuration StepsPasala Jayaraju
 
Cấu hình nat – pt
Cấu hình nat – ptCấu hình nat – pt
Cấu hình nat – ptHate To Love
 
Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)Linh Lê
 
Upcoming internet challenges
Upcoming internet challengesUpcoming internet challenges
Upcoming internet challengesIvan Pepelnjak
 
IPv6 at Home: NAT64, DNS64, OpenVPN
IPv6 at Home: NAT64, DNS64, OpenVPNIPv6 at Home: NAT64, DNS64, OpenVPN
IPv6 at Home: NAT64, DNS64, OpenVPNMaksim Melnikau
 

Viewers also liked (10)

NAT64 and DNS64 in 30 minutes
NAT64 and DNS64 in 30 minutesNAT64 and DNS64 in 30 minutes
NAT64 and DNS64 in 30 minutes
 
Router and NAT Server 2012 R2
Router and NAT Server 2012 R2Router and NAT Server 2012 R2
Router and NAT Server 2012 R2
 
Juniper Ssg Policy Based Nat (Server Publish)
Juniper Ssg Policy Based Nat (Server Publish)Juniper Ssg Policy Based Nat (Server Publish)
Juniper Ssg Policy Based Nat (Server Publish)
 
Bao Cao Mang
Bao Cao MangBao Cao Mang
Bao Cao Mang
 
Nat Server Configuration Steps
Nat Server Configuration StepsNat Server Configuration Steps
Nat Server Configuration Steps
 
Dhcp and nat
Dhcp and natDhcp and nat
Dhcp and nat
 
Cấu hình nat – pt
Cấu hình nat – ptCấu hình nat – pt
Cấu hình nat – pt
 
Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)
 
Upcoming internet challenges
Upcoming internet challengesUpcoming internet challenges
Upcoming internet challenges
 
IPv6 at Home: NAT64, DNS64, OpenVPN
IPv6 at Home: NAT64, DNS64, OpenVPNIPv6 at Home: NAT64, DNS64, OpenVPN
IPv6 at Home: NAT64, DNS64, OpenVPN
 

Similar to NAT64 Overview

PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms PROIDEA
 
OpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsOpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsAkihiro Motoki
 
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728jieun kim
 
Network Test Automation - Net Ops Coding 2015
Network Test Automation - Net Ops Coding 2015Network Test Automation - Net Ops Coding 2015
Network Test Automation - Net Ops Coding 2015Hiroshi Ota
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantShixiong Shang
 
Robert Raszuk - Technologies for IPv4/IPv6 coexistance
Robert Raszuk - Technologies for IPv4/IPv6 coexistanceRobert Raszuk - Technologies for IPv4/IPv6 coexistance
Robert Raszuk - Technologies for IPv4/IPv6 coexistancePROIDEA
 
Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Yongyoon Shin
 
Scaling Redis To 1M Ops/Sec: Jane Paek
Scaling Redis To 1M Ops/Sec: Jane PaekScaling Redis To 1M Ops/Sec: Jane Paek
Scaling Redis To 1M Ops/Sec: Jane PaekRedis Labs
 
NAT and firewall presentation - how setup a nice firewall
NAT and firewall presentation - how setup a nice firewallNAT and firewall presentation - how setup a nice firewall
NAT and firewall presentation - how setup a nice firewallCassiano Campes
 
What’s New in NGINX Plus R16?
What’s New in NGINX Plus R16?What’s New in NGINX Plus R16?
What’s New in NGINX Plus R16?NGINX, Inc.
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatDigicomp Academy AG
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network TroubleshootingOpen Source Consulting
 
CCNA 2 Routing and Switching v5.0 Chapter 11
CCNA 2 Routing and Switching v5.0 Chapter 11CCNA 2 Routing and Switching v5.0 Chapter 11
CCNA 2 Routing and Switching v5.0 Chapter 11Nil Menon
 
Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections Renaun Erickson
 
OpenStack Havana over IPv6
OpenStack Havana over IPv6OpenStack Havana over IPv6
OpenStack Havana over IPv6Shixiong Shang
 
File 10 - CSX 334 _VRA NBO.ppsx
File 10 - CSX 334 _VRA NBO.ppsxFile 10 - CSX 334 _VRA NBO.ppsx
File 10 - CSX 334 _VRA NBO.ppsxgaurav201196
 

Similar to NAT64 Overview (20)

PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
 
OpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsOpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 Lessons
 
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
 
Network Test Automation - Net Ops Coding 2015
Network Test Automation - Net Ops Coding 2015Network Test Automation - Net Ops Coding 2015
Network Test Automation - Net Ops Coding 2015
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
 
Robert Raszuk - Technologies for IPv4/IPv6 coexistance
Robert Raszuk - Technologies for IPv4/IPv6 coexistanceRobert Raszuk - Technologies for IPv4/IPv6 coexistance
Robert Raszuk - Technologies for IPv4/IPv6 coexistance
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
 
Stun turn poc_pilot
Stun turn poc_pilotStun turn poc_pilot
Stun turn poc_pilot
 
Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1
 
Scaling Redis To 1M Ops/Sec: Jane Paek
Scaling Redis To 1M Ops/Sec: Jane PaekScaling Redis To 1M Ops/Sec: Jane Paek
Scaling Redis To 1M Ops/Sec: Jane Paek
 
NAT and firewall presentation - how setup a nice firewall
NAT and firewall presentation - how setup a nice firewallNAT and firewall presentation - how setup a nice firewall
NAT and firewall presentation - how setup a nice firewall
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
 
What’s New in NGINX Plus R16?
What’s New in NGINX Plus R16?What’s New in NGINX Plus R16?
What’s New in NGINX Plus R16?
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting
 
CCNA 2 Routing and Switching v5.0 Chapter 11
CCNA 2 Routing and Switching v5.0 Chapter 11CCNA 2 Routing and Switching v5.0 Chapter 11
CCNA 2 Routing and Switching v5.0 Chapter 11
 
Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections
 
Client server
Client serverClient server
Client server
 
OpenStack Havana over IPv6
OpenStack Havana over IPv6OpenStack Havana over IPv6
OpenStack Havana over IPv6
 
File 10 - CSX 334 _VRA NBO.ppsx
File 10 - CSX 334 _VRA NBO.ppsxFile 10 - CSX 334 _VRA NBO.ppsx
File 10 - CSX 334 _VRA NBO.ppsx
 

Recently uploaded

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 

Recently uploaded (20)

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 

NAT64 Overview

  • 2. NAT64 example n  SSH from an IPv6 client to an IPv4 server using NAT64 n  Use Static NAT on the Untrust side n  SRX presents an IPv6 destination to the client n  Translates the IPv6 destination address to the actual IPv4 address of server n  Use Source NAT with Persistence n  SRX translates the client's IPv6 address to an IPv4 address so the server can accept the connection n  Example NATs: n  Client8 from 2001:db8::8 to 10.1.1.8 n  Server5 from 10.1.1.5 to 2001:db8:5 SSH via NAT64 Client8 Server5 2001:db8::8 10.1.1.5 Untrust 2001:db8::1 10.1.1.1 Trust ge-0/0/0.0 ge-0/0/1.0 Step 1 Step 2 Step 3 Step 4 Src IP 2001:db8::8 Src IP 2001:db8::8 Src IP 10.1.1.8 Src IP 10.1.1.8 Src Port 56604 Src Port 56604 Src Port 18750 Src Port 18750 Dst IP 2001:db8::5 Dst IP 2001:db8::5 Dst IP 10.1.1.5 Dst IP 10.1.1.5 Dst Port 22 Dst Port 22 Dest Port 22 Dest Port 22
  • 3. NAT64 configuration example – IPv6 Flow n  Ensure the SRX is configured for IPv6 Flow Mode n  One time setting to enable flow mode for IPv6 n  Not enabled by default n  Requires a reboot security { forwarding-options { family { inet6 { mode flow-based; } } } }
  • 4. NAT64 configuration example - Interfaces n  Configure the SRX Interfaces n  ge-0/0/0.0 = 2001:db8::164 n  ge-0/0/1.0 = 10.1.1.1/24 interfaces { ge-0/0/0 { unit 0 { family inet6 { address 2001:db8::1/64; } } } ge-0/0/1 { unit 0 { family inet { address 10.1.1.1/24; } } } }
  • 5. NAT64 configuration example - zones n  Configure the SRX Security Zones security { security-zone untrust { address-book { address client8 2001:db8::8/128; } interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } } security-zone trust { address-book { address server5 10.1.1.5/32; } interfaces { ge-0/0/1.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } } } }
  • 6. NAT64 configuration example – static nat n  Configure Static NAT for Server5 n  Traffic is coming from the client on the untrust zone n  NAT Server5's 10.1.1.5 IPv4 address to the IPv6 2001:db8::5 address security { nat { static { rule-set static64 { from zone untrust; rule server5 { match { destination-address 2001:db8::5/128; } then { static-nat prefix 10.1.1.5/32; } } } } } }
  • 7. NAT64 configuration example – source nat n  Configure Source NAT for Client8 n  Traffic is coming from the client on the untrust zone going to the server on the trust zone n  NAT Client8's 2001:db8::8 IPv6 address to the IPv4 10.1.1.8 address security { nat { source { pool client8-ipv4-pool { address { 10.1.1.8/32; } } rule-set client8-rs { from zone untrust; to zone trust; rule client8-rule { match { source-address 2001:db8::8/128; destination-address 10.1.1.5/32; } then { source-nat { pool { client8-ipv4-pool; persistent-nat { permit any-remote-host; } } } } } } }
  • 8. NAT64 configuration example – proxy arp n  Enable the SRX to respond to requests on behalf of the NATs n  Both the static and source NAT IP addresses are on the same subnets as the interface IP addresses on the SRX. n  For the IPv4 address configure Proxy ARP n  Fort the IPv6 address configure Proxy NDP security { nat { proxy-arp { interface ge-0/0/1.0 { address { 10.1.1.8/32; } } } proxy-ndp { interface ge-0/0/0.0 { address { 2001:db8::5/128; } } } } }
  • 9. NAT64 configuration example – policies n  Configure a Security Policy from zone untrust to zone trust n  Can use the key word "any" n  Example is explicit using n  IPv6 address 2001:db8::8 for client8 n  IPv4 address 10.1.1.5 for server5 security { policies { from-zone untrust to-zone trust { policy client8-to-server5 { match { source-address client8; destination-address server5; application any; } then { permit; log { session-init; session-close; } count; } } } }
  • 10. NAT64 validation – session table (brief) n  Once Client8 initiates an SSH session to Server5 you can view the session entry in the flow table admin@srx210> show security flow session Session ID: 1612, Policy name: client8-to-server5/6, Timeout: 1794, Valid In: 2001:db8::8/56604 --> 2001:db8::5/22;tcp, If: ge-0/0/0.0, Pkts: 24, Bytes: 3601 Out: 10.1.1.5/22 --> 10.1.1.8/18750;tcp, If: ge-0/0/1.0, Pkts: 17, Bytes: 3205
  • 11. NAT64 validation – session table (detailed) n  Detailed view of the session table admin@srx210-1> show security flow session session-identifier 1612 Session ID: 1612, Status: Normal Flag: 0x0 Policy name: client8-to-server5/6 Source NAT pool: client8-ipv4-pool Dynamic application: junos:UNKNOWN, Maximum timeout: 1800, Current timeout: 1746 Session State: Valid Start time: 3476, Duration: 63 In: 2001:db8::8/56604 --> 2001:db8::5/22;tcp, Interface: ge-0/0/0.0, Session token: 0x7, Flag: 0x0x623 Route: 0xc0010, Gateway: 2001:db8::8, Tunnel: 0 Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 24, Bytes: 3601 Out: 10.1.1.5/22 --> 10.1.1.8/18750;tcp, Interface: ge-0/0/1.0, Session token: 0x8, Flag: 0x0x620 Route: 0xa0010, Gateway: 10.1.1.5, Tunnel: 0 Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 17, Bytes: 3205 Total sessions: 1
  • 12. NAT64 validation – static nat n  View statistics for the Static NAT admin@srx210-1> show security nat static rule all Total static-nat rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 1/1 Static NAT rule: server5 Rule-set: static64 Rule-Id : 1 Rule position : 1 From zone : untrust Destination addresses : 2001:db8::5 Host addresses : 10.1.1.5 Netmask : 128 Host routing-instance : N/A Translation hits : 16
  • 13. NAT64 validation – source nat n  View statistics for the Source NAT admin@srx210-1> show security nat source rule all Total rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 1/1 source NAT rule: client8-rule Rule-set: client8-rs Rule-Id : 1 Rule position : 1 From zone : untrust To zone : trust Match Source addresses : 2001:db8::8 - 2001:db8::8 Destination addresses : 10.1.1.5 - 10.1.1.5 Destination port : 0 - 0 Action : client8-ipv4-pool Persistent NAT type : any-remote-host Persistent NAT mapping type : address-port-mapping Inactivity timeout : 300 Max session number : 30 Translation hits : 13
  • 14. NAT64 validation – source nat n  View statistics for the Source NAT admin@srx210-1> show security nat source persistent-nat-table all Internal Reflective Source Type Left_time/ Curr_Sess_Num/ Source In_IP In_Port I_Proto Ref_IP Ref_Port R_Proto NAT Pool Conf_time Max_Sess_Num NAT Rule 2001:db8::8 56604 tcp 10.1.1.8 18750 tcp client8-ipv4-pool any-remote-host -/300 1/30 client8-rule
  • 15. NAT64 validation – traffic logs n  Traffic logs are generated by the security policy (if enabled) admin@srx210-1> show log traffic-log Oct 11 22:03:22 srx210-1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 2001:db8:0:0:0:0:0:8/56604->2001:0:0:0:5/22 None 10.1.1.8/18750->10.1.1.5/22 client8-rule server5 6 client8-to-server5 untrust trust 1612 N/A(N/A) ge-0/0/0.0 Oct 11 22:07:09 srx210-1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 2001:db8:0:0:0:0:0:8/56604->2001:db8:0:0:0:0:0:5/22 None 10.1.1.8/18750->10.1.1.5/22 client8-rule server5 6 client8-to-server5 untrust trust 1612 76(8337) 48(9057) 228 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0:db8:0:0
  • 16. NAT64 validation – NAT logs n  Below is an example of the logs generated by the persistent NATs: admin@srx210-1> show log nat64-log Oct 11 21:25:58 srx210-1 RT_NAT: RT_PST_NAT_BINDING_CREATE: Pst NAT (Active ) binding created, lsys_id: 0, internal ip/port/protocol: 2001:db8:0:0:0:0:0:8/56599/6, reflexive ip/port/protocol: 10.1.1.8/12689/6 Oct 11 21:29:10 srx210-1 RT_NAT: RT_PST_NAT_BINDING_MATCH: Pst NAT (Active ) binding matched, lsys_id: 0, internal ip/port/protocol: 2001:db8:0:0:0:0:0:8/56599/6, reflexive ip/port/protocol: 10.1.1.8/12689/6 Oct 11 21:34:20 srx210-1 RT_NAT: RT_PST_NAT_BINDING_DELETE: Pst NAT (Invalid_1) binding deleted, lsys_id: 0, internal ip/port/protocol: 2001:db8:0:0:0:0:0:8/56599/6, reflexive ip/port/protocol: 10.1.1.8/12689/6