SlideShare a Scribd company logo

NAT64 Overview

Salachudin Emir
Salachudin Emir
Technology
1 of 16
Download to read offline
NAT64 Overview
NAT64 example n  SSH from an IPv6 client to an IPv4 server using NAT64 n  Use Static NAT on the Untrust side n  SRX presents an IPv6 destination to the client n  Translates the IPv6 destination address to the actual IPv4 address of server n  Use Source NAT with Persistence n  SRX translates the client's IPv6 address to an IPv4 address so the server can accept the connection n  Example NATs: n  Client8 from 2001:db8::8 to 10.1.1.8 n  Server5 from 10.1.1.5 to 2001:db8:5 SSH via NAT64 Client8 Server5 2001:db8::8 10.1.1.5 Untrust 2001:db8::1 10.1.1.1 Trust ge-0/0/0.0 ge-0/0/1.0 Step 1 Step 2 Step 3 Step 4 Src IP 2001:db8::8 Src IP 2001:db8::8 Src IP 10.1.1.8 Src IP 10.1.1.8 Src Port 56604 Src Port 56604 Src Port 18750 Src Port 18750 Dst IP 2001:db8::5 Dst IP 2001:db8::5 Dst IP 10.1.1.5 Dst IP 10.1.1.5 Dst Port 22 Dst Port 22 Dest Port 22 Dest Port 22
NAT64 configuration example – IPv6 Flow n  Ensure the SRX is configured for IPv6 Flow Mode n  One time setting to enable flow mode for IPv6 n  Not enabled by default n  Requires a reboot security { forwarding-options { family { inet6 { mode flow-based; } } } }
NAT64 configuration example - Interfaces n  Configure the SRX Interfaces n  ge-0/0/0.0 = 2001:db8::164 n  ge-0/0/1.0 = 10.1.1.1/24 interfaces { ge-0/0/0 { unit 0 { family inet6 { address 2001:db8::1/64; } } } ge-0/0/1 { unit 0 { family inet { address 10.1.1.1/24; } } } }
NAT64 configuration example - zones n  Configure the SRX Security Zones security { security-zone untrust { address-book { address client8 2001:db8::8/128; } interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } } security-zone trust { address-book { address server5 10.1.1.5/32; } interfaces { ge-0/0/1.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } } } }
NAT64 configuration example – static nat n  Configure Static NAT for Server5 n  Traffic is coming from the client on the untrust zone n  NAT Server5's 10.1.1.5 IPv4 address to the IPv6 2001:db8::5 address security { nat { static { rule-set static64 { from zone untrust; rule server5 { match { destination-address 2001:db8::5/128; } then { static-nat prefix 10.1.1.5/32; } } } } } }
NAT64 configuration example – source nat n  Configure Source NAT for Client8 n  Traffic is coming from the client on the untrust zone going to the server on the trust zone n  NAT Client8's 2001:db8::8 IPv6 address to the IPv4 10.1.1.8 address security { nat { source { pool client8-ipv4-pool { address { 10.1.1.8/32; } } rule-set client8-rs { from zone untrust; to zone trust; rule client8-rule { match { source-address 2001:db8::8/128; destination-address 10.1.1.5/32; } then { source-nat { pool { client8-ipv4-pool; persistent-nat { permit any-remote-host; } } } } } } }
NAT64 configuration example – proxy arp n  Enable the SRX to respond to requests on behalf of the NATs n  Both the static and source NAT IP addresses are on the same subnets as the interface IP addresses on the SRX. n  For the IPv4 address configure Proxy ARP n  Fort the IPv6 address configure Proxy NDP security { nat { proxy-arp { interface ge-0/0/1.0 { address { 10.1.1.8/32; } } } proxy-ndp { interface ge-0/0/0.0 { address { 2001:db8::5/128; } } } } }
NAT64 configuration example – policies n  Configure a Security Policy from zone untrust to zone trust n  Can use the key word "any" n  Example is explicit using n  IPv6 address 2001:db8::8 for client8 n  IPv4 address 10.1.1.5 for server5 security { policies { from-zone untrust to-zone trust { policy client8-to-server5 { match { source-address client8; destination-address server5; application any; } then { permit; log { session-init; session-close; } count; } } } }
NAT64 validation – session table (brief) n  Once Client8 initiates an SSH session to Server5 you can view the session entry in the flow table admin@srx210> show security flow session Session ID: 1612, Policy name: client8-to-server5/6, Timeout: 1794, Valid In: 2001:db8::8/56604 --> 2001:db8::5/22;tcp, If: ge-0/0/0.0, Pkts: 24, Bytes: 3601 Out: 10.1.1.5/22 --> 10.1.1.8/18750;tcp, If: ge-0/0/1.0, Pkts: 17, Bytes: 3205
NAT64 validation – session table (detailed) n  Detailed view of the session table admin@srx210-1> show security flow session session-identifier 1612 Session ID: 1612, Status: Normal Flag: 0x0 Policy name: client8-to-server5/6 Source NAT pool: client8-ipv4-pool Dynamic application: junos:UNKNOWN, Maximum timeout: 1800, Current timeout: 1746 Session State: Valid Start time: 3476, Duration: 63 In: 2001:db8::8/56604 --> 2001:db8::5/22;tcp, Interface: ge-0/0/0.0, Session token: 0x7, Flag: 0x0x623 Route: 0xc0010, Gateway: 2001:db8::8, Tunnel: 0 Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 24, Bytes: 3601 Out: 10.1.1.5/22 --> 10.1.1.8/18750;tcp, Interface: ge-0/0/1.0, Session token: 0x8, Flag: 0x0x620 Route: 0xa0010, Gateway: 10.1.1.5, Tunnel: 0 Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 17, Bytes: 3205 Total sessions: 1
NAT64 validation – static nat n  View statistics for the Static NAT admin@srx210-1> show security nat static rule all Total static-nat rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 1/1 Static NAT rule: server5 Rule-set: static64 Rule-Id : 1 Rule position : 1 From zone : untrust Destination addresses : 2001:db8::5 Host addresses : 10.1.1.5 Netmask : 128 Host routing-instance : N/A Translation hits : 16
NAT64 validation – source nat n  View statistics for the Source NAT admin@srx210-1> show security nat source rule all Total rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 1/1 source NAT rule: client8-rule Rule-set: client8-rs Rule-Id : 1 Rule position : 1 From zone : untrust To zone : trust Match Source addresses : 2001:db8::8 - 2001:db8::8 Destination addresses : 10.1.1.5 - 10.1.1.5 Destination port : 0 - 0 Action : client8-ipv4-pool Persistent NAT type : any-remote-host Persistent NAT mapping type : address-port-mapping Inactivity timeout : 300 Max session number : 30 Translation hits : 13
NAT64 validation – source nat n  View statistics for the Source NAT admin@srx210-1> show security nat source persistent-nat-table all Internal Reflective Source Type Left_time/ Curr_Sess_Num/ Source In_IP In_Port I_Proto Ref_IP Ref_Port R_Proto NAT Pool Conf_time Max_Sess_Num NAT Rule 2001:db8::8 56604 tcp 10.1.1.8 18750 tcp client8-ipv4-pool any-remote-host -/300 1/30 client8-rule
NAT64 validation – traffic logs n  Traffic logs are generated by the security policy (if enabled) admin@srx210-1> show log traffic-log Oct 11 22:03:22 srx210-1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 2001:db8:0:0:0:0:0:8/56604->2001:0:0:0:5/22 None 10.1.1.8/18750->10.1.1.5/22 client8-rule server5 6 client8-to-server5 untrust trust 1612 N/A(N/A) ge-0/0/0.0 Oct 11 22:07:09 srx210-1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 2001:db8:0:0:0:0:0:8/56604->2001:db8:0:0:0:0:0:5/22 None 10.1.1.8/18750->10.1.1.5/22 client8-rule server5 6 client8-to-server5 untrust trust 1612 76(8337) 48(9057) 228 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0:db8:0:0
NAT64 validation – NAT logs n  Below is an example of the logs generated by the persistent NATs: admin@srx210-1> show log nat64-log Oct 11 21:25:58 srx210-1 RT_NAT: RT_PST_NAT_BINDING_CREATE: Pst NAT (Active ) binding created, lsys_id: 0, internal ip/port/protocol: 2001:db8:0:0:0:0:0:8/56599/6, reflexive ip/port/protocol: 10.1.1.8/12689/6 Oct 11 21:29:10 srx210-1 RT_NAT: RT_PST_NAT_BINDING_MATCH: Pst NAT (Active ) binding matched, lsys_id: 0, internal ip/port/protocol: 2001:db8:0:0:0:0:0:8/56599/6, reflexive ip/port/protocol: 10.1.1.8/12689/6 Oct 11 21:34:20 srx210-1 RT_NAT: RT_PST_NAT_BINDING_DELETE: Pst NAT (Invalid_1) binding deleted, lsys_id: 0, internal ip/port/protocol: 2001:db8:0:0:0:0:0:8/56599/6, reflexive ip/port/protocol: 10.1.1.8/12689/6

Recommended

2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+DesignAlfred Ouyang
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...lior mazor
 
Threat Modeling 101
Threat Modeling 101Threat Modeling 101
Threat Modeling 101Atlassian
 
Security services mind map
Security services mind mapSecurity services mind map
Security services mind mapDavid Kennedy
 
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsDAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsiAppSecure Solutions
 
Presentation on 'Understanding and Utilising Threat Intelligence in Cybersecu...
Presentation on 'Understanding and Utilising Threat Intelligence in Cybersecu...Presentation on 'Understanding and Utilising Threat Intelligence in Cybersecu...
Presentation on 'Understanding and Utilising Threat Intelligence in Cybersecu...APNIC
 
Seacurity Hacking for Defense 2017
Seacurity Hacking for Defense 2017Seacurity Hacking for Defense 2017
Seacurity Hacking for Defense 2017Stanford University
 
40 under 40 in cybersecurity. top cyber news magazine
40 under 40 in cybersecurity. top cyber news magazine40 under 40 in cybersecurity. top cyber news magazine
40 under 40 in cybersecurity. top cyber news magazineBradford Sims
 

Recommended

2 Security Architecture+Design
2 Security Architecture+Design2 Security Architecture+Design
2 Security Architecture+DesignAlfred Ouyang
 
Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...Application Security - Dont leave your AppSec for the last moment Meetup 2104...
Application Security - Dont leave your AppSec for the last moment Meetup 2104...lior mazor
 
Threat Modeling 101
Threat Modeling 101Threat Modeling 101
Threat Modeling 101Atlassian
 
Security services mind map
Security services mind mapSecurity services mind map
Security services mind mapDavid Kennedy
 
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsDAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & Limitations
DAST, SAST, Hybrid, Hybrid 2.0 & IAST - Methodology & LimitationsiAppSecure Solutions
 
Presentation on 'Understanding and Utilising Threat Intelligence in Cybersecu...
Presentation on 'Understanding and Utilising Threat Intelligence in Cybersecu...Presentation on 'Understanding and Utilising Threat Intelligence in Cybersecu...
Presentation on 'Understanding and Utilising Threat Intelligence in Cybersecu...APNIC
 
Seacurity Hacking for Defense 2017
Seacurity Hacking for Defense 2017Seacurity Hacking for Defense 2017
Seacurity Hacking for Defense 2017Stanford University
 
40 under 40 in cybersecurity. top cyber news magazine
40 under 40 in cybersecurity. top cyber news magazine40 under 40 in cybersecurity. top cyber news magazine
40 under 40 in cybersecurity. top cyber news magazineBradford Sims
 
How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeAdam Barrera
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALCYBER SENSE
 
The difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information SecurityThe difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information SecurityPECB
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
ISE-802.1X-MAB
ISE-802.1X-MABISE-802.1X-MAB
ISE-802.1X-MABEmerson Barros Rivas
 
How to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFWHow to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFWYudi Arijanto
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Donald E. Hester
 
Return on Security Investment
Return on Security InvestmentReturn on Security Investment
Return on Security InvestmentConferencias FIST
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Frances Coronel
 
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareThomas Roccia
 
Endpoint Security
Endpoint SecurityEndpoint Security
Endpoint SecurityAhmed Hashem El Fiky
 
Limitless xdr meetup
Limitless xdr meetupLimitless xdr meetup
Limitless xdr meetupDaliya Spasova
 
Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Narudom Roongsiriwong, CISSP
 
Block ciphers & public key cryptography
Block ciphers & public key cryptographyBlock ciphers & public key cryptography
Block ciphers & public key cryptographyRAMPRAKASHT1
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security ArchitectureCisco Canada
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Anwesh Dixit
 
Twofish
TwofishTwofish
Twofishghanbarianm
 
Cyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation SlidesCyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation SlidesSlideTeam
 
Iso27001 Risk Assessment Approach
Iso27001 Risk Assessment ApproachIso27001 Risk Assessment Approach
Iso27001 Risk Assessment Approachtschraider
 
NAT64 and DNS64 in 30 minutes
NAT64 and DNS64 in 30 minutesNAT64 and DNS64 in 30 minutes
NAT64 and DNS64 in 30 minutesIvan Pepelnjak
 
Router and NAT Server 2012 R2
Router and NAT Server 2012 R2Router and NAT Server 2012 R2
Router and NAT Server 2012 R2Ratan Mohapatra
 

More Related Content

What's hot

How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeAdam Barrera
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALCYBER SENSE
 
The difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information SecurityThe difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information SecurityPECB
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityThe Open Group SA
 
How to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFWHow to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFWYudi Arijanto
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSFDigital Bond
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Donald E. Hester
 
Return on Security Investment
Return on Security InvestmentReturn on Security Investment
Return on Security InvestmentConferencias FIST
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Frances Coronel
 
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareThomas Roccia
 
Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Narudom Roongsiriwong, CISSP
 
Block ciphers & public key cryptography
Block ciphers & public key cryptographyBlock ciphers & public key cryptography
Block ciphers & public key cryptographyRAMPRAKASHT1
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security ArchitectureCisco Canada
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Anwesh Dixit
 
Cyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation SlidesCyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation SlidesSlideTeam
 
Iso27001 Risk Assessment Approach
Iso27001 Risk Assessment ApproachIso27001 Risk Assessment Approach
Iso27001 Risk Assessment Approachtschraider
 

What's hot (20)

How to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrikeHow to Replace Your Legacy Antivirus Solution with CrowdStrike
How to Replace Your Legacy Antivirus Solution with CrowdStrike
 
IT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSALIT SECURITY ASSESSMENT PROPOSAL
IT SECURITY ASSESSMENT PROPOSAL
 
The difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information SecurityThe difference between Cybersecurity and Information Security
The difference between Cybersecurity and Information Security
 
Enterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber SecurityEnterprise Security Architecture for Cyber Security
Enterprise Security Architecture for Cyber Security
 
ISE-802.1X-MAB
ISE-802.1X-MABISE-802.1X-MAB
ISE-802.1X-MAB
 
How to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFWHow to prevent ssh-tunneling using Palo Alto Networks NGFW
How to prevent ssh-tunneling using Palo Alto Networks NGFW
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)Introduction to NIST’s Risk Management Framework (RMF)
Introduction to NIST’s Risk Management Framework (RMF)
 
Return on Security Investment
Return on Security InvestmentReturn on Security Investment
Return on Security Investment
 
Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)Security in the Software Development Life Cycle (SDLC)
Security in the Software Development Life Cycle (SDLC)
 
TRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS MalwareTRITON: The Next Generation of ICS Malware
TRITON: The Next Generation of ICS Malware
 
Endpoint Security
Endpoint SecurityEndpoint Security
Endpoint Security
 
Limitless xdr meetup
Limitless xdr meetupLimitless xdr meetup
Limitless xdr meetup
 
Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)Business continuity & disaster recovery planning (BCP & DRP)
Business continuity & disaster recovery planning (BCP & DRP)
 
Block ciphers & public key cryptography
Block ciphers & public key cryptographyBlock ciphers & public key cryptography
Block ciphers & public key cryptography
 
Building a Security Architecture
Building a Security ArchitectureBuilding a Security Architecture
Building a Security Architecture
 
Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)Cisco Identity Services Engine (ISE)
Cisco Identity Services Engine (ISE)
 
Twofish
TwofishTwofish
Twofish
 
Cyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation SlidesCyber Security For Organization Proposal Powerpoint Presentation Slides
Cyber Security For Organization Proposal Powerpoint Presentation Slides
 
Iso27001 Risk Assessment Approach
Iso27001 Risk Assessment ApproachIso27001 Risk Assessment Approach
Iso27001 Risk Assessment Approach
 

Viewers also liked

NAT64 and DNS64 in 30 minutes
NAT64 and DNS64 in 30 minutesNAT64 and DNS64 in 30 minutes
NAT64 and DNS64 in 30 minutesIvan Pepelnjak
 
Router and NAT Server 2012 R2
Router and NAT Server 2012 R2Router and NAT Server 2012 R2
Router and NAT Server 2012 R2Ratan Mohapatra
 
Juniper Ssg Policy Based Nat (Server Publish)
Juniper Ssg Policy Based Nat (Server Publish)Juniper Ssg Policy Based Nat (Server Publish)
Juniper Ssg Policy Based Nat (Server Publish)yifeng lee
 
Nat Server Configuration Steps
Nat Server Configuration StepsNat Server Configuration Steps
Nat Server Configuration StepsPasala Jayaraju
 
Cấu hình nat – pt
Cấu hình nat – ptCấu hình nat – pt
Cấu hình nat – ptHate To Love
 
Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)Linh Lê
 
Upcoming internet challenges
Upcoming internet challengesUpcoming internet challenges
Upcoming internet challengesIvan Pepelnjak
 
IPv6 at Home: NAT64, DNS64, OpenVPN
IPv6 at Home: NAT64, DNS64, OpenVPNIPv6 at Home: NAT64, DNS64, OpenVPN
IPv6 at Home: NAT64, DNS64, OpenVPNMaksim Melnikau
 

Viewers also liked (10)

NAT64 and DNS64 in 30 minutes
NAT64 and DNS64 in 30 minutesNAT64 and DNS64 in 30 minutes
NAT64 and DNS64 in 30 minutes
 
Router and NAT Server 2012 R2
Router and NAT Server 2012 R2Router and NAT Server 2012 R2
Router and NAT Server 2012 R2
 
Juniper Ssg Policy Based Nat (Server Publish)
Juniper Ssg Policy Based Nat (Server Publish)Juniper Ssg Policy Based Nat (Server Publish)
Juniper Ssg Policy Based Nat (Server Publish)
 
Bao Cao Mang
Bao Cao MangBao Cao Mang
Bao Cao Mang
 
Nat Server Configuration Steps
Nat Server Configuration StepsNat Server Configuration Steps
Nat Server Configuration Steps
 
Dhcp and nat
Dhcp and natDhcp and nat
Dhcp and nat
 
Cấu hình nat – pt
Cấu hình nat – ptCấu hình nat – pt
Cấu hình nat – pt
 
Network Address Translation (NAT)
Network Address Translation (NAT)Network Address Translation (NAT)
Network Address Translation (NAT)
 
Upcoming internet challenges
Upcoming internet challengesUpcoming internet challenges
Upcoming internet challenges
 
IPv6 at Home: NAT64, DNS64, OpenVPN
IPv6 at Home: NAT64, DNS64, OpenVPNIPv6 at Home: NAT64, DNS64, OpenVPN
IPv6 at Home: NAT64, DNS64, OpenVPN
 

Similar to NAT64 Overview

PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms PROIDEA
 
OpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsOpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsAkihiro Motoki
 
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728jieun kim
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPAPNIC
 
Network Test Automation - Net Ops Coding 2015
Network Test Automation - Net Ops Coding 2015Network Test Automation - Net Ops Coding 2015
Network Test Automation - Net Ops Coding 2015Hiroshi Ota
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantShixiong Shang
 
Robert Raszuk - Technologies for IPv4/IPv6 coexistance
Robert Raszuk - Technologies for IPv4/IPv6 coexistanceRobert Raszuk - Technologies for IPv4/IPv6 coexistance
Robert Raszuk - Technologies for IPv4/IPv6 coexistancePROIDEA
 
Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Yongyoon Shin
 
Scaling Redis To 1M Ops/Sec: Jane Paek
Scaling Redis To 1M Ops/Sec: Jane PaekScaling Redis To 1M Ops/Sec: Jane Paek
Scaling Redis To 1M Ops/Sec: Jane PaekRedis Labs
 
NAT and firewall presentation - how setup a nice firewall
NAT and firewall presentation - how setup a nice firewallNAT and firewall presentation - how setup a nice firewall
NAT and firewall presentation - how setup a nice firewallCassiano Campes
 
What’s New in NGINX Plus R16?
What’s New in NGINX Plus R16?What’s New in NGINX Plus R16?
What’s New in NGINX Plus R16?NGINX, Inc.
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatDigicomp Academy AG
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network TroubleshootingOpen Source Consulting
 
CCNA 2 Routing and Switching v5.0 Chapter 11
CCNA 2 Routing and Switching v5.0 Chapter 11CCNA 2 Routing and Switching v5.0 Chapter 11
CCNA 2 Routing and Switching v5.0 Chapter 11Nil Menon
 
Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections Renaun Erickson
 

Similar to NAT64 Overview (20)

PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
PLNOG 8: Nicolai van der Smagt - IPv6: Transition mechanisms
 
OpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 LessonsOpenStack Neutron IPv6 Lessons
OpenStack Neutron IPv6 Lessons
 
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
OpenStack Korea 2015 상반기스터디(devops) 스크립트로 오픈스택 설치하기 20150728
 
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISPMake Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
Make Internet Safer with DNS Firewall - Implementation Case Study at a Major ISP
 
Network Test Automation - Net Ops Coding 2015
Network Test Automation - Net Ops Coding 2015Network Test Automation - Net Ops Coding 2015
Network Test Automation - Net Ops Coding 2015
 
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud TenantImplementing an IPv6 Enabled Environment for a Public Cloud Tenant
Implementing an IPv6 Enabled Environment for a Public Cloud Tenant
 
Robert Raszuk - Technologies for IPv4/IPv6 coexistance
Robert Raszuk - Technologies for IPv4/IPv6 coexistanceRobert Raszuk - Technologies for IPv4/IPv6 coexistance
Robert Raszuk - Technologies for IPv4/IPv6 coexistance
 
Fedv6tf-fhs
Fedv6tf-fhsFedv6tf-fhs
Fedv6tf-fhs
 
Stun turn poc_pilot
Stun turn poc_pilotStun turn poc_pilot
Stun turn poc_pilot
 
Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1Harmonia open iris_basic_v0.1
Harmonia open iris_basic_v0.1
 
Scaling Redis To 1M Ops/Sec: Jane Paek
Scaling Redis To 1M Ops/Sec: Jane PaekScaling Redis To 1M Ops/Sec: Jane Paek
Scaling Redis To 1M Ops/Sec: Jane Paek
 
NAT and firewall presentation - how setup a nice firewall
NAT and firewall presentation - how setup a nice firewallNAT and firewall presentation - how setup a nice firewall
NAT and firewall presentation - how setup a nice firewall
 
Make the internet safe with DNS Firewall
Make the internet safe with DNS FirewallMake the internet safe with DNS Firewall
Make the internet safe with DNS Firewall
 
What’s New in NGINX Plus R16?
What’s New in NGINX Plus R16?What’s New in NGINX Plus R16?
What’s New in NGINX Plus R16?
 
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-ReferatNeighbor Discovery Deep Dive – IPv6-Networking-Referat
Neighbor Discovery Deep Dive – IPv6-Networking-Referat
 
Tale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIXTale of a New Bangladeshi NIX
Tale of a New Bangladeshi NIX
 
[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting[오픈소스컨설팅] Linux Network Troubleshooting
[오픈소스컨설팅] Linux Network Troubleshooting
 
CCNA 2 Routing and Switching v5.0 Chapter 11
CCNA 2 Routing and Switching v5.0 Chapter 11CCNA 2 Routing and Switching v5.0 Chapter 11
CCNA 2 Routing and Switching v5.0 Chapter 11
 
Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections Building an ActionScript Game Server with over 15,000 Concurrent Connections
Building an ActionScript Game Server with over 15,000 Concurrent Connections
 
Client server
Client serverClient server
Client server
 

Recently uploaded

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

NAT64 Overview

  • 2. NAT64 example n  SSH from an IPv6 client to an IPv4 server using NAT64 n  Use Static NAT on the Untrust side n  SRX presents an IPv6 destination to the client n  Translates the IPv6 destination address to the actual IPv4 address of server n  Use Source NAT with Persistence n  SRX translates the client's IPv6 address to an IPv4 address so the server can accept the connection n  Example NATs: n  Client8 from 2001:db8::8 to 10.1.1.8 n  Server5 from 10.1.1.5 to 2001:db8:5 SSH via NAT64 Client8 Server5 2001:db8::8 10.1.1.5 Untrust 2001:db8::1 10.1.1.1 Trust ge-0/0/0.0 ge-0/0/1.0 Step 1 Step 2 Step 3 Step 4 Src IP 2001:db8::8 Src IP 2001:db8::8 Src IP 10.1.1.8 Src IP 10.1.1.8 Src Port 56604 Src Port 56604 Src Port 18750 Src Port 18750 Dst IP 2001:db8::5 Dst IP 2001:db8::5 Dst IP 10.1.1.5 Dst IP 10.1.1.5 Dst Port 22 Dst Port 22 Dest Port 22 Dest Port 22
  • 3. NAT64 configuration example – IPv6 Flow n  Ensure the SRX is configured for IPv6 Flow Mode n  One time setting to enable flow mode for IPv6 n  Not enabled by default n  Requires a reboot security { forwarding-options { family { inet6 { mode flow-based; } } } }
  • 4. NAT64 configuration example - Interfaces n  Configure the SRX Interfaces n  ge-0/0/0.0 = 2001:db8::164 n  ge-0/0/1.0 = 10.1.1.1/24 interfaces { ge-0/0/0 { unit 0 { family inet6 { address 2001:db8::1/64; } } } ge-0/0/1 { unit 0 { family inet { address 10.1.1.1/24; } } } }
  • 5. NAT64 configuration example - zones n  Configure the SRX Security Zones security { security-zone untrust { address-book { address client8 2001:db8::8/128; } interfaces { ge-0/0/0.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } } security-zone trust { address-book { address server5 10.1.1.5/32; } interfaces { ge-0/0/1.0 { host-inbound-traffic { system-services { all; } protocols { all; } } } } } } }
  • 6. NAT64 configuration example – static nat n  Configure Static NAT for Server5 n  Traffic is coming from the client on the untrust zone n  NAT Server5's 10.1.1.5 IPv4 address to the IPv6 2001:db8::5 address security { nat { static { rule-set static64 { from zone untrust; rule server5 { match { destination-address 2001:db8::5/128; } then { static-nat prefix 10.1.1.5/32; } } } } } }
  • 7. NAT64 configuration example – source nat n  Configure Source NAT for Client8 n  Traffic is coming from the client on the untrust zone going to the server on the trust zone n  NAT Client8's 2001:db8::8 IPv6 address to the IPv4 10.1.1.8 address security { nat { source { pool client8-ipv4-pool { address { 10.1.1.8/32; } } rule-set client8-rs { from zone untrust; to zone trust; rule client8-rule { match { source-address 2001:db8::8/128; destination-address 10.1.1.5/32; } then { source-nat { pool { client8-ipv4-pool; persistent-nat { permit any-remote-host; } } } } } } }
  • 8. NAT64 configuration example – proxy arp n  Enable the SRX to respond to requests on behalf of the NATs n  Both the static and source NAT IP addresses are on the same subnets as the interface IP addresses on the SRX. n  For the IPv4 address configure Proxy ARP n  Fort the IPv6 address configure Proxy NDP security { nat { proxy-arp { interface ge-0/0/1.0 { address { 10.1.1.8/32; } } } proxy-ndp { interface ge-0/0/0.0 { address { 2001:db8::5/128; } } } } }
  • 9. NAT64 configuration example – policies n  Configure a Security Policy from zone untrust to zone trust n  Can use the key word "any" n  Example is explicit using n  IPv6 address 2001:db8::8 for client8 n  IPv4 address 10.1.1.5 for server5 security { policies { from-zone untrust to-zone trust { policy client8-to-server5 { match { source-address client8; destination-address server5; application any; } then { permit; log { session-init; session-close; } count; } } } }
  • 10. NAT64 validation – session table (brief) n  Once Client8 initiates an SSH session to Server5 you can view the session entry in the flow table admin@srx210> show security flow session Session ID: 1612, Policy name: client8-to-server5/6, Timeout: 1794, Valid In: 2001:db8::8/56604 --> 2001:db8::5/22;tcp, If: ge-0/0/0.0, Pkts: 24, Bytes: 3601 Out: 10.1.1.5/22 --> 10.1.1.8/18750;tcp, If: ge-0/0/1.0, Pkts: 17, Bytes: 3205
  • 11. NAT64 validation – session table (detailed) n  Detailed view of the session table admin@srx210-1> show security flow session session-identifier 1612 Session ID: 1612, Status: Normal Flag: 0x0 Policy name: client8-to-server5/6 Source NAT pool: client8-ipv4-pool Dynamic application: junos:UNKNOWN, Maximum timeout: 1800, Current timeout: 1746 Session State: Valid Start time: 3476, Duration: 63 In: 2001:db8::8/56604 --> 2001:db8::5/22;tcp, Interface: ge-0/0/0.0, Session token: 0x7, Flag: 0x0x623 Route: 0xc0010, Gateway: 2001:db8::8, Tunnel: 0 Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 24, Bytes: 3601 Out: 10.1.1.5/22 --> 10.1.1.8/18750;tcp, Interface: ge-0/0/1.0, Session token: 0x8, Flag: 0x0x620 Route: 0xa0010, Gateway: 10.1.1.5, Tunnel: 0 Port sequence: 0, FIN sequence: 0, FIN state: 0, Pkts: 17, Bytes: 3205 Total sessions: 1
  • 12. NAT64 validation – static nat n  View statistics for the Static NAT admin@srx210-1> show security nat static rule all Total static-nat rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 1/1 Static NAT rule: server5 Rule-set: static64 Rule-Id : 1 Rule position : 1 From zone : untrust Destination addresses : 2001:db8::5 Host addresses : 10.1.1.5 Netmask : 128 Host routing-instance : N/A Translation hits : 16
  • 13. NAT64 validation – source nat n  View statistics for the Source NAT admin@srx210-1> show security nat source rule all Total rules: 1 Total referenced IPv4/IPv6 ip-prefixes: 1/1 source NAT rule: client8-rule Rule-set: client8-rs Rule-Id : 1 Rule position : 1 From zone : untrust To zone : trust Match Source addresses : 2001:db8::8 - 2001:db8::8 Destination addresses : 10.1.1.5 - 10.1.1.5 Destination port : 0 - 0 Action : client8-ipv4-pool Persistent NAT type : any-remote-host Persistent NAT mapping type : address-port-mapping Inactivity timeout : 300 Max session number : 30 Translation hits : 13
  • 14. NAT64 validation – source nat n  View statistics for the Source NAT admin@srx210-1> show security nat source persistent-nat-table all Internal Reflective Source Type Left_time/ Curr_Sess_Num/ Source In_IP In_Port I_Proto Ref_IP Ref_Port R_Proto NAT Pool Conf_time Max_Sess_Num NAT Rule 2001:db8::8 56604 tcp 10.1.1.8 18750 tcp client8-ipv4-pool any-remote-host -/300 1/30 client8-rule
  • 15. NAT64 validation – traffic logs n  Traffic logs are generated by the security policy (if enabled) admin@srx210-1> show log traffic-log Oct 11 22:03:22 srx210-1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 2001:db8:0:0:0:0:0:8/56604->2001:0:0:0:5/22 None 10.1.1.8/18750->10.1.1.5/22 client8-rule server5 6 client8-to-server5 untrust trust 1612 N/A(N/A) ge-0/0/0.0 Oct 11 22:07:09 srx210-1 RT_FLOW: RT_FLOW_SESSION_CLOSE: session closed TCP FIN: 2001:db8:0:0:0:0:0:8/56604->2001:db8:0:0:0:0:0:5/22 None 10.1.1.8/18750->10.1.1.5/22 client8-rule server5 6 client8-to-server5 untrust trust 1612 76(8337) 48(9057) 228 UNKNOWN UNKNOWN N/A(N/A) ge-0/0/0.0:db8:0:0
  • 16. NAT64 validation – NAT logs n  Below is an example of the logs generated by the persistent NATs: admin@srx210-1> show log nat64-log Oct 11 21:25:58 srx210-1 RT_NAT: RT_PST_NAT_BINDING_CREATE: Pst NAT (Active ) binding created, lsys_id: 0, internal ip/port/protocol: 2001:db8:0:0:0:0:0:8/56599/6, reflexive ip/port/protocol: 10.1.1.8/12689/6 Oct 11 21:29:10 srx210-1 RT_NAT: RT_PST_NAT_BINDING_MATCH: Pst NAT (Active ) binding matched, lsys_id: 0, internal ip/port/protocol: 2001:db8:0:0:0:0:0:8/56599/6, reflexive ip/port/protocol: 10.1.1.8/12689/6 Oct 11 21:34:20 srx210-1 RT_NAT: RT_PST_NAT_BINDING_DELETE: Pst NAT (Invalid_1) binding deleted, lsys_id: 0, internal ip/port/protocol: 2001:db8:0:0:0:0:0:8/56599/6, reflexive ip/port/protocol: 10.1.1.8/12689/6