JUNOS SRX IPv6 Tunnel NAT

Started by disneycheng, July 18, 2011, 09:04:20 PM

disneycheng

Hi All

My HE tunnel setup on my SRX 210 (11.1 R3) as below:

Host A fc00:10::a <> (vlan.0,trust zone) fc00:10::1 -- (ip-0/0/0.0 untrust0 2001:470::2/64 )

The tunnel is working fine and I can ping ipv6.google.com and also access some IPv6 web on the SRX

And then I configured a source NAT from the trust zone to the untrust zone so that my fc00:10::/64 clients' access to IPv6 resources will be source NATed.
When I look at the traffic flow, it seems the return traffic cannot pass back. Has anyone tried a similar configuration?

Please advise.
Cheers,

Fai

jrocha

Is there any particular reason you are using NAT instead of the /64 you get for free from the tunnel? And are you doing NAT-PT?

maestroevolution

Hi Disneycheng,

Before getting into NAT66 (which the SRX can do), do you have basic IPv6 connectivity?

I have not played with NAT66, as I don't see the need... my IPv6 work is all un-NATed. Before testing the NAT, I would ensure that you have basic IPv6 connectivity through the firewall.

If you're using 10.2R3 or later, you will need the following config to 'fix' the v6-in-v4 tunnel: put this on the untrusted interface (or whatever interface you're binding the tunnel to). This tells the SRX that the outer packet (IPv4 protocol 41) is treated statelessly and is destined for the SRX itself. The inner packet (IPv6) is treated statefully, as it should be.

Replace 1.2.3.4 with your IPv4 address.

joel@chilis220> show configuration interfaces ge-0/0/7 
unit 0 {
    description Comcast;
    family inet {
        filter {
            input fix-v6v4-tunnel;
        }
        dhcp {
            update-server;
        }
    }
}

joel@chilis220> show configuration firewall family inet filter fix-v6v4-tunnel
term one {
    from {
        destination-address {
            1.2.3.4/32;
        }
        protocol 41;
    }
    then packet-mode;
}
term one.five {
    from {
        source-address {
            1.2.3.4/32;
        }
        protocol 41;
    }
    then packet-mode;
}
term two {
    then accept;
}
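As an added illustration of what the filter above matches (this is not code from the post or from Juniper), the following Python models the three terms: a protocol-41 (6in4) packet to or from the local tunnel endpoint is pulled out of the stateful flow and handed over as a bare IPv6 packet, while everything else falls through to the normal flow path. The remote endpoint 198.51.100.1 and the inner IPv6 addresses are constructed placeholders; 1.2.3.4 is the post's own placeholder for the local address.

```python
import ipaddress
import struct

# Constructed: local tunnel endpoint, standing in for the post's 1.2.3.4 placeholder.
LOCAL_V4 = ipaddress.IPv4Address("1.2.3.4")
IPPROTO_IPV6 = 41  # 6in4 encapsulation, the "protocol 41" the filter terms match

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def build_ipv6_stub(src, dst):
    """Constructed 40-byte IPv6 header: no payload, next-header 59 (no next header)."""
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def build_ipv4(src, dst, proto, payload):
    """Constructed IPv4 packet (checksum left zero; only the fields the filter reads matter)."""
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def classify(packet):
    """Apply the filter's term order to an IPv4 packet.

    Returns ("packet-mode", inner_ipv6) when term one (to 1.2.3.4, proto 41) or
    term one.five (from 1.2.3.4, proto 41) matches, else ("flow-mode", None) for term two.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    if proto == IPPROTO_IPV6 and LOCAL_V4 in (src, dst):
        inner = packet[ihl:]
        # The decapsulated payload must really be IPv6 before the stateful v6 path sees it.
        if len(inner) < 40 or inner[0] >> 4 != 6:
            raise ValueError("protocol 41 payload is not an IPv6 packet")
        return "packet-mode", inner
    return "flow-mode", None  # term two: accept, ordinary stateful processing
```

Only the outer header decides between the two paths; both directions need a term because the tunnel's return traffic arrives with the local address as destination while outbound traffic carries it as source.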