Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: JUNOS SRX IPv6 Tunnel NAT  (Read 2640 times)

disneycheng

JUNOS SRX IPv6 Tunnel NAT
« on: July 18, 2011, 09:04:20 PM »

Hi All

My HE tunnel setup on my SRX 210 (11.1 R3) is as below:

Host A fc00:10::a <> (vlan.0,trust zone) fc00:10::1 -- (ip-0/0/0.0 untrust0 2001:470::2/64 )

The tunnel is working fine: I can ping ipv6.google.com and also access some IPv6 websites on the SRX.

I have then configured source NAT from the trust zone to the untrust zone, so that my fc00:10::/64 clients' access to IPv6 resources is source-NATed.
When I look at the traffic flow, it seems the return traffic cannot pass back. Did anyone try a similar configuration?

Please advise.
Cheers,

Fai

jrocha

Re: JUNOS SRX IPv6 Tunnel NAT
« Reply #1 on: July 21, 2011, 05:46:26 PM »

Is there any particular reason you are using NAT instead of the /64 you get for free from the tunnel? And are you doing NAT-PT?

maestroevolution

Re: JUNOS SRX IPv6 Tunnel NAT
« Reply #2 on: July 25, 2011, 09:55:00 AM »

Hi Disneycheng,

Before getting into NAT66 (which the SRX can do), do you have basic IPv6 connectivity?

I have not played with NAT66, as I don't see the need... my IPv6 work is all un-NATed. Before testing the NAT, I would ensure that you have basic IPv6 connectivity through the firewall.

If you're using 10.2R3 or later, you will need the following config to 'fix' the v6-in-v4 tunnel: put this on the untrusted interface (or whatever interface you're binding the tunnel to). This tells the SRX that the outer packet (IPv4 protocol 41) is treated statelessly and destined for the SRX itself. The inner packet (IPv6) is treated statefully, as it should be.

Replace 1.2.3.4 with your IPv4 address.

joel@chilis220> show configuration interfaces ge-0/0/7 
unit 0 {
    description Comcast;
    family inet {
        filter {
            input fix-v6v4-tunnel;
        }
        dhcp {
            update-server;
        }
    }
}

joel@chilis220> show configuration firewall family inet filter fix-v6v4-tunnel
term one {
    from {
        destination-address {
            1.2.3.4/32;
        }
        protocol 41;
    }
    then packet-mode;
}
term one.five {
    from {
        source-address {
            1.2.3.4/32;
        }
        protocol 41;
    }
    then packet-mode;
}
term two {
    then accept;
}
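As an added illustration (not from the post and not Juniper's code), a small Python model of how that filter classifies traffic: it builds a constructed 6in4 sample, parses the outer IPv4 header and the inner IPv6 addresses, and walks the three terms in Junos first-match order. 1.2.3.4 is the post's placeholder tunnel endpoint; the other addresses are constructed documentation-range values.

```python
import ipaddress
import struct

# fix-v6v4-tunnel terms from the post, in Junos order (first match wins); packet-mode also accepts, unmatched hits the implicit discard
FILTER = [
    {"name": "one", "destination-address": "1.2.3.4/32", "protocol": 41, "then": "packet-mode"},
    {"name": "one.five", "source-address": "1.2.3.4/32", "protocol": 41, "then": "packet-mode"},
    {"name": "two", "then": "accept"},
]

def ipv4(src, dst, proto, payload):
    """Constructed IPv4 header (checksum left 0, fine for an offline sample) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def six_in_four(outer_src, outer_dst, inner_src, inner_dst, payload=b"\x80\x00\x00\x00"):
    """Constructed 6in4 sample: IPv6 (next header 58 = ICMPv6) carried in IP protocol 41."""
    inner = (struct.pack("!IHBB", 0x60000000, len(payload), 58, 64)
             + ipaddress.IPv6Address(inner_src).packed
             + ipaddress.IPv6Address(inner_dst).packed + payload)
    return ipv4(outer_src, outer_dst, 41, inner)

def parse(pkt):
    """Outer IPv4 fields the filter matches on; inner IPv6 addresses when the protocol is 41."""
    info = {"src": str(ipaddress.IPv4Address(pkt[12:16])), "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "protocol": pkt[9], "inner": None}
    if info["protocol"] == 41:
        inner = pkt[(pkt[0] & 0x0F) * 4:]  # skip the outer header (IHL is in 32-bit words)
        if inner[0] >> 4 != 6:
            raise ValueError("protocol 41 payload is not IPv6")
        info["inner"] = (str(ipaddress.IPv6Address(inner[8:24])),
                         str(ipaddress.IPv6Address(inner[24:40])))
    return info

def in_prefix(addr, prefix):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

def apply_filter(pkt, terms=FILTER):
    """First-match evaluation of the filter terms; returns (term name, action)."""
    info = parse(pkt)
    for t in terms:
        ok = (("protocol" not in t or info["protocol"] == t["protocol"])
              and ("destination-address" not in t or in_prefix(info["dst"], t["destination-address"]))
              and ("source-address" not in t or in_prefix(info["src"], t["source-address"])))
        if ok:
            return t["name"], t["then"]
    return None, "discard"
```

Tunnel packets in either direction land in the packet-mode terms, while ordinary IPv4 traffic to the same interface falls through to term two and stays in flow mode.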
