Enhancing Traffic Engineering by Configuring NAT-PT Between an IPv4 and an IPv6 Endpoint with SCTP Multihoming
This example shows how to enhance traffic engineering by configuring NAT-PT between an IPv4 endpoint and an IPv6 endpoint. NAT-PT is a protocol translation mechanism that allows communication between IPv6-only and IPv4-only nodes through protocol-independent translation of IPv4 and IPv6 datagrams, requiring no state information for the session. NAT-PT binds the addresses in the IPv6 network with addresses in the IPv4 network and vice versa to provide transparent routing for the datagrams traversing between address realms. The main advantage of NAT-PT is that the end devices and networks can use either IPv4 or IPv6 addresses, and traffic can be initiated from either side.
Requirements
This example uses the following hardware and software components:
- A high-end SRX Series device
- Endpoint A connected to an SRX Series device using two IPv6 addresses
- Endpoint B connected to an SRX Series device using two IPv4 addresses
Overview
In this example, you configure NAT-PT between an IPv4 endpoint and an IPv6 endpoint. Endpoint A is connected to the SRX Series device using two IPv6 addresses and endpoint B is connected to the SRX Series device using two IPv4 addresses.
You can configure the SRX Series device to translate the IP header and IP address list (located in the INIT/INIT-ACK message) between an IPv4 address format and an IPv6 address format. In each direction, static NAT defines a one-to-one mapping from one IP subnet to another IP subnet. The mapping includes destination IP address translation in one direction and source IP address translation in the opposite direction.
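The address-list rewrite described above, as an added Python sketch that is not Junos code or part of the original example: it parses an SCTP INIT or INIT-ACK chunk and replaces each address parameter using the static NAT pairs from rules r2-dst and r4-dst configured later on this page. The function names, the constructed INIT chunk, and its tag and stream values are assumptions made for illustration.

```python
import ipaddress
import struct

# Static NAT pairs from rules r2-dst and r4-dst on this page (endpoint A, IPv6 -> IPv4).
V6_TO_V4 = {
    ipaddress.ip_address("2a::1:1:1"): ipaddress.ip_address("1.1.1.1"),
    ipaddress.ip_address("2c::3:3:3"): ipaddress.ip_address("3.3.3.3"),
}
INIT, INIT_ACK, IPV4_PARAM, IPV6_PARAM = 1, 2, 5, 6  # SCTP chunk and parameter types
FIXED = 20  # chunk header (4 bytes) + fixed INIT fields (16 bytes)

def build_init(addresses, tag=0x1234ABCD):
    """Build a constructed INIT chunk with one address parameter per address."""
    params = b""
    for a in addresses:
        ptype = IPV4_PARAM if a.version == 4 else IPV6_PARAM
        params += struct.pack("!HH", ptype, 4 + len(a.packed)) + a.packed
    body = struct.pack("!IIHHI", tag, 65535, 2, 2, 1) + params
    return struct.pack("!BBH", INIT, 0, 4 + len(body)) + body

def translate_init(chunk, mapping):
    """Rewrite each address parameter through `mapping`; unmapped addresses raise KeyError."""
    ctype, flags, length = struct.unpack_from("!BBH", chunk)
    if ctype not in (INIT, INIT_ACK) or length != len(chunk) or length < FIXED:
        raise ValueError("not a well-formed INIT/INIT-ACK chunk")
    out, off = chunk[4:FIXED], FIXED
    while off < length:
        if length - off < 4:
            raise ValueError("truncated parameter header")
        ptype, plen = struct.unpack_from("!HH", chunk, off)
        if plen < 4 or off + plen > length:
            raise ValueError("bad parameter length")
        value = chunk[off + 4:off + plen]
        out += b"\0" * (-len(out) % 4)  # pad the previous parameter to 4 bytes
        if ptype in (IPV4_PARAM, IPV6_PARAM):
            if len(value) != (4 if ptype == IPV4_PARAM else 16):
                raise ValueError("address length does not match parameter type")
            new = mapping[ipaddress.ip_address(value)]  # no static rule -> KeyError
            ptype = IPV4_PARAM if new.version == 4 else IPV6_PARAM
            value = new.packed
        out += struct.pack("!HH", ptype, 4 + len(value)) + value
        off += (plen + 3) & ~3
    return struct.pack("!BBH", ctype, flags, 4 + len(out)) + out
```

Because the SCTP checksum (CRC32c) covers the whole packet, a rewritten INIT also needs its checksum recomputed before it is forwarded.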
Figure 1 illustrates the network topology used in this example.
Figure 1: NAT-PT Between an IPv4 Endpoint and an IPv6 Endpoint

For the NAT-PT configuration details between the IPv4 and IPv6 endpoints, see Table 1.
Table 1: Configuring NAT-PT Details Between IPv4 and IPv6 Endpoints
Endpoints | Address One | Address Two |
---|---|---|
A (IPv6) | 2a.1.1.1/96 | 2c.3.3.3/96 |
B (IPv4) | 2.2.2.2/24 | 4.4.4.4/34 |
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the edit hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure NAT-PT between an IPv4 endpoint and an IPv6 endpoint:
- Configure interfaces.
  [edit interfaces]
  user@host# set ge-4/0/0 unit 0 family inet address 1.1.1.100/24
  user@host# set ge-4/0/0 unit 0 family inet6 address 2a::1:1:100/96
  user@host# set ge-4/0/1 unit 0 family inet address 2.2.2.100/24
  user@host# set ge-4/0/1 unit 0 family inet6 address 2b::2:2:100/96
  user@host# set ge-4/0/2 unit 0 family inet address 3.3.3.100/24
  user@host# set ge-4/0/2 unit 0 family inet6 address 2c::3:3:100/96
  user@host# set ge-4/0/3 unit 0 family inet address 4.4.4.100/24
  user@host# set ge-4/0/3 unit 0 family inet6 address 2d::4:4:100/96
- Configure zones.
  [edit security zones]
  user@host# set security-zone sctp_zone1 host-inbound-traffic system-services all
  user@host# set security-zone sctp_zone1 host-inbound-traffic protocols all
  user@host# set security-zone sctp_zone1 interfaces ge-4/0/0.0
  user@host# set security-zone sctp_zone1 interfaces ge-4/0/2.0
  user@host# set security-zone sctp_zone2 host-inbound-traffic system-services all
  user@host# set security-zone sctp_zone2 host-inbound-traffic protocols all
  user@host# set security-zone sctp_zone2 interfaces ge-4/0/1.0
  user@host# set security-zone sctp_zone2 interfaces ge-4/0/3.0
- Configure rules for the first static NAT zone.
  [edit security nat]
  user@host# set static rule-set sctp-natpt-from-zone1 from zone sctp_zone1
- Specify the static NAT rule match criteria for the traffic coming from zone 1.
  [edit security nat]
  user@host# set static rule-set sctp-natpt-from-zone1 rule r1-dst match destination-address 2b::2:2:2/128
  user@host# set static rule-set sctp-natpt-from-zone1 rule r1-dst then static-nat prefix 2.2.2.2/32
  user@host# set static rule-set sctp-natpt-from-zone1 rule r3-dst match destination-address 2d::4:4:4/128
  user@host# set static rule-set sctp-natpt-from-zone1 rule r3-dst then static-nat prefix 4.4.4.4/32
- Configure rules for the second static NAT zone.
  [edit security nat]
  user@host# set static rule-set sctp-natpt-from-zone2 from zone sctp_zone2
- Specify the static NAT rule match criteria for the traffic coming from zone 2.
  [edit security nat]
  user@host# set static rule-set sctp-natpt-from-zone2 rule r2-dst match destination-address 1.1.1.1/32
  user@host# set static rule-set sctp-natpt-from-zone2 rule r2-dst then static-nat prefix 2a::1:1:1/128
  user@host# set static rule-set sctp-natpt-from-zone2 rule r4-dst match destination-address 3.3.3.3/32
  user@host# set static rule-set sctp-natpt-from-zone2 rule r4-dst then static-nat prefix 2c::3:3:3/128
Results
From configuration mode, confirm your configuration by entering the show interfaces, show security zones, and show security nat static commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
Verifying the Configuration
Purpose
Verify that the NAT-PT configuration between an IPv4 endpoint and an IPv6 endpoint is correct.
Action
From operational mode, enter the show security zones and show security nat static rule all commands.
user@host> show security zones
Security zone: sctp_zone1
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 2
  Interfaces:
    ge-4/0/0.0
    ge-4/0/2.0
Security zone: sctp_zone2
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 2
  Interfaces:
    ge-4/0/1.0
    ge-4/0/3.0
user@host> show security nat static rule all
Total static-nat rules: 4
Total referenced IPv4/IPv6 ip-prefixes: 4/4
Static NAT rule: r1-dst Rule-set: sctp-natpt-from-zone1
  Rule-Id : 1
  Rule position : 1
  From zone : sctp_zone1
  Destination addresses : 2b::2:2:2
  Host addresses : 2.2.2.2
  Netmask : 128
  Host routing-instance : N/A
  Translation hits : 0
  Successful sessions : 0
  Failed sessions : 0
  Number of sessions : 0
Static NAT rule: r3-dst Rule-set: sctp-natpt-from-zone1
  Rule-Id : 2
  Rule position : 2
  From zone : sctp_zone1
  Destination addresses : 2d::4:4:4
  Host addresses : 4.4.4.4
  Netmask : 128
  Host routing-instance : N/A
  Translation hits : 0
  Successful sessions : 0
  Failed sessions : 0
  Number of sessions : 0
Static NAT rule: r2-dst Rule-set: sctp-natpt-from-zone2
  Rule-Id : 3
  Rule position : 3
  From zone : sctp_zone2
  Destination addresses : 1.1.1.1
  Host addresses : 2a::1:1:1
  Netmask : 32
  Host routing-instance : N/A
  Translation hits : 0
  Successful sessions : 0
  Failed sessions : 0
  Number of sessions : 0
Static NAT rule: r4-dst Rule-set: sctp-natpt-from-zone2
  Rule-Id : 4
  Rule position : 4
  From zone : sctp_zone2
  Destination addresses : 3.3.3.3
  Host addresses : 2c::3:3:3
  Netmask : 32
  Host routing-instance : N/A
  Translation hits : 0
  Successful sessions : 0
  Failed sessions : 0
  Number of sessions : 0
Meaning
The show security zones command displays all the zones configured and the interfaces associated with the zone. The show security nat static rule all command displays all the static NAT rules configured.
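An added check, not part of the original example: this Python script parses saved `show security nat static rule all` output and confirms that every rule translates between address families with a host-length mask, and that each zone has a rule for both addresses of the multihomed peer. The function names are hypothetical, the sample text is abridged from the output above, and the default of two rules per zone is an assumption that matches this example's two addresses per endpoint.

```python
import ipaddress
import re

# Abridged from the "show security nat static rule all" output on this page.
SAMPLE = """\
Static NAT rule: r1-dst Rule-set: sctp-natpt-from-zone1
  From zone : sctp_zone1
  Destination addresses : 2b::2:2:2
  Host addresses : 2.2.2.2
  Netmask : 128
Static NAT rule: r3-dst Rule-set: sctp-natpt-from-zone1
  From zone : sctp_zone1
  Destination addresses : 2d::4:4:4
  Host addresses : 4.4.4.4
  Netmask : 128
Static NAT rule: r2-dst Rule-set: sctp-natpt-from-zone2
  From zone : sctp_zone2
  Destination addresses : 1.1.1.1
  Host addresses : 2a::1:1:1
  Netmask : 32
Static NAT rule: r4-dst Rule-set: sctp-natpt-from-zone2
  From zone : sctp_zone2
  Destination addresses : 3.3.3.3
  Host addresses : 2c::3:3:3
  Netmask : 32
"""
FIELD = re.compile(
    r"^\s*(From zone|Destination addresses|Host addresses|Netmask)\s*:\s*(\S+)", re.M)

def parse_rules(text):
    """Return one dict per 'Static NAT rule:' block, keyed by the CLI field names."""
    blocks = re.split(r"(?m)^Static NAT rule:\s*", text)[1:]
    return [{"name": b.split()[0], **dict(FIELD.findall(b))} for b in blocks]

def audit(rules, paths_per_zone=2):
    """List problems; paths_per_zone=2 assumes this example's two addresses per endpoint."""
    problems, per_zone = [], {}
    for r in rules:
        dst = ipaddress.ip_address(r["Destination addresses"])
        host = ipaddress.ip_address(r["Host addresses"])
        if dst.version == host.version:
            problems.append(f"{r['name']}: destination and host are the same address family")
        if int(r["Netmask"]) != dst.max_prefixlen:
            problems.append(f"{r['name']}: not a one-to-one host mapping")
        per_zone[r["From zone"]] = per_zone.get(r["From zone"], 0) + 1
    problems += [f"{zone}: {n} of {paths_per_zone} multihomed addresses mapped"
                 for zone, n in sorted(per_zone.items()) if n < paths_per_zone]
    return problems
```

An empty list from `audit(parse_rules(SAMPLE))` means all four rules pass; a missing rule for one of the peer's addresses shows up as a per-zone entry.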