Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

IPv6 NAT

IPv6 NAT helps to translate IPv4 addresses to IPv6 addresses of network devices. IPv6 NAT also helps to translate the address between IPv6 hosts. IPv6 NAT supports source NAT, destination NAT, and static NAT.

IPv6 NAT Overview

IPv6 has a vastly larger address space than the impending exhausted IPv4 address space. IPv4 has been extended using techniques such as Network Address Translation (NAT), which allows for ranges of private addresses to be represented by a single public address, and temporary address assignment. There are a lot of technologies to provide the transition mechanism for the legacy IPv4 host to keep the connection to the Internet. IPv6 NAT provides address translation between IPv4 and IPv6 addressed network devices. It also provides address translation between IPv6 hosts. NAT between IPv6 hosts is done in a similar manner and for similar purposes as IPv4 NAT.

IPv6 NAT in Junos OS provides the following NAT types:

  • Source NAT

  • Destination NAT

  • Static NAT

Source NAT Translations Supported by IPv6 NAT

Source NAT is the translation of the source IP address of a packet leaving the Juniper Networks device. Source NAT is used to allow hosts with private IP addresses to access a public network.

IPv6 NAT in Junos OS supports the following source NAT translations:

  • Translation of one IPv6 subnet to another IPv6 subnet without port address translation

  • Translation of IPv4 addresses to IPv6 prefix + IPv4 addresses

  • Translation of IPv6 hosts to IPv6 hosts with or without port address translation

  • Translation of IPv6 hosts to IPv4 hosts with or without port address translation

  • Translation of IPv4 hosts to IPv6 hosts with or without port address translation

Destination NAT Mappings Supported by IPv6 NAT

Destination NAT is the translation of the destination IP address of a packet entering the Juniper Networks device. Destination NAT is used to redirect traffic destined to a virtual host (identified by the original destination IP address) to the real host (identified by the translated destination IP address).

IPv6 NAT in Junos OS supports the following destination NAT translations:

  • Prefix translation between IPv4 and IPv6 prefix

  • Mapping of one IPv6 subnet to another IPv6 subnet

  • Mapping of one IPv6 subnet to an IPv6 host

  • Mapping of one IPv6 subnet to one IPv4 subnet

  • Mapping of one IPv4 subnet to one IPv6 subnet

  • Mapping of one IPv6 host (and optional port number) to one special IPv6 host (and optional port number)

  • Mapping of one IPv6 host (and optional port number) to one special IPv4 host (and optional port number)

  • Mapping of one IPv4 host (and optional port number) to one special IPv6 host (and optional port number)

Static NAT Mappings Supported by IPv6 NAT

Static NAT defines a one-to-one mapping from one IP subnet to another IP subnet. The mapping includes destination IP address translation in one direction and source IP address translation in the reverse direction. From the NAT device, the original destination address is the virtual host IP address while the mapped-to address is the real host IP address.

IPv6 NAT in Junos OS supports the following static NAT translations:

IPv6 NAT PT Overview

Starting in Junos OS Release 20.2R1 you can run IPv6 NAT-PT Next Gen Services on MX240, MX480, and MX960 routers.

IPv6 Network Address Translation-Protocol Translation (NAT-PT) provides address allocation and protocol translation between IPv4 and IPv6 addressed network devices. The translation process is based on the Stateless IP/ICMP Translation (SIIT) method; however, the state and the context of each communication are retained during the session lifetime. IPv6 NAT-PT supports Internet Control Message Protocol (ICMP), TCP, and UDP packets.

IPv6 NAT-PT supports the following types of NAT-PT:

  • Traditional NAT-PT—In traditional NAT-PT, the sessions are unidirectional and outbound from the IPv6 network . Traditional NAT-PT allows hosts within an IPv6 network to access hosts in an IPv4 network. There are two variations to traditional NAT-PT: basic NAT-PT and NAPT-PT.

    In basic NAT-PT, a block of IPv4 addresses at an IPv4 interface is set aside for translating addresses as IPv6 hosts as they initiate sessions to the IPv4 hosts. The basic NAT-PT translates the source IP address and related fields such as IP, TCP, UDP, and ICMP header checksums for packets outbound from the IPv6 domain . For inbound packets, it translates the the destination IP address and the checksums.

    Network Address Port Translation-Protocol Translation (NAPT-PT) can be combined with basic NAT-PT so that a pool of external addresses is used in conjunction with port translation. NAPT-PT allows a set of IPv6 hosts to share a single IPv4 address. NAPT-PT translates the source IP address, source transport identifier, and related fields such as IP, TCP, UDP, and ICMP header checksums, for packets outbound from the IPv6 network. The transport identifier can be a TCP/UDP port or an ICMP query ID. For inbound packets, it translates the destination IP address, destination transport identifier, and the IP and the transport header checksums.

  • Bidirectional NAT-PT—In bidirectional NAT-PT, sessions can be initiated from hosts in the IPv4 network as well as the IPv6 network. IPv6 network addresses are bound to IPv4 addresses, either statically or dynamically as connections are established in either direction. The static configuration is similar to static NAT translation. Hosts in IPv4 realm access hosts in the IPv6 realm using DNS for address resolution. A DNS ALG must be employed in conjunction with bidirectional NAT-PT to facilitate name-to-address mapping. Specifically, the DNS ALG must be capable of translating IPv6 addresses in DNS queries and responses into their IPv4 address bindings, and vice versa, as DNS packets traverse between IPv6 and IPv4 realms.

    Note:

    The devices partially support the bidirectional NAT-PT specification. It supports flow of bidirectional traffic assuming that there are other ways to convey the mapping between the IPv6 address and the dynamically allocated IPv4 address. For example, a local DNS can be configured with the mapped entries for IPv4 nodes to identify the addresses.

NAT- PT Operation—The devices support the traditional NAT-PT and allow static mapping for the user to communicate from IPv4 to IPv6 . The user needs to statically configure the DNS server with an IPv4 address for the hostname and then create a static NAT on the device for the IPv6-only node to communicate from an IPv4-only node to an IPv6-only node based on the DNS.

IPv6 NAT-PT Communication Overview

NAT-PT communication with static mapping— Network Address Translation-Protocol Translation (NAT-PT) can be done in two directions, from IPv6 to IPv4 and vice versa. For each direction, static NAT is used to map the destination host to a local address and a source address NAT is used to translate the source address. There are two types of static NAT and source NAT mapping: one-to-one mapping and prefix-based mapping.

NAT- PT communication with DNS ALG—A DNS-based mechanism dynamically maps IPv6 addresses to IPv4-only servers. NAT-PT uses the DNS ALG to transparently do the translations. For example, a company using an internal IPv6 network needs to be able to communicate with external IPv4 servers that do not yet have IPv6 addresses.

To support the dynamic address binding, a DNS should be used for name resolution. The IPv4 host looks up the name of the IPv6 node in its local configured IPv4 DNS server, which then passes the query to the IPv6 DNS server through a device using NAT-PT.

The DNS ALG in NAT device :

  • Translates the IPv6 address resolution back to IPv4 address resolution.

  • Allocates an IPv6 address for the mapping.

  • Stores a mapping of the allocated IPv4 address to the IPv6 address returned in the IPv6 address resolution so that the session can be established from any-IPv4 hosts to the IPv6 host.

Example: Configuring an IPv4-Initiated Connection to an IPv6 Node Using Default Destination Address Prefix Static Mapping

This example shows how to configure an IPv4-initiated connection to an IPv6 node using default destination address prefix static mapping.

Requirements

Before you begin, configure interfaces and assign them to security zones.

Overview

The following example describes how to configure an IPv4-initiated connection to an IPv6 node that has a static mapping 126-based IPv6 address defined on its interface and static mapping /126 set up on the device. This example assumes that the IPv6 addresses to be mapped to IPv4 addresses make the IPv4 addresses part of the IPv6 address space.

Configuring an IPv4-initiated connection to an IPv6 node is useful when the devices on the IPv4 network must be interconnected to the devices on the IPv6 network and during migration of an IPv4 network to an IPv6 network. The mapping can be used for DNS ALG for reverse lookup of IPv4 addresses from IPv6 addresses, for the traffic initiated from the IPv6 network. This process also provides connectivity for sessions initiated from IPv4 nodes with IPv6 nodes on the other side of the NAT/PT device.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy.

To configure an IPv4-initiated connection to an IPv6 node using static destination address one-to-one mapping:

  1. Configure the static NAT rule set for an interface.

  2. Define the rule to match the destination address prefix.

    Note:

    The destination address number in the match rule must be a number equal to the static-nat prefix range.

    There is no limitation on the source address number in the match rule.

  3. Define the static NAT prefix for the device.

  4. Configure the source NAT pool with an IPv6 address prefix.

  5. Configure the source NAT rule set for the interface.

  6. Configure the IPv6 source NAT source address.

    Note:

    The source address number in the match rule must be an address number equal to the source pool range. For example, ^2(32 – 30) = 2^(128 – 126) =>.

    There is no limitation on the destination address number in the match rule.

  7. Configure the IPv6 source NAT destination address.

  8. Define the configured source NAT IPv6 pool in the rule.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That Static NAT Is Configured

Purpose

Verify whether static NAT is configured with an interface, a destination address, and a prefix.

Action

From operational mode, enter the show security nat static command.

Verifying That Source NAT Is Configured

Purpose

Verify whether source NAT is configured.

Action

From operational mode, enter the show security nat source command.

Example: Configuring an IPv4-Initiated Connection to an IPv6 Node Using Static Destination Address One-to-One Mapping

This example shows how to configure an IPv4-initiated connection to an IPv6 node using static destination address one-to-one mapping.

Requirements

Before you begin, configure the interfaces and assign the interfaces to security zones.

Overview

The following example describes how to configure an IPv4 node to communicate with an IPv6 node using one-to-one static NAT on the device.

The communication of an IPv4 node with an IPv6 node is useful for IPv4 hosts accessing an IPv6 server, for new servers that support IPv6 only and that need to be connected to the IPv6 network, and for migrating of old hosts to the new server when most of the machines have already moved to IPv6. For example, you can use this feature to connect an IPv4-only node to an IPv6-only printer. This mapping can also be used for DNS ALG for reverse lookup of IPv4 addresses from IPv6 addresses for traffic that is initiated from the IPv6 network.

In this example, the source IPv4 address matching the prefix 10.10.10.1/30 is added with the IPv6 prefix 2001:db8::/96 to form the translated source IPv6 address and the destination IPv4 address 10.1.1.25/32 is translated to IPv6 address 2001:db8::25/128.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure an IPv4-initiated connection to an IPv6 node using static destination address one-to-one mapping:

  1. Configure the static NAT rule set for an interface.

  2. Define the rule and the destination address.

  3. Define the static NAT prefix.

  4. Configure a source NAT pool with an IPv6 prefix address.

  5. Configure the source NAT rule set.

  6. Configure the source NAT source address.

  7. Configure the source NAT destination address.

  8. Define a configured source NAT IPv6 pool in the rule.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That Static NAT Is Configured

Purpose

Verify whether static NAT is configured with an interface, a destination address, and a prefix.

Action

From operational mode, enter the show security nat static command.

Verifying That Source NAT Is Configured

Purpose

Verify whether source NAT is configured.

Action

From operational mode, enter the show security nat source command.

Example: Configuring an IPv6-Initiated Connection to an IPv4 Node Using Default Destination Address Prefix Static Mapping

This example shows how to configure an IPv6-initiated connection to an IPv4 node using default destination address prefix static mapping. This example does not show how to configure the NAT translation for the reverse direction.

Requirements

Before you begin, configure the interfaces and assign the interfaces to security zones.

Overview

The following example describes the communication of an IPv6 node with an IPv4 node that has prefix-based static NAT defined on the device. The static NAT assumes that the IPv4 network is a special IPv6 network (that is, an IPv4-mapped IPv6 network), and hides the entire IPv4 network behind an IPv6 prefix.

The communication of an IPv6 node with an IPv4 node is useful when IPv6 is used in the network and must be connected to the IPv4 network, or when both IPv4 and IPv6 are used in the network and a mechanism is required to interconnect the two networks during migration. This also provides connectivity for sessions initiated from IPv6 nodes with IPv4 nodes on the other side of the NAT/PT device.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure an IPv6-initiated connection to an IPv4 node using default destination address prefix static mapping:

  1. Configure the static NAT for an interface.

  2. Define the rule and destination address with the prefix for the static NAT translation defined on the device.

  3. Define the static NAT as inet to translate to an IPv4 address.

  4. Configure the IPv4 source NAT pool address.

  5. Configure the source NAT rule set.

  6. Configure the IPv4 source NAT destination address.

  7. Define the source address with the prefix for the source NAT defined on the device.

  8. Define a configured source NAT IPv4 pool in the rule.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That Static NAT Is Configured

Purpose

Verify whether static NAT is configured with an interface, a destination address, and a prefix.

Action

From operational mode, enter the show security nat static rule command.

Verifying That Source NAT Is Configured

Purpose

Verify whether source NAT is configured.

Action

From operational mode, enter the show security nat source rule command.

From operational mode, enter the show security nat source pool command.

Example: Configuring an IPv6-Initiated Connection to an IPv4 Node Using Static Destination Address One-to-One Mapping

This example shows how to configure an IPv6-initiated connection to an IPv4 node using static destination address one-to-one mapping.

Requirements

Before you begin, configure the interfaces and assign the interfaces to security zones.

Overview

The following example describes the communication of an IPv6 node with an IPv4 node that has a one-to-one static NAT address defined on the device. The communication of an IPv6 node with an IPv4 node allows IPv6 hosts to access an IPv4 server when neither of the devices has a dual stack and must depend on the NAT/PT device to communicate. This enables some IPv4 legacy server applications to work even after the network has migrated to IPv6.

Configuration

Procedure

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

To configure an IPv6-initiated connection to an IPv4 node using static destination address one-to-one mapping:

  1. Configure the static NAT rule set for an interface.

  2. Define a rule to match the destination address.

  3. Define the static NAT prefix to the rule.

  4. Configure a source NAT pool with an IPv4 addresses.

  5. Configure the IPv4 address for the interface.

  6. Configure the source address to the IPv4 source NAT address.

  7. Configure the destination address to IPv4 source NAT address.

  8. Define the configured source NAT IPv4 pool in the rule.

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That Static NAT Is Configured

Purpose

Verify whether static NAT is configured with an interface, a destination address, and a prefix.

Action

From operational mode, enter the show security nat static command.

Verifying That Source NAT Is Configured

Purpose

Verify whether source NAT is configured.

Action

From operational mode, enter the show security nat source command.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
20.2R1
Starting in Junos OS Release 20.2R1 you can run IPv6 NAT-PT Next Gen Services on MX240, MX480, and MX960 routers.