Hurricane Electric's IPv6 Tunnel Broker Forums
Author Topic: JUNOS SRX IPv6 Tunnel NAT  (Read 1835 times)
disneycheng (Newbie, Posts: 3, "IPv6 newbie")
« on: July 18, 2011, 09:04:20 pm »

Hi All

My HE tunnel setup on my SRX 210 (11.1 R3) is as below:

Host A fc00:10::a <> (vlan.0,trust zone) fc00:10::1 -- (ip-0/0/0.0 untrust0 2001:470::2/64 )

The tunnel is working fine and I can ping ipv6.google.com and also access some IPv6 websites on the SRX.

And then I have configured a source NAT from the trust zone to the untrust zone so that my fc00:10::/64 clients accessing IPv6 resources will be source NATed.
When I look at the traffic flow, it seems the return traffic cannot pass back. Did anyone try a similar configuration?

Please advise.
Cheers,

Fai
jrocha (Network Engineer, Hurricane Electric; Administrator, Jr. Member, Posts: 66)
« Reply #1 on: July 21, 2011, 05:46:26 pm »

Is there any particular reason you are using NAT instead of the /64 you get for free from the tunnel? And are you doing NAT-PT?
maestroevolution (Newbie, Posts: 49)
« Reply #2 on: July 25, 2011, 09:55:00 am »

Hi Disneycheng,

Before getting into NAT66 (which the SRX can do), do you have basic IPv6 connectivity?

I have not played with NAT66, as I don't see the need; my IPv6 work is all un-NATed. Before testing the NAT, I would ensure that you have basic IPv6 connectivity through the firewall.

If you're using 10.2R3 or later, you will need the following config to 'fix' the v6-in-v4 tunnel: put this on the untrusted interface (or whatever interface you're binding the tunnel to).  This tells the SRX that the outer packet (IPv4 protocol 41) is treated statelessly and destined for the SRX itself.  The inner packet (IPv6) is treated statefully as it should.

Replace 1.2.3.4 with your IPv4 address.

joel@chilis220> show configuration interfaces ge-0/0/7 
unit 0 {
    description Comcast;
    family inet {
        filter {
            input fix-v6v4-tunnel;
        }
        dhcp {
            update-server;
        }
    }
}

joel@chilis220> show configuration firewall family inet filter fix-v6v4-tunnel
term one {
    from {
        destination-address {
            1.2.3.4/32;
        }
        protocol 41;
    }
    then packet-mode;
}
term one.five {
    from {
        source-address {
            1.2.3.4/32;
        }
        protocol 41;
    }
    then packet-mode;
}
term two {
    then accept;
}
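The post above says the filter matches the outer IPv4 packet (protocol 41) addressed to or from the SRX's own address and hands it to packet-mode, while the inner IPv6 packet is what the stateful flow engine sees. The following Python script is an added example, not code from the forum post or from Juniper: it builds a 6in4 packet the way a Hurricane Electric tunnel carries it (RFC 4213 encapsulation), parses the outer and inner headers, and models the three terms of the posted `fix-v6v4-tunnel` filter to show which packets land in packet-mode and which fall through to `accept`. All addresses are constructed placeholders (the SRX WAN address 1.2.3.4 follows the post; the tunnel server and IPv6 prefixes are documentation ranges), and the ICMPv6 checksum is left at zero because only header classification is demonstrated.

```python
"""Added example: 6in4 (protocol 41) encapsulation and a model of the
posted `fix-v6v4-tunnel` filter terms.  Not from the forum post."""

import ipaddress
import struct

# Constructed placeholder addresses (assumptions, not from the page).
SRX_WAN_V4 = ipaddress.IPv4Address("1.2.3.4")       # SRX's own IPv4, as in the post
HE_SERVER_V4 = ipaddress.IPv4Address("192.0.2.1")   # tunnel server, TEST-NET-1
CLIENT_V6 = ipaddress.IPv6Address("2001:db8:1::a")  # inner source (LAN host)
TARGET_V6 = ipaddress.IPv6Address("2001:db8:2::1")  # inner destination (Internet)

IPPROTO_IPV6 = 41  # IANA protocol number for IPv6-in-IPv4 (6in4)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header (RFC 791)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src, dst, payload: bytes, next_header: int = 58) -> bytes:
    """Minimal 40-byte IPv6 header; next_header 58 = ICMPv6, hop limit 64."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + src.packed + dst.packed + payload


def build_6in4(src4, dst4, inner: bytes) -> bytes:
    """Wrap an IPv6 packet in an IPv4 header with protocol 41 (RFC 4213)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000,
                      64, IPPROTO_IPV6, 0, src4.packed, dst4.packed)
    csum = ipv4_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + inner


def parse_6in4(pkt: bytes) -> dict:
    """Return outer src/dst/proto and, when proto is 41, the inner IPv6 src/dst."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    out = {
        "outer_src": ipaddress.IPv4Address(pkt[12:16]),
        "outer_dst": ipaddress.IPv4Address(pkt[16:20]),
        "proto": pkt[9],
    }
    if out["proto"] == IPPROTO_IPV6:
        inner = pkt[ihl:]
        if inner[0] >> 4 != 6:
            raise ValueError("protocol 41 payload is not IPv6")
        out["inner_src"] = ipaddress.IPv6Address(inner[8:24])
        out["inner_dst"] = ipaddress.IPv6Address(inner[24:40])
    return out


def fix_v6v4_tunnel(outer_src, outer_dst, proto: int) -> str:
    """Model of the posted filter: terms one and one.five send protocol 41
    to/from the SRX's own address to packet-mode; term two accepts the rest
    into normal stateful flow processing."""
    if proto == IPPROTO_IPV6 and outer_dst == SRX_WAN_V4:   # term one
        return "packet-mode"
    if proto == IPPROTO_IPV6 and outer_src == SRX_WAN_V4:   # term one.five
        return "packet-mode"
    return "accept"                                         # term two


def demo() -> dict:
    """Classify an outbound echo, its inbound reply, and a plain TCP packet."""
    # Constructed ICMPv6 echo request/reply bodies; checksum field left zero.
    echo = build_ipv6(CLIENT_V6, TARGET_V6, b"\x80\x00\x00\x00\x00\x01\x00\x01")
    reply = build_ipv6(TARGET_V6, CLIENT_V6, b"\x81\x00\x00\x00\x00\x01\x00\x01")
    cases = {
        "outbound": build_6in4(SRX_WAN_V4, HE_SERVER_V4, echo),
        "inbound": build_6in4(HE_SERVER_V4, SRX_WAN_V4, reply),
    }
    results = {}
    for name, pkt in cases.items():
        p = parse_6in4(pkt)
        results[name] = (fix_v6v4_tunnel(p["outer_src"], p["outer_dst"], p["proto"]),
                         str(p["inner_src"]), str(p["inner_dst"]))
    # Plain TCP (proto 6) to the SRX is not tunnel traffic: term two accepts it.
    results["plain_tcp"] = (fix_v6v4_tunnel(HE_SERVER_V4, SRX_WAN_V4, 6),)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, verdict)
```

The point the script makes concrete: both directions of the tunnel are classified on the outer IPv4 header alone, so the stateful engine never tries to build a session for the protocol 41 wrapper, while the inner IPv6 addresses (2001:db8:1::a to 2001:db8:2::1 here) are what security policies, sessions and any NAT66 rule are evaluated against. A packet that is not protocol 41 matches term two and is processed statefully as usual.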