SRX Services Gateway

NAT64 on SRX 240H2 in Cluster

‎04-03-2016 07:08 AM

 

I am facing the following issue while setting up IPv6 NAT64: VPN does not work when the rule below is enabled. I removed the static NAT statement below and VPN started working again. Here is the command I removed from the SRX:

set security nat static rule-set nat64-static from zone TRUST

set security nat static rule-set nat64-static rule ipv6-clients match destination-address 64:ff9b::/96

set security nat static rule-set nat64-static rule ipv6-clients then static-nat inet

Now the question is why the VPN stopped when I issued the above command. Secondly, I am not able to configure source-address in the static NAT; I see that this is possible in vSRX and in SRX240H. We have two SRX240H2 in a cluster; the version is as below. Refer to the URL below: a source-address is required for smooth working.

 

So my questions are:

1) Why did the above static NAT configuration stop the VPN?

2) Why is the SRX static NAT not allowing a source address? I believe if a source address is added it should solve the issue.

 

https://forum.ivorde.com/juniper-srx-nat64-static-nat-inet-impacts-non-nat-ipv4-traffic-t19837.html

 

root@SRX-HA1# set security nat static rule-set nat64 rule NAT64Static match ?       

Possible completions:

+ apply-groups         Groups from which to inherit configuration data

+ apply-groups-except  Don't inherit configuration data from these groups

> destination-address  Destination address

> destination-address-name  Address from address book

> destination-port     Destination port

{primary:node0}[edit]

 

root@SRX-HA1> show version 

node0:

--------------------------------------------------------------------------

Hostname: SRX-HA1

Model: srx240h2

JUNOS Software Release [12.1X44-D35.5]

 

node1:

--------------------------------------------------------------------------

Hostname: SRX-HA2

Model: srx240h2

JUNOS Software Release [12.1X44-D35.5]

 

{primary:node0}

 

 

 

I have the below static NAT for VPN

set security nat static rule-set one-to-one-nat from zone UNTRUST

set security nat static rule-set one-to-one-nat rule SSLVPN match destination-address x.x.x.x/32

set security nat static rule-set one-to-one-nat rule SSLVPN then static-nat prefix 10.10.10.10/32

set security nat proxy-arp interface reth1.0 address x.x.x.x/32


Re: NAT64 on SRX 240H2 in Cluster

‎04-03-2016 12:00 PM

You need an extra source NAT to also convert the IPv6 source address to IPv4.

 

See my Learning Byte on exactly that topic: NAT64 with DNS64.

 

https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=8996

 

regards

 

alexander
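
The extra source NAT described in the reply, sketched as Junos set commands next to the static rule from the question. This is an added example, not configuration from either poster or from the linked Learning Byte. The pool and rule names, the 2001:db8:0:1::/64 client prefix, the 192.0.2.10 pool address and UNTRUST as the egress zone are assumptions; TRUST and 64:ff9b::/96 come from the question.

```junos
# Destination half (from the question): strip the 64:ff9b::/96 prefix and
# use the embedded last 32 bits as the IPv4 destination.
set security nat static rule-set nat64-static from zone TRUST
set security nat static rule-set nat64-static rule ipv6-clients match destination-address 64:ff9b::/96
set security nat static rule-set nat64-static rule ipv6-clients then static-nat inet

# Source half (the reply's point): translate the IPv6 client source to IPv4.
# Pool name and address are placeholders (assumption).
set security nat source pool nat64-v4-pool address 192.0.2.10/32

# Rule-set and rule names are hypothetical; UNTRUST as egress zone is assumed.
set security nat source rule-set nat64-source from zone TRUST
set security nat source rule-set nat64-source to zone UNTRUST

# Scope the rule to the IPv6 client prefix (placeholder) so that native
# IPv4 flows leaving TRUST are not picked up by this source rule.
set security nat source rule-set nat64-source rule v6-clients match source-address 2001:db8:0:1::/64
set security nat source rule-set nat64-source rule v6-clients match destination-address 0.0.0.0/0
set security nat source rule-set nat64-source rule v6-clients then source-nat pool nat64-v4-pool
```

After commit, `show security nat source rule all` and `show security nat static rule all` show the translation hit counters for each half, and `show security flow session` shows whether a NAT64 session carries both translations.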