SRX Services Gateway
SRX Services Gateway

Reverse 6to4 NAT?

[ Edited ]
‎06-10-2014 11:52 AM

Here's what I'm aiming for,  I have an trusted network that is IPV4 only.  Runs some software that is not IPV6 compatible.

 

I have an untrusted network that is IPv6 only.  No IPV4 period.

 

Is there a way to have the untrust interface be IPV6, and the inside interface IPV4, and NAT this?  I only need to be able to reach ONE specific server on the untrusted network from one specific address on the trusted network.

 

I haven't tested this (I need to build an IPV6 environment first):

 

NOTE, I know this the documentation prefix, I'm not using it in real life.

Also note, I'm making all of these addresses up, so I might be very wrong and not know it.

 

 

Assuming:

fe-0/0/0 is assigned an IPV6 address

fe-0/0/1 is assigned an IPV4 address

 

Outside server is 2001Smiley Very HappyB8:1000:9002::cafe/128

Inside server Fake address for NAT replacement 192.168.203.10

 

My attempt is that the inside client, will attemp to send to 192.168.203.10, and the SRX will NAT the address to it's real IPV6 address.  Responses coming back will seem to orgininate from 192.168.203.10.

 

 

set routing-options rib inet6.0 static route ::/0 next-hop 2001:DB8:1000:9002::abcd
set security nat destination pool ipPool-1 address 2001:DB8:1000:9002::cafe/128
set security nat destination rule-set test-1 from zone trust
set security nat destination rule-set test-1 rule rule-1 match destination-address 192.168.203.10/32
set security nat destination rule-set test-1 rule rule-1 then destination-nat pool ipPool-1

set security nat source rule-set test-2 from zone trust
set security nat source rule-set test-2 to zone untrust
set security nat source rule-set test-2 rule rule-2 match source-address 0/0
set security nat source rule-set test-2 rule rule-2 match destination-address 2001:DB8:1000:9002::cafe
set security nat source rule-set test-2 rule rule-2 then source-nat interface