Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

FAQ

It is currently Tue Jun 06, 2023 7:08 am

ROOT ‹ Network Security & Routing & Switching ‹ Security, NAT, Policies, Screen, Flow, TCP ‹ Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic

Post a reply

3 posts • Page 1 of 1

Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic

« Previous topic | Next topic »

Author

Message

admin

Post subject: Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic | Posted: Thu Mar 10, 2016 10:56 am

Site Admin

Joined: Mon Aug 03, 2009 8:43 am
Posts: 104

Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic

Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic

If NAT64 is used on Juniper SRX with action “static-nat inet”, then IPv4 traffic hitting the security zone of NAT64 towards destinations from other zone, will be dropped due to an internal miss-behavior of the SRX.

Enabling SRX flow traces will show The packet destination ip is not same as source ip version, drop it. This means that SRX tries to apply a NAT46 action on the IPv4 traffic and evaluates resulted IP packet with ipv4 source and IPv6 destination. But this traffic should not be natted (example: from INTERNET to LAN).

This is caused by the following:

Code:

static {
    rule-set NAT64-ruleset {
        from zone LAN;
        rule NAT64-rule {
            match {
                destination-address 64:ff9b::/96;
            }
            then {
                static-nat {            
                    inet;               
                }                       
            }                           
        }                               
    }                                   
}             
> show security nat static rule all 
node0:
--------------------------------------------------------------------------
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/1
 
Static NAT rule: NAT64-test           Rule-set: NAT64 
  Rule-Id                    : 1  
  Rule position              : 1
  From zone                  : LAN
  Destination addresses      : 64:ff9b::
  Host addresses             : 0.0.0.0
  Netmask                    : 96
  Host routing-instance      : N/A
  Translation hits           : 9
    Successful sessions      : 0
    Failed sessions          : 9
  Number of sessions         : 0

The above rule, while correct, causes the SRX to do half translation of the IPv4->IPv4 traffic from INTERNET->LAN zones. To fix this, we need to make the static NAT64 rule a little more specific and add a match term for source-address ANY IPv6 ::/0:

Code:

# set security nat static rule-set NAT64 rule NAT64-test match source-address ::/0
# show security nat static 
static {
    rule-set NAT64-ruleset {
        from zone LAN;
        rule NAT64-rule {
            match {
                source-address ::/0;
                destination-address 64:ff9b::/96;
            }
            then {
                static-nat {            
                    inet;               
                }                       
            }                           
        }                               
    }                                   
}           
# run show security nat static rule all 
node0:
--------------------------------------------------------------------------
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/1
 
Static NAT rule: NAT64-rule           Rule-set: NAT64-ruleset
  Rule-Id                    : 1  
  Rule position              : 1
  From zone                  : LAN
  Source addresses           : ::              - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  Destination addresses      : 64:ff9b::
  Host addresses             : 0.0.0.0
  Netmask                    : 96
  Host routing-instance      : N/A
  Translation hits           : 0
    Successful sessions      : 0
    Failed sessions          : 0
  Number of sessions         : 0

Notice now that the static NAT64 rule (NAT64-rule) is more specific and matches strictly IPv6 source traffic, leaving IPv4 traffic untouched.

Links:
http://chimera.labs.oreilly.com/books/1234000001633/ch09.html#rule_sets
http://www.juniper.net/techpubs/en_US/junos12.1x46/topics/example/ipv6-initiated-connection-ipv4-node-using-default-destination-addess-configuring.html

_________________
VPSie - SSD VPS servers in AMS-IX, LINX, DE-CIX
https://vpsie.com

			Tweet
Follow @IvordeCom

You might also be interested in:
Juniper SRX NAT64 behavior in relation to DF (Don’t Fragment) bit on incoming IPv4 packets. Junos 11.4 - SRX flow mode - traffic destined for loopback lo0 interface. BGP Blackhole (RTBH) with Juniper SRX firewall. Juniper SRX firewall debug: packet dropped: for self but not interested. Configuring and verifying unicast reverse path filter (uRPF) on Juniper SRX. Juniper SRX testcase - How to block TCP SYN packets with data/segment bytes (strict-syn-check). Juniper SRX packet mode switch back to flow mode (verification). Juniper SRX - How to perform source nat on Junos self originated packets - Junos 11.4.

Top

Guest

Post subject: Re: Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic | Posted: Wed May 11, 2016 11:52 am

I am not seeing match source-address, which version are you using this option on?

Top

admin

Post subject: Re: Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic | Posted: Wed May 11, 2016 9:15 pm

Site Admin

Joined: Mon Aug 03, 2009 8:43 am
Posts: 104

Guest wrote:

I am not seeing match source-address, which version are you using this option on?

It is only available from 12.1X46 onward.
12.1X44:

Code:

# set security nat static rule-set test rule 0 match ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Destination address
> destination-address-name  Address from address book
> destination-port     Destination port

12.1X46:

Code:

# set security nat static rule-set test rule 0 match ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Destination address
> destination-address-name  Address from address book
> destination-port     Destination port
+ source-address       Source address
+ source-address-name  Address from address book
> source-port          Source port

12.3X48:

Code:

# set security nat static rule-set test rule 0 match ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Destination address
> destination-address-name  Address from address book
> destination-port     Destination port
+ source-address       Source address
+ source-address-name  Address from address book
> source-port          Source port

What Junos version are you on ?

_________________
VPSie - SSD VPS servers in AMS-IX, LINX, DE-CIX
https://vpsie.com

Top

Post a reply

3 posts • Page 1 of 1

Topics		Author	Replies	Views	Last post
Topics related to - "Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic"
	Juniper SRX NAT64 behavior in relation to DF (Don’t Fragment) bit on incoming IPv4 packets	admin	0	2681	Thu Mar 10, 2016 11:31 am admin
	Junos 11.4 - SRX flow mode - traffic destined for loopback lo0 interface	mandrei99	0	6866	Thu May 30, 2013 9:20 am mandrei99
	BGP Blackhole (RTBH) with Juniper SRX firewall	mandrei99	0	7969	Thu May 29, 2014 6:45 am mandrei99
	Juniper SRX firewall debug: packet dropped: for self but not interested	admin	0	4553	Mon Jun 23, 2014 3:52 am admin
	Configuring and verifying unicast reverse path filter (uRPF) on Juniper SRX	admin	1	5736	Fri Feb 01, 2013 12:09 pm admin
	Juniper SRX testcase - How to block TCP SYN packets with data/segment bytes (strict-syn-check)	admin	0	3062	Tue Jun 19, 2012 8:38 am admin
	Juniper SRX packet mode switch back to flow mode (verification)	mandrei99	1	6952	Tue May 28, 2013 11:10 am mandrei99
	Juniper SRX - How to perform source nat on Junos self originated packets - Junos 11.4	debuser	0	3289	Sun Jun 03, 2012 3:46 pm debuser

Who is online

Users browsing this forum: No registered users and 0 guests

You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:

Channel list

ROOT ‹ Network Security & Routing & Switching ‹ Security, NAT, Policies, Screen, Flow, TCP

Delete all board cookies | The team | All times are UTC - 5 hours [ DST ]