Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic
If NAT64 is used on a Juniper SRX with the action "static-nat inet", plain IPv4 traffic between the zone used for NAT64 and other zones (for example, from INTERNET to LAN) is dropped because of an internal misbehavior of the SRX.
Enabling SRX flow traces shows the drop reason:
Code:
    The packet destination ip is not same as source ip version, drop it.
This means the SRX applies the reverse (NAT46) side of the static NAT64 rule to IPv4 traffic, ends up with a packet whose source and destination addresses are of different IP versions, and drops it. That traffic should not be translated at all (for example, traffic from INTERNET to LAN).
This is caused by the following static NAT configuration:
Code:
    static {
        rule-set NAT64-ruleset {
            from zone LAN;
            rule NAT64-rule {
                match {
                    destination-address 64:ff9b::/96;
                }
                then {
                    static-nat {
                        inet;
                    }
                }
            }
        }
    }
Code:
    > show security nat static rule all
    node0:
    --------------------------------------------------------------------------
    Total static-nat rules: 1
    Total referenced IPv4/IPv6 ip-prefixes: 1/1
    Static NAT rule: NAT64-rule          Rule-set: NAT64-ruleset
      Rule-Id                    : 1
      Rule position              : 1
      From zone                  : LAN
      Destination addresses      : 64:ff9b::
      Host addresses             : 0.0.0.0
      Netmask                    : 96
      Host routing-instance      : N/A
      Translation hits           : 9
        Successful sessions      : 0
        Failed sessions          : 9
      Number of sessions         : 0
Note the nine translation hits with nine failed sessions: every IPv4-to-IPv4 packet from INTERNET to LAN hit the rule and failed. The rule above is syntactically correct, but it causes the SRX to half-translate that IPv4-to-IPv4 traffic. To fix this, make the static NAT64 rule more specific by adding a source-address match for all IPv6 addresses (::/0):
Code:
    # set security nat static rule-set NAT64-ruleset rule NAT64-rule match source-address ::/0
    # show security nat static
    static {
        rule-set NAT64-ruleset {
            from zone LAN;
            rule NAT64-rule {
                match {
                    source-address ::/0;
                    destination-address 64:ff9b::/96;
                }
                then {
                    static-nat {
                        inet;
                    }
                }
            }
        }
    }
Code:
    # run show security nat static rule all
    node0:
    --------------------------------------------------------------------------
    Total static-nat rules: 1
    Total referenced IPv4/IPv6 ip-prefixes: 1/1
    Static NAT rule: NAT64-rule          Rule-set: NAT64-ruleset
      Rule-Id                    : 1
      Rule position              : 1
      From zone                  : LAN
      Source addresses           : :: - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
      Destination addresses      : 64:ff9b::
      Host addresses             : 0.0.0.0
      Netmask                    : 96
      Host routing-instance      : N/A
      Translation hits           : 0
        Successful sessions      : 0
        Failed sessions          : 0
      Number of sessions         : 0
With the source-address match in place, the static NAT64 rule (NAT64-rule) matches only IPv6-sourced traffic, so IPv4 traffic is left untouched; the counters above should stay at zero translation hits for IPv4-to-IPv4 flows.
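To make the mechanism behind the fix concrete, here is an added example (not part of the original post, and a simplified model rather than the SRX's actual flow code) that models a static NAT64 rule being applied in both directions: forward as configured, and in reverse for any packet sourced from a translated host, which with "Host addresses 0.0.0.0 / Netmask 96" means every IPv4 host. The model assumes that the reverse mapping checks the rule's source-address match against the packet's destination, which is what makes the ::/0 match exclude IPv4 destinations. Zone names and the 192.0.2.0/24, 203.0.113.0/24 and 2001:db8::/32 addresses are constructed for the example.

```python
"""Model of Junos static NAT64 ('static-nat inet') rule matching in both directions.

Constructed example: a simplified model of the behaviour described in the post,
not SRX flow code. Zones and addresses are assumptions (documentation prefixes).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class StaticNat64Rule:
    """One 'static-nat inet' rule: strip the NAT64 prefix from the destination."""
    from_zone: str
    destination: ipaddress.IPv6Network          # match destination-address
    source: Optional[IPNetwork] = None          # match source-address (None = not configured)


@dataclass(frozen=True)
class Packet:
    in_zone: str
    src: IPAddress
    dst: IPAddress


def in_net(addr: IPAddress, net: IPNetwork) -> bool:
    # An IPv4 address never matches an IPv6 prefix and vice versa.
    return addr.version == net.version and addr in net


def forward(rule: StaticNat64Rule, pkt: Packet) -> Optional[Packet]:
    """Forward direction as configured: from-zone -> 64:ff9b::/96,
    the destination becomes the IPv4 address embedded in the low 32 bits."""
    if pkt.in_zone != rule.from_zone:
        return None
    if rule.source is not None and not in_net(pkt.src, rule.source):
        return None
    if not in_net(pkt.dst, rule.destination):
        return None
    embedded_v4 = ipaddress.IPv4Address(int(pkt.dst) & 0xFFFFFFFF)
    return Packet(pkt.in_zone, pkt.src, embedded_v4)


def reverse(rule: StaticNat64Rule, pkt: Packet) -> Optional[Packet]:
    """Reverse mapping implied by static NAT (model assumption): a packet *sourced*
    from a translated host gets its source mapped back into the NAT64 prefix.
    The translated host range here is every IPv4 address (host 0.0.0.0, netmask 96),
    so any IPv4-sourced packet is a candidate. The rule's source-address match,
    if configured, is checked against the packet's *destination*."""
    if pkt.src.version != 4:
        return None
    if rule.source is not None and not in_net(pkt.dst, rule.source):
        return None
    mapped_src = ipaddress.IPv6Address(int(rule.destination.network_address) | int(pkt.src))
    return Packet(pkt.in_zone, mapped_src, pkt.dst)


def evaluate(rule: StaticNat64Rule, pkt: Packet) -> str:
    """Verdict for the static rule alone (the source NAT leg of NAT64 is not modelled)."""
    if forward(rule, pkt) is not None:
        return "nat64-forward"
    mapped = reverse(rule, pkt)
    if mapped is None:
        return "untouched"
    if mapped.src.version != mapped.dst.version:
        # The flow trace from the post: destination IP version differs from source -> drop.
        return "drop"
    return "nat64-reverse"


NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
# The rule from the post, without and with the 'source-address ::/0' match.
RULE_WITHOUT_SOURCE = StaticNat64Rule("LAN", NAT64_PREFIX)
RULE_WITH_SOURCE = StaticNat64Rule("LAN", NAT64_PREFIX, ipaddress.IPv6Network("::/0"))

# Constructed packets (zones and addresses are assumptions).
V4_INTERNET_TO_LAN = Packet("INTERNET", ipaddress.ip_address("203.0.113.10"),
                            ipaddress.ip_address("192.0.2.5"))
V6_LAN_TO_NAT64 = Packet("LAN", ipaddress.ip_address("2001:db8::10"),
                         ipaddress.ip_address("64:ff9b::203.0.113.10"))

if __name__ == "__main__":
    for rule_name, rule in (("no source match", RULE_WITHOUT_SOURCE),
                            ("source ::/0", RULE_WITH_SOURCE)):
        for label, pkt in (("IPv4 INTERNET->LAN", V4_INTERNET_TO_LAN),
                           ("IPv6 LAN->NAT64", V6_LAN_TO_NAT64)):
            print(f"{rule_name:16s} {label:20s} -> {evaluate(rule, pkt)}")
```

Running it shows the IPv4 INTERNET-to-LAN packet is dropped by the rule without a source match (its source is rewritten to 64:ff9b::cb00:710a while the destination stays IPv4) and left untouched by the rule with source ::/0, while the genuine IPv6-to-NAT64 flow is forwarded by both.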
Links:
http://chimera.labs.oreilly.com/books/1234000001633/ch09.html#rule_sets
http://www.juniper.net/techpubs/en_US/junos12.1x46/topics/example/ipv6-initiated-connection-ipv4-node-using-default-destination-addess-configuring.html