Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides
Topic review - Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic
Post subject: Re: Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic  |  Post Posted: Wed May 11, 2016 9:15 pm
Guest wrote:
I am not seeing match source-address, which version are you using this option on?

It is only available from 12.1X46 onward.
12.1X44:
Code:
# set security nat static rule-set test rule 0 match ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Destination address
> destination-address-name  Address from address book
> destination-port     Destination port


12.1X46:
Code:
# set security nat static rule-set test rule 0 match ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Destination address
> destination-address-name  Address from address book
> destination-port     Destination port
+ source-address       Source address
+ source-address-name  Address from address book
> source-port          Source port


12.3X48:
Code:
# set security nat static rule-set test rule 0 match ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> destination-address  Destination address
> destination-address-name  Address from address book
> destination-port     Destination port
+ source-address       Source address
+ source-address-name  Address from address book
> source-port          Source port



What Junos version are you on?
Post subject: Re: Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic  |  Post Posted: Wed May 11, 2016 11:52 am
I am not seeing match source-address, which version are you using this option on?
Post subject: Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic  |  Post Posted: Thu Mar 10, 2016 10:56 am
Juniper SRX NAT64 static-nat inet impacts non-nat IPv4 traffic

If NAT64 is used on Juniper SRX with action “static-nat inet”, then IPv4 traffic hitting the security zone of NAT64 towards destinations from another zone will be dropped due to an internal misbehavior of the SRX.

Enabling SRX flow traces will show "The packet destination ip is not same as source ip version, drop it." This means that the SRX tries to apply a NAT46 action on the IPv4 traffic and evaluates the resulting IP packet with an IPv4 source and IPv6 destination. But this traffic should not be natted (example: from INTERNET to LAN).


This is caused by the following:
Code:
static {
    rule-set NAT64-ruleset {
        from zone LAN;
        rule NAT64-rule {
            match {
                destination-address 64:ff9b::/96;
            }
            then {
                static-nat {           
                    inet;               
                }                       
            }                           
        }                               
    }                                   
}             
> show security nat static rule all
node0:
--------------------------------------------------------------------------
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/1

Static NAT rule: NAT64-test           Rule-set: NAT64
  Rule-Id                    : 1 
  Rule position              : 1
  From zone                  : LAN
  Destination addresses      : 64:ff9b::
  Host addresses             : 0.0.0.0
  Netmask                    : 96
  Host routing-instance      : N/A
  Translation hits           : 9
    Successful sessions      : 0
    Failed sessions          : 9
  Number of sessions         : 0




The above rule, while correct, causes the SRX to do half translation of the IPv4->IPv4 traffic from INTERNET->LAN zones. To fix this, we need to make the static NAT64 rule a little more specific and add a match term for source-address ANY IPv6 ::/0:
Code:
# set security nat static rule-set NAT64 rule NAT64-test match source-address ::/0
# show security nat static
static {
    rule-set NAT64-ruleset {
        from zone LAN;
        rule NAT64-rule {
            match {
                source-address ::/0;
                destination-address 64:ff9b::/96;
            }
            then {
                static-nat {           
                    inet;               
                }                       
            }                           
        }                               
    }                                   
}           
# run show security nat static rule all
node0:
--------------------------------------------------------------------------
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/1

Static NAT rule: NAT64-rule           Rule-set: NAT64-ruleset
  Rule-Id                    : 1 
  Rule position              : 1
  From zone                  : LAN
  Source addresses           : ::              - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  Destination addresses      : 64:ff9b::
  Host addresses             : 0.0.0.0
  Netmask                    : 96
  Host routing-instance      : N/A
  Translation hits           : 0
    Successful sessions      : 0
    Failed sessions          : 0
  Number of sessions         : 0


Notice now that the static NAT64 rule (NAT64-rule) is more specific and matches strictly IPv6 source traffic, leaving IPv4 traffic untouched.

Links:
http://chimera.labs.oreilly.com/books/1234000001633/ch09.html#rule_sets
http://www.juniper.net/techpubs/en_US/junos12.1x46/topics/example/ipv6-initiated-connection-ipv4-node-using-default-destination-addess-configuring.html
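The thread's fix is to make the NAT64 static rule explicit about the source address family, and the `show security nat static rule all` output is where the missing term (and the failed-session counters) are visible. Below is an added example, not code from the thread or from Juniper: a small Python lint that parses that show-output text and flags static rules whose destination prefix is IPv6 but which carry no `Source addresses` term, plus the runtime symptom of hits that all fail. The two samples are reconstructed from the outputs quoted above; the parser and its field handling are my assumptions about that text format, not a Juniper API.

```python
"""Lint 'show security nat static rule all' output for NAT64 static rules
that lack a source-address match term (added example, not from the thread)."""
import ipaddress
import re

# Constructed sample: the "before" rule from the thread, no Source addresses line.
SAMPLE_BEFORE = """\
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/1

Static NAT rule: NAT64-test           Rule-set: NAT64
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : LAN
  Destination addresses      : 64:ff9b::
  Host addresses             : 0.0.0.0
  Netmask                    : 96
  Host routing-instance      : N/A
  Translation hits           : 9
    Successful sessions      : 0
    Failed sessions          : 9
  Number of sessions         : 0
"""

# Constructed sample: the "after" rule, with 'match source-address ::/0' applied.
SAMPLE_AFTER = """\
Total static-nat rules: 1
Total referenced IPv4/IPv6 ip-prefixes: 1/1

Static NAT rule: NAT64-rule           Rule-set: NAT64-ruleset
  Rule-Id                    : 1
  Rule position              : 1
  From zone                  : LAN
  Source addresses           : ::              - ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
  Destination addresses      : 64:ff9b::
  Host addresses             : 0.0.0.0
  Netmask                    : 96
  Host routing-instance      : N/A
  Translation hits           : 0
    Successful sessions      : 0
    Failed sessions          : 0
  Number of sessions         : 0
"""

RULE_HDR = re.compile(r"^Static NAT rule:\s+(\S+)\s+Rule-set:\s+(\S+)")
# Indented "Key  : value" lines; the key may contain spaces and hyphens.
FIELD = re.compile(r"^\s+([A-Za-z][A-Za-z -]*?)\s*:\s*(.*)$")


def parse_static_rules(text):
    """Return one dict per 'Static NAT rule:' block, keyed by the show-output field names."""
    rules, cur = [], None
    for line in text.splitlines():
        m = RULE_HDR.match(line)
        if m:
            cur = {"name": m.group(1), "rule_set": m.group(2)}
            rules.append(cur)
            continue
        if cur is None:
            continue  # summary lines before the first rule block
        m = FIELD.match(line)
        if m:
            cur[m.group(1).strip()] = m.group(2).strip()
    return rules


def lint_nat64_rules(rules):
    """Return (rule name, finding code, message) for NAT64-style static rules.

    'no-source-term': IPv6 destination prefix but no Source addresses term,
    the exact shape the thread shows dropping unrelated IPv4 traffic.
    'all-hits-failed': translation hits recorded but every session failed.
    """
    findings = []
    for r in rules:
        try:
            prefix = ipaddress.ip_network(
                f"{r['Destination addresses']}/{r.get('Netmask', '128')}", strict=False)
        except (KeyError, ValueError):
            continue  # not an address-based rule we can reason about
        if prefix.version != 6:
            continue  # plain IPv4 static NAT is out of scope here
        if "Source addresses" not in r:
            findings.append((r["name"], "no-source-term",
                             f"rule matches IPv6 destination {prefix} with no source-address "
                             "term; add 'match source-address ::/0' so IPv4 flows are untouched"))
        hits = int(r.get("Translation hits", "0"))
        failed = int(r.get("Failed sessions", "0"))
        if hits > 0 and failed == hits:
            findings.append((r["name"], "all-hits-failed",
                             f"{failed}/{hits} translation hits failed; check flow traces "
                             "for address-family mismatch drops"))
    return findings


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        for name, code, msg in lint_nat64_rules(parse_static_rules(sample)):
            print(f"[{label}] {name}: {code}: {msg}")
```

Run against the "before" output the lint reports both findings for `NAT64-test`; against the "after" output it reports nothing, because the `Source addresses` range `:: - ffff:...:ffff` now pins the rule to IPv6 sources. Pasting real `show security nat static rule all` output into `parse_static_rules` works the same way; the check deliberately keys on the presence of the source term rather than its value, since any IPv6 source range (not only `::/0`) removes the ambiguity the thread describes.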