IPv6 NAT helps to translate IPv4 addressesto IPv6 addresses of network devices. IPv6 NAT also helps to translatethe address between IPv6 hosts. IPv6 NAT supports source NAT, destinationNAT, and static NAT.
IPv6 NAT Overview
IPv6 has a vastly larger address space than the impending exhaustedIPv4 address space. IPv4 has been extended using techniques such asNetwork Address Translation (NAT), which allows for ranges of privateaddresses to be represented by a single public address, and temporaryaddress assignment. There are a lot of technologies to provide thetransition mechanism for the legacy IPv4 host to keep the connectionto the Internet. IPv6 NAT provides address translation between IPv4and IPv6 addressed network devices. It also provides address translationbetween IPv6 hosts. NAT between IPv6 hosts is done in a similar mannerand for similar purposes as IPv4 NAT.
IPv6 NAT in Junos OS provides the following NAT types:
Source NAT
Destination NAT
Static NAT
- Source NAT Translations Supported by IPv6 NAT
- Destination NAT Mappings Supported by IPv6 NAT
- Static NAT Mappings Supported by IPv6 NAT
Source NAT Translations Supported by IPv6 NAT
Source NAT is the translation of the source IP address of apacket leaving the Juniper Networks device. Source NAT is used toallow hosts with private IP addresses to access a public network.
IPv6 NAT in Junos OS supports the following source NAT translations:
Translation of one IPv6 subnet to another IPv6 subnetwithout port address translation
Translation of IPv4 addresses to IPv6 prefix + IPv4 addresses
Translation of IPv6 hosts to IPv6 hosts with or withoutport address translation
Translation of IPv6 hosts to IPv4 hosts with or withoutport address translation
Translation of IPv4 hosts to IPv6 hosts with or withoutport address translation
Destination NAT Mappings Supported by IPv6 NAT
Destination NAT is the translation of the destination IP addressof a packet entering the Juniper Networks device. Destination NATis used to redirect traffic destined to a virtual host (identifiedby the original destination IP address) to the real host (identifiedby the translated destination IP address).
IPv6 NAT in Junos OS supports the following destination NATtranslations:
Prefix translation between IPv4 and IPv6 prefix
Mapping of one IPv6 subnet to another IPv6 subnet
Mapping of one IPv6 subnet to an IPv6 host
Mapping of one IPv6 subnet to one IPv4 subnet
Mapping of one IPv4 subnet to one IPv6 subnet
Mapping of one IPv6 host (and optional port number) toone special IPv6 host (and optional port number)
Mapping of one IPv6 host (and optional port number) toone special IPv4 host (and optional port number)
Mapping of one IPv4 host (and optional port number) toone special IPv6 host (and optional port number)
Static NAT Mappings Supported by IPv6 NAT
Static NAT defines a one-to-one mapping from one IP subnet toanother IP subnet. The mapping includes destination IP address translationin one direction and source IP address translation in the reversedirection. From the NAT device, the original destination address isthe virtual host IP address while the mapped-to address is the realhost IP address.
IPv6 NAT in Junos OS supports the following static NAT translations:
Translation of one IPv6 subnet to another IPv6 subnet
Translation of one IPv6 host to another IPv6 host
Translation of one IPv4 address a.b.c.d to IPv6 addressPrefix::a.b.c.d
Translation of IPv4 hosts to IPv6 hosts
Translation of IPv6 hosts to IPv4 hosts
Mapping of one IPv6 prefix to one IPv4 prefix
Mapping of one IPv4 prefix to one IPv6 prefix
IPv6 NAT PT Overview
Starting in Junos OS Release 20.2R1 you can run IPv6NAT-PT Next Gen Services on MX240, MX480, and MX960 routers.
IPv6 Network Address Translation-Protocol Translation (NAT-PT)provides address allocation and protocol translation between IPv4and IPv6 addressed network devices. The translation process is basedon the Stateless IP/ICMP Translation (SIIT) method; however, the stateand the context of each communication are retained during the sessionlifetime. IPv6 NAT-PT supports Internet Control Message Protocol (ICMP),TCP, and UDP packets.
IPv6 NAT-PT supports the following types of NAT-PT:
Traditional NAT-PT—In traditional NAT-PT, the sessionsare unidirectional and outbound from the IPv6 network . TraditionalNAT-PT allows hosts within an IPv6 network to access hosts in an IPv4network. There are two variations to traditional NAT-PT: basic NAT-PTand NAPT-PT.
In basic NAT-PT, a block of IPv4 addresses at an IPv4 interfaceis set aside for translating addresses as IPv6 hosts as they initiatesessions to the IPv4 hosts. The basic NAT-PT translates the sourceIP address and related fields such as IP, TCP, UDP, and ICMP headerchecksums for packets outbound from the IPv6 domain . For inboundpackets, it translates the the destination IP address and the checksums.
Network Address Port Translation-Protocol Translation (NAPT-PT) can be combined with basic NAT-PTso that a pool of external addresses is used in conjunction withport translation. NAPT-PT allows a set of IPv6 hosts to share a singleIPv4 address. NAPT-PT translates the source IP address, source transportidentifier, and related fields such as IP, TCP, UDP, and ICMP headerchecksums, for packets outbound from the IPv6 network. The transportidentifier can be a TCP/UDP port or an ICMP query ID. For inboundpackets, it translates the destination IP address, destination transportidentifier, and the IP and the transport header checksums.
Bidirectional NAT-PT—In bidirectional NAT-PT, sessionscan be initiated from hosts in the IPv4 network as well as the IPv6network. IPv6 network addresses are bound to IPv4 addresses, eitherstatically or dynamically as connections are established in eitherdirection. The static configuration is similar to static NAT translation.Hosts in IPv4 realm access hosts in the IPv6 realm using DNS for addressresolution. A DNS ALG must be employed in conjunction with bidirectionalNAT-PT to facilitate name-to-address mapping. Specifically, the DNSALG must be capable of translating IPv6 addresses in DNS queries andresponses into their IPv4 address bindings, and vice versa, as DNSpackets traverse between IPv6 and IPv4 realms.
Note:
The devices partially support the bidirectional NAT-PT specification. It supports flow of bidirectional traffic assumingthat there are other ways to convey the mapping between the IPv6 addressand the dynamically allocated IPv4 address. For example, a local DNScan be configured with the mapped entries for IPv4 nodes to identifythe addresses.
NAT- PT Operation—The devices support the traditionalNAT-PT and allow static mapping for the user to communicate from IPv4to IPv6 . The user needs to statically configure the DNS server withan IPv4 address for the hostname and then create a static NAT on thedevice for the IPv6-only node to communicate from an IPv4-only nodeto an IPv6-only node based on the DNS.
IPv6 NAT-PT Communication Overview
NAT-PT communication with static mapping— Network Address Translation-Protocol Translation (NAT-PT)can be done in two directions, from IPv6 to IPv4 and vice versa. Foreach direction, static NAT is used to map the destination host toa local address and a source address NAT is used to translate thesource address. There are two types of static NAT and source NATmapping: one-to-one mapping and prefix-based mapping.
NAT- PT communication with DNS ALG—A DNS-based mechanism dynamically maps IPv6 addresses toIPv4-only servers. NAT-PT uses the DNS ALG to transparently do thetranslations. For example, a company using an internal IPv6 networkneeds to be able to communicate with external IPv4 servers that donot yet have IPv6 addresses.
To support the dynamic address binding, a DNS should be usedfor name resolution. The IPv4 host looks up the name of the IPv6 nodein its local configured IPv4 DNS server, which then passes the queryto the IPv6 DNS server through a device using NAT-PT.
The DNS ALG in NAT device :
Translates the IPv6 address resolution back to IPv4 addressresolution.
Allocates an IPv6 address for the mapping.
Stores a mapping of the allocated IPv4 address to theIPv6 address returned in the IPv6 address resolution so that the sessioncan be established from any-IPv4 hosts to the IPv6 host.
See Also
Example: Configuring an IPv4-Initiated Connection to an IPv6Node Using Default Destination Address Prefix Static Mapping
This example shows how to configure an IPv4-initiatedconnection to an IPv6 node using default destination address prefixstatic mapping.
- Requirements
- Overview
- Configuration
- Verification
Requirements
Before you begin, configure interfaces andassign them to security zones.
Overview
The following example describes how to configure an IPv4-initiatedconnection to an IPv6 node that has a static mapping 126-based IPv6address defined on its interface and static mapping /126 set up onthe device. This example assumes that the IPv6 addresses to be mappedto IPv4 addresses make the IPv4 addresses part of the IPv6 addressspace.
Configuring an IPv4-initiated connection to an IPv6 node isuseful when the devices on the IPv4 network must be interconnectedto the devices on the IPv6 network and during migration of an IPv4network to an IPv6 network. The mapping can be used for DNS ALG forreverse lookup of IPv4 addresses from IPv6 addresses, for the trafficinitiated from the IPv6 network. This process also provides connectivityfor sessions initiated from IPv4 nodes with IPv6 nodes on the otherside of the NAT/PT device.
Configuration
Procedure
- CLI Quick Configuration
- Step-by-Step Procedure
- Results
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security nat static rule-set test_rs from interface ge-0/0/0.0set security nat static rule-set test_rs rule test_rule match destination-address 10.1.1.0/30 set security nat static rule-set test_rs rule test_rule then static-nat prefix 2001:db8::/126 set security nat source pool myipv6_prefix address 2001:db8::/126set security nat source rule-set myipv6_rs from interface ge-0/0/0.0 set security nat source rule-set myipv6_rs to interface ge-0/0/1.0 set security nat source rule-set myipv6_rs rule ipv6_rule match source-address 10.1.1.45/30set security nat source rule-set myipv6_rs rule ipv6_rule match destination-address 2001:db8::/96 set security nat source rule-set myipv6_rs rule ipv6_rule then source-nat pool myipv6_prefix
Step-by-Step Procedure
The following example requires you to navigate variouslevels in the configuration hierarchy.
To configure an IPv4-initiated connection to an IPv6 node usingstatic destination address one-to-one mapping:
-
Configure the static NAT rule set for an interface.
[edit security nat static]user@host# set rule-set test_rs from interface ge-0/0/0.0
-
Define the rule to match the destination address prefix.
Note:
The destination address number in the match rule must be a number equal to the static-nat prefix range.
There is no limitation on the source address number in the match rule.
[edit security nat static rule-set test_rs]user@host# set rule test_rule match destination-address 10.1.1.0/30
Define the static NAT prefix for the device.
[edit security nat static rule-set test_rs]user@host# set rule test_rule then static-nat prefix 2001:db8::/126
-
Configure the source NAT pool with an IPv6 address prefix.
[edit security nat source]user@host# set pool myipv6_prefix address 2001:db8::/126
-
Configure the source NAT rule set for the interface.
[edit security nat source]user@host# set rule-set myipv6_rs from interface ge-0/0/0.0user@host# set rule-set myipv6_rs to interface ge-0/0/1.0
-
Configure the IPv6 source NAT source address.
Note:
The source address number in the match rule must be an address number equal to the source pool range. For example, ^2(32 – 30) = 2^(128 – 126) =>.
There is no limitation on the destination address number in the match rule.
[edit security nat source rule-set myipv6_rs]user@host# set rule ipv6_rule match source-address 10.1.1.45/30
-
Configure the IPv6 source NAT destination address.
[edit security nat source rule-set myipv6_rs]user@host# set rule ipv6_rule match destination-address 2001:db8::/96
-
Define the configured source NAT IPv6 pool in the rule.
[edit security nat source rule-set myipv6_rs]user@host# set rule ipv6_rule then source-nat pool myipv6_prefix
Results
From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
source { pool myipv6_prefix { address { 2001:db8::/126; } } rule-set myipv6_rs { from interface ge-0/0/0.0; to interface ge-0/0/1.0; rule ipv6_rule { match { source-address 10.1.1.45/30; destination-address 2001:db8::/96; } then { source-nat { pool { myipv6_prefix; } } } } }}static { rule-set test_rs { from interface ge-0/0/0.0; rule test_rule { match { destination-address 10.1.1.0/30; } then { static-nat { prefix { 2001:db8::/126; } } } } }}If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is workingproperly, perform these tasks:
- Verifying That Static NAT Is Configured
- Verifying That Source NAT Is Configured
Verifying That Static NAT Is Configured
- Purpose
- Action
Purpose
Verify whether static NAT is configured with an interface,a destination address, and a prefix.
Action
From operational mode, enter the show securitynat static command.
Verifying That Source NAT Is Configured
- Purpose
- Action
Purpose
Verify whether source NAT is configured.
Action
From operational mode, enter the show securitynat source command.
Example: Configuring an IPv4-Initiated Connection to an IPv6Node Using Static Destination Address One-to-One Mapping
This example shows how to configure an IPv4-initiatedconnection to an IPv6 node using static destination address one-to-onemapping.
- Requirements
- Overview
- Configuration
- Verification
Requirements
Before you begin, configure the interfacesand assign the interfaces to security zones.
Overview
The following example describes how to configure an IPv4 nodeto communicate with an IPv6 node using one-to-one static NAT on thedevice.
The communication of an IPv4 node with an IPv6 node is usefulfor IPv4 hosts accessing an IPv6 server, for new servers that supportIPv6 only and that need to be connected to the IPv6 network, and formigrating of old hosts to the new server when most of the machineshave already moved to IPv6. For example, you can use this featureto connect an IPv4-only node to an IPv6-only printer. This mappingcan also be used for DNS ALG for reverse lookup of IPv4 addressesfrom IPv6 addresses for traffic that is initiated from the IPv6 network.
In this example, the source IPv4 address matching the prefix10.10.10.1/30 is added with the IPv6 prefix 2001:db8::/96 to formthe translated source IPv6 address and the destination IPv4 address10.1.1.25/32 is translated to IPv6 address 2001:db8::25/128.
Configuration
Procedure
- CLI Quick Configuration
- Step-by-Step Procedure
- Results
CLI Quick Configuration
To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.
set security nat static rule-set test_rs from interface ge-0/0/1set security nat static rule-set test_rs rule test_rule match destination-address 10.1.1.25/32 set security nat static rule-set test_rs rule test_rule then static-nat prefix 2001:db8::25/128 set security nat source pool myipv6_prefix address 2001:db8::/96set security nat source rule-set myipv6_rs from interface ge-0/0/1 set security nat source rule-set myipv6_rs to interface ge-0/0/2 set security nat source rule-set myipv6_rs rule ipv6_rule match source-address 10.10.10.1/30set security nat source rule-set myipv6_rs rule ipv6_rule match destination-address 2001:db8::25 set security nat source rule-set myipv6_rs rule ipv6_rule then source-nat pool myipv6_prefix
Step-by-Step Procedure
The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode.
To configure an IPv4-initiated connection to an IPv6 node usingstatic destination address one-to-one mapping:
Configure the static NAT rule set for an interface.
[edit security nat static]user@host# set rule-set test_rs from interface ge-0/0/1
Define the rule and the destination address.
[edit security nat static rule-set test_rs]user@host# set rule test_rule match destination-address 10.1.1.25/32
Define the static NAT prefix.
[edit security nat static rule-set test_rs]user@host# set rule test_rule then static-nat prefix 2001:db8::25/128
Configure a source NAT pool with an IPv6 prefix address.
[edit security]user@host# set nat source pool myipv6_prefix address 2001:db8::/96
Configure the source NAT rule set.
[edit security nat source]user@host# set rule-set myipv6_rs from interface ge-0/0/1user@host# set rule-set myipv6_rs to interface ge-0/0/2
Configure the source NAT source address.
[edit security nat source rule-set myipv6_rs]user@host# set rule ipv6_rule match source-address 10.10.10.1/30
Configure the source NAT destination address.
[edit security nat source rule-set myipv6_rs]user@host# set rule ipv6_rule match destination-address 2001:db8::25
Define a configured source NAT IPv6 pool in the rule.
[edit security nat source rule-set myipv6_rs]user@host# set rule ipv6_rule then source-nat pool myipv6_prefix
Results
From configuration mode, confirm your configurationby entering the show security nat command. If the outputdoes not display the intended configuration, repeat the configurationinstructions in this example to correct it.
[edit]user@host# show security natsource { pool myipv6_prefix { address { 2001:db8::/96; } } rule-set myipv6_rs { from interface ge-0/0/1.0; to interface ge-0/0/2.0; rule ipv6_rule { match { source-address 10.10.10.1/30; destination-address 2001:db8::25; } then { source-nat { pool { myipv6_prefix; } } } } }}static { rule-set test_rs { from interface ge-0/0/1.0; rule test_rule { match { destination-address 10.1.1.25/32; } then { static-nat prefix 2001:db8::25/128; } } }}If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is workingproperly, perform these tasks:
- Verifying That Static NAT Is Configured
- Verifying That Source NAT Is Configured
Verifying That Static NAT Is Configured
- Purpose
- Action
Purpose
Verify whether static NAT is configured with an interface,a destination address, and a prefix.
Action
From operational mode, enter the show securitynat static command.
Verifying That Source NAT Is Configured
- Purpose
- Action
Purpose
Verify whether source NAT is configured.
Action
From operational mode, enter the show securitynat source command.
Example: Configuring an IPv6-Initiated Connection to an IPv4Node Using Default Destination Address Prefix Static Mapping
This example shows how to configure an IPv6-initiatedconnection to an IPv4 node using default destination address prefixstatic mapping. Thisexample does not show how to configure the NAT translation for thereverse direction.
- Requirements
- Overview
- Configuration
- Verification
Requirements
Before you begin, configure the interfacesand assign the interfaces to security zones.
Overview
The following example describes the communication of an IPv6node with an IPv4 node that has prefix-based static NAT defined onthe device. The static NAT assumes that the IPv4 network is a specialIPv6 network (that is, an IPv4-mapped IPv6 network), and hides theentire IPv4 network behind an IPv6 prefix.
The communication of an IPv6 node with an IPv4 node is usefulwhen IPv6 is used in the network and must be connected to the IPv4network, or when both IPv4 and IPv6 are used in the network and amechanism is required to interconnect the two networks during migration.This also provides connectivity for sessions initiated from IPv6 nodeswith IPv4 nodes on the other side of the NAT/PT device.
Configuration
Procedure
- CLI Quick Configuration
- Step-by-Step Procedure
- Results
CLI Quick Configuration
To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.
set security nat static rule-set test_rs from interface ge-0/0/1set security nat static rule-set test_rs rule test_rule match destination-address 2001:db8::1/96 set security nat static rule-set test_rs rule test_rule then static-nat inet set security nat source pool myipv4 address 203.0.113.2 to 203.0.113.5set security nat source rule-set myipv4_rs from interface ge-0/0/1 set security nat source rule-set myipv4_rs to interface ge-0/0/2 set security nat source rule-set myipv4_rs rule ipv4_rule match destination-address 10.1.1.15/30set security nat source rule-set myipv4_rs rule ipv4_rule match source-address 2001:db8::2/96 set security nat source rule-set myipv4_rs rule ipv4_rule then source-nat pool myipv4
Step-by-Step Procedure
The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode.
To configure an IPv6-initiated connection to an IPv4 node usingdefault destination address prefix static mapping:
Configure the static NAT for an interface.
[edit security nat static]user@host# set rule test_rs from interface ge-0/0/1
Define the rule and destination address with the prefixfor the static NAT translation defined on the device.
[edit security nat static rule-set test_rs]user@host# set rule test_rule match destination-address 2001:db8::1/96
Define the static NAT as inet to translate to an IPv4address.
[edit security nat static rule-set test_rs]user@host# set rule test_rule then static-nat inet
Configure the IPv4 source NAT pool address.
[edit security nat source]user@host# set pool myipv4 address 203.0.113.2 to 203.0.113.5
Configure the source NAT rule set.
[edit security nat source ]user@host# set rule-set myipv4_rs from interface ge-0/0/1 user@host# set rule-set myipv4_rs to interface ge-0/0/2
Configure the IPv4 source NAT destination address.
[edit security nat source rule-set myipv4_rs]user@host# set rule ipv4_rule match destination-address 10.1.1.15/30
Define the source address with the prefix for the sourceNAT defined on the device.
[edit security nat source rule-set myipv4_rs]user@host# set rule ipv4_rule match source-address 2001:db8::2/96
Define a configured source NAT IPv4 pool in the rule.
[edit security nat source rule-set myipv4_rs]user@host# set rule ipv4_rule then source-nat pool myipv4
Results
From configuration mode, confirm your configurationby entering the show security nat command. If the outputdoes not display the intended configuration, repeat the configurationinstructions in this example to correct it.
[edit]user@host# show security natsource { pool myipv4 { address { 203.0.113.2/32 to 203.0.113.5/32; } } rule-set myipv4_rs { from interface ge-0/0/1.0; to interface ge-0/0/2.0; rule ipv4_rule { match { source-address 2001:db8::/96; destination-address 10.1.1.15/30; } then { source-nat { pool { myipv4; } } } } }}static { rule-set test_rs { from interface ge-0/0/1.0; rule test_rule { match { destination-address 2001:db8::1/96; } then { static-nat inet; } } }}If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is workingproperly, perform these tasks:
- Verifying That Static NAT Is Configured
- Verifying That Source NAT Is Configured
Verifying That Static NAT Is Configured
- Purpose
- Action
Purpose
Verify whether static NAT is configured with an interface,a destination address, and a prefix.
Action
From operational mode, enter the show securitynat static rule command.
user@host> show security nat static rule test_rule Static NAT rule: test_rule Rule-set: test_rs Rule-Id : 2 Rule position : 2 From interface : ge-0/0/1.0 Destination addresses : 2001:db8::1 Host addresses : 0.0.0.0 Netmask : 96 Host routing-instance : N/A Translation hits : 0 Successful sessions : 0 Failed sessions : 0 Number of sessions : 0
Verifying That Source NAT Is Configured
- Purpose
- Action
Purpose
Verify whether source NAT is configured.
Action
From operational mode, enter the show securitynat source rule command.
user@host> show security nat source rule ipv4_rule source NAT rule: ipv4_rule Rule-set: myipv4_rs Rule-Id : 2 Rule position : 2 From interface : ge-0/0/1.0 To interface : ge-0/0/2.0 Match Source addresses : 2001:db8:: - 2001:db8::ffff:ffff Destination addresses : 10.1.1.15 - 10.1.1.15 Action : myipv4 Persistent NAT type : N/A Persistent NAT mapping type : address-port-mapping Inactivity timeout : 0 Max session number : 0 Translation hits : 0 Successful sessions : 0 Failed sessions : 0 Number of sessions : 0
From operational mode, enter the show security nat sourcepool command.
user@host> show security nat source pool myipv4 Pool name : myipv4Pool id : 5Routing instance : defaultHost address base : 0.0.0.0Port : [1024, 63487] Twin port : [63488, 65535]Port overloading : 1Address assignment : no-pairedTotal addresses : 4Translation hits : 0Address range Single Ports Twin Ports 203.0.113.2 - 203.0.113.5 0 0
Example: Configuring an IPv6-Initiated Connection to an IPv4Node Using Static Destination Address One-to-One Mapping
This example shows how to configure an IPv6-initiatedconnection to an IPv4 node using static destination address one-to-onemapping.
- Requirements
- Overview
- Configuration
- Verification
Requirements
Before you begin, configure the interfacesand assign the interfaces to security zones.
Overview
The following example describes the communication of an IPv6node with an IPv4 node that has a one-to-one static NAT address definedon the device. The communication of an IPv6 node with an IPv4 nodeallows IPv6 hosts to access an IPv4 server when neither of the deviceshas a dual stack and must depend on the NAT/PT device to communicate.This enables some IPv4 legacy server applications to work even afterthe network has migrated to IPv6.
Configuration
Procedure
- CLI Quick Configuration
- Step-by-Step Procedure
- Results
CLI Quick Configuration
To quickly configure this example, copy thefollowing commands, paste them into a text file, remove any line breaks,change any details necessary to match your network configuration,copy and paste the commands into the CLI at the [edit] hierarchylevel, and then enter commit from configuration mode.
set security nat static rule test_rs from interface ge-0/0/1set security nat static rule test_rs rule test_rule match destination-address 2001:db8::15/128 set security nat static rule test_rs rule test_rule then static-nat prefix 10.2.2.15/32 set security nat source pool myipv4 address 203.0.113.2 to 203.0.113.3set security nat source rule myipv4_rs from interface ge-0/0/1 set security nat source rule myipv4_rs to interface ge-0/0/2 set security nat source rule myipv4_rs rule ipv4_rule match source-address 2001:db8::/96set security nat source rule myipv4_rs rule ipv4_rule match destination-address 10.2.2.15 set security nat source rule myipv4_rs rule ipv4_rule then source-nat pool myipv4
Step-by-Step Procedure
The following example requires you to navigate variouslevels in the configuration hierarchy. For instructions on how todo that, see Using the CLI Editor in ConfigurationMode.
To configure an IPv6-initiated connection to an IPv4 node usingstatic destination address one-to-one mapping:
Configure the static NAT rule set for an interface.
[edit security nat static]user@host# set rule-set test_rs from interface ge-0/0/1
Define a rule to match the destination address.
[edit security nat static rule-set test_rs]user@host# set rule test_rule match destination-address 2001:db8::15/128
Define the static NAT prefix to the rule.
[edit security nat static rule-set test_rs]user@host# set rule test_rule then static-nat prefix 10.2.2.15/32
Configure a source NAT pool with an IPv4 addresses.
[edit security nat]user@host# set source pool myipv4 address 203.0.113.2 203.0.113.3
Configure the IPv4 address for the interface.
[edit security nat source ]user@host# set rule-set myipv4_rs from interface ge-0/0/1
Configure the source address to the IPv4 source NAT address.
[edit security nat source rule-set myipv4_rs]user@host# set rule ipv4_rule match source-address 2001:db8::/96
Configure the destination address to IPv4 source NAT address.
[edit security nat source rule-set myipv4_rs]user@host# set rule ipv4_rule match destination-address 10.2.2.15
Define the configured source NAT IPv4 pool in the rule.
[edit security nat source rule-set myipv4_rs]user@host# set rule ipv4_rule then source-nat pool myipv4
Results
From configuration mode, confirm your configurationby entering the show security nat command. If the outputdoes not display the intended configuration, repeat the configurationinstructions in this example to correct it.
[edit]user@host# show security natsource { pool myipv4 { address { 203.0.113.2/32 to 203.0.113.3/32; } } rule-set myipv4_rs { from interface ge-0/0/1.0; to interface ge-0/0/2.0; rule ipv4_rule { match { source-address 2001:db8::/96; destination-address 10.2.2.15/32; } then { source-nat { pool { myipv4; } } } } }}static { rule-set test_rs { from interface ge-0/0/1.0; rule test_rule { match { destination-address 2001:db8::15/128; } then { static-nat prefix 10.2.2.15/32; } } }}If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is workingproperly, perform these tasks:
- Verifying That Static NAT Is Configured
- Verifying That Source NAT Is Configured
Verifying That Static NAT Is Configured
- Purpose
- Action
Purpose
Verify whether static NAT is configured with an interface,a destination address, and a prefix.
Action
From operational mode, enter the show securitynat static command.
Verifying That Source NAT Is Configured
- Purpose
- Action
Purpose
Verify whether source NAT is configured.
Action
From operational mode, enter the show securitynat source command.
Related Documentation
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
Release
Description
20.2R1
Starting in Junos OS Release 20.2R1 you can run IPv6NAT-PT Next Gen Services on MX240, MX480, and MX960 routers.
