Example: Configuring Address Persistent NAT64 Pools

This example shows how to configure address persistent NAT64 pools to ensure a sticky mapping relationship between one specific IPv6 prefix, which is calculated by the configured IPv6 prefix length, and one translated IPv4 address.

Requirements

Before you begin, be sure the existing NAT rules and pool configuration do not conflict with the new one.

Overview

In this example, you configure an IPv6 prefix length of /64 in an IPv4 source NAT pool for NAT IPv6 to IPv4 translations. Traffic that matches the NAT rule and NAT pool undergoes address-persistent translation between the IPv6 prefix and the translated IPv4 address. This configuration can be used on the provider-side translator (PLAT) in a dual-translation scenario, 464XLAT, to enable IPv4 services to work over IPv6-only networks.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

set security nat source pool NAT64 address 31.61.129.240/32 to 31.61.129.254/32
set security nat source pool NAT64 address-persistent subscriber ipv6-prefix-length 64
set security nat source rule-set RS1 from zone trust
set security nat source rule-set RS1 to zone untrust
set security nat source rule-set RS1 rule R1 match source-address 2a00:f41::/32
set security nat source rule-set RS1 rule R1 match destination-address 31.61.132.198/32
set security nat source rule-set RS1 rule R1 then source-nat pool NAT64

Step-by-Step Procedure

The following example requires you to navigate throughout various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

  1. Create a source NAT pool.
    [edit security nat source]
    user@host# set pool NAT64 address 31.61.129.240/32 to 31.61.129.254/32
  2. Specify the IPv6 prefix length for the source NAT pool.
    [edit security nat source]
    user@host# set pool NAT64 address-persistent subscriber ipv6-prefix-length 64
  3. Create a rule set.
    [edit security nat source]
    user@host# set rule-set RS1 from zone trust
    user@host# set rule-set RS1 to zone untrust
  4. Match the rule.
    [edit security nat source]
    user@host# set rule-set RS1 rule R1 match source-address 2a00:f41::/32
    user@host# set rule-set RS1 rule R1 match destination-address 31.61.132.198/32
  5. Provide the action to be performed when the rule matches.
    [edit security nat source]
    user@host# set rule-set RS1 rule R1 then source-nat pool NAT64

Results

From configuration mode, confirm your configuration by entering the show security nat command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security nat
source {
    pool NAT64 {
        address {
            31.61.129.240/32 to 31.61.129.254/32;
        }
        address-persistent subscriber ipv6-prefix-length 64;
    }
    rule-set RS1 {
        from zone trust;
        to zone untrust;
        rule R1 {
            match {
                source-address 2a00:f41::/32;
                destination-address 31.61.132.198/32;
            }
            then {
                source-nat {
                    pool {
                        NAT64;
                    }
                }
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying NAT Application to Traffic

Purpose

Verify that the same IPv6 prefix is translated to the persistent IPv4 address.

Action

From operational mode, enter the show security flow session command.
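
One way to check the result offline, as an added example that is not part of the original documentation: the Python script below takes (IPv6 source, translated IPv4) pairs, assumed to have been extracted beforehand from the show security flow session output, groups the sources by the configured /64 prefix, and flags any prefix that maps to more than one IPv4 address or to an address outside pool NAT64. The function names and the sample pairs are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Values taken from the example configuration on this page.
PREFIX_LEN = 64                                     # ipv6-prefix-length
MATCH_SRC = ipaddress.ip_network("2a00:f41::/32")   # rule R1 source-address
POOL_FIRST = ipaddress.ip_address("31.61.129.240")  # pool NAT64, first address
POOL_LAST = ipaddress.ip_address("31.61.129.254")   # pool NAT64, last address


def subscriber_prefix(src, prefix_len=PREFIX_LEN):
    """Return the IPv6 prefix that the pool treats as one subscriber."""
    return ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)


def audit(sessions):
    """Return (prefix -> set of IPv4, list of findings) for the given pairs."""
    mapping = defaultdict(set)
    problems = []
    for src, nat in sessions:
        src_ip = ipaddress.ip_address(src)
        nat_ip = ipaddress.ip_address(nat)
        if src_ip not in MATCH_SRC:
            problems.append(f"{src}: outside rule R1 source-address {MATCH_SRC}")
            continue
        if not POOL_FIRST <= nat_ip <= POOL_LAST:
            problems.append(f"{src}: translated to {nat}, outside pool NAT64")
        mapping[subscriber_prefix(src_ip)].add(nat_ip)
    # A persistent pool must show exactly one IPv4 address per prefix.
    for prefix, addrs in sorted(mapping.items()):
        if len(addrs) > 1:
            listed = ", ".join(str(a) for a in sorted(addrs))
            problems.append(f"{prefix}: not persistent, maps to {listed}")
    return dict(mapping), problems


# Constructed sample pairs (not real device output).
SAMPLE = [
    ("2a00:f41:0:1::10", "31.61.129.240"),
    ("2a00:f41:0:1::beef", "31.61.129.240"),    # same /64, same IPv4: sticky
    ("2a00:f41:0:2::10", "31.61.129.241"),
    ("2a00:f41:0:2:ffff::1", "31.61.129.242"),  # same /64, different IPv4
    ("2a00:f41:0:3::1", "31.61.130.1"),         # outside the pool range
]

if __name__ == "__main__":
    for line in audit(SAMPLE)[1]:
        print(line)
```

An empty findings list means every observed /64 prefix kept a single translated address inside the pool range.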
