
Example: Configuring Stateful NAT64 for Handling IPv4 Address Depletion


This example configures stateful NAT64 on an MX Series 3D Universal Edge router with a Services DPC. The configuration replicates the example flow found in draft-ietf-behave-v6v4-xlate-stateful-12 and RFC 6146, Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers.

This example contains the following sections:

  • Requirements

  • Implementation

  • Configuration Overview and Topology

  • Configuration

  • Verifying NAT64 Operation

Requirements

This example uses the following hardware and software components:

  • An MX Series 3D Universal Edge router with a Services DPC or an M Series Multiservice Edge router with a services PIC

  • Junos OS Release 10.2 or later

  • A name server that supports DNS64

Note

This configuration example has been tested using the software release listed and is assumed to work on all later releases.

Implementation

Juniper Networks routers with a Services PIC or Services Dense Port Concentrator (DPC) support stateful NAT64. The system directs IPv6 packets coming from IPv6-only hosts to a Services DPC where the packets are translated to IPv4 according to the configuration. In the reverse path, the system sends IPv4 packets to the Services DPC where additional system processes reverse the translation and send the corresponding IPv6 packet back to the client.

Configuration Overview and Topology

Figure 1 shows an MX Series router, Router R2, implementing NAT64 with two Gigabit Ethernet interfaces and a Services DPC. The interface connected to the IPv4 network is ge-1/3/6, and the interface connected to the IPv6 network is ge-1/3/5.

Also shown is a local name server with DNS64 functionality, which the system uses as part of the translation process. The local name server is configured with the /96 prefix assigned to the local NAT64 router.

Figure 1: NAT64 Topology

Configuration

Configuring stateful NAT64 involves the following tasks:

  • Configuring the PIC and the Interfaces

  • Configuring the NAT64 Pool

  • Configuring the Service Set

Configuring the PIC and the Interfaces

Step-by-Step Procedure

To configure the PIC and interfaces on Router R2:

  1. Edit the chassis configuration to enable a Layer 3 service package. The service package with its associated service package (sp-) interface is used to manipulate traffic before it is delivered to its destination. For details about configuring packages, see the Junos OS Services Interfaces Configuration Guide.
  2. Configure the service package at the [edit chassis fpc pic adaptive-services] hierarchy level. This example assumes that the PIC is in FPC 5, slot 0.
  3. Configure the ge-1/3/5 interface connected to the IPv6 network:

    1. Include the family inet (IPv4) and family inet6 (IPv6) statements at the [edit interfaces interface-name unit unit-number] hierarchy level.

    2. Include the IPv6 address at the [edit interfaces interface-name unit unit-number family inet6 address] hierarchy level.

    3. Configure a service set at the [edit interfaces interface-name unit unit-number family service input service-set] and the [edit interfaces interface-name unit unit-number family service output service-set] hierarchy levels.

  4. Configure the ge-1/3/6 interface connected to the IPv4 network:

    1. Include the family inet statement at the [edit interfaces interface-name unit unit-number] hierarchy level.

    2. Include the IPv4 address at the [edit interfaces interface-name unit unit-number family inet address] hierarchy level.

  5. Configure the services interface, in this example, sp-5/0/0. This example configures a system log for any services on the local host.

    The service package associated with this interface was configured in Step 2. Specify both the IPv4 and IPv6 address families at the [edit interfaces interface-name unit unit-number] hierarchy level. The service set you configure in Configuring the Service Set is associated with this interface.

Configuring the NAT64 Pool

Step-by-Step Procedure

Use this procedure to configure the NAT64 router, Router R2, with the /96 prefix to represent IPv4 addresses in the IPv6 address space. IPv6 packets addressed to a destination address containing the /96 prefix are then routed to the IPv6 interface of the NAT router. You also configure one or more IPv4 transport addresses for the NAT pool.

This example shows how to configure the network address translation for the IPv4 address 203.0.113.1/32. It also shows how to configure the IPv6 prefix 64:FF9B::/96. To configure the NAT64 pool:

  1. Configure an IPv4 transport address for the pool at the [edit services nat pool pool-name] hierarchy level. Configure the NAT pool port to be automatically assigned.
  2. Configure a NAT rule to translate the packets from the IPv6 network. NAT rules specify the traffic to be matched and the action to be taken when traffic matches the rule.

    In this example, only one rule is required to accomplish the address translation. The rule selects all traffic coming from the source address on the IPv6 network, 2001:DB8::1/128. The transport address configured in Step 1 is then specified for the translation using the /96 prefix.

    Configure the rule at the [edit services nat rule rule-name] hierarchy level.

Configuring the Service Set

Step-by-Step Procedure

To configure the service set for the NAT service on Router R2, you must associate the previously configured rule (nat64) and service interface (sp-5/0/0) with the service set. You also include a system log configuration.

To configure these settings at the [edit services service-set service-set-name] hierarchy level:

  1. Configure the system log.
  2. Associate the NAT rule and the service interface with the service set at the [edit services service-set service-set-name] hierarchy level.
  3. On Router R2, commit the configuration.

Verifying NAT64 Operation

You can use the following features to verify your NAT64 configuration:

  • CLI commands on the router

  • Logging

You can also use a test tool that can generate IPv6 flows directed to the MX Series router, using the well-known prefix (64:FF9B::/96) as the destination.

Among others, you can use the following CLI commands to verify your NAT64 configuration:

  • show services stateful-firewall flows

  • show services stateful-firewall conversations

  • show services nat pool detail

  • show services stateful-firewall statistics extensive

In this example:

  • In the input direction (IPv6 to IPv4), the IPv4 destination address is extracted from the low-order bits of the IPv6 destination address whose leading bits match the configured destination-prefix at the specified prefix length.

  • In the reverse, or output, direction (IPv4 to IPv6), the IPv4 address is appended to the destination-prefix at the specified prefix length to form the IPv6 address.
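The pool and rule configured in Configuring the NAT64 Pool, and the two translation directions just described, can be modelled end to end. The following Python model is an added example; it is not Juniper code and not the Services DPC's implementation. It uses the addresses from this example (2001:DB8::1/128 as the rule source, 64:FF9B::/96 as the destination-prefix, 203.0.113.1 as the pool transport address) and assumes a constructed IPv4 server at 192.0.2.10, an assumed port range for `port automatic`, and constructed log wording that follows the sequence described under Check System Logs. It shows the prefix embed/extract arithmetic of RFC 6052 and the stateful binding that lets the output direction translate only flows the IPv6 side initiated; IPv4 packets with no binding are dropped.

```python
import ipaddress
from collections import deque
from dataclasses import dataclass, field

# Addresses from the page's example (rule source, destination-prefix, pool transport address).
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
POOL_ADDRESS = ipaddress.IPv4Address("203.0.113.1")
RULE_SOURCE = ipaddress.IPv6Network("2001:db8::1/128")
# Assumption: 'port automatic' draws transport ports from this range; the real range is not on the page.
AUTO_PORTS = range(1024, 65536)


def embed_ipv4(prefix, v4):
    """Output direction: append the 32-bit IPv4 address to the /96 prefix (RFC 6052 layout)."""
    if prefix.prefixlen != 96:
        raise ValueError("NAT64 destination-prefix must be /96 for this layout")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(prefix, v6):
    """Input direction: fetch the IPv4 address from the low 32 bits, only when the prefix matches."""
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


@dataclass
class StatefulNat64:
    """Minimal stateful NAT64 binding table: one pool address, automatic port allocation."""
    prefix: ipaddress.IPv6Network = NAT64_PREFIX
    pool_address: ipaddress.IPv4Address = POOL_ADDRESS
    rule_source: ipaddress.IPv6Network = RULE_SOURCE
    bindings: dict = field(default_factory=dict)      # (v6 src, sport) -> (pool addr, pool port)
    reverse: dict = field(default_factory=dict)       # (pool addr, pool port) -> (v6 src, sport)
    free_ports: deque = field(default_factory=lambda: deque(AUTO_PORTS))
    log: list = field(default_factory=list)           # constructed log lines, not Junos syslog format

    def translate_in(self, v6_src, sport, v6_dst, dport):
        """IPv6 -> IPv4 (input direction). Returns the IPv4 4-tuple, or None if not translated."""
        src, dst = ipaddress.IPv6Address(v6_src), ipaddress.IPv6Address(v6_dst)
        if src not in self.rule_source:
            return None                       # rule 'from source-address' does not match
        v4_dst = extract_ipv4(self.prefix, dst)
        if v4_dst is None:
            return None                       # destination is not inside the /96 prefix
        key = (src, sport)
        if key not in self.bindings:
            if not self.free_ports:
                return None                   # pool exhausted: no port to allocate
            port = self.free_ports.popleft()
            self.bindings[key] = (self.pool_address, port)
            self.reverse[(self.pool_address, port)] = key
            self.log.append(f"rule nat64 matched {src}:{sport}")
            self.log.append(f"flow created {src}:{sport} -> {self.pool_address}:{port}")
        v4_src, v4_sport = self.bindings[key]
        return (str(v4_src), v4_sport, str(v4_dst), dport)

    def translate_out(self, v4_src, sport, v4_dst, dport):
        """IPv4 -> IPv6 (output direction). Only packets matching an existing binding pass."""
        key = (ipaddress.IPv4Address(v4_dst), dport)
        if key not in self.reverse:
            return None                       # unsolicited inbound IPv4: no state, so dropped
        v6_dst, v6_dport = self.reverse[key]
        v6_src = embed_ipv4(self.prefix, ipaddress.IPv4Address(v4_src))
        return (str(v6_src), sport, str(v6_dst), v6_dport)

    def close_session(self, v6_src, sport):
        """Session end: release the pool port and delete the flow."""
        key = (ipaddress.IPv6Address(v6_src), sport)
        binding = self.bindings.pop(key, None)
        if binding is None:
            return False
        del self.reverse[binding]
        self.free_ports.appendleft(binding[1])
        self.log.append(f"pool release {binding[0]}:{binding[1]}")
        self.log.append(f"flow deleted {key[0]}:{key[1]}")
        return True


if __name__ == "__main__":
    nat = StatefulNat64()
    # Constructed IPv4 server 192.0.2.10 (TEST-NET-1), reached by the IPv6 host as 64:ff9b::c000:20a.
    print(nat.translate_in("2001:db8::1", 40000, "64:ff9b::c000:20a", 80))
    print(nat.translate_out("192.0.2.10", 80, "203.0.113.1", 1024))
    print(nat.translate_out("192.0.2.10", 80, "203.0.113.1", 5555))  # no binding -> None
    print(nat.close_session("2001:db8::1", 40000), nat.log)
```

The two helper functions are the direction bullets above in code: `extract_ipv4` only succeeds when the IPv6 destination lies inside the configured prefix, and `embed_ipv4` rebuilds the IPv6 source by appending the IPv4 address to that prefix. The binding table is what `show services stateful-firewall flows` and `show services nat pool detail` report on a real router, and the four log lines mirror the rule match, flow creation, pool release and flow delete events the logging section describes.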

To confirm the NAT64 configuration, perform these tasks:

  • Display NAT64 Flows

  • Display NAT64 Conversations

  • Display Global NAT Pool-Related Statistics

  • Check System Logs

  • Verify That NAT64 Conversations Take Place

Display NAT64 Flows

Purpose

Display and verify that the NAT64 flows are created and contain correct network address translation.

Action

To display the NAT64 flows on Router R2, use the show services stateful-firewall flows command.

user@R2> show services stateful-firewall flows

Meaning

In the sample output, the NAT source and NAT destination addresses of the Input (I) and Output (O) directions are displayed. The NAT64 flows listed in this output are in no specific order.

Display NAT64 Conversations

Purpose

Display and verify that the NAT64 conversations (collections of related flows) are correct.

Action

To display NAT64 conversations on Router R2, use the show services stateful-firewall conversations command. In contrast to the flows command that reports all flows in no specific order, the output of the conversations command groups the flows that belong to a conversation for easy troubleshooting of communication between a specific pair of hosts.

user@R2> show services stateful-firewall conversations

Meaning

The sample output displays the NAT64 conversations between specific pairs of hosts.

Display Global NAT Pool-Related Statistics

Purpose

Display and verify global NAT statistics related to pool usage.

Action

To display global NAT pool-related statistics on Router R2, use the show services nat pool detail command. You normally use this command in conjunction with the show services stateful-firewall flows command used in Display NAT64 Flows, which displays the NAT source and destination addresses of each translated flow.

user@R2> show services nat pool detail

Meaning

The sample output displays relevant statistics and information about the NAT64 pools.

Check System Logs

Purpose

Check the system logs because the system creates detailed logs as sessions are created and deleted.

Action

When a session is created based on the example setup, two logs are provided. The first log indicates the rule and term that the packet matched. The second log indicates the flow creation.

user@R2> show log messages

When the sessions end, the system creates a log indicating the NAT pool address and port release, in addition to the delete flow log.

Meaning

The sample output displays the log messages that can be seen when a session is created and when a session ends.

Verify That NAT64 Conversations Take Place

Purpose

Verify that the NAT64 conversations are taking place. Current support for the application-layer gateway (ALG) is limited to ICMP and traceroute.

Action

To verify that the NAT64 conversations are occurring on Router R2, use the show services stateful-firewall conversations command. The following is sample output for an ICMP echo test (ping).

user@R2> show services stateful-firewall conversations

Meaning

The sample output displays the results of the ICMP echo test.