This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX, as well as what the client and server on either side of the SRX performing the NAT see and experience, through working examples.
The DNS Application Layer Gateway is an integral part of an IPv6 to IPv4 NAT setup. It intercepts DNS queries and translates any IPv4 responses back into IPv6 addresses. This helps to make the IPv6 to IPv4 NAT experience for the user more or less seamless.
To see the DNS-ALG in action with NAT-PT, we will conduct the following demonstration. First we will set up SRX-12 to provide IPv4 Internet access to our lab setup. Note that SRX-12 does not support IPv6 in any capacity; there isn't an inet6.0 table present.
SRX-12's lack of IPv6 support
juniper@SRX-12> show route summary
Autonomous system number: 65100
Router ID: 10.0.99.12

inet.0: 66 destinations, 67 routes (66 active, 0 holddown, 0 hidden)
              Direct:      3 routes,      3 active
               Local:      3 routes,      3 active
                 BGP:     56 routes,     55 active
              Static:      2 routes,      2 active
               IS-IS:      3 routes,      3 active

iso.0: 1 destinations, 1 routes (1 active, 0 holddown, 0 hidden)
              Direct:      1 routes,      1 active

juniper@SRX-12>
Our nameserver is likewise reachable only over IPv4, but it is able to return both A and AAAA records. It resides at IP address 10.0.0.53 (just pretend RFC 1918 doesn't exist for this example), or 2002::A00:35 with our version of 6 to 4 mapping (the IPv4 address placed in the low 32 bits behind the 2002:: prefix). We will configure our client to use it as a nameserver.
configuring client resolver
root@client:~# echo "nameserver 2002::A00:35" > /etc/resolv.conf
We perform a quick connectivity test from the client to the nameserver using the mapped IPv6 address.
client connectivity test to nameserver
juniper@client:~$ ping6 -c 3 2002::A00:35
PING 2002::A00:35(2002::a00:35) 56 data bytes
64 bytes from 2002::a00:35: icmp_seq=1 ttl=59 time=11.4 ms
64 bytes from 2002::a00:35: icmp_seq=2 ttl=59 time=10.5 ms
64 bytes from 2002::a00:35: icmp_seq=3 ttl=59 time=8.75 ms

--- 2002::A00:35 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 8.752/10.253/11.458/1.124 ms
juniper@client:~$
Next, we look up the address of an IPv4-only machine, ipv4.whatismyv6.com, on the client.
resolving IPv4 only host on client
juniper@client:~$ host ipv4.whatismyv6.com
ipv4.whatismyv6.com has address 66.117.47.214
juniper@client:~$
Now, we translate the IPv4 address we resolved for ipv4.whatismyv6.com to our IPv6 NAT mapping, and try a basic connectivity test.
client connectivity test to IPv4 only host on the Internet
juniper@client:~$ ping6 -c 1 2002::4275:2FD6
PING 2002::4275:2FD6(2002::4275:2fd6) 56 data bytes
64 bytes from 2002::4275:2fd6: icmp_seq=1 ttl=46 time=117 ms

--- 2002::4275:2FD6 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 117.112/117.112/117.112/0.000 ms
juniper@client:~$
Pinging it shows that we have the basic datapath in place, but when we try to fetch the web page we find that it doesn't exist. This will happen with a lot of web servers that use virtual hosting: they need the hostname from the URL (the HTTP Host header) so they can tell which virtual host to retrieve the pages for, and a bare IPv6 literal does not give them one.
http access fails to retrieve proper page
juniper@client:~$ wget ipv4.whatismyv6.com
--2014-01-25 12:46:42--  http://ipv4.whatismyv6.com/
Resolving ipv4.whatismyv6.com (ipv4.whatismyv6.com)... 66.117.47.214
Connecting to ipv4.whatismyv6.com (ipv4.whatismyv6.com)|66.117.47.214|:80... failed: Network is unreachable.
juniper@client:~$ wget http://[2002::4275:2FD6]
--2014-01-25 12:40:47--  http://[2002::4275:2fd6]/
Connecting to 2002::4275:2fd6:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://whatismyv6.com/ [following]
--2014-01-25 12:40:47--  http://whatismyv6.com/
Resolving whatismyv6.com (whatismyv6.com)... 2001:4810::110, 66.117.47.214
Connecting to whatismyv6.com (whatismyv6.com)|2001:4810::110|:80... failed: Connection refused.
Connecting to whatismyv6.com (whatismyv6.com)|66.117.47.214|:80... failed: Network is unreachable.
juniper@client:~$
The solution to this problem is the DNS Application Layer Gateway, the DNS-ALG. On the SRX the DNS-ALG performs several functions, one of which is IPv4 to IPv6 address transformation: it modifies the DNS payload to match the NAT parameters. This is actually on by default. We disabled the DNS-ALG for the above tests to demonstrate how it functions in this capacity. After we re-enable the DNS-ALG, we repeat the tests from the client.
client connection tests with DNS-ALG enabled
juniper@client:~$ host ipv4.whatismyv6.com
ipv4.whatismyv6.com has address 66.117.47.214
ipv4.whatismyv6.com has IPv6 address 2002::4275:2fd6
juniper@client:~$ wget http://ipv4.whatismyv6.com
--2014-01-25 12:48:22--  http://ipv4.whatismyv6.com/
Resolving ipv4.whatismyv6.com (ipv4.whatismyv6.com)... 2002::4275:2fd6, 66.117.47.214
Connecting to ipv4.whatismyv6.com (ipv4.whatismyv6.com)|2002::4275:2fd6|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1426 (1.4K) [text/html]
Saving to: `index.html'

100%[======================================>] 1,426       --.-K/s   in 0s

2014-01-25 12:48:22 (30.1 MB/s) - `index.html' saved [1426/1426]

juniper@client:~$
Note that in the above example, when the client resolved ipv4.whatismyv6.com, an IPv6 entry matching our NAT mapping was inserted into the results alongside the original A record. A trace of the DNS-ALG shows it in action for the above test.
DNS-ALG trace on SRX-11
Jan 25 11:43:54 11:43:54.314240:CID-0:RT: name size: 16, remain length: 141
Jan 25 11:43:54 11:43:54.314244:CID-0:RT: type: 1, class: 1
Jan 25 11:43:54 11:43:54.314247:CID-0:RT:===>answers RRs: number = 1
Jan 25 11:43:54 11:43:54.314250:CID-0:RT: DNS name has compression pointer
Jan 25 11:43:54 11:43:54.314253:CID-0:RT: whatismyv6.com
Jan 25 11:43:54 11:43:54.314255:CID-0:RT: name size: 2, remain length: 121
Jan 25 11:43:54 11:43:54.314258:CID-0:RT: rr data length: 4
Jan 25 11:43:54 11:43:54.314260:CID-0:RT: type: A (host address)
Jan 25 11:43:54 11:43:54.314262:CID-0:RT: addr: 66.117.47.214
Jan 25 11:43:54 11:43:54.314274:CID-0:RT: ip_count: 1,rr_count: 1
Jan 25 11:43:54 11:43:54.314277:CID-0:RT:===>authority RRs: number = 2
Jan 25 11:43:54 11:43:54.314279:CID-0:RT: DNS name has compression pointer
Jan 25 11:43:54 11:43:54.314282:CID-0:RT: whatismyv6.com
Jan 25 11:43:54 11:43:54.314284:CID-0:RT: name size: 2, remain length: 105
Jan 25 11:43:54 11:43:54.314287:CID-0:RT: rr data length: 16
Jan 25 11:43:54 11:43:54.314290:CID-0:RT: type: 2
Jan 25 11:43:54 11:43:54.314292:CID-0:RT: DNS name has compression pointer
Jan 25 11:43:54 11:43:54.314294:CID-0:RT: whatismyv6.com
Jan 25 11:43:54 11:43:54.314296:CID-0:RT: name size: 2, remain length: 77
Jan 25 11:43:54 11:43:54.314298:CID-0:RT: rr data length: 5
Jan 25 11:43:54 11:43:54.314300:CID-0:RT: type: 2
Jan 25 11:43:54 11:43:54.314302:CID-0:RT: ip_count: 1,rr_count: 3
Jan 25 11:43:54 11:43:54.314305:CID-0:RT:===>additional RRs: number = 3
Jan 25 11:43:54 11:43:54.314307:CID-0:RT: DNS name has compression pointer
Jan 25 11:43:54 11:43:54.314309:CID-0:RT: DNS name has compression pointer
Jan 25 11:43:54 11:43:54.314311:CID-0:RT: ns.hotnic.net
Jan 25 11:43:54 11:43:54.314313:CID-0:RT: name size: 2, remain length: 60
Jan 25 11:43:54 11:43:54.314316:CID-0:RT: rr data length: 4
Jan 25 11:43:54 11:43:54.314318:CID-0:RT: type: A (host address)
Jan 25 11:43:54 11:43:54.314319:CID-0:RT: addr: 66.117.47.210
Jan 25 11:43:54 11:43:54.314326:CID-0:RT: DNS name has compression pointer
Jan 25 11:43:54 11:43:54.314328:CID-0:RT: DNS name has compression pointer
Jan 25 11:43:54 11:43:54.314331:CID-0:RT: ns.hotnic.net
Jan 25 11:43:54 11:43:54.314333:CID-0:RT: name size: 2, remain length: 44
Jan 25 11:43:54 11:43:54.314336:CID-0:RT: rr data length: 16
Jan 25 11:43:54 11:43:54.314338:CID-0:RT: type: AAAA (ipv6 address)
Jan 25 11:43:54 11:43:54.314340:CID-0:RT: addr: 2001:4810:0:0:0:0:0:53
Jan 25 11:43:54 11:43:54.314350:CID-0:RT: DNS name has compression pointer
Jan 25 11:43:54 11:43:54.314353:CID-0:RT: ns2.hotnic.net
Jan 25 11:43:54 11:43:54.314355:CID-0:RT: name size: 2, remain length: 16
Jan 25 11:43:54 11:43:54.314358:CID-0:RT: rr data length: 4
Jan 25 11:43:54 11:43:54.314361:CID-0:RT: type: A (host address)
Jan 25 11:43:54 11:43:54.314363:CID-0:RT: addr: 66.117.54.126
Jan 25 11:43:54 11:43:54.314369:CID-0:RT: ip_count: 4,rr_count: 6
Jan 25 11:43:54 11:43:54.314372:CID-0:RT:Handle DNS Reply Packet
Jan 25 11:43:54 11:43:54.314374:CID-0:RT:Handle DNS Packet to do NATPT
Jan 25 11:43:54 11:43:54.314376:CID-0:RT:Receive an A response from V4 server to V6 client
Jan 25 11:43:54 11:43:54.314380:CID-0:RT:The response for the original A query, Forward it
Jan 25 11:43:54 11:43:54.314382:CID-0:RT:NAT Session Close on DNS Reply
Jan 25 11:43:58 11:43:58.275200:CID-0:RT:dns_alg_data_handler called. data Context 0xbf97dd20, ev 6
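To make the two ideas in this walkthrough concrete, the address mapping behind 2002::A00:35 and the A-to-AAAA rewrite the DNS-ALG trace reports, here is a small Python model of both. This is an added example written for this guide; it is not Juniper code and not the SRX implementation. It assumes the mapping is "IPv4 address in the low 32 bits of 2002::/96" (the guide only shows the worked examples, not a prefix length), the DNS reply it rewrites is constructed in the script rather than captured, and as a simplification it drops the authority and additional sections so that the existing compression pointers (which only ever point backwards, into unchanged bytes) stay valid without re-encoding the whole message; the real ALG, as the trace shows, walks and keeps those sections.

```python
import ipaddress
import struct

# The guide's mapping: IPv4 address in the low 32 bits behind 2002::. The /96 prefix
# length is an assumption inferred from the examples 10.0.0.53 -> 2002::A00:35.
NAT_PREFIX = ipaddress.IPv6Network("2002::/96")

def v4_to_v6(v4: str) -> str:
    """Map an IPv4 address to the NAT-PT IPv6 address the IPv6-only client will use."""
    mapped = int(NAT_PREFIX.network_address) | int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(mapped))

def v6_to_v4(v6: str) -> str:
    """Reverse mapping for the data path; refuses addresses outside the NAT prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in NAT_PREFIX:
        raise ValueError(f"{v6} is not inside the NAT-PT prefix {NAT_PREFIX}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))

def _read_name(msg: bytes, off: int):
    """Decode a DNS name that may use RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name as it is written at `off`)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:        # 2-byte pointer to an earlier offset in the message
            hops += 1
            if hops > 16:                # guard against pointer loops in malformed replies
                raise ValueError("DNS compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def _answer_section(msg: bytes):
    """Walk the question and answer sections.
    Returns (end of questions, [(name, type, class, ttl, rdata, rr_start, name_end, rr_end)])."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(msg, off)
        off += 4                          # QTYPE + QCLASS
    q_end, rrs = off, []
    for _ in range(ancount):
        start = off
        name, off = _read_name(msg, off)
        name_end = off
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        rrs.append((name, rtype, rclass, ttl, rdata, start, name_end, off))
    return q_end, rrs

def synthesize_aaaa(msg: bytes) -> bytes:
    """DNS-ALG style rewrite: append a AAAA answer carrying the mapped address for every
    A answer. Simplification: the authority and additional sections are dropped so that
    surviving compression pointers (backward-only, into unchanged bytes) remain valid."""
    ident, flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    q_end, rrs = _answer_section(msg)
    answers_end = rrs[-1][-1] if rrs else q_end
    extra, added = b"", 0
    for _name, rtype, rclass, ttl, rdata, start, name_end, _end in rrs:
        if rtype == 1 and rclass == 1 and len(rdata) == 4:          # A record, class IN
            v6 = ipaddress.IPv6Address(v4_to_v6(str(ipaddress.IPv4Address(rdata))))
            # Owner name copied byte-for-byte: literal labels or a backward pointer, both valid.
            extra += msg[start:name_end] + struct.pack("!HHIH", 28, 1, ttl, 16) + v6.packed
            added += 1
    header = struct.pack("!HHHHHH", ident, flags, qdcount, ancount + added, 0, 0)
    return header + msg[12:answers_end] + extra

def answer_addresses(msg: bytes):
    """Return [(owner, 'A'|'AAAA', address)] for the address RRs in the answer section."""
    out = []
    for name, rtype, _cls, _ttl, rdata, *_ in _answer_section(msg)[1]:
        if rtype == 1:
            out.append((name, "A", str(ipaddress.IPv4Address(rdata))))
        elif rtype == 28:
            out.append((name, "AAAA", str(ipaddress.IPv6Address(rdata))))
    return out

def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def build_sample_reply() -> bytes:
    """Constructed (not captured) reply mirroring the guide's lookup: one A answer whose
    owner name is a compression pointer (0xC00C) to the question name at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = _encode_name("ipv4.whatismyv6.com") + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address("66.117.47.214").packed
    return header + question + answer

if __name__ == "__main__":
    for owner, rtype, addr in answer_addresses(synthesize_aaaa(build_sample_reply())):
        print(f"{owner} has {rtype} record {addr}")
```

Running the script prints the same two-line result the client's `host` command showed once the ALG was enabled: the original A record followed by a synthesized AAAA for 2002::4275:2fd6. The reverse mapping, `v6_to_v4`, is what a NAT-PT rule applies on the data path, and it deliberately rejects addresses such as 2001:4810::110 that are real IPv6 destinations rather than mapped IPv4 ones.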