This is an illustrated guide that shows how to configure the various types of Network Address Translation (NAT) on the Juniper SRX series. Each example lists the configuration on the SRX and shows, through working examples, what the client and the server on either side of the translating SRX see and experience.
Here we will explore Network Address Translation - Protocol Translation, better known as NAT-PT. NAT-PT is defined in RFC 2766 and is an IPv4 to IPv6 transition method. NAT-PT attempts to provide a seamless communication path between hosts with only an IPv6 protocol stack and hosts with only an IPv4 protocol stack. It does this by performing not only address translation, but also protocol translation of the different fields in the headers between the two versions of IP.
The following network diagram will be used for this exploration:
The client is an IPv6 only node assigned the really clever IPv6 address of fd00:dead:babe::81/64, which is connected to SRX-11 via ge-0/0/4 through the TRUST security zone. SRX-11 is connected to an IPv4 only network via ge-0/0/5 in the UNTRUST security zone. SRX-12 serves as the core of the network, connecting SRX-11 and SRX-13 indirectly to each other and the Internet. SRX-12 is an IPv4 only node, as is SRX-13. SRX-13 hosts a server farm using the addresses 10.80.80.80 through 10.80.80.89 in its TRUST zone. All of the servers are IPv4 only nodes. A nameserver with the IPv4 address of 10.0.0.53 resides out on the Internet somewhere (just ignore RFC 1918 for now), and although it is only connected via IPv4, it is capable of serving up not only IPv4 A records, but also IPv6 AAAA records.
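The header-level protocol translation described above, for a packet from the client toward the server 10.80.80.80, as an added example (not code from this guide or from Junos) that follows the SIIT field rules of RFC 2765. The /96 prefix fd00:dead:babe:ffff::/96 and the translated source 172.18.1.11 are assumptions chosen for illustration, and the sample header is constructed.

```python
import ipaddress
import struct

# Assumed for illustration (not from the page): the /96 prefix representing
# IPv4 hosts to the client, and the IPv4 source the client is translated to.
NATPT_PREFIX = ipaddress.IPv6Network("fd00:dead:babe:ffff::/96")
V4_SOURCE = ipaddress.IPv4Address("172.18.1.11")


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def translate_header(v6_header: bytes) -> bytes:
    """Map a 40-byte IPv6 header to a 20-byte IPv4 header (SIIT field rules)."""
    if len(v6_header) != 40:
        raise ValueError("expected a bare 40-byte IPv6 header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", v6_header[:8])
    if word0 >> 28 != 6:
        raise ValueError("not an IPv6 header")
    dst6 = ipaddress.IPv6Address(v6_header[24:40])
    if dst6 not in NATPT_PREFIX:
        raise ValueError(f"{dst6} is outside the NAT-PT prefix")
    dst4 = ipaddress.IPv4Address(int(dst6) & 0xFFFFFFFF)  # low 32 bits
    tos = (word0 >> 20) & 0xFF                 # traffic class -> TOS
    proto = 1 if next_hdr == 58 else next_hdr  # ICMPv6 -> ICMP

    def pack(csum: int) -> bytes:
        # ID 0 and DF set, as for a packet with no fragment header; hop limit
        # is copied to TTL (the forwarding decrement is not modeled here).
        return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0,
                           0x4000, hop_limit, proto, csum,
                           V4_SOURCE.packed, dst4.packed)

    return pack(checksum(pack(0)))


def sample_v6_header() -> bytes:
    """Constructed sample: ICMPv6 from the client toward server 10.80.80.80."""
    src = ipaddress.IPv6Address("fd00:dead:babe::81")
    dst = NATPT_PREFIX.network_address + int(ipaddress.IPv4Address("10.80.80.80"))
    return struct.pack("!IHBB", 6 << 28, 64, 58, 64) + src.packed + dst.packed
```

Upper-layer checksums and ICMPv6 message bodies need their own translation, which this header mapping does not touch.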
All of our configuration work will be on SRX-11, trying to get the IPv6 only host to be able to talk to the IPv4 only world, and answer back to any requests from it. SRX-11 has the following baseline configuration.
SRX-11 configuration
interfaces {
    ge-0/0/4 {
        description "Connection to Client";
        unit 0 {
            family inet6 {
                address fd00:dead:babe::1/64;
            }
        }
    }
    ge-0/0/5 {
        description "Connection to SRX-12";
        unit 0 {
            family inet {
                address 172.18.1.11/24;
            }
            family iso;
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 192.168.11.11/32;
            }
            family iso {
                address 49.0000.0000.0000.0011.00;
            }
        }
    }
}
protocols {
    isis {
        level 2 disable;
        interface ge-0/0/5.0;
        interface lo0.0 {
            passive;
        }
    }
    neighbor-discovery;
}
security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
            iso {
                mode packet-based;
            }
        }
    }
    policies {
        from-zone TRUST to-zone UNTRUST {
            policy ACCEPT-ICMP {
                match {
                    source-address any;
                    destination-address any;
                    application junos-ping;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone UNTRUST {
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                    ike;
                }
            }
            interfaces {
                ge-0/0/5.0;
                lo0.0;
            }
        }
        security-zone TRUST {
            host-inbound-traffic {
                system-services {
                    ping;
                    traceroute;
                }
            }
            interfaces {
                ge-0/0/4.0;
            }
        }
    }
}

[edit]
juniper@SRX-11#