NPT66 config for ScreenOS, anyone?

Gert Doering gert at space.net
Fri May 4 15:24:32 CEST 2012


Hi Erik,

On Fri, May 04, 2012 at 09:31:57PM +0900, Erik Kline wrote:
> > What I want is "the host part and the ports stay the same, just the prefix
> > gets swapped".
> 
> I know nothing about ScreenOS config, but I think that if you want
> these parts to remain the same you'll need to specify the source and
> destination prefix somewhere as being shorter than or equal to /48s.

Well, mapping /64-to-/64 should work - not with NPT66, but the Netscreen
doesn't claim to support that.  It's more "stateful NAT66 without changing
host part or port number".

Indeed it works, if one doesn't use "DIP" (which is the "use that for
dynamic source translation for outgoing connections" thingie), but uses
a "MIP" instead - that's a "Mapped IP", and this is what works:

set interface "ethernet0/0" mip 2001:608:0:cfe::/64 ipv6 prefix 2001:db8:8::/64 vr "trust-vr"
set policy id 2 from "Trust" to "Untrust"  "Any-IPv6" "Any-IPv6" "ANY" permit log 
set policy id 3 from "Untrust" to "Trust"  "Any-IPv6" "MIP(2001:608:0:cfe::/64)" "ANY" permit log 

establishes bi-directional NAT66 mappings between internal (2001:db8:)
and external (2001:608:) /64, keeping host bits and port number intact.

Now, since I can't seem to tie this to DHCP-PD assigned prefixes, I'm not 
sure this is exactly what I *want* ("small network connecting to two
different ISPs with two DHCP-PD-assigned prefixes and no configuration
on the CPE") - but it does what I asked for :-)

thanks,

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                        Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14          Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                   HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444            USt-IdNr.: DE813185279
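
Added example, not part of the original message and not ScreenOS code: a Python sketch contrasting the plain prefix swap described above with RFC 6296 NPTv6 checksum-neutral mapping, which at /64 rewrites a word of the host part. The prefixes are the ones from the MIP line; the host address ::1234 and all function names are constructed for illustration.

```python
import ipaddress

# Prefixes from the "set interface ... mip" line in the message above.
EXTERNAL = ipaddress.IPv6Network("2001:608:0:cfe::/64")
INTERNAL = ipaddress.IPv6Network("2001:db8:8::/64")

def swap_prefix(addr, src, dst):
    """Plain prefix swap: replace src with dst, host bits untouched."""
    ip = ipaddress.IPv6Address(addr)
    if src.prefixlen != dst.prefixlen or ip not in src:
        raise ValueError(f"{ip} cannot be mapped from {src} to {dst}")
    host = int(ip) & int(src.hostmask)
    return ipaddress.IPv6Address(int(dst.network_address) | host)

def words(ip):
    """Split an address into its eight 16-bit words."""
    return [(int(ip) >> s) & 0xFFFF for s in range(112, -1, -16)]

def csum(ws):
    """One's-complement sum of 16-bit words (the TCP/UDP checksum sum)."""
    total = sum(ws)
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def npt66_map(addr, src, dst):
    """RFC 6296 checksum-neutral mapping, /64 case only (illustrative)."""
    ws = words(swap_prefix(addr, src, dst))
    # Adjustment = csum(src prefix) - csum(dst prefix), one's complement.
    adj = csum([csum(words(src.network_address)),
                ~csum(words(dst.network_address)) & 0xFFFF])
    # For prefixes longer than /48 the adjustment lands in the first
    # interface-identifier word that is not 0xFFFF.
    i = next(k for k in range(4, 8) if ws[k] != 0xFFFF)
    ws[i] = csum([ws[i], adj])
    if ws[i] == 0xFFFF:
        ws[i] = 0
    return ipaddress.IPv6Address(
        sum(w << s for w, s in zip(ws, range(112, -1, -16))))

if __name__ == "__main__":
    host = "2001:db8:8::1234"  # constructed sample host
    print("prefix swap:", swap_prefix(host, INTERNAL, EXTERNAL))
    print("NPT66 /64  :", npt66_map(host, INTERNAL, EXTERNAL))
```

Because both mappings are deterministic, an external address seen in the firewall log can be translated back to the internal host by calling the same function with the prefixes reversed.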