NPT66 config for ScreenOS, anyone?
Gert Doering
gert at space.net
Fri May 4 14:20:39 CEST 2012
Hi,

I'm trying (mostly to figure out "which variant is more broken") to set up
a setup with a Juniper SSG140 / ScreenOS 6.3, and NPT66, or any other sort
of "N:N" IPv6 NAT - and I can't find the right invocations.

N:1 IPv6 NAT to the external interface IP works just fine, but no, we
do not want to go there.

What I want is "the host part and the ports stay the same, just the prefix
gets swapped".

The documentation suggests it should be doable, by something like this:

  set interface "ethernet0/0" ipv6 ip 2001:608:0:cff::1/64
  set interface ethernet0/0 dip 4 ipv6 prefix 2001:608:0:cff::/64
  set policy from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" nat src dip-id permit log

... but it doesn't work. "debug flow basic" fails with

  ...
  Permitted by policy 2
  flow_first_reverse_mip_v6: in <bgroup0>, out <ethernet0/0>
  flow_first_policy_dst_xlate_v6: in <bgroup0>, out <ethernet0/0>
  flow_first_src_xlate_v6: in <bgroup0>, out <ethernet0/0>
  dip alloc failed. dip_id = 5
  packet dropped, dip alloc failed
  packet dropped, unkown type packet

(The available documentation talks at length about v4->v6 and v6->v4
translation, but never v6->v6...)

So - if one of you has a working configuration and could share the trick
that is needed to make this work, I'd appreciate it :-)

(And if you feel like flaming me for even trying to do IPv6 NAT, well,
go ahead, saves on heating :) ).

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG                  Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14    Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen             HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444      USt-IdNr.: DE813185279
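
Added example, not part of the original message and not ScreenOS configuration: the stateless N:N prefix mapping that RFC 6296 (NPTv6, the "NPT66" of the subject line) defines, written in Python. It shows that the mapping is checksum-neutral, and that with a /64 the correction lands in an interface-identifier word, so the host part is kept bit for bit only with prefixes of /48 or shorter. Assumptions: the inside prefix fd00:1:2:3::/64 is constructed, the function names are hypothetical, and 2001:608:0:cff::/64 is the prefix from the message.

```python
import ipaddress

def oc_add(a, b):
    """16-bit one's-complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def words(addr):
    """The eight 16-bit words of an IPv6 address, most significant first."""
    n = int(ipaddress.IPv6Address(addr))
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def oc_sum(addr):
    """One's-complement sum of the address words (its checksum contribution)."""
    total = 0
    for w in words(addr):
        total = oc_add(total, w)
    return total

def npt66(addr, from_prefix, to_prefix):
    """Stateless RFC 6296 mapping of addr from from_prefix into to_prefix."""
    addr = ipaddress.IPv6Address(addr)
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 64:
        raise ValueError("prefixes must be the same length, /64 or shorter")
    if addr not in src:
        raise ValueError(f"{addr} is outside {src}")
    # Step 1: overwrite the prefix, keep every bit behind it.
    swapped = int(dst.network_address) | (int(addr) & int(src.hostmask))
    w = words(swapped)
    # Step 2: pick the word that absorbs the checksum difference: the subnet
    # word for /48 or shorter, else the first IID word that is not 0xFFFF.
    candidates = [3] if src.prefixlen <= 48 else [4, 5, 6, 7]
    idx = next((i for i in candidates if w[i] != 0xFFFF), None)
    if idx is None:
        raise ValueError(f"{addr} cannot be mapped (0xFFFF word), drop it")
    # Adjustment = sum(old prefix) - sum(new prefix) in one's complement.
    adjustment = oc_add(oc_sum(src.network_address),
                        ~oc_sum(dst.network_address) & 0xFFFF)
    w[idx] = oc_add(w[idx], adjustment)
    if w[idx] == 0xFFFF:          # RFC 6296: a result of 0xFFFF is written as zero
        w[idx] = 0
    return ipaddress.IPv6Address(int.from_bytes(
        b"".join(x.to_bytes(2, "big") for x in w), "big"))

if __name__ == "__main__":
    # Constructed inside prefix, outside prefix from the message.
    print(npt66("fd00:1:2:3::10", "fd00:1:2:3::/64", "2001:608:0:cff::/64"))
```

Calling the same function with the two prefixes exchanged gives the return mapping, so no per-flow state is needed and ports are never touched.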