NPT66 config for ScreenOS, anyone?
Gert Doering
gert at space.net
Fri May 4 15:24:32 CEST 2012
Hi Erik,
On Fri, May 04, 2012 at 09:31:57PM +0900, Erik Kline wrote:
> > What I want is "the host part and the ports stay the same, just the prefix
> > gets swapped".
>
> I know nothing about ScreenOS config, but I think that if you want
> these parts to remain the same you'll need to specify the source and
> destination prefix somewhere as being shorter than or equal to /48s.

Well, mapping /64-to-/64 should work - not with NPT66, but the Netscreen
doesn't claim to support that. It's more "stateful NAT66 without changing
host part or port number".

Indeed it works, if one doesn't use "DIP" (which is the "use that for
dynamic source translation for outgoing connections" thingie), but uses
a "MIP" instead - that's a "Mapped IP", and this is what works:

    set interface "ethernet0/0" mip 2001:608:0:cfe::/64 ipv6 prefix 2001:db8:8::/64 vr "trust-vr"
    set policy id 2 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log
    set policy id 3 from "Untrust" to "Trust" "Any-IPv6" "MIP(2001:608:0:cfe::/64)" "ANY" permit log

establishes bi-directional NAT66 mappings between internal (2001:db8:)
and external (2001:608:) /64, keeping host bits and port number intact.

Now, since I can't seem to tie this to DHCP-PD assigned prefixes, I'm not
sure this is exactly what I *want* ("small network connecting to two
different ISPs with two DHCP-PD-assigned prefixes and no configuration
on the CPE") - but it does what I asked for :-)
thanks,
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG Vorstand: Sebastian v. Bomhard
Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen HRB: 136055 (AG Muenchen)
Tel: +49 (89) 32356-444 USt-IdNr.: DE813185279
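
Added example, not part of the original post and not ScreenOS code: a Python sketch contrasting the plain /64 prefix swap described above with a simplified RFC 6296 (NPT66) internal-to-external mapping, which for prefixes longer than /48 rewrites a 16-bit word of the host part. The two prefixes are the ones from the post; the host address ::1 and all function names are constructed for illustration.

```python
import ipaddress

INTERNAL = "2001:db8:8::/64"      # internal prefix from the post
EXTERNAL = "2001:608:0:cfe::/64"  # external (MIP) prefix from the post

def _words(n):
    """Split a 128-bit integer into eight 16-bit words, most significant first."""
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def _oc_add(a, b):
    """16-bit one's-complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def _prefix_sum(net):
    """One's-complement sum of the prefix zero-extended to /64."""
    total = 0
    for w in _words(int(net.network_address))[:4]:
        total = _oc_add(total, w)
    return total

def prefix_swap(addr, internal, external):
    """Swap the prefix and keep every host bit (the behaviour the post describes)."""
    addr = ipaddress.IPv6Address(addr)
    src, dst = ipaddress.IPv6Network(internal), ipaddress.IPv6Network(external)
    if src.prefixlen != dst.prefixlen or addr not in src:
        raise ValueError("prefix lengths differ or address is outside the internal prefix")
    return ipaddress.IPv6Address(int(dst.network_address) | (int(addr) & int(src.hostmask)))

def npt66_outbound(addr, internal, external):
    """Simplified RFC 6296 mapping: prefix swap plus checksum-neutral adjustment."""
    src, dst = ipaddress.IPv6Network(internal), ipaddress.IPv6Network(external)
    if src.prefixlen > 64:
        raise ValueError("this sketch only handles prefixes up to /64")
    words = _words(int(prefix_swap(addr, internal, external)))
    # adjustment = checksum(internal) - checksum(external), one's complement
    adjustment = _oc_add(_prefix_sum(src), ~_prefix_sum(dst) & 0xFFFF)
    # /48 or shorter: adjust the subnet word; longer: first host word that is not 0xFFFF
    candidates = [3] if src.prefixlen <= 48 else [4, 5, 6, 7]
    idx = next((i for i in candidates if words[i] != 0xFFFF), None)
    if idx is None:
        raise ValueError("no 16-bit word available for the adjustment")
    adjusted = _oc_add(words[idx], adjustment)
    words[idx] = 0 if adjusted == 0xFFFF else adjusted
    return ipaddress.IPv6Address(sum(w << (112 - 16 * i) for i, w in enumerate(words)))

if __name__ == "__main__":
    host = "2001:db8:8::1"  # constructed sample host
    print("prefix swap:", prefix_swap(host, INTERNAL, EXTERNAL))
    print("NPT66      :", npt66_outbound(host, INTERNAL, EXTERNAL))
```

With /64 prefixes the NPT66 result differs from the plain swap in bits 64..79, which is why only the stateful mapping keeps the host part unchanged.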