Hillstone Firewall NAT: NAT64

Hillstone firewall NAT64 test. The test environment is as follows:

Before translation: 3001::1 -> 2011::1
After translation: 21.1.1.1 -> 30.1.1.1


Client configuration

# 
interface Vlan-interface10 
 ip address 20.1.1.2 255.255.255.0 
# 
interface LoopBack0
 ip address 30.1.1.1 255.255.255.255 
# 
ip route-static 0.0.0.0 0 20.1.1.1
#

Server configuration

#  
interface Vlan-interface10
 ipv6 address 2001::2/64 
# 
interface LoopBack0
 ipv6 address 3001::1/128 
# 
ipv6 route-static :: 0 2001::1 
# 

Firewall configuration

interface ethernet0/0
 zone "untrust"
 ipv6 enable
 ipv6 address 2001::1/64
 ipv6 address autoconfig 
exit 
interface ethernet0/1
 zone "trust"
 ip address 20.1.1.1 255.255.255.0 
exit 

// The security policy permits the packet's original IPv6 source and destination addresses
rule id 1
 action permit
 log policy-deny
 log session-start
 src-zone "untrust"
 dst-zone "trust"
 src-addr "IPv6-any"
 dst-addr "2011::1"
 service "Any"
 name "ipv6" 
exit 
ip vrouter "trust-vr"
 snatrule id 1 from-zone "untrust" to-zone "trust" from address-book "IPv6-any" to address-book "IPv6-any" service "Any" trans-to address-book "21.1.1.1" mode dynamicip log
 dnatrule id 1 from address-book "IPv6-any" to address-book "2011::1" service "Any" trans-to address-book "30.1.1.1" log
 ip route 30.1.1.1/32 20.1.1.2
 ipv6 route 3001::1/128 2001::2 
exit 

SSH access test: from 3001::1, SSH to 2011::1.

After logging in, checking the login source IP address shows the translated IPv4 source address.

Looking at the log server, DNAT is applied first, translating 2011::1 to 30.1.1.1; then SNAT translates 3001::1 to 21.1.1.1; finally the security policy is matched.
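As an added example (not part of the original post and not Hillstone's code), the following Python model walks one packet through the three steps the log shows: DNAT, then SNAT, then the security-policy lookup, using the addresses from the post. It assumes, consistent with the address books used in the post's rules (IPv6-any, 2011::1), that every lookup matches on the original pre-translation IPv6 header; the names Packet, NatRule, Policy, process and run_session are illustrative. The second policy set shows the common mistake of writing the policy against the translated IPv4 addresses: nothing matches and the flow falls through to the default deny.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Union

# Added illustration of the NAT64 processing order seen in the post's log.
# Address values come from the post; the matching logic and names are
# assumptions for illustration, not the firewall's implementation.

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

ANY4 = ipaddress.ip_network("0.0.0.0/0")   # like the "Any" IPv4 address book
ANY6 = ipaddress.ip_network("::/0")        # like the "IPv6-any" address book


@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr


@dataclass(frozen=True)
class NatRule:
    src_match: Net
    dst_match: Net
    trans_to: Addr          # DNAT rewrites dst, SNAT rewrites src


@dataclass(frozen=True)
class Policy:
    name: str
    src_match: Net
    dst_match: Net
    action: str


def matches(pkt: Packet, rule) -> bool:
    """ipaddress membership is False across address families, so an IPv6
    header never matches an IPv4 address book and vice versa."""
    return pkt.src in rule.src_match and pkt.dst in rule.dst_match


# Mirrors the post: dnatrule to 2011::1 -> 30.1.1.1, snatrule IPv6-any -> 21.1.1.1
DNAT_RULES = [NatRule(ANY6, ipaddress.ip_network("2011::1/128"), ipaddress.ip_address("30.1.1.1"))]
SNAT_RULES = [NatRule(ANY6, ANY6, ipaddress.ip_address("21.1.1.1"))]
# Mirrors rule id 1: src IPv6-any, dst 2011::1, permit
POLICIES = [Policy("ipv6", ANY6, ipaddress.ip_network("2011::1/128"), "permit")]
# Constructed misconfiguration: policy written against post-NAT IPv4 addresses
WRONG_POLICIES = [Policy("ipv4-after-nat", ANY4, ipaddress.ip_network("30.1.1.1/32"), "permit")]


def process(pkt: Packet, dnat_rules: List[NatRule], snat_rules: List[NatRule],
            policies: List[Policy]):
    """Apply DNAT, then SNAT, then the policy lookup. All three match on the
    original header (assumption); returns (action, translated packet, trace)."""
    original = pkt
    trace = []
    for r in dnat_rules:
        if matches(original, r):
            pkt = replace(pkt, dst=r.trans_to)
            trace.append(f"dnat {original.dst} -> {pkt.dst}")
            break
    for r in snat_rules:
        if matches(original, r):
            pkt = replace(pkt, src=r.trans_to)
            trace.append(f"snat {original.src} -> {pkt.src}")
            break
    action = "deny"  # implicit default deny when no policy rule matches
    for p in policies:
        if matches(original, p):
            action = p.action
            trace.append(f"policy {p.name} {action}")
            break
    return action, pkt, trace


def run_session(src: str, dst: str, policies: List[Policy] = POLICIES):
    """Convenience wrapper returning plain strings for easy checking."""
    pkt = Packet(ipaddress.ip_address(src), ipaddress.ip_address(dst))
    action, out, trace = process(pkt, DNAT_RULES, SNAT_RULES, policies)
    return action, str(out.src), str(out.dst), trace


if __name__ == "__main__":
    for name, pols in (("policy on original IPv6", POLICIES),
                       ("policy on translated IPv4", WRONG_POLICIES)):
        action, s, d, trace = run_session("3001::1", "2011::1", pols)
        print(f"{name}: {action}, on the wire {s} -> {d}; trace: {trace}")
```

Running it reproduces the post's result for the correct policy (permit, 21.1.1.1 -> 30.1.1.1, with the dnat / snat / policy trace in that order) and a deny for the policy written against the translated addresses, which is why the post's rule id 1 references 2011::1 rather than 30.1.1.1.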

Posted 2025-11-01 00:04 by 小小流浪人