山石防火墙NAT64测试。测试环境如下:
转换前: 3001::1 -> 2011::1
转换后: 21.1.1.1 -> 30.1.1.1
Cilent配置
#
interface Vlan-interface10 ip address 20.1.1.2 255.255.255.0
#
interface LoopBack0ip address 30.1.1.1 255.255.255.255
#
ip route-static 0.0.0.0 0 20.1.1.1 #
Server配置
#
interface Vlan-interface10ipv6 address 2001::2/64
#
interface LoopBack0ipv6 address 3001::1/128
#
ipv6 route-static :: 0 2001::1
#
防火墙配置
interface ethernet0/0zone "untrust"ipv6 enableipv6 address 2001::1/64ipv6 address autoconfig
exit
interface ethernet0/1zone "trust"ip address 20.1.1.1 255.255.255.0
exit //安全策略放通数据包原始的ipv6源目地址
rule id 1action permitlog policy-denylog session-startsrc-zone "untrust"dst-zone "trust"src-addr "IPv6-any"dst-addr "2011::1"service "Any"name "ipv6"
exit
ip vrouter "trust-vr"snatrule id 1 from-zone "untrust" to-zone "trust" from address-book "IPv6-any" to address-book "IPv6-any" service "Any" trans-to address-book "21.1.1.1" mode dynamicip logdnatrule id 1 from address-book "IPv6-any" to address-book "2011::1" service "Any" trans-to address-book "30.1.1.1" logip route 30.1.1.1/32 20.1.1.2ipv6 route 3001::1/128 2001::2
exit
ssh访问测试: 使用3001::1 ssh访问2011::1。
登陆后,查看登陆源ip地址,发现为转换后的ipv4源地址。
查看日志服务器,可以看到先做了dnat,将2011::1转换为30.1.1.1。接着做snat,将3001::1转换为21.1.1.1。最后命中安全策略。 