Strata Cloud Manager
Create a NAT64 rule and configure translation.
This task uses the example in the PAN-OS diagram to configure NAT64 for IPv6-initiated communication.
  1. Enable IPv6.
    1. Select Configuration > NGFW and Prisma Access.
    2. Select Device > Device Setup > Session and edit Session Settings. Select Customize.
    3. Enable IPv6 Firewalling.
    4. Save the setting.
  2. Configure the interface with IPv6 addressing.
    1. Select Device Settings > Interfaces > Ethernet and select or add the interface to use for NAT64.
    2. Ensure the Interface Type is Layer3.
    3. In the IPv6 section, Enable IPv6 on the interface.
    4. Select Type of address as Static.
    5. Select Address Assignment and Add your private IPv6 prefix.
    6. Add the well-known prefix 64:ff9b::/96.
    7. Save the setting.
  3. Create an address object for the IPv6 destination address (pre-translation).
    1. Select Objects > Address > Addresses and Add Address.
    2. Enter the Name for the object, for example, nat64-IPv4-Server.
    3. For Type, select IP Netmask and enter the IPv6 prefix with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96). This is either the Well-Known Prefix or your Network-Specific Prefix that is configured on the DNS64 Server. For example, enter 64:FF9B::/96.
      The source and destination must have the same netmask (prefix length).
      You don't enter a full destination address because, based on the prefix length, the firewall extracts the encoded IPv4 address from the original destination IPv6 address in the incoming packet. In this example, the prefix in the incoming packet is encoded with C633:6401 in hexadecimal, which is the IPv4 destination address 198.51.100.1.
    4. Save.
  4. (Optional) Create an address object for the IPv6 source address (pre-translation).
    1. Select Objects > Address > Addresses and Add Address.
    2. Enter the Name for the object,
    3. For Type, select IP Netmask and enter the address of the IPv6 host, in this example, 2001:DB8::5/96.
    4. Save.
  5. (Optional) Create an address object for the IPv4 source address (translated).
    1. Select Objects > Address > Addresses and Add Address.
    2. Enter the Name for the object,
    3. For Type, select IP Netmask and enter the IPv4 address of the firewall's egress interface, in this example, 192.0.2.1.
    4. Save.
  6. Create the NAT64 rule.
    1. Select Network Policies > NAT and Add Rule.
    2. Enter a Name for the rule, for example, nat64_ipv6_init.
    3. Select Enabled.
    4. Select Nat64.
  7. Specify the original source and destination information.
    1. In the Original Packet section, Add Zones and add the source zone, likely a trusted zone.
    2. To add a source address, Add Addresses and add the address object you created for the IPv6 host or select Any Address.
    3. Select the Destination Zone, in this example, the Untrust zone.
    4. (Optional) Select a destination Interface or the default (any).
    5. To enter the destination address, select Add Addresses and add the address object you created for the IPv6 destination address, in this example, nat64-IPv4-Server.
    6. (Optional) For Service, select any.
  8. Specify the translated packet information.
    1. In the Translated Packet section, select Source Address Only, Destination Address Only, or Both. Default is None.
    2. To configure source address translation, select the translation type: Dynamic IP and Port, Dynamic IP, or Static IP.
      • For Dynamic IP and Port, enable Persistent NAT. Select the Translated Address object and enter the Translated Address, or select Interface Address and select an interface. Then select IP or Floating IP and enter the corresponding address.
      • For Dynamic IP, add a Translated Address. Also select a Dynamic IP/Port Fallback: Translated Address or Interface Address. Default is None.
      • For Static IP, select the Translated Address object or Create New address. Static IP allows you to select Bi-direction to have the translation occur in both directions.
  9. Save the rule.
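
Step 3 notes that the firewall extracts the encoded IPv4 address from the destination IPv6 address based on the prefix length. The following added example (not Palo Alto Networks code, and not a description of the PAN-OS implementation) applies the RFC 6052 address layout to show where the IPv4 bits sit for each permitted prefix length, which is useful when checking which IPv4 destination a NAT64 rule will actually reach. The function name and the 2001:db8 sample addresses are assumptions chosen for illustration.

```python
import ipaddress

# Prefix lengths RFC 6052 permits for IPv4-embedded IPv6 addresses.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def extract_embedded_ipv4(ipv6_addr, nat64_prefix):
    """Return the IPv4 address embedded in ipv6_addr under nat64_prefix."""
    net = ipaddress.IPv6Network(nat64_prefix, strict=True)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    addr = ipaddress.IPv6Address(ipv6_addr)
    if addr not in net:
        raise ValueError(f"{addr} is outside NAT64 prefix {net}")
    raw = addr.packed  # 16 bytes, network order
    # Bits 64-71 (byte 8) are reserved and must be zero, so the IPv4 bytes
    # that follow a prefix shorter than /96 skip over that byte.
    if raw[8] != 0:
        raise ValueError(f"{addr} has non-zero reserved bits 64-71")
    first = net.prefixlen // 8
    positions = [i for i in range(first, 16) if i != 8][:4]
    return ipaddress.IPv4Address(bytes(raw[i] for i in positions))


if __name__ == "__main__":
    # Page example: well-known prefix, destination encoded as C633:6401.
    print(extract_embedded_ipv4("64:ff9b::c633:6401", "64:FF9B::/96"))
    # Constructed samples using documentation prefixes; each embeds 192.0.2.33.
    samples = [
        ("2001:db8:c000:221::", "2001:db8::/32"),
        ("2001:db8:1c0:2:21::", "2001:db8:100::/40"),
        ("2001:db8:122:344:c0:2:2100::", "2001:db8:122:344::/64"),
    ]
    for address, prefix in samples:
        print(prefix, "->", extract_embedded_ipv4(address, prefix))
```
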