About NAT64

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

About NPTv6

Routing and Interfaces

About NAT64

Learn more about translating IPv4 and IPv6 IP addresses, and vice verse, for your managed firewalls.

Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.

Where Can I Use This?	What Do I Need?
NGFW, including those funded by Software NGFW Credits	One of these: AIOps for NGFW Premium or Strata Cloud Manager Pro Strata Cloud Manager Essentials (Supports only NGFWs)

NAT64 provides a way to transition to IPv6 while you still need to communicate with IPv4 networks. When you need to communicate from an IPv6-only network to an IPv4 network, you use NAT64 to translate source and destination addresses from IPv6 to IPv4 and vice versa. NAT64 allows IPv6 clients to access IPv4 servers and allows IPv4 clients to access IPv6 servers. Understand NAT before configuring NAT64.

Palo Alto Networks supports the following NAT64 features:

Hairpinning (NAT U-Turn); additionally, NAT64 prevents hairpinning loop attacks by dropping all incoming IPv6 packets that have a source prefix of 64::/n.
Translation of TCP/UDP/ICMP packets per RFC 6146 and the firewall makes a best effort to translate other protocols that don’t use an application-level gateway (ALG). For example, the firewall can translate a GRE packet. This translation has the same limitation as NAT44: if you don’t have an ALG for a protocol that can use a separate control and data channel, the firewall might not understand the return traffic flow.
Translation between IPv4 and IPv6 of the ICMP length attribute of the original datagram field, per RFC 4884.

DNS64 Server

If you need to use a DNS and you want to perform NAT64 translation using IPv6-Initiated Communication, you must use a third-party DNS64 server or other DNS64 solution that is set up with the Well-Known Prefix or your NSP. When an IPv6 host attempts to access an IPv4 host or domain on the internet, the DNS64 server queries an authoritative DNS server for the IPv4 address mapped to that hostname. The DNS server returns an Address record (A record) to the DNS64 server containing the IPv4 address for the hostname.

NAT64 operates on Layer 3 interfaces, subinterfaces, and tunnel interfaces. To use NAT64 on a Palo Alto Networks firewall for IPv6-initiated communication, you must have a third-party DNS64 server or a solution in place to separate the DNS query function from the NAT function. The DNS64 server translates between your IPv6 host and an IPv4 DNS server by encoding the IPv4 address that it receives from a public DNS server into an IPv6 address for the IPv6 host.

The DNS64 server in turn converts the IPv4 address to hexadecimal and encodes it into the appropriate octets of the IPv6 prefix it’s set up to use (the Well-Known Prefix or your NSP) based on the prefix length. This results in an IPv4-Embedded IPv6 Address. The DNS64 server sends an AAAA record to the IPv6 host who maps the IPv4-embedded IPv6 address to the IPv4 hostname.

About NPTv6

Routing and Interfaces

Next-Generation Firewall Docs

About NAT64

Next-Generation Firewall Docs

About NAT64

DNS64 Server

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner