Configure NAT64 for IPv4-Initiated Communication with Port Translation

This task builds on the task to Configure NAT64 for IPv4-Initiated Communication, but the organization controlling the IPv6 network prefers to translate the public destination port number to an internal destination port number and thereby keep it private from users on the IPv4 untrust side of the firewall. In this example, port 8080 is translated to port 80. To do that, in the Original Packet of the NAT64 policy rule, create a new Service that specifies the destination port is 8080. For the Translated Packet, the translated port is 80.

Enable IPv6 to operate on the firewall.

Select
Device
Setup
Session
and edit the Session Settings.
Select
Enable IPv6 Firewalling
.
Click
OK
.

(

Optional

) When an IPv4 packet has its DF bit set to zero (and because IPv6 does not fragment packets), ensure the translated IPv6 packet does not exceed the path MTU for the destination IPv6 network.

Select
Device
Setup
Session
and edit Session Settings.
For
NAT64 IPv6 Minimum Network MTU
, enter the smallest number of byes into which the firewall will fragment IPv4 packets for translation to IPv6 (range is 1280-9216, default is 1280).
If you don’t want the firewall to fragment an IPv4 packet prior to translation, set the MTU to 9216. If the translated IPv6 packet still exceeds this value, the firewall drops the packet and issues an ICMP packet indicating destination unreachable - fragmentation needed.
Click
OK
.

Create an address object for the IPv4 destination address (pre-translation).

Select
Objects
Addresses
and click
Add
.
Enter a
Name
for the object, for example, nat64_ip4server.
For
Type
, select
IP Netmask
and enter the IPv4 address and netmask of the firewall interface in the Untrust zone. This example uses 198.51.19.1/24.
Click
OK
.

Create an address object for the IPv6 source address (translated).

Select
Objects
Addresses
and click
Add
.
Enter a
Name
for the object, for example, nat64_ip6source.
For
Type
, select
IP Netmask
and enter the NAT64 IPv6 address with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96).
For this example, enter 64:FF9B::/96.
(The firewall encodes the prefix with the IPv4 source address 192.1.2.8, which is C001:0208 in hexadecimal.)
Click
OK
.

Create an address object for the IPv6 destination address (translated).

Select
Objects
Addresses
and click
Add
.
Enter a
Name
for the object, for example, nat64_server_2.
For
Type
, select
IP Netmask
and enter the IPv6 address of the IPv6 server (destination). This example uses 2001:DB8::2/64.
The source and destination must have the same netmask (prefix length).
Click
OK
.

Create the NAT64 rule.

Select
Policies
NAT
and click
Add
.
On the
General
tab, enter a
Name
for the NAT64 rule, for example, nat64_ipv4_init.
For
NAT Type
, select
nat64
.

Specify the original source and destination information, and create a service to limit the translation to a single ingress port number.

For the
Original Packet
,
Add
the
Source Zone
, likely an untrust zone.
Select the
Destination Zone
, likely a trust or DMZ zone.
For
Service
, select New
Service
.
Enter a
Name
for the Service, such as Port_8080.
Select
TCP
as the
Protocol
.
For
Destination Port
, enter 8080.
Click
OK
to save the Service.
For
Source Address
, select
Any
or
Add
the address object for the IPv4 host.
For
Destination Address
,
Add
the address object for the IPv4 destination, in this example, nat64_ip4server.

Specify the translated packet information.

For the
Translated Packet
, in the
Source Address Translation
,
Translation Type
, select
Static IP
.
For
Translated Address
, select the source translated address object you created, nat64_ip6source.
For
Destination Address Translation
, for
Translated Address
, specify a single IPv6 address (the address object, in this example, nat64_server_2, or the IPv6 address of the server).
Specify the private destination
Translated Port
number to which the firewall translates the public destination port number, in this example, 80.
Click
OK
.

Create a security policy to allow the NAT traffic from the Untrust zone.

Select
Policies
Security
and
Add
a rule
Name
.
Select
Source
and
Add
a
Source Zone
; select
Untrust
.
For
Source Address
, select
Any
.
Select
Destination
and
Add
a
Destination Zone
; select
DMZ
.
For
Actions
, select
Allow
.
Click
OK
.

Commit your changes.

Click

Commit

.

Troubleshoot or view a NAT64 session.

> 
show session id 
<session-id>