Configure NAT64 for IPv4-Initiated Communication with Port Translation
Table of Contents
10.1
Expand all | Collapse all
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
Configure NAT64 for IPv4-Initiated Communication with Port
Translation
This task builds on the task to Configure
NAT64 for IPv4-Initiated Communication, but the organization
controlling the IPv6 network prefers to translate the public destination
port number to an internal destination port number and thereby keep
it private from users on the IPv4 untrust side of the firewall.
In this example, port 8080 is translated to port 80. To do that,
in the Original Packet of the NAT64 policy rule, create a new Service
that specifies the destination port is 8080. For the Translated
Packet, the translated port is 80.

- Enable IPv6 to operate on the firewall.
- Selectand edit the Session Settings.DeviceSetupSession
- SelectEnable IPv6 Firewalling.
- ClickOK.
- (Optional) When an IPv4 packet has its DF bit set to zero (and because IPv6 does not fragment packets), ensure the translated IPv6 packet does not exceed the path MTU for the destination IPv6 network.
- Selectand edit Session Settings.DeviceSetupSession
- ForNAT64 IPv6 Minimum Network MTU, enter the smallest number of byes into which the firewall will fragment IPv4 packets for translation to IPv6 (range is 1280-9216, default is 1280).If you don’t want the firewall to fragment an IPv4 packet prior to translation, set the MTU to 9216. If the translated IPv6 packet still exceeds this value, the firewall drops the packet and issues an ICMP packet indicating destination unreachable - fragmentation needed.
- ClickOK.
- Create an address object for the IPv4 destination address (pre-translation).
- Selectand clickObjectsAddressesAdd.
- Enter aNamefor the object, for example, nat64_ip4server.
- ForType, selectIP Netmaskand enter the IPv4 address and netmask of the firewall interface in the Untrust zone. This example uses 198.51.19.1/24.
- ClickOK.
- Create an address object for the IPv6 source address (translated).
- Selectand clickObjectsAddressesAdd.
- Enter aNamefor the object, for example, nat64_ip6source.
- ForType, selectIP Netmaskand enter the NAT64 IPv6 address with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96).For this example, enter 64:FF9B::/96.(The firewall encodes the prefix with the IPv4 source address 192.1.2.8, which is C001:0208 in hexadecimal.)
- ClickOK.
- Create an address object for the IPv6 destination address (translated).
- Selectand clickObjectsAddressesAdd.
- Enter aNamefor the object, for example, nat64_server_2.
- ForType, selectIP Netmaskand enter the IPv6 address of the IPv6 server (destination). This example uses 2001:DB8::2/64.The source and destination must have the same netmask (prefix length).
- ClickOK.
- Create the NAT64 rule.
- Selectand clickPoliciesNATAdd.
- On theGeneraltab, enter aNamefor the NAT64 rule, for example, nat64_ipv4_init.
- ForNAT Type, selectnat64.
- Specify the original source and destination information, and create a service to limit the translation to a single ingress port number.
- For theOriginal Packet,AddtheSource Zone, likely an untrust zone.
- Select theDestination Zone, likely a trust or DMZ zone.
- ForService, select NewService.
- Enter aNamefor the Service, such as Port_8080.
- SelectTCPas theProtocol.
- ForDestination Port, enter 8080.
- ClickOKto save the Service.
- ForSource Address, selectAnyorAddthe address object for the IPv4 host.
- ForDestination Address,Addthe address object for the IPv4 destination, in this example, nat64_ip4server.
- Specify the translated packet information.
- For theTranslated Packet, in theSource Address Translation,Translation Type, selectStatic IP.
- ForTranslated Address, select the source translated address object you created, nat64_ip6source.
- ForDestination Address Translation, forTranslated Address, specify a single IPv6 address (the address object, in this example, nat64_server_2, or the IPv6 address of the server).
- Specify the private destinationTranslated Portnumber to which the firewall translates the public destination port number, in this example, 80.
- ClickOK.
- Create a security policy to allow the NAT traffic from the Untrust zone.
- SelectandPoliciesSecurityAdda ruleName.
- SelectSourceandAddaSource Zone; selectUntrust.
- ForSource Address, selectAny.
- SelectDestinationandAddaDestination Zone; selectDMZ.
- ForActions, selectAllow.
- ClickOK.
- Commit your changes.ClickCommit.
- Troubleshoot or view a NAT64 session.>show session id<session-id>