Configure NAT64 for IPv6-Initiated Communication
This configuration task and its addresses correspond to the figures in IPv6-Initiated Communication.

Beginning with PAN-OS 10.2.4, you can enable persistent NAT for DIPP to mitigate the compatibility issues that symmetric NAT may have with applications that use STUN.
- Enable IPv6 to operate on the firewall.
  - Select Device > Setup > Session and edit the Session Settings.
  - Select Enable IPv6 Firewalling.
  - Click OK.
- Create an address object for the IPv6 destination address (pre-translation).
  - Select Objects > Addresses and click Add.
  - Enter a Name for the object, for example, nat64-IPv4 Server.
  - For Type, select IP Netmask and enter the IPv6 prefix with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96). This is either the Well-Known Prefix or your Network-Specific Prefix that is configured on the DNS64 server. For this example, enter 64:FF9B::/96. The source and destination must have the same netmask (prefix length).
    You don't enter a full destination address because, based on the prefix length, the firewall extracts the encoded IPv4 address from the original destination IPv6 address in the incoming packet. In this example, the destination address in the incoming packet carries C633:6401 in hexadecimal after the prefix, which is the IPv4 destination address 198.51.100.1.
  - Click OK.
- (Optional) Create an address object for the IPv6 source address (pre-translation).
  - Select Objects > Addresses and click Add.
  - Enter a Name for the object.
  - For Type, select IP Netmask and enter the address of the IPv6 host, in this example, 2001:DB8::5/96.
  - Click OK.
- (Optional) Create an address object for the IPv4 source address (translated).
  - Select Objects > Addresses and click Add.
  - Enter a Name for the object.
  - For Type, select IP Netmask and enter the IPv4 address of the firewall's egress interface, in this example, 192.0.2.1.
  - Click OK.
- Create the NAT64 rule.
  - Select Policies > NAT and click Add.
  - On the General tab, enter a Name for the NAT64 rule, for example, nat64_ipv6_init.
  - (Optional) Enter a Description.
  - For NAT Type, select nat64.
- Specify the original source and destination information.
  - For the Original Packet, Add the Source Zone, likely a trusted zone.
  - Select the Destination Zone, in this example, the Untrust zone.
  - (Optional) Select a Destination Interface or keep the default (any).
  - For Source Address, select Any or Add the address object you created for the IPv6 host.
  - For Destination Address, Add the address object you created for the IPv6 destination address, in this example, nat64-IPv4 Server.
  - (Optional) For Service, select any.
- Specify the translated packet information.
  - For the Translated Packet, in Source Address Translation, for Translation Type, select Dynamic IP and Port.
  - For Address Type, do one of the following:
    - Select Translated Address and Add the address object you created for the IPv4 source address.
    - Select Interface Address, in which case the translated source address is the IP address and netmask of the firewall's egress interface. For this choice, select an Interface and optionally an IP Address if the interface has more than one IP address.
  - Leave Destination Address Translation unselected. (The firewall extracts the IPv4 address from the IPv6 prefix in the incoming packet, based on the prefix length specified in the original destination of the NAT64 rule.)
  - Click OK to save the NAT64 policy rule.
- Configure a tunnel interface to emulate a loopback interface with a netmask other than 128.
  - Select Network > Interfaces > Tunnel and Add a tunnel.
  - For Interface Name, enter a numeric suffix, such as .2.
  - On the Config tab, select the Virtual Router where you are configuring NAT64.
  - For Security Zone, select the destination zone associated with the IPv4 server destination (Trust zone).
  - On the IPv6 tab, select Enable IPv6 on the interface.
  - Click Add and for the Address, select New Address.
    - Enter a Name for the address.
    - (Optional) Enter a Description for the tunnel address.
    - For Type, select IP Netmask and enter your IPv6 prefix and prefix length, in this example, 64:FF9B::/96.
    - Click OK.
  - Select Enable address on interface and click OK.
  - Click OK.
  - Click OK to save the tunnel.
- Create a security policy to allow NAT traffic from the trust zone.
  - Select Policies > Security, Add a rule, and enter a Name.
  - Select Source and Add a Source Zone; select Trust.
  - For Source Address, select Any.
  - Select Destination and Add a Destination Zone; select Untrust.
  - For Application, select Any.
  - For Actions, select Allow.
  - Click OK.
- Commit your changes. Click Commit.
- (PAN-OS 10.2.4 and later 10.2 releases) Enable persistent NAT for DIPP.
  - > set system setting persistent-dipp enable yes
  - > request restart system
  - If you have HA configured, repeat this step on the other HA peer.
- Troubleshoot or view a NAT64 session: > show session id <session-id>
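The RFC 6052 address embedding that the destination address object step and the Translated Packet step rely on, as an added example that is not part of the PAN-OS documentation: it synthesizes an IPv6 address under a NAT64 prefix the way a DNS64 server does and recovers the IPv4 address the way the firewall does, and it covers all six RFC 6052 prefix lengths rather than only the /96 case used above. The Well-Known Prefix and 198.51.100.1 are the page's values; the other prefixes and addresses are constructed samples.

```python
import ipaddress

# Prefix lengths RFC 6052 allows for NAT64/DNS64 address synthesis.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _ipv4_bit_positions(prefix_len):
    """Return the 32 bit offsets (0 = most significant) that carry the IPv4 address.

    RFC 6052 section 2.2 reserves bits 64-71 (the "u" octet) as zero, so for
    prefixes shorter than /64 the IPv4 address is split around that octet.
    """
    if prefix_len not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"/{prefix_len} is not an RFC 6052 prefix length")
    if prefix_len == 96:
        return list(range(96, 128))
    if prefix_len == 64:
        return list(range(72, 104))
    before_u = list(range(prefix_len, 64))                # bits between prefix and u
    after_u = list(range(72, 72 + 32 - len(before_u)))    # remainder after u
    return before_u + after_u


def embed_ipv4(prefix, ipv4):
    """Synthesize the IPv6 address a DNS64 server returns for an IPv4-only host."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    v4 = int(ipaddress.IPv4Address(ipv4))
    value = int(net.network_address)
    for i, pos in enumerate(_ipv4_bit_positions(net.prefixlen)):
        value |= ((v4 >> (31 - i)) & 1) << (127 - pos)
    return ipaddress.IPv6Address(value)


def extract_ipv4(prefix, ipv6):
    """Recover the IPv4 destination the NAT64 rule derives from the original packet."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not covered by NAT64 prefix {net}")
    value = int(addr)
    # Outside the /96 format the u octet is set by the synthesizer and must be zero.
    if net.prefixlen < 96 and (value >> 56) & 0xFF:
        raise ValueError("bits 64-71 (u) must be zero per RFC 6052")
    v4 = 0
    for pos in _ipv4_bit_positions(net.prefixlen):
        v4 = (v4 << 1) | ((value >> (127 - pos)) & 1)
    return ipaddress.IPv4Address(v4)


if __name__ == "__main__":
    # Constructed sample: the page's Well-Known Prefix and server 198.51.100.1.
    synthesized = embed_ipv4("64:ff9b::/96", "198.51.100.1")
    print(synthesized, "->", extract_ipv4("64:ff9b::/96", str(synthesized)))
```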