Document:PAN-OS® Networking Administrator’s Guide

Configure NAT64 for IPv6-Initiated Communication

Download PDF

Filter

Networking
- Networking Introduction
Configure Interfaces
- Tap Interfaces
- Virtual Wire Interfaces
- Layer 2 Interfaces
- Layer 3 Interfaces
  - Configure Layer 3 Interfaces
  - Manage IPv6 Hosts Using NDP
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
Virtual Routers
- Virtual Router Overview
- Configure Virtual Routers
Service Routes
- Service Routes Overview
- Configure Service Routes
Static Routes
- Static Route Overview
- Static Route Removal Based on Path Monitoring
- Configure a Static Route
- Configure Path Monitoring for a Static Route
RIP
- RIP Overview
- Configure RIP
OSPF
- OSPF Concepts
- Configure OSPF
- Configure OSPFv3
- Configure OSPF Graceful Restart
- Confirm OSPF Operation
BGP
- BGP Overview
- MP-BGP
- Configure BGP
- Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast
- Configure a BGP Peer with MP-BGP for IPv4 Multicast
- BGP Confederations
IP Multicast
- IGMP
- PIM
- Configure IP Multicast
- View IP Multicast Information
Route Redistribution
- Route Redistribution Overview
- Configure Route Redistribution
GRE Tunnels
- GRE Tunnel Overview
- Create a GRE Tunnel
DHCP
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- DHCP Addressing
  - DHCP Address Allocation Methods
  - DHCP Leases
- DHCP Options
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure an Interface as a DHCP Relay Agent
- Monitor and Troubleshoot DHCP
DNS
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Configure a Web Proxy
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
DDNS
- Dynamic DNS Overview
- Configure Dynamic DNS for Firewall Interfaces
NAT
- NAT Policy Rules
- Source NAT and Destination NAT
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
- Configure NAT
- NAT Configuration Examples
NPTv6
- NPTv6 Overview
  - Unique Local Addresses
  - Reasons to Use NPTv6
- How NPTv6 Works
- NDP Proxy
- NPTv6 and NDP Proxy Example
- Create an NPTv6 Policy
NAT64
- NAT64 Overview
- IPv4-Embedded IPv6 Address
- DNS64 Server
- Path MTU Discovery
- IPv6-Initiated Communication
- Configure NAT64 for IPv6-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication with Port Translation
ECMP
- ECMP Load-Balancing Algorithms
- Configure ECMP on a Virtual Router
- Enable ECMP for Multiple BGP Autonomous Systems
- Verify ECMP
LLDP
- LLDP Overview
- Supported TLVs in LLDP
- LLDP Syslog Messages and SNMP Traps
- Configure LLDP
- View LLDP Settings and Status
- Clear LLDP Statistics
BFD
- BFD Overview
- Configure BFD
- Reference: BFD Details
Session Settings and Timeouts
- Transport Layer Sessions
- TCP
- UDP
- ICMP
  - Security Policy Rules Based on ICMP and ICMPv6 Packets
  - ICMPv6 Rate Limiting
- Control Specific ICMP or ICMPv6 Types and Codes
- Configure Session Timeouts
- Configure Session Settings
- Session Distribution Policies
  - Session Distribution Policy Descriptions
  - Change the Session Distribution Policy and View Statistics
- Prevent TCP Split Handshake Session Establishment
Tunnel Content Inspection
- Tunnel Content Inspection Overview
- Configure Tunnel Content Inspection
- View Inspected Tunnel Activity
- View Tunnel Information in Logs
- Create a Custom Report Based on Tagged Tunnel Traffic
- Tunnel Acceleration Behavior
- Disable Tunnel Acceleration
Network Packet Broker
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
Advanced Routing
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
PoE
- PoE Overview
- Configure PoE

Configure NAT64 for IPv6-Initiated Communication

This configuration task and its addresses correspond to the figures in IPv6-Initiated Communication.

Enable IPv6 to operate on the firewall.

Select

Device

Setup

Session

and edit the Session Settings.

Select

Enable IPv6 Firewalling

Click

Create an address object for the IPv6 destination address (pre-translation).

Select

Objects

Addresses

and click

Add

Enter a

Name

for the object, for example, nat64-IPv4 Server.

For

Type

, select

IP Netmask

and enter the IPv6 prefix with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96). This is either the Well-Known Prefix or your Network-Specific Prefix that is configured on the DNS64 Server.

For this example, enter 64:FF9B::/96.

The source and destination must have the same netmask (prefix length).

(You don’t enter a full destination address because, based on the prefix length, the firewall extracts the encoded IPv4 address from the original destination IPv6 address in the incoming packet. In this example, the prefix in the incoming packet is encoded with C633:6401 in hexadecimal, which is the IPv4 destination address 198.51.100.1.)

Click

(Optional) Create an address object for the IPv6 source address (pre-translation).

Select

Objects

Addresses

and click

Add

Enter a

Name

for the object.

For

Type

, select

IP Netmask

and enter the address of the IPv6 host, in this example, 2001:DB8::5/96.

Click

(Optional) Create an address object for the IPv4 source address (translated).

Select

Objects

Addresses

and click

Add

Enter a

Name

for the object.

For

Type

, select

IP Netmask

and enter the IPv4 address of the firewall’s egress interface, in this example, 192.0.2.1.

Click

Create the NAT64 rule.

Select

Policies

NAT

and click

Add

On the

General

tab, enter a

Name

for the NAT64 rule, for example, nat64_ipv6_init.

(Optional) Enter a

Description

For

NAT Type

, select

nat64

Specify the original source and destination information.

For the

Original Packet

Add

the

Source Zone

, likely a trusted zone.

Select the

Destination Zone

, in this example, the Untrust zone.

(Optional) Select a

Destination Interface

or the default (

any

For

Source Address

, select

Any

Add

the address object you created for the IPv6 host.

For

Destination Address

Add

the address object you created for the IPv6 destination address, in this example, nat64-IPv4 Server.

(Optional) For

Service

, select

any

Specify the translated packet information.

For the

Translated Packet

, in

Source Address Translation

, for

Translation Type

, select

Dynamic IP and Port

For

Address Type

, do one of the following:

Select

Translated Address

and

Add

the address object you created for the IPv4 source address.

Select

Interface Address

, in which case the translated source address is the IP address and netmask of the firewall’s egress interface. For this choice, select an

Interface

and optionally an

IP Address

if the interface has more than one IP address.

Leave

Destination Address Translation

unselected. (The firewall extracts the IPv4 address from the IPv6 prefix in the incoming packet, based on the prefix length specified in the original destination of the NAT64 rule.)

Click

to save the NAT64 policy rule.

Configure a tunnel interface to emulate a loopback interface with a netmask other than 128.

Select

Network

Interfaces

Tunnel

and

Add

a tunnel.

For

Interface Name

, enter a numeric suffix, such as .2.

On the

Config

tab, select the

Virtual Router

where you are configuring NAT64.

For

Security Zone

, select the destination zone associated with the IPv4 server destination (Trust zone).

On the

IPv6

tab, select

Enable IPv6 on the interface

Click

Add

and for the

Address

, select

New Address

Enter a

Name

for the address.

(Optional) Enter a

Description

for the tunnel address.

For

Type

, select

IP Netmask

and enter your IPv6 prefix and prefix length, in this example, 64:FF9B::/96.

Click

Select

Enable address on interface

and click

Click

to save the tunnel.

Create a security policy to allow NAT traffic from the trust zone.

Select

Policies

Security

and

Add

a rule

Name

Select

Source

and

Add

Source Zone

; select

Trust

For

Source Address

, select

Any

Select

Destination

and

Add

Destination Zone

; select

Untrust

For

Application

, select

Any

For

Actions

, select

Allow

Click

Commit your changes.

Click

Commit

Enable persistent NAT for DIPP.

Access the CLI.

set system setting persistent-dipp enable yes

request restart system

If you have HA configured, repeat this step on the other HA peer.

Troubleshoot or view a NAT64 session.

> show session id <session-id>

Document:PAN-OS® Networking Administrator’s Guide

Configure NAT64 for IPv6-Initiated Communication

Table of Contents

Configure NAT64 for IPv6-Initiated Communication

Most Popular

Recommended For You