You can configure two types of NAT64 translation on the firewall; each performs a bidirectional translation between the two IP address families. Configure one of the following, depending on whether the initial translation is from IPv6 to IPv4 or from IPv4 to IPv6. IPv4-initiated communication offers an additional option to translate port numbers.
IPv6-Initiated Communication
IPv6-initiated communication to the firewall is similar to source NAT for an IPv4 topology. Configure NAT64 for IPv6-Initiated Communication when your IPv6 host needs to communicate with an IPv4 server.
In the NAT64 policy rule, configure the original source to be an IPv6 host address or Any. Configure the destination IPv6 address as either the Well-Known Prefix or the NSP that the DNS64 server uses. (You do not configure the full IPv6 destination address in the rule.)
If you need to use a DNS, you need to use a DNS64 Server to convert an IPv4 DNS “A” result into an “AAAA” result merged with the NAT64 prefix. If you don’t use a DNS, you need to create the address using the IPv4 destination address and the NAT64 prefix configured on the firewall, following RFC 6052 rules.
For environments that use a DNS, the example topology below illustrates communication with the DNS64 Server. The DNS64 server must be set up to use the Well-Known Prefix 64:FF9B::/96 or your Network-Specific Prefix, which must comply with RFC 6052 (/32, /40,/48,/56,/64, or /96).
On the translated side of the firewall, the translation type must be Dynamic IP and Port in order to implement stateful NAT64. You configure the source translated address to be the IPv4 address of the egress interface on the firewall. You do not configure the destination translation field; the firewall translates the address by first finding the prefix length in the original destination address of the rule and then based on the prefix, extracting the encoded IPv4 address from the original destination IPv6 address in the incoming packet.
Before the firewall looks at the NAT64 rule, it must do a route lookup to find the destination security zone for the incoming packet. The NAT64 prefix is not a routable prefix, so the firewall would normally have no route for it: it would either match the prefix to the default route or drop the packet, and it cannot determine a destination zone because the prefix is not in its routing table and is not associated with an egress interface and zone. You must therefore ensure that traffic to the NAT64 prefix is assigned the correct destination zone.
You do this by configuring a tunnel interface (with no termination point). You apply the NAT64 prefix to the tunnel and assign the appropriate zone, so that IPv6 traffic destined for the NAT64 prefix is placed in the proper destination zone. The tunnel has the added advantage of dropping IPv6 traffic for the NAT64 prefix that does not match the NAT64 rule. The routing configured on the firewall looks up the IPv6 prefix in its routing table to find the destination zone and then evaluates the NAT64 rule.
The figure below illustrates the role of the DNS64 server in the name resolution process. In this example, the DNS64 server is configured to use Well-Known Prefix 64:FF9B::/96.
1. A user at the IPv6 host enters the URL www.abc.com, which generates a name server lookup (nslookup) to the DNS64 server.
2. The DNS64 Server sends an nslookup to the public DNS server for www.abc.com, requesting its IPv4 address.
3. The DNS server returns an A record that provides the IPv4 address to the DNS64 server.
4. The DNS64 server sends an AAAA record to the IPv6 user, converting the IPv4 dotted decimal address 198.51.100.1 into C633:6401 hexadecimal and embedding it into its own IPv6 prefix, 64:FF9B::/96. [198 = C6 hex; 51 = 33 hex; 100 = 64 hex; 1 = 01 hex.] The result is IPv4-Embedded IPv6 Address 64:FF9B::C633:6401.
Keep in mind that in a /96 prefix, the IPv4 address is the last four octets encoded in the IPv6 address. If the DNS64 server uses a /32, /40, /48, /56 or /64 prefix, the IPv4 address is encoded as shown in RFC 6052.
Upon the transparent name resolution, the IPv6 host sends a packet to the firewall containing its IPv6 source address and destination IPv6 address 64:FF9B::C633:6401 as determined by the DNS64 server. The firewall performs the NAT64 translation based on your NAT64 rule.
Configure NAT64 for IPv6-Initiated Communication
Enable IPv6 to operate on the firewall. Select Device > Setup > Session and edit the Session Settings. Select Enable IPv6 Firewalling. Click OK.
Create an address object for the IPv6 destination address (pre-translation). Select Objects > Addresses and click Add. Enter a Name for the object, for example, nat64-IPv4 Server. For Type, select IP Netmask and enter the IPv6 prefix with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96). This is either the Well-Known Prefix or your Network-Specific Prefix that is configured on the DNS64 Server. For this example, enter 64:FF9B::/96. NOTE: The source and destination must have the same netmask (prefix length). (You don’t enter a full destination address because, based on the prefix length, the firewall extracts the encoded IPv4 address from the original destination IPv6 address in the incoming packet. In this example, the prefix in the incoming packet is encoded with C633:6401 in hexadecimal, which is the IPv4 destination address 198.51.100.1.) Click OK.
(Optional) Create an address object for the IPv6 source address (pre-translation). Select Objects > Addresses and click Add. Enter a Name for the object. For Type, select IP Netmask and enter the address of the IPv6 host, in this example, 2001:DB8::5/96. Click OK.
(Optional) Create an address object for the IPv4 source address (translated). Select Objects > Addresses and click Add. Enter a Name for the object. For Type, select IP Netmask and enter the IPv4 address of the firewall’s egress interface, in this example, 192.0.2.1. Click OK.
Create the NAT64 rule. Select Policies > NAT and click Add. On the General tab, enter a Name for the NAT64 rule, for example, nat64_ipv6_init. (Optional) Enter a Description. For NAT Type, select nat64.
Specify the original source and destination information. For the Original Packet, Add the Source Zone, likely a trusted zone. Select the Destination Zone, in this example, the Untrust zone. (Optional) Select a Destination Interface or the default ( any). For Source Address, select Any or Add the address object you created for the IPv6 host. For Destination Address, Add the address object you created for the IPv6 destination address, in this example, nat64-IPv4 Server. (Optional) For Service, select any.
Specify the translated packet information. For the Translated Packet, in Source Address Translation, for Translation Type, select Dynamic IP and Port. For Address Type, do one of the following: Select Translated Address and Add the address object you created for the IPv4 source address. Select Interface Address, in which case the translated source address is the IP address and netmask of the firewall’s egress interface. For this choice, select an Interface and optionally an IP Address if the interface has more than one IP address. Leave Destination Address Translation unselected. (The firewall extracts the IPv4 address from the IPv6 prefix in the incoming packet, based on the prefix length specified in the original destination of the NAT64 rule.) Click OK to save the NAT64 policy rule.
Configure a tunnel interface to emulate a loopback interface with a netmask other than 128. Select Network > Interfaces > Tunnel and Add a tunnel. For Interface Name, enter a numeric suffix, such as .2. On the Config tab, select the Virtual Router where you are configuring NAT64. For Security Zone, select the destination zone associated with the IPv4 server destination (Trust zone). On the IPv6 tab, select Enable IPv6 on the interface. Click Add and for the Address, select New Address. Enter a Name for the address. (Optional) Enter a Description for the tunnel address. For Type, select IP Netmask and enter your IPv6 prefix and prefix length, in this example, 64:FF9B::/96. Click OK. Select Enable address on interface and click OK. Click OK. Click OK to save the tunnel.
Create a security policy rule to allow NAT traffic from the trust zone. Select Policies > Security and Add a rule Name. Select Source and Add a Source Zone; select Trust. For Source Address, select Any. Select Destination and Add a Destination Zone; select Untrust. For Application, select Any. For Actions, select Allow. Click OK.
Commit. Click Commit.
Troubleshoot or view a NAT64 session. > show session id <session-id>
IPv4-Initiated Communication
IPv4-initiated communication to an IPv6 server is similar to destination NAT in an IPv4 topology. The destination IPv4 address maps to the destination IPv6 address through a one-to-one, static IP translation (not a many-to-one translation).
The firewall encodes the source IPv4 address into Well-Known Prefix 64:FF9B::/96 as defined in RFC 6052. The translated destination address is the actual IPv6 address. The use case for IPv4-initiated communication is typically when an organization is providing access from the public, untrust zone to an IPv6 server in the organization’s DMZ zone. This topology does not use a DNS64 server.
Configure NAT64 for IPv4-Initiated Communication
Enable IPv6 to operate on the firewall. Select Device > Setup > Session and edit the Session Settings. Select Enable IPv6 Firewalling. Click OK.
(Optional) When an IPv4 packet has its DF bit set to zero (and because IPv6 does not fragment packets), ensure the translated IPv6 packet does not exceed the path MTU for the destination IPv6 network. Select Device > Setup > Session and edit Session Settings. For NAT64 IPv6 Minimum Network MTU, enter the smallest number of bytes into which the firewall will fragment IPv4 packets for translation to IPv6 (range is 1280-9216, default is 1280). TIP: If you don’t want the firewall to fragment an IPv4 packet prior to translation, set the MTU to 9216. If the translated IPv6 packet still exceeds this value, the firewall drops the packet and issues an ICMP packet indicating destination unreachable - fragmentation needed. Click OK.
Create an address object for the IPv4 destination address (pre-translation). Select Objects > Addresses and click Add. Enter a Name for the object, for example, nat64_ip4server. For Type, select IP Netmask and enter the IPv4 address and netmask of the firewall interface in the Untrust zone. This example uses 198.51.19.1/24. Click OK.
Create an address object for the IPv6 source address (translated). Select Objects > Addresses and click Add. Enter a Name for the object, for example, nat64_ip6source. For Type, select IP Netmask and enter the NAT64 IPv6 address with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96). For this example, enter 64:FF9B::/96. (The firewall encodes the prefix with the IPv4 source address 192.1.2.8, which is C001:0208 in hexadecimal.) Click OK.
Create an address object for the IPv6 destination address (translated). Select Objects > Addresses and click Add. Enter a Name for the object, for example, nat64_server_2. For Type, select IP Netmask and enter the IPv6 address of the IPv6 server (destination). This example uses 2001:DB8::2/64. NOTE: The source and destination must have the same netmask (prefix length). Click OK.
Create the NAT64 rule. Select Policies > NAT and click Add. On the General tab, enter a Name for the NAT64 rule, for example, nat64_ipv4_init. For NAT Type, select nat64.
Specify the original source and destination information. For the Original Packet, Add the Source Zone, likely an untrust zone. Select the Destination Zone, likely a trust or DMZ zone. For Source Address, select Any or Add the address object for the IPv4 host. For Destination Address, Add the address object for the IPv4 destination, in this example, nat64_ip4server. For Service, select any.
Specify the translated packet information. For the Translated Packet, in the Source Address Translation, Translation Type, select Static IP. For Translated Address, select the source translated address object you created, nat64_ip6source. For Destination Address Translation, for Translated Address, specify a single IPv6 address (the address object, in this example, nat64_server_2, or the IPv6 address of the server). Click OK.
Create a security policy rule to allow the NAT traffic from the Untrust zone. Select Policies > Security and Add a rule Name. Select Source and Add a Source Zone; select Untrust. For Source Address, select Any. Select Destination and Add a Destination Zone; select DMZ. For Actions, select Allow. Click OK.
Commit. Click Commit.
Troubleshoot or view a NAT64 session. > show session id <session-id>
IPv4-Initiated Communication with Port Translation
This use case builds on the prior use case, but the organization controlling the IPv6 network prefers to translate the public destination port number to an internal destination port number and thereby keep it private from users on the IPv4 untrust side of the firewall. In this example, port 8080 is translated to port 80. To do that, in the Original Packet of the NAT64 policy rule, create a new Service that specifies the destination port is 8080. For the Translated Packet, the translated port is 80.
Configure NAT64 for IPv4-Initiated Communication with Port Translation
Enable IPv6 to operate on the firewall. Select Device > Setup > Session and edit the Session Settings. Select Enable IPv6 Firewalling. Click OK.
(Optional) When an IPv4 packet has its DF bit set to zero (and because IPv6 does not fragment packets), ensure the translated IPv6 packet does not exceed the path MTU for the destination IPv6 network. Select Device > Setup > Session and edit Session Settings. For NAT64 IPv6 Minimum Network MTU, enter the smallest number of bytes into which the firewall will fragment IPv4 packets for translation to IPv6 (range is 1280-9216, default is 1280). TIP: If you don’t want the firewall to fragment an IPv4 packet prior to translation, set the MTU to 9216. If the translated IPv6 packet still exceeds this value, the firewall drops the packet and issues an ICMP packet indicating destination unreachable - fragmentation needed. Click OK.
Create an address object for the IPv4 destination address (pre-translation). Select Objects > Addresses and click Add. Enter a Name for the object, for example, nat64_ip4server. For Type, select IP Netmask and enter the IPv4 address and netmask of the firewall interface in the Untrust zone. This example uses 198.51.19.1/24. Click OK.
Create an address object for the IPv6 source address (translated). Select Objects > Addresses and click Add. Enter a Name for the object, for example, nat64_ip6source. For Type, select IP Netmask and enter the NAT64 IPv6 address with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96). For this example, enter 64:FF9B::/96. (The firewall encodes the prefix with the IPv4 source address 192.1.2.8, which is C001:0208 in hexadecimal.) Click OK.
Create an address object for the IPv6 destination address (translated). Select Objects > Addresses and click Add. Enter a Name for the object, for example, nat64_server_2. For Type, select IP Netmask and enter the IPv6 address of the IPv6 server (destination). This example uses 2001:DB8::2/64. NOTE: The source and destination must have the same netmask (prefix length). Click OK.
Create the NAT64 rule. Select Policies > NAT and click Add. On the General tab, enter a Name for the NAT64 rule, for example, nat64_ipv4_init. For NAT Type, select nat64.
Specify the original source and destination information, and create a service to limit the translation to a single ingress port number. For the Original Packet, Add the Source Zone, likely an untrust zone. Select the Destination Zone, likely a trust or DMZ zone. For Service, select New Service. Enter a Name for the Service, such as Port_8080. Select TCP as the Protocol. For Destination Port, enter 8080. Click OK to save the Service. For Source Address, select Any or Add the address object for the IPv4 host. For Destination Address, Add the address object for the IPv4 destination, in this example, nat64_ip4server.
Specify the translated packet information. For the Translated Packet, in the Source Address Translation, Translation Type, select Static IP. For Translated Address, select the source translated address object you created, nat64_ip6source. For Destination Address Translation, for Translated Address, specify a single IPv6 address (the address object, in this example, nat64_server_2, or the IPv6 address of the server). Specify the private destination Translated Port number to which the firewall translates the public destination port number, in this example, 80. Click OK.
Create a security policy rule to allow the NAT traffic from the Untrust zone. Select Policies > Security and Add a rule Name. Select Source and Add a Source Zone; select Untrust. For Source Address, select Any. Select Destination and Add a Destination Zone; select DMZ. For Actions, select Allow. Click OK.
Commit. Click Commit.
Troubleshoot or view a NAT64 session. > show session id <session-id>