Configure NAT64 for IPv4-Initiated Communication

IPv4-initiated communication to an IPv6 server is similar to destination NAT in an IPv4 topology. The destination IPv4 address maps to the destination IPv6 address through a one-to-one, static IP translation (not a many-to-one translation).
The firewall encodes the source IPv4 address into Well-Known Prefix 64:FF9B::/96 as defined in RFC 6052. The translated destination address is the actual IPv6 address. The use case for IPv4-initiated communication is typically when an organization is providing access from the public, untrust zone to an IPv6 server in the organization’s DMZ zone. This topology does not use a DNS64 server.
[Figure nat64_v4_init.png: IPv4-initiated NAT64 topology (untrust IPv4 client, firewall, IPv6 server in the DMZ)]
  1. Enable IPv6 to operate on the firewall.
    1. Select Device > Setup > Session and edit the Session Settings.
    2. Select Enable IPv6 Firewalling.
    3. Click OK.
  2. (Optional) When an IPv4 packet has its DF bit set to zero (and because IPv6 routers do not fragment packets in transit), ensure the translated IPv6 packet does not exceed the path MTU for the destination IPv6 network.
    1. Select Device > Setup > Session and edit the Session Settings.
    2. For NAT64 IPv6 Minimum Network MTU, enter the smallest number of bytes into which the firewall will fragment IPv4 packets for translation to IPv6 (range is 1280-9216; default is 1280).
       If you don't want the firewall to fragment an IPv4 packet prior to translation, set the MTU to 9216. If the translated IPv6 packet still exceeds this value, the firewall drops the packet and issues an ICMP Destination Unreachable (Fragmentation Needed) message.
    3. Click OK.
  3. Create an address object for the IPv4 destination address (pre-translation).
    1. Select Objects > Addresses and click Add.
    2. Enter a Name for the object, for example, nat64_ip4server.
    3. For Type, select IP Netmask and enter the IPv4 address and netmask of the firewall interface in the Untrust zone. This example uses 198.51.19.1/24.
    4. Click OK.
  4. Create an address object for the IPv6 source address (translated).
    1. Select Objects > Addresses and click Add.
    2. Enter a Name for the object, for example, nat64_ip6source.
    3. For Type, select IP Netmask and enter the NAT64 IPv6 address with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96). For this example, enter 64:FF9B::/96.
       (The firewall encodes the IPv4 source address 192.1.2.8, which is C001:0208 in hexadecimal, into this prefix.)
    4. Click OK.
  5. Create an address object for the IPv6 destination address (translated).
    1. Select Objects > Addresses and click Add.
    2. Enter a Name for the object, for example, nat64_server_2.
    3. For Type, select IP Netmask and enter the IPv6 address of the IPv6 server (destination). This example uses 2001:DB8::2/64.
       The source and destination must have the same netmask (prefix length).
    4. Click OK.
  6. Create the NAT64 rule.
    1. Select Policies > NAT and click Add.
    2. On the General tab, enter a Name for the NAT64 rule, for example, nat64_ipv4_init.
    3. For NAT Type, select nat64.
  7. Specify the original source and destination information.
    1. For the Original Packet, Add the Source Zone, likely an untrust zone.
    2. Select the Destination Zone, likely a trust or DMZ zone.
    3. For Source Address, select Any or Add the address object for the IPv4 host.
    4. For Destination Address, Add the address object for the IPv4 destination, in this example, nat64_ip4server.
    5. For Service, select any.
  8. Specify the translated packet information.
    1. For the Translated Packet, under Source Address Translation, set Translation Type to Static IP.
    2. For Translated Address, select the source translated address object you created, nat64_ip6source.
    3. For Destination Address Translation, for Translated Address, specify a single IPv6 address (the address object, in this example, nat64_server_2, or the IPv6 address of the server).
    4. Click OK.
  9. Create a security policy to allow the NAT traffic from the Untrust zone.
    1. Select Policies > Security and Add a rule Name.
    2. Select Source and Add a Source Zone; select Untrust.
    3. For Source Address, select Any.
    4. Select Destination and Add a Destination Zone; select DMZ.
    5. For Actions, select Allow.
    6. Click OK.
  10. Commit your changes.
    Click Commit.
  11. Troubleshoot or view a NAT64 session.
    > show session id <session-id>
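The translated source address in step 4 is produced by the RFC 6052 address embedding that the procedure describes: the IPv4 source is written into the free bits of the NAT64 prefix, and the reverse translation reads it back out. The Python below is an added example, not the firewall's code or anything from the vendor's documentation. It implements the encoding for all six prefix lengths the address-object step permits (/32, /40, /48, /56, /64, /96), the reverse extraction with the RFC 6052 check that the reserved "u" octet (bits 64-71) is zero, and reproduces the page's own case (192.1.2.8 in 64:FF9B::/96 yields 64:ff9b::c001:208). The function names are assumptions of this example; the prefixes other than 64:FF9B::/96 are the 2001:db8::/32 documentation addresses that RFC 6052 uses in its own example table.

```python
"""RFC 6052 IPv4-embedded IPv6 addresses, as used by NAT64 source translation.

Added example; not the firewall's implementation. Function names are this
example's own. The 64:FF9B::/96 case matches the procedure above.
"""
import ipaddress

# Prefix lengths RFC 6052 permits for a NAT64 prefix; the address-object step
# for the translated source requires one of these.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)

# Byte index of the "u" octet (bits 64-71). RFC 6052 section 2.2 requires it
# to be zero; embedded IPv4 bytes are written around it, never into it.
U_OCTET_INDEX = 8


def _checked_prefix(prefix: str) -> ipaddress.IPv6Network:
    """Parse a NAT64 prefix and reject lengths RFC 6052 does not allow."""
    net = ipaddress.IPv6Network(prefix, strict=True)  # host bits must be zero
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(
            f"/{net.prefixlen} is not an RFC 6052 prefix length "
            f"{RFC6052_PREFIX_LENGTHS}")
    return net


def embed_ipv4(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Return the IPv6 address that carries `ipv4` inside `prefix`.

    The IPv4 octets are placed immediately after the prefix bytes, skipping
    the u octet; everything after them (the suffix) stays zero.
    """
    net = _checked_prefix(prefix)
    out = bytearray(net.network_address.packed)  # prefix bytes, rest zero
    pos = net.prefixlen // 8                      # first byte after the prefix
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == U_OCTET_INDEX:
            pos += 1                              # leave the u octet zero
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """Recover the embedded IPv4 address from `ipv6`.

    Raises ValueError if the address is outside the prefix or, for prefixes
    shorter than /96, if the reserved u octet is not zero; a translator should
    refuse to decode such an address rather than guess at it.
    """
    net = _checked_prefix(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    raw = addr.packed
    if net.prefixlen <= 64 and raw[U_OCTET_INDEX] != 0:
        raise ValueError(f"{addr}: u octet (bits 64-71) must be zero")
    pos = net.prefixlen // 8
    v4 = bytearray()
    while len(v4) < 4:
        if pos == U_OCTET_INDEX:
            pos += 1
        v4.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(v4))


def is_well_formed(prefix: str, ipv6: str) -> bool:
    """True if `ipv6` is a valid RFC 6052 embedded address under `prefix`."""
    try:
        extract_ipv4(prefix, ipv6)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # The page's own values: Well-Known Prefix 64:FF9B::/96, source 192.1.2.8.
    translated = embed_ipv4("64:FF9B::/96", "192.1.2.8")
    print(f"192.1.2.8 in 64:FF9B::/96 -> {translated}")
    print(f"decoded back -> {extract_ipv4('64:FF9B::/96', str(translated))}")

    # Same IPv4 address (RFC 6052's example 192.0.2.33) under each permitted
    # prefix length, to show where the octets land relative to the u octet.
    for prefix in ("2001:db8::/32", "2001:db8:100::/40", "2001:db8:122::/48",
                   "2001:db8:122:300::/56", "2001:db8:122:344::/64",
                   "2001:db8:122:344::/96"):
        print(f"{prefix:>24} -> {embed_ipv4(prefix, '192.0.2.33').exploded}")
```

Running the block prints 64:ff9b::c001:208 for the page's example, which is the address you should expect to see as the translated source when you inspect the session with show session id. The u-octet check in extract_ipv4 is the part worth keeping in any reverse-translation or log-parsing tool: an IPv6 address that matches the NAT64 prefix but carries non-zero reserved bits was not produced by a conforming translator and should be flagged, not silently decoded.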
