Configure NAT64 for IPv6-Initiated Communication

This configuration task and its addresses correspond to the figures in IPv6-Initiated Communication.
  1. Enable IPv6 to operate on the firewall.
    1. Select Device > Setup > Session and edit the Session Settings.
    2. Select Enable IPv6 Firewalling.
    3. Click OK.
  2. Create an address object for the IPv6 destination address (pre-translation).
    1. Select Objects > Addresses and click Add.
    2. Enter a Name for the object, for example, nat64-IPv4 Server.
    3. For Type, select IP Netmask and enter the IPv6 prefix with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96). This is either the Well-Known Prefix or your Network-Specific Prefix that is configured on the DNS64 Server.
      For this example, enter 64:FF9B::/96.
      The source and destination must have the same netmask (prefix length).
      (You don’t enter a full destination address because, based on the prefix length, the firewall extracts the encoded IPv4 address from the original destination IPv6 address in the incoming packet. In this example, the prefix in the incoming packet is encoded with C633:6401 in hexadecimal, which is the IPv4 destination address 198.51.100.1.)
    4. Click OK.
  3. (Optional) Create an address object for the IPv6 source address (pre-translation).
    1. Select Objects > Addresses and click Add.
    2. Enter a Name for the object.
    3. For Type, select IP Netmask and enter the address of the IPv6 host, in this example, 2001:DB8::5/96.
    4. Click OK.
  4. (Optional) Create an address object for the IPv4 source address (translated).
    1. Select Objects > Addresses and click Add.
    2. Enter a Name for the object.
    3. For Type, select IP Netmask and enter the IPv4 address of the firewall’s egress interface, in this example, 192.0.2.1.
    4. Click OK.
  5. Create the NAT64 rule.
    1. Select Policies > NAT and click Add.
    2. On the General tab, enter a Name for the NAT64 rule, for example, nat64_ipv6_init.
    3. (Optional) Enter a Description.
    4. For NAT Type, select nat64.
  6. Specify the original source and destination information.
    1. For the Original Packet, Add the Source Zone, likely a trusted zone.
    2. Select the Destination Zone, in this example, the Untrust zone.
    3. (Optional) Select a Destination Interface or the default (any).
    4. For Source Address, select Any or Add the address object you created for the IPv6 host.
    5. For Destination Address, Add the address object you created for the IPv6 destination address, in this example, nat64-IPv4 Server.
    6. (Optional) For Service, select any.
  7. Specify the translated packet information.
    1. For the Translated Packet, in Source Address Translation, for Translation Type, select Dynamic IP and Port.
    2. For Address Type, do one of the following:
      • Select Translated Address and Add the address object you created for the IPv4 source address.
      • Select Interface Address, in which case the translated source address is the IP address and netmask of the firewall’s egress interface. For this choice, select an Interface and optionally an IP Address if the interface has more than one IP address.
    3. Leave Destination Address Translation unselected. (The firewall extracts the IPv4 address from the IPv6 prefix in the incoming packet, based on the prefix length specified in the original destination of the NAT64 rule.)
    4. Click OK to save the NAT64 policy rule.
  8. Configure a tunnel interface to emulate a loopback interface with a netmask other than 128.
    1. Select Network > Interfaces > Tunnel and Add a tunnel.
    2. For Interface Name, enter a numeric suffix, such as .2.
    3. On the Config tab, select the Virtual Router where you are configuring NAT64.
    4. For Security Zone, select the destination zone associated with the IPv4 server destination (Trust zone).
    5. On the IPv6 tab, select Enable IPv6 on the interface.
    6. Click Add and for the Address, select New Address.
    7. Enter a Name for the address.
    8. (Optional) Enter a Description for the tunnel address.
    9. For Type, select IP Netmask and enter your IPv6 prefix and prefix length, in this example, 64:FF9B::/96.
    10. Click OK.
    11. Select Enable address on interface and click OK.
    12. Click OK.
    13. Click OK to save the tunnel.
  9. Create a security policy to allow NAT traffic from the trust zone.
    1. Select Policies > Security and Add a rule Name.
    2. Select Source and Add a Source Zone; select Trust.
    3. For Source Address, select Any.
    4. Select Destination and Add a Destination Zone; select Untrust.
    5. For Application, select Any.
    6. For Actions, select Allow.
    7. Click OK.
  10. Commit your changes.
    Click Commit.
  11. Troubleshoot or view a NAT64 session.
    > show session id <session-id>

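Steps 2 and 7 rely on the firewall deriving the IPv4 destination from the IPv6 destination according to the prefix length. The following is an added example, not Palo Alto Networks code, that performs the RFC 6052 extraction and its inverse for all six permitted prefix lengths (the page only walks through /96), which is useful for checking which IPv4 host a given NAT64 destination will reach. The function names `extract_ipv4` and `embed_ipv4` are hypothetical, and the full destination address in the sample is built from the page's prefix and hexadecimal value.

```python
import ipaddress

# Prefix lengths RFC 6052 permits for a NAT64 prefix.
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)


def _prefix(nat64_prefix):
    net = ipaddress.IPv6Network(nat64_prefix)
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    return net


def extract_ipv4(dst, nat64_prefix):
    """Return the IPv4 address embedded in IPv6 address dst."""
    net = _prefix(nat64_prefix)
    addr = ipaddress.IPv6Address(dst)
    if addr not in net:
        raise ValueError(f"{addr} is outside {net}")
    raw = addr.packed
    if net.prefixlen < 96:
        # Bits 64-71 (the "u" octet) are reserved and carry no IPv4 bits,
        # so drop that octet before slicing out the four IPv4 bytes.
        raw = raw[:8] + raw[9:]
    start = net.prefixlen // 8
    return ipaddress.IPv4Address(raw[start:start + 4])


def embed_ipv4(v4, nat64_prefix):
    """Build the IPv6 address that represents IPv4 address v4."""
    net = _prefix(nat64_prefix)
    start = net.prefixlen // 8
    body = net.network_address.packed[:start] + ipaddress.IPv4Address(v4).packed
    if net.prefixlen < 96:
        # Re-insert the zero "u" octet at byte 8.
        body = body[:8] + b"\x00" + body[8:]
    return ipaddress.IPv6Address(body.ljust(16, b"\x00"))


if __name__ == "__main__":
    # Destination built from the page's example: 64:FF9B::/96 + C633:6401.
    print(extract_ipv4("64:ff9b::c633:6401", "64:FF9B::/96"))
    # The same IPv4 server behind a constructed /40 network-specific prefix.
    print(embed_ipv4("198.51.100.1", "2001:db8:100::/40"))
```
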