A single IPv4 address can be used for NAT44 and NAT64; you don’t
reserve a pool of IPv4 addresses for NAT64 only.
NAT64 operates on Layer 3 interfaces, subinterfaces, and tunnel
interfaces. To use NAT64 on a Palo Alto Networks firewall for IPv6-initiated
communication, you must have a third-party DNS64 Server or
a solution in place to separate the DNS query function from the
NAT function. The DNS64 server translates between your IPv6 host
and an IPv4 DNS server by encoding the IPv4 address it receives
from a public DNS server into an IPv6 address for the IPv6 host.
Palo Alto Networks supports the following NAT64 features:
Hairpinning (NAT U-Turn); additionally, NAT64 prevents
hairpinning loop attacks by dropping all incoming IPv6 packets that
have a source prefix of 64::/n.
Translation of TCP/UDP/ICMP packets per RFC 6146 and the firewall makes a
best effort to translate other protocols that don’t use an application-level
gateway (ALG). For example, the firewall can translate a GRE packet.
This translation has the same limitation as NAT44: if you don’t
have an ALG for a protocol that can use a separate control and data
channel, the firewall might not understand the return traffic flow.
Translation between IPv4 and IPv6 of the ICMP length attribute
of the original datagram field, per RFC 4884.