Traditional Workflow (Without NAT)
Prisma SD-WAN


This topic describes the traditional workflow without NAT protocol translation.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • Prisma SD-WAN license

Without NAT protocol translation, communication between IP address families is severely constrained or entirely non-existent:
  • Direct Communication Failure: An IPv6-only device attempting to reach an IPv4-only server simply fails, as the IPv6 packet structure is incomprehensible to the IPv4 network, and vice-versa.
  • Fragmented Network Access: Users or applications are restricted to accessing resources only within their native IP address family, leading to a fragmented and inefficient network experience.
  • Manual Workarounds: Workarounds might include dual-stack deployment on every device (running both IPv4 and IPv6 stacks simultaneously), which is resource-intensive and often not feasible for legacy devices. Alternatively, application-layer proxies can be used, adding significant latency and complexity, and requiring per-application configuration.
  • Costly Infrastructure Overhauls: Organizations are forced into costly and disruptive "big bang" upgrades to move entirely to IPv6, rather than a phased approach. This can involve replacing a significant portion of network infrastructure and applications.
  • Limited Scalability: Managing two entirely separate and uncommunicative networks (IPv4 and IPv6) significantly complicates network management and limits overall scalability.

Benefits of NAT

These features require no explicit configuration. The system automatically determines the appropriate NAT method based on the LAN and WAN interfaces' network stack (IPv4 or IPv6) and applies it, ensuring seamless interoperability and simplifying deployment.
The implementation of NAT for protocol translation delivers significant benefits:
  • Seamless Interoperability: The most crucial benefit is enabling transparent communication between IPv4-only and IPv6-only environments, ensuring all devices can access necessary resources regardless of their IP address family.
  • Facilitated IPv6 Transition: NAT provides a crucial bridge during the lengthy transition period from IPv4 to IPv6. Organizations can gradually deploy IPv6 without needing to immediately upgrade all legacy IPv4 devices or services.
  • Conservation of IPv4 Addresses: NAT64 allows IPv6-native networks to access IPv4 resources without requiring an IPv4 address for every IPv6 host.
  • Network Address Privacy (NAT66): NAT66 offers a layer of privacy for internal IPv6 networks by presenting a limited set of public IPv6 addresses to the external world, similar to IPv4 NAT.
  • Reduced Complexity for End-Users: End-users are largely unaware of the underlying address translation, experiencing a consistent and accessible network environment.
  • Enhanced Network Flexibility: Network architects gain greater flexibility in designing and deploying mixed IP environments, allowing for optimized resource allocation and network segmentation.

Supported Deployments

The system supports the following deployments for traffic flows, addressing different client, operator, and server IP address family (AF) combinations.
LAN to WAN Flows
| Client | Operator AF | Server AF | Behavior |
|---|---|---|---|
| IPv4 Client | IPv4 Operator AF | IPv4 Server AF | Direct communication is supported. |
| IPv4 Client | IPv6 Operator AF | IPv4 Server AF | This is a 464 use case. The ION encodes the IPv4 address using the Well Known Prefix (64:ff9b::/96). The NAT box strips the prefix and forwards the IPv4 packet. |
| IPv4 Client | IPv4 Operator AF | IPv6 Server AF | Transparent to the ION device; the operator is responsible for an IPv4 equivalent address for the IPv6 server. |
| IPv4 Client | IPv6 Operator AF | IPv6 Server AF | The ION employs the Well Known Prefix (64:ff9b::/96) for IPv4 address encoding. The ION converts the IPv4 destination to an IPv6 encoded IP for routing. |
| IPv6 Client | IPv4 Operator AF | IPv4 Server AF | DNS64 is utilized. When the operator provides DNS64, it responds with an IPv6 address containing the 64:ff9b::/96 prefix. The ION strips the prefix and sends the IPv4 packet. |
| IPv6 Client | IPv6 Operator AF | IPv4 Server AF | This scenario is transparent to ION; the operator needs an IPv4-mapped IPv6 address. |
| IPv6 Client | IPv4 Operator AF | IPv6 Server AF | Packets are dropped. |
| IPv6 Client | IPv6 Operator AF | IPv6 Server AF | NAT66 is supported using 6wind. |
| Dual-stack Client | IPv4 Operator AF | IPv4 Server AF | The client uses its IPv4 address for the connection. |
| Dual-stack Client | IPv6 Operator AF | IPv6 Server AF | The client uses its IPv6 address for the connection. |
| IPv4 Client | IPv6 Operator AF | Dual-stack Server AF | The ION uses the Well Known Prefix (64:ff9b::/96) for IPv4 address encoding. The system handles DNS and address mapping to send packets to the dual-stack server. |
| IPv6 Client | IPv4 Operator AF | Dual-stack Server AF | This requires DNS interception and will be supported in releases beyond 6.4.2. The system maps the IPv6 AAAA record to an IPv4 A record for the client. |
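
Added example (not Palo Alto Networks code and not part of the original page): the Well Known Prefix encoding used in the table above places the IPv4 address in the low 32 bits of a 64:ff9b::/96 address, so IPv6-side flow logs and policy can recover the real IPv4 destination and check it. The function names, the `NON_GLOBAL` list (an illustrative subset) and the sample addresses are assumptions constructed for this sketch; RFC 6052 section 3.1 states that the Well-Known Prefix must not represent non-global IPv4 addresses, which is why such destinations are flagged.

```python
import ipaddress

WKP = ipaddress.IPv6Network("64:ff9b::/96")  # Well Known Prefix from the table

# Illustrative subset of non-global IPv4 space (assumption of this example).
# Documentation ranges are left out so the constructed samples behave as public hosts.
NON_GLOBAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_non_global(v4):
    return any(v4 in net for net in NON_GLOBAL)

def embed_ipv4(v4_text):
    """Encode an IPv4 address under the prefix (what the encoding side does)."""
    v4 = ipaddress.IPv4Address(v4_text)
    if is_non_global(v4):
        # RFC 6052 sec. 3.1: the prefix must not carry non-global addresses.
        raise ValueError(f"{v4} is non-global and must not use {WKP}")
    return ipaddress.IPv6Address(int(WKP.network_address) | int(v4))

def extract_ipv4(v6_text):
    """Strip the prefix (what the translator does); None if not under it."""
    v6 = ipaddress.IPv6Address(v6_text)
    if v6 not in WKP:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

def classify(v6_dst, blocked_v4):
    """Label an IPv6 destination from a flow log by its embedded IPv4 address."""
    v4 = extract_ipv4(v6_dst)
    if v4 is None:
        return "native-ipv6"
    if is_non_global(v4):
        return f"invalid-embedded:{v4}"   # would be translated toward internal IPv4 space
    if any(v4 in net for net in blocked_v4):
        return f"blocked:{v4}"            # IPv4 deny list still applies after translation
    return f"translated:{v4}"

if __name__ == "__main__":
    deny = [ipaddress.ip_network("198.51.100.0/24")]  # constructed deny list
    for dst in ("64:ff9b::c000:221", "64:ff9b::c633:6407",
                "64:ff9b::a00:1", "2001:db8::1"):     # constructed log destinations
        print(dst, "->", classify(dst, deny))
```

An IPv4 deny list that is only evaluated on IPv4 traffic never sees these flows on the IPv6 leg, so the decode step belongs wherever policy or detection runs before the translator.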