Technical Tip: How to configure NAT46 to allow IPv4 traffic to reach IPv6-only traffic when central SNAT is enabled
Description
This article describes how to configure NAT46 to allow IPv4 traffic to reach IPv6-only traffic when central SNAT is enabled.
Scope
FortiOS.
Solution

- Enable Central SNAT by navigating to System -> Settings -> System Operation Settings -> Enable Central SNAT.

- Configure a VIP with a different IPv4 network address, map it to the actual IPv6 server address, enable NAT46 on it through the CLI, and then define an IPv6 pool.

CLI:
config firewall vip
    edit "VIP46"
        set uuid 4b66f586-50d5-51f0-48c3-b8970c112b2a
        set extip 10.200.0.100
        set nat44 disable
        set nat46 enable <---
        set extintf "port3"
        set ipv6-mappedip 2abc:abc::ab
    next
end

CLI:
FW1 (Ipv6) # show
config firewall ippool6
    edit "Ipv6"
        set startip 2abc:abc::ac
        set endip 2abc:abc::ad
        set nat46 enable
    next
end

- Configure a Central NAT policy to translate the IPv4 address of 10.200.0.100 to the IPv6 pool address range.

- Configure a firewall policy to allow this NAT46 traffic.

CLI:
FW1 (2) # show
config firewall policy
    edit 2
        set name "NAT46 policy"
        set uuid 30598124-50e3-51f0-27a6-36935583fcac
        set srcintf "port3"
        set dstintf "port4"
        set action accept
        set nat46 enable
        set srcaddr "PC1-ipv4"
        set dstaddr "Dnat_IPv6" <----
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

Note:
In a firewall policy, a VIP object cannot be added as a destination address when Central SNAT is enabled. Hence, it is recommended to use the actual mapped addresses.
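
The following check is an added example, not part of the original article or any Fortinet tooling: it parses pasted `show` output and flags a NAT46 VIP that has no `ipv6-mappedip` and a NAT46 policy whose `dstaddr` names a VIP object, the case the Note above warns about. The function names and the trimmed sample configuration are constructed for illustration, and the parser assumes flat tables without nested `config` blocks.

```python
import shlex

def parse_fortios(text):
    """Parse config/edit/set/next/end lines into {table: {entry: {key: [values]}}}."""
    tables, table, entry = {}, None, None
    for raw in text.splitlines():
        tokens = shlex.split(raw.split("<--")[0])  # drop the article's arrow marks
        word, args = (tokens[0], tokens[1:]) if tokens else ("", [])
        if word == "config":
            table = tables.setdefault(" ".join(args), {})
        elif word == "edit" and table is not None and args:
            entry = table.setdefault(args[0], {})
        elif word == "set" and entry is not None and args:
            entry[args[0]] = args[1:]
        elif word == "next":
            entry = None
        elif word == "end":
            table = entry = None
    return tables  # prompt lines such as "FW1 (2) # show" are ignored

def audit_nat46(text):
    """Return a list of findings for the NAT46 objects in a config snippet."""
    tables, findings = parse_fortios(text), []
    vips = tables.get("firewall vip", {})
    for name, vip in vips.items():
        if vip.get("nat46") == ["enable"] and "ipv6-mappedip" not in vip:
            findings.append(f"vip {name}: nat46 enabled without ipv6-mappedip")
    for pid, pol in tables.get("firewall policy", {}).items():
        hits = [d for d in pol.get("dstaddr", []) if d in vips]
        if pol.get("nat46") == ["enable"] and hits:  # the case in the article's Note
            findings.append(f"policy {pid}: dstaddr {hits[0]} is a VIP object")
    return findings

# Constructed samples: GOOD is a trimmed copy of the article's objects, BAD breaks both rules.
GOOD = """config firewall vip
edit "VIP46"
set nat46 enable <---
set ipv6-mappedip 2abc:abc::ab
next
end
config firewall policy
edit 2
set nat46 enable
set dstaddr "Dnat_IPv6" <----
next
end
"""
BAD = GOOD.replace('"Dnat_IPv6"', '"VIP46"').replace("set ipv6-mappedip 2abc:abc::ab\n", "")
print(audit_nat46(GOOD), audit_nat46(BAD))
```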
Related articles:
Technical Tip: How to Create a NAT64 Firewall Policy for a VIP