FortiGate
pywong
Staff
Description
This article describes how to configure IPv4 to IPv6 translation on the FortiGate. NAT46 is used to translate IPv4 addresses to IPv6 addresses so that a client on an IPv4 network can communicate transparently with a server on an IPv6 network.


Solution
Diagram
IPv4 Client (10.202.1.150/22)
|
|  IPv4 network (10.202.0.0/22)
|
[Port7 - 10.202.1.124/22]
FortiGate
[Port6 - 2001:1:1:2::1/64]
|
|
IPv6 Server (2001:1:1:2::100/64)


Configuration CLI (only relevant parts)

   1. Interfaces

config system interface
    edit "port7"
        set vdom "root"
        set ip 10.202.1.127 255.255.252.0
        set allowaccess ping https ssh
        set type physical
        set snmp-index 7
    next
end

config system interface
    edit "port6"
        set vdom "root"
            config ipv6
                set ip6-allowaccess ping https ssh
                set ip6-address 2001:1:1:2::1/64
            end
    next
end


   2. Enable NAT64 (note that the default prefix for NAT64 is 64:ff9b::/96)

config system nat64
    set status enable
end

   3. Configure VIP46

config firewall vip46
    edit "nat46_jw"
        set extip 10.202.1.100
        set mappedip 2001:1:1:2::100
    next
end

   4. Configure firewall policy46

config firewall policy46
    edit 1
        set srcintf "port7"
        set dstintf "port6"
        set srcaddr "all"
        set dstaddr "nat46_jw"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic enable
    next
end

Verification:

The IPv4 host has network connectivity with the IPv6 server.
C:\Users\fortinet>ping 10.202.1.100

Pinging 10.202.1.100 with 32 bytes of data:
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127

Ping statistics for 10.202.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms


FortiGate log
date=2019-04-04 time=17:56:09 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=10.202.1.150 srcintf="port7" dstip=10.202.1.100 dstintf="port6" poluuid=ca338086-5100-51e9-af5a-f3d62a28968b sessionid=378097 proto=1 action=accept policyid=1 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat tranip=2001:1:1:2::100 tranport=128 transip=64:ff9b::aca:196 transport=62464 service="PING" duration=64 sentbyte=240 rcvdbyte=240 sentpkt=4 rcvdpkt=4 appcat="unscanned"
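
When reviewing these logs, the translated source (transip) is the client's IPv4 address embedded in the low 32 bits of the NAT64 prefix from step 2, so the original client can be recovered from the IPv6 side. The following is an added example, not part of the original article or Fortinet code: it parses the log line above (trimmed to the fields used) and checks that the embedded address matches srcip. The function names are hypothetical and it assumes the default 64:ff9b::/96 prefix.

```python
import ipaddress
import shlex

# Default NAT64 prefix stated in step 2 of the article.
NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")

# Log line from the article, trimmed to the fields used here.
SAMPLE_LOG = (
    'date=2019-04-04 time=17:56:09 type=traffic subtype=forward '
    'srcip=10.202.1.150 srcintf="port7" dstip=10.202.1.100 dstintf="port6" '
    'action=accept policyid=1 trandisp=snat+dnat tranip=2001:1:1:2::100 '
    'transip=64:ff9b::aca:196 service="PING"'
)

def parse_log(line):
    """Split a key=value log line into a dict (surrounding quotes removed)."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def embedded_ipv4(addr, prefix=NAT64_PREFIX):
    """Return the IPv4 address carried in the low 32 bits of a /96 NAT64
    address (RFC 6052 layout), or None if addr is outside the prefix."""
    ip6 = ipaddress.IPv6Address(addr)
    if prefix.prefixlen != 96 or ip6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(ip6) & 0xFFFFFFFF)

def check_nat46(line):
    """Summarise the translation and flag a source address mismatch."""
    f = parse_log(line)
    recovered = embedded_ipv4(f["transip"])
    return {
        "client_v4": f["srcip"],        # original IPv4 source
        "vip": f["dstip"],              # VIP46 extip the client targeted
        "server_v6": f["tranip"],       # mappedip after destination NAT
        "recovered_v4": str(recovered) if recovered else None,
        "consistent": recovered == ipaddress.IPv4Address(f["srcip"]),
    }

if __name__ == "__main__":
    print(check_nat46(SAMPLE_LOG))
```

The same decoding applies to source addresses seen on the IPv6 server: every NAT46 client appears there as 64:ff9b:: plus its IPv4 address in hexadecimal.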

