In a NAT64 setup, it is necessary to map an IPv4 address to an IPv6 address using a specific external IPv6 address range.
This article provides a detailed example using the option 'External IP address/range' and the 'Use Embedded' setting to embed an IPv4 address within an IPv6 address.
Prerequisites:
- A NAT64 gateway/router is configured for IPv6 and IPv4 routing.
- An external IPv6 address range and an IPv4 address for mapping.
Step 1. Define the External IPv6 Address Range:
In this example, the external IPv6 address used is '2001::ac10:101'. It is taken from the external IPv6 range 2001::/64, and its lower 32 bits carry the mapped IPv4 address. The internal server IPv4 address is '172.16.1.1'.
- How to Convert the IPv4 Address to Hexadecimal: The IPv4 address '172.16.1.1' needs to be represented in hexadecimal format:
- '172' in hex is 'AC'.
- '16' in hex is '10'.
- '1' in hex is '01'.
- '1' in hex is '01'.
Thus, the IPv4 address '172.16.1.1' converts to 'AC10:0101' in hexadecimal.
- Use the External IPv6 Range: the external IPv6 address range 2001::/64 will be used. The first 64 bits of the IPv6 address are the fixed prefix (2001::), and the lower 32 bits will be used for the IPv4-embedded address.
- Embed the IPv4 Address into the IPv6 Address: To embed the IPv4 address (172.16.1.1, or AC10:0101 in hexadecimal) into the IPv6 address, append the hexadecimal IPv4 address to the external IPv6 prefix (2001::).
The resulting IPv6 address will be:
2001::AC10:0101
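As an added example (not part of the original article), the following Python code performs the conversion and embedding from Step 1 with the standard `ipaddress` module, and also does the reverse lookup, which is what you need when reading debug output that shows the IPv4 side. The function names are assumptions of this example; the check that the prefix leaves at least 32 host bits is the one that matters, because a longer prefix would overlap the embedded address. It generalizes to any prefix of /96 or shorter, including the well-known NAT64 prefix 64:ff9b::/96.

```python
import ipaddress


def ipv4_to_hex_groups(ipv4: str) -> str:
    """Render an IPv4 address as two 16-bit hex groups, e.g. 172.16.1.1 -> 'AC10:0101'."""
    packed = ipaddress.IPv4Address(ipv4).packed  # validates the dotted quad, 4 bytes
    hexed = packed.hex().upper()                  # 'AC100101'
    return f"{hexed[:4]}:{hexed[4:]}"


def embed_ipv4_in_ipv6(prefix: str, ipv4: str) -> str:
    """Return the IPv6 address inside `prefix` whose lower 32 bits hold `ipv4`.

    `prefix` must be a network with all host bits zero (e.g. '2001::/64'),
    so the OR below cannot collide with prefix bits.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen > 96:
        raise ValueError(
            f"{prefix} leaves only {128 - net.prefixlen} host bits; "
            "at least 32 are needed to embed an IPv4 address"
        )
    v4 = ipaddress.IPv4Address(ipv4)
    addr = ipaddress.IPv6Address(int(net.network_address) | int(v4))
    # Sanity check: the result must still lie inside the external range.
    if addr not in net:
        raise AssertionError("embedded address escaped the prefix")
    return addr.compressed


def extract_ipv4_from_ipv6(ipv6: str) -> str:
    """Recover the IPv4 address carried in the lower 32 bits of an IPv6 address."""
    v6 = ipaddress.IPv6Address(ipv6)
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF))


if __name__ == "__main__":
    # Values from the article: prefix 2001::/64, internal server 172.16.1.1
    print(ipv4_to_hex_groups("172.16.1.1"))               # AC10:0101
    print(embed_ipv4_in_ipv6("2001::/64", "172.16.1.1"))  # 2001::ac10:101
    print(extract_ipv4_from_ipv6("2001::ac10:101"))       # 172.16.1.1
```

Because the `extip` value on the VIP is written in compressed form, compare addresses with `ipaddress` objects rather than as strings when you script checks against a configuration dump: `2001::AC10:0101` and `2001::ac10:101` are the same address.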
Step 2. Configure the VIP object with an Embedded IPv4 Address.
From GUI:
- Go to the Policy & Objects -> VIP configuration section on FortiGate and specify a name (in this example, 'NAT64_VIP').
- Input the external IPv6 address '2001::ac10:101'.
- Select the 'Use Embedded' option under the 'IPV4 address/range' settings.
- Select 'OK' to save the changes.
From CLI:
```
config firewall vip6
    edit "NAT64_VIP"
        set extip 2001::ac10:101
        set nat64 enable
        set embedded-ipv4-address enable
    next
end
```
Step 3. Apply the VIP object and IP-Pool on the NAT64 firewall policy.
From GUI:
- Go to the Policy & Objects -> Firewall Policy section on FortiGate and create a new policy.
- Set the Incoming Interface, Outgoing Interface, Source (an IPv6 address object), Destination (the VIP object NAT64_VIP) and IP Pool (NAT64_Pool).
- Select the NAT option 'NAT64' (unless this option is selected, the NAT64 VIP cannot be added as the destination address).
- Select 'OK' to save the changes.
IP-Pool object: specify any IPv4 address range, as long as it does not overlap with the LAN interface IP address.
From CLI:
```
config firewall policy
    edit 1
        set name "NAT64"
        set srcintf "port3"
        set dstintf "port4"
        set action accept
        set nat64 enable
        set srcaddr6 "all"
        set dstaddr6 "NAT64_VIP"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set ippool enable
        set poolname "NAT64_Pool"
    next
end
```
```
config firewall ippool
    edit "NAT64_Pool"
        set startip 200.200.200.2
        set endip 200.200.200.2
        set nat64 enable
    next
end
```
Verifying the Configuration:
To confirm that the NAT64 configuration is working as expected:
- Ping the IPv4 server from an IPv6 client:
```
ping6 2001::ac10:101
```
or, from the FortiGate CLI:
```
# exe ping6 2001::ac10:101
PING 2001::ac10:101(2001::ac10:101) 56 data bytes
64 bytes from 2001::ac10:101: icmp_seq=1 ttl=254 time=32.2 ms

--- 2001::ac10:101 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 32.244/32.244/32.244/0.000 ms
```
- Check NAT64 debug logs: Verify that traffic is being translated correctly by reviewing NAT64 logs for the IPv4 and IPv6 traffic.
------ IPv6 Traffic Debug Output ------
```
id=65308 trace_id=29 func=resolve_ip6_tuple_fast line=4989 msg="vd-root:0 received a packet(proto=58, 2001::1:16->2001::ac10:101:128) from port3."
id=65308 trace_id=29 func=resolve_ip6_tuple line=5133 msg="allocate a new session-00000037"
id=65308 trace_id=29 func=get_new_addr6 line=1228 msg="find NAT: IP-::, port-0(fixed port)"
id=65308 trace_id=29 func=get_vip64_addr line=1163 msg="find DNAT64: IP-172.16.1.1, port-8(fixed port)"
id=65308 trace_id=29 func=ip6_route_input line=2196 msg="find a route: gw-:: via naf.root err 0 flags 40000001"
id=65308 trace_id=29 func=fw6_forward_handler line=572 msg="Check policy between port3 -> naf.root"
id=65308 trace_id=29 func=get_new_addr64 line=1099 msg="find SNAT64: IP-200.200.200.2(from IPPOOL), port-7326"
id=65308 trace_id=29 func=fw6_forward_handler line=697 msg="Allowed by Policy-1: SNAT"
id=65308 trace_id=29 func=ip6_nat_af_input line=296 msg="nat64 ipv6 received a packet proto=58"
id=65308 trace_id=29 func=init_ip_session_common line=6080 msg="allocate a new session-0000c29a, tun_id=0.0.0.0"
id=65308 trace_id=29 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-0.0.0.0 via port4"
id=65308 trace_id=29 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=29 func=fw_forward_handler line=989 msg="Allowed by Policy-1:"
id=65308 trace_id=29 func=ip_session_confirm_final line=3113 msg="npu_state=0x100, hook=4"
```
------ IPv6 Sniffer Logs ------
```
2024-09-10 03:07:54.330118 port3 in 2001::1 -> 2001::ac10:101: icmp6: echo request seq 1
2024-09-10 03:07:54.330439 naf.root out 2001::1 -> 2001::ac10:101: icmp6: echo request seq 1
2024-09-10 03:07:54.359407 naf.root in 2001::ac10:101 -> 2001::1: icmp6: echo reply seq 1
2024-09-10 03:07:54.359514 port3 out 2001::ac10:101 -> 2001::1: icmp6: echo reply seq 1
```
------ IPv4 Traffic Debug Output ------
```
id=65308 trace_id=1 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 200.200.200.2:20767->172.16.1.1:2048) tun_id=0.0.0.0 from naf.root. type=8, code=0, id=20767, seq=1."
id=65308 trace_id=1 func=init_ip_session_common line=6080 msg="allocate a new session-0000c2b6, tun_id=0.0.0.0"
id=65308 trace_id=1 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-0.0.0.0 via port4"
id=65308 trace_id=1 func=__iprope_tree_check line=535 msg="gnum-100004, use addr/intf hash, len=2"
id=65308 trace_id=1 func=fw_forward_handler line=989 msg="Allowed by Policy-1:"
id=65308 trace_id=1 func=ip_session_confirm_final line=3113 msg="npu_state=0x100, hook=4"
id=65308 trace_id=2 func=print_pkt_detail line=5894 msg="vd-root:0 received a packet(proto=1, 172.16.1.1:20767->200.200.200.2:0) tun_id=0.0.0.0 from port4. type=0, code=0, id=20767, seq=1."
id=65308 trace_id=2 func=resolve_ip_tuple_fast line=5982 msg="Find an existing session, id-0000c2b6, reply direction"
id=65308 trace_id=2 func=__vf_ip_route_input_rcu line=1990 msg="find a route: flag=00000000 gw-0.0.0.0 via naf.root"
id=65308 trace_id=2 func=fw_forward_dirty_handler line=439 msg="state=00000204, state2=00000001, npu_state=00000100"
id=65308 trace_id=2 func=ip4_nat_af_input line=259 msg="nat64 ipv4 received a packet proto=1"
id=65308 trace_id=2 func=ip6_route_input line=2196 msg="find a route: gw-:: via port3 err 0 flags 40000001"
id=65308 trace_id=2 func=npu_handle_session46 line=685 msg="Trying to offloading session from naf.root to port3, skb.npu_flag=00000000 ses.state=00000204 ses.npu_state=0x00000100"
```
------ IPv4 Sniffer Logs ------
```
2024-09-10 03:08:31.549729 naf.root in 200.200.200.2 -> 172.16.1.1: icmp: echo request
2024-09-10 03:08:31.549896 port4 out 200.200.200.2 -> 172.16.1.1: icmp: echo request
2024-09-10 03:08:31.580757 port4 in 172.16.1.1 -> 200.200.200.2: icmp: echo reply
2024-09-10 03:08:31.580874 naf.root out 172.16.1.1 -> 200.200.200.2: icmp: echo reply
```
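As an added example, not part of the original article, the following Python script automates the check the sniffer output above lets you do by eye: for every IPv6 packet sent into the NAT64 interface (naf.root), confirm that an IPv4 packet came back out of naf.root towards the IPv4 address embedded in the IPv6 destination, and that its source was taken from the IP pool. The sample lines are constructed from the sniffer output in this article; the function names, the interface name being hard-coded to naf.root, and the pool network 200.200.200.0/24 are assumptions of this example.

```python
import ipaddress

# Constructed sample input, modelled on the sniffer output shown in this article:
# "<date> <time> <interface> <in|out> <src> -> <dst>: <proto>: <detail>"
SNIFFER_LINES = [
    "2024-09-10 03:07:54.330118 port3 in 2001::1 -> 2001::ac10:101: icmp6: echo request seq 1",
    "2024-09-10 03:07:54.330439 naf.root out 2001::1 -> 2001::ac10:101: icmp6: echo request seq 1",
    "2024-09-10 03:07:54.359407 naf.root in 2001::ac10:101 -> 2001::1: icmp6: echo reply seq 1",
    "2024-09-10 03:08:31.549729 naf.root in 200.200.200.2 -> 172.16.1.1: icmp: echo request",
    "2024-09-10 03:08:31.549896 port4 out 200.200.200.2 -> 172.16.1.1: icmp: echo request",
    "2024-09-10 03:08:31.580757 port4 in 172.16.1.1 -> 200.200.200.2: icmp: echo reply",
]

NAT64_INTERFACE = "naf.root"  # assumption: the NAT64 address-family interface name


def parse_sniffer_line(line):
    """Return (interface, direction, src, dst, proto) for one sniffer line.

    The first ': ' (colon followed by a space) ends the destination address;
    timestamps and IPv6 addresses contain ':' but never ': '.
    """
    head, _, rest = line.partition(": ")
    fields = head.split()
    if len(fields) != 7 or fields[5] != "->":
        raise ValueError(f"unrecognised sniffer line: {line!r}")
    proto = rest.split(":", 1)[0]
    src = ipaddress.ip_address(fields[4])
    dst = ipaddress.ip_address(fields[6])
    return fields[2], fields[3], src, dst, proto


def embedded_ipv4(addr6):
    """IPv4 address carried in the lower 32 bits of an IPv6 address."""
    return ipaddress.IPv4Address(int(addr6) & 0xFFFF_FFFF)


def check_nat64_translation(lines, nat64_prefix, pool):
    """For each IPv6 flow entering the NAT64 interface, verify its IPv4 leg.

    Returns {ipv6_dst: {"embedded_ipv4", "translated", "snat_from_pool"}}.
    """
    net = ipaddress.IPv6Network(nat64_prefix)
    pool_net = ipaddress.ip_network(pool)
    v6_into_nat64 = []   # IPv6 destinations handed to naf.root
    v4_out_of_nat64 = [] # (src, dst) of IPv4 packets emerging from naf.root
    for line in lines:
        intf, direction, src, dst, _proto = parse_sniffer_line(line)
        if intf != NAT64_INTERFACE:
            continue
        if dst.version == 6 and direction == "out" and dst in net:
            v6_into_nat64.append(dst)
        elif dst.version == 4 and direction == "in":
            v4_out_of_nat64.append((src, dst))

    results = {}
    for dst6 in v6_into_nat64:
        dst4 = embedded_ipv4(dst6)
        sources = [s for s, d in v4_out_of_nat64 if d == dst4]
        results[str(dst6)] = {
            "embedded_ipv4": str(dst4),
            "translated": bool(sources),
            "snat_from_pool": bool(sources) and all(s in pool_net for s in sources),
        }
    return results


if __name__ == "__main__":
    for dst6, info in check_nat64_translation(SNIFFER_LINES, "2001::/64", "200.200.200.0/24").items():
        print(dst6, info)
```

A destination that appears with `translated: False` means the IPv6 packet reached naf.root but no IPv4 packet left it, which points at the VIP or the NAT64 policy; `snat_from_pool: False` means translation happened but the source was not taken from the expected IP pool, so check `set ippool enable` and `set poolname` on the policy.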
- Troubleshoot Issues: If the communication is not successful, ensure:
- The NAT64 prefix and mapping settings are correctly configured.
- The NAT64 gateway is properly routing IPv6 and IPv4 traffic.
- Firewall rules are appropriately set to allow NAT64 traffic.
---- IPv6 ----
```
di de flow filter6 clear
di de flow filter6 saddr 2001::1
di de flow show function-name enable
di de flow trace start6 1000
di de en
```
To stop the debug:
```
di de dis
```
Sniffer:
```
di sniffer packet any "host 2001::1" 4 0 l
```
<Press ctrl+c to stop the sniffer>
---- IPv4 ----
```
di de flow filter clear
di de flow filter addr 172.16.1.1
di de flow show function-name enable
di de flow trace start 100
di de en
```
To stop the debug:
```
di de dis
```
Sniffer:
```
di sniffer packet any "host 172.16.1.1" 4 0 l
```
<Press ctrl+c to stop the sniffer>