Description
This article describes how to publish an internal resource that only has an IPv4 address to IPv6 clients: IPv4 is used internally, while external access is over IPv6.
Usually, the external side is IPv4 as well, and a VIP on the FortiGate forwards the inbound traffic to the internal host. This article shows how to achieve the same setup when the external side is IPv6, using NAT64.
Scope
FortiGate on Azure.
Solution
In Azure, the NIC used for the FortiGate's External interface needs two IP configurations, a primary IPv4 and a secondary IPv6, each with a static private address and each associated with a static public IP. When done correctly, the IP configurations blade of the NIC in the Azure portal lists both, each with its public IP.
While assigning an IPv6 public IP to the NIC, it is possible to encounter errors. To avoid them, make sure that both the IPv4 and the IPv6 public IP are Static and use the Standard SKU: Azure does not allow Basic and Standard SKU public IPs to be mixed on the same NIC, and a Standard SKU IPv6 public IP must be static. Note that a public IP must be disassociated from the NIC before its SKU can be upgraded.
Disassociate a public IP:
https://learn.microsoft.com/en-us/azure/virtual-network/ip-services/remove-public-ip-address-vm
Upgrade to a Standard SKU public IP:
If a public IP already exists, disassociate it from the NIC first. Change its assignment from Dynamic to Static if this has not already been done. Then, on the public IP's Overview page, select the 'Upgrade to Standard SKU' link. Microsoft recommends Standard SKU public IP addresses for production workloads. Acknowledge the changes, then associate the public IP with the NIC again.
If everything is set up correctly, the External interface of the FortiGate (port1 in the sample configuration below) now has both an IPv4 and an IPv6 address, and an IPv6 default static route points out through the External interface.
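The interface and route configuration that this step refers to is not shown in the original article. The following is an added example of how it looks on the FortiGate CLI, not configuration taken from the article. It assumes that the External interface is port1 (as in the policies later in this article), that the IPv6 address Azure assigned to the NIC is the address later used as the VIP external IP, 2404:f800:8000:122::5 in a /64 subnet, and that the IPv6 gateway is the first address of that subnet, 2404:f800:8000:122::1, which is how Azure assigns subnet gateways. Replace these with the values shown in the Azure portal for your NIC.

```fortios
# Added example, not from the original article. Addresses are assumptions:
# use the IPv6 address Azure assigned to the NIC and the subnet's first address.
config system interface
    edit "port1"
        config ipv6
            # Azure assigns the address; configure it statically on the FortiGate.
            set ip6-mode static
            set ip6-address 2404:f800:8000:122::5/64
            # Needed for the IPv6 ping test from the Internet (see below);
            # remove ping later if you do not want the interface to answer probes.
            set ip6-allowaccess ping
        end
    next
end

config router static6
    edit 1
        # Default route (::/0 is the default destination for static6).
        set gateway 2404:f800:8000:122::1
        set device "port1"
    next
end
```

Keep IPv6 administrative access on the External interface to the minimum needed: ping is required only while testing reachability with an external ping tool, and HTTPS or SSH management should not be exposed on the public IPv6 address.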
To test the external connection, an online IPv6 ping tool was used against the public IPv6 address. The FortiGate sniffer on the External interface confirms the ICMPv6 echo requests arriving and the replies leaving. Note that the FortiGate only answers if ping is allowed in the IPv6 administrative access of the External interface.
Since the external connection is now working, the next step is to set up the internal connection.
For the internal interface, the NIC in Azure needs a secondary private IPv4 address. This is the address that the NAT64 IP pool below will use as the translated source (172.16.0.70 in the sample configuration); Azure only delivers traffic to addresses it knows are assigned to a NIC, so without this secondary IP the web server's replies to the pool address would never reach the FortiGate.
Once done, return to the FortiGate and configure the IP pool, the VIP, and the policies. Here is a sample configuration.
Virtual IP configuration. Connections from IPv6 clients to [2404:f800:8000:122::5]:10443 are translated to the internal IPv4 web server 172.16.0.69 on port 443:
CLI command:
config firewall vip6
    edit "WebServer-VIP64"
        set extip 2404:f800:8000:122::5
        set portforward enable
        set nat66 disable
        set nat64 enable
        set ipv4-mappedip 172.16.0.69
        set ipv4-mappedport 443
        set extport 10443
    next
end
IP pool configuration. The pool supplies the IPv4 source address the web server sees for translated connections; it must be the secondary private IP assigned to the internal NIC in Azure so that return traffic is delivered to the FortiGate:
CLI command:
config firewall ippool
    edit "NAT64-IP-POOL"
        set startip 172.16.0.70
        set endip 172.16.0.70
        set nat64 enable
    next
end
Outbound policy. This allows the internal IPv4 hosts to reach the Internet, with source NAT to the External interface address:
CLI command:
config firewall policy
    edit 1
        set name "INT-EXT-INTERNET"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
    next
end
Inbound policy. IPv6 clients on the External interface reach the IPv4 web server on the internal interface: the IPv6 destination is the VIP object, nat64 is enabled on the policy, and the IP pool supplies the translated IPv4 source address:
CLI command:
config firewall policy
    edit 2
        set name "NAT64-EXT-INT-WEB"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set nat64 enable
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "WebServer-VIP64"
        set schedule "always"
        set service "HTTP" "HTTPS"
        set logtraffic all
        set ippool enable
        set poolname "NAT64-IP-POOL"
    next
end
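The checks below are added here to verify the setup end to end, covering both the IPv6 ping test described earlier and the NAT64 translation itself; they are not part of the original article. They use the sample interface names and addresses from this article (port1 external, port2 internal, VIP 2404:f800:8000:122::5 port 10443, web server 172.16.0.69 port 443, pool 172.16.0.70). The address 2001:4860:4860::8888 (Google Public DNS) is only a well-known IPv6 target for the reachability test and can be replaced by any reachable IPv6 host.

```fortios
# Added verification commands, not from the original article.
# Interface names and addresses are the sample values from this article.

# 1. Confirm the IPv6 address on port1 and the IPv6 default route.
diagnose ipv6 address list
get router info6 routing-table

# 2. Confirm outbound IPv6 reachability from the FortiGate itself
#    (2001:4860:4860::8888 is Google Public DNS, used only as a test target).
execute ping6 2001:4860:4860::8888

# 3. While the online IPv6 ping tool is running, the echo requests and
#    replies should be visible on port1.
diagnose sniffer packet port1 'icmp6' 4 0 l

# 4. While an IPv6 client connects to [2404:f800:8000:122::5]:10443, watch
#    the untranslated IPv6 leg on port1 ...
diagnose sniffer packet port1 'port 10443' 4 0 l

# 5. ... and the translated IPv4 leg on port2. The destination must be
#    172.16.0.69:443 and the source must be the pool address 172.16.0.70;
#    if the source is anything else, the IP pool is not applied.
diagnose sniffer packet port2 'host 172.16.0.69 and port 443' 4 0 l

# 6. If traffic is seen on port1 but nothing leaves on port2, trace the
#    policy decision for the IPv6 connection.
diagnose debug reset
diagnose debug flow filter6 clear
diagnose debug flow filter6 port 10443
diagnose debug flow show function-name enable
diagnose debug enable
diagnose debug flow trace start6 10
# Reproduce the connection from the IPv6 client, then stop the trace.
diagnose debug disable
diagnose debug reset
```

The sniffer on port2 is the decisive check: seeing the web server addressed from 172.16.0.70 proves both that NAT64 translated the session and that Azure will deliver the server's replies to the FortiGate, since 172.16.0.70 is the secondary private IP of the internal NIC. A flow trace that ends in a "Denied by forward policy check" message points at the inbound policy (interfaces, address objects or service) rather than at the Azure configuration.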
Copyright 2024 Fortinet, Inc. All Rights Reserved.