SRC
New Contributor

How to NAT46 and NAT64 on firewall

Hi All,

   I have an internal server that cannot be set up with an IPv6 address, so I need to translate IPv4 to IPv6 when the internal server initiates communication with the external (IPv6) side, and likewise translate to IPv4 when the external side initiates communication with the internal server.

   However, I have succeeded with NAT64 translation on the firewall when the external (IPv6) side needs to communicate with the internal server, but when I try to set up NAT46, it makes NAT64 stop working for translation.

   Could you please advise me with an example configuration or a solution that would make this work?


==Simple diagram==

InternalServer[IPv4]=====[IPv4]Firewall[ipv6]=====[IPv6]ExternalServer   


Thank you.

emnoc
Esteemed Contributor III

It should be simple, but what have you configured? This is a strange requirement since most of the stuff I've worked with uses NAT64, but the process is like this:

1> You need to define a vip46 with the ext-map-ip address and the mapped inside address (are you using port forwards? or 1-to-1?)


2> then a policy46 to allow the traffic/services

Have you run diag debug flow with the source address of one of the IPv4 hosts that's allowed, to see what happens?

Just remember the inside hosts will be connecting to the IPv4 target, hence the nat46 ;)

PCNSE NSE StrongSwan
SRC
New Contributor

Hi Emnoc,

Regarding your questions,

1> You need to define a vip46 with the ext-map-ip address and the mapped inside address (are you using port forwards? or 1-to-1?): 1-to-1


2> then a policy46 to allow the traffic/services: HTTP and ALL_ICMP6


NAT64 configuration

config system nat64
    set status enable
end

config firewall policy64
    edit 2
        set uuid 4ba445a0-2a1e-51e5-03ad-883f78cfc3db
        set srcintf "External"
        set dstintf "Private"
        set srcaddr "all"
        set dstaddr "2001:C00:XXX:XXX::241==10.100.1.241"
        set action accept
        set schedule "always"
        set service "HTTP" "ALL_ICMP6"
        set logtraffic enable
        set permit-any-host enable
        set fixedport enable
    next
end

config firewall vip64
    edit "2001:C00:xxx:xxx::241==10.100.1.241"
        set uuid 97baf5ee-2972-51e5-7a5a-c872d3ee54fe
        set extip 2001:c00:xxx:xxx::241
        set mappedip 10.100.1.241
    next
end

After configuring NAT64, I tried to debug by checking a ping from external.

2015-07-24 10:36:24 id=20085 trace_id=348 func=resolve_ip6_tuple_fast line=2934 msg="vd-root received a packet(proto=58, 2a02:348:82:cb69::6:8498->2001:c00:xxx:xxx::241:128) from External."
2015-07-24 10:36:24 id=20085 trace_id=348 func=resolve_ip6_tuple line=3025 msg="allocate a new session-00f66e60"
2015-07-24 10:36:24 id=20085 trace_id=348 func=get_new_addr6 line=695 msg="find NAT: IP-64:ff9b::a64:1f1, port-8498"
2015-07-24 10:36:24 id=20085 trace_id=348 func=__ip6_session_run_tuple line=1618 msg="DNAT 2001:c00:xxx:xxx::241:128->64:ff9b::a64:1f1:8498"
2015-07-24 10:36:24 id=20085 trace_id=348 func=fw6_pre_route_handler line=131 msg="VIP-64:ff9b::a64:1f1:8498, outdev-unknown"
2015-07-24 10:36:24 id=20085 trace_id=348 func=vf_ip6_route_input line=533 msg="find a route: gw-64:ff9b::a64:1f1 via root err 0 flags 85000001"
2015-07-24 10:36:24 id=20085 trace_id=348 func=ip6_nat_af_input line=636 msg="nat64 ipv6 received a packet proto=58"
2015-07-24 10:36:24 id=20085 trace_id=348 func=fw6_nat_af_sink_handler line=495 msg="Check nat af policy between External_Public -> Private IP MGT"
2015-07-24 10:36:24 id=20085 trace_id=101525 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=1, 10.100.1.241:8498->10.100.1.1:0) from Private IP MGT. code=0, type=0, id=8498, seq=1."

After that, I tried to configure NAT46:

config firewall vip46
    edit "10.100.1.241==2001:C00:xxx:xxx::241"
        set uuid 8568df22-31b6-51e5-e3e5-c23253ab0769
        set extip 10.100.1.241
        set mappedip 2001:c00:xxx:xxx::241
    next
end

   When IP address 10.100.1.241 is the external-map in NAT46, NAT64 stops working, and when I check the debug log for a ping from external, I find it uses a policy in the direction External->root and is dropped by the implicit deny. (Is this normal? And should we modify policy64 or not?)


2015-07-24 10:51:10 id=20085 trace_id=351 func=resolve_ip6_tuple_fast line=2934 msg="vd-root received a packet(proto=58, 2a02:348:82:cb69::6:820->2001:c00:xxx:xxx::241:128) from External."
2015-07-24 10:51:10 id=20085 trace_id=351 func=resolve_ip6_tuple line=3025 msg="allocate a new session-00f67b3f"
2015-07-24 10:51:10 id=20085 trace_id=351 func=get_new_addr6 line=695 msg="find NAT: IP-64:ff9b::a64:1f1, port-820"
2015-07-24 10:51:10 id=20085 trace_id=351 func=__ip6_session_run_tuple line=1618 msg="DNAT 2001:c00:xxx:xxx241:128->64:ff9b::a64:1f1:820"
2015-07-24 10:51:10 id=20085 trace_id=351 func=fw6_pre_route_handler line=131 msg="VIP-64:ff9b::a64:1f1:820, outdev-unknown"
2015-07-24 10:51:10 id=20085 trace_id=351 func=vf_ip6_route_input line=533 msg="find a route: gw-64:ff9b::a64:1f1 via root err 0 flags 85000001"
2015-07-24 10:51:10 id=20085 trace_id=351 func=ip6_nat_af_input line=636 msg="nat64 ipv6 received a packet proto=58"
2015-07-24 10:51:10 id=20085 trace_id=351 func=fw6_nat_af_sink_handler line=495 msg="Check nat af policy between External -> root"
2015-07-24 10:51:10 id=20085 trace_id=351 func=fw6_nat_af_sink_handler line=524 msg="Denied by nat64 policy(0) drop."


***Please note: if I edit the policy to change the destination interface to Any interface, it still doesn't work, and it affects the HA heartbeat interface, which starts flapping.

><' it looks like a bug


Thank you.
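As an added example (not code from the thread or from Fortinet), the following Python decodes the 64:ff9b:: address that the debug flow output above reports and records which policy pair the NAT64 lookup hit and whether it was denied. The trace lines are constructed from the thread's output, with the redacted 2001:c00:xxx:xxx prefix replaced by the documentation prefix 2001:db8; the vip64 mappedip 10.100.1.241 is taken from the config above.

```python
import ipaddress
import re
from typing import Optional

# Well-known NAT64 prefix (RFC 6052). The FortiGate trace above shows it as
# "find NAT: IP-64:ff9b::a64:1f1": the low 32 bits 0a64:01f1 are 10.100.1.241.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample traces modelled on the thread's output; the redacted
# 2001:c00:xxx:xxx prefix is replaced with the documentation prefix 2001:db8.
TRACE_OK = """\
id=20085 trace_id=348 func=get_new_addr6 line=695 msg="find NAT: IP-64:ff9b::a64:1f1, port-8498"
id=20085 trace_id=348 func=__ip6_session_run_tuple line=1618 msg="DNAT 2001:db8::241:128->64:ff9b::a64:1f1:8498"
id=20085 trace_id=348 func=fw6_nat_af_sink_handler line=495 msg="Check nat af policy between External_Public -> Private IP MGT"
"""
TRACE_DENIED = """\
id=20085 trace_id=351 func=__ip6_session_run_tuple line=1618 msg="DNAT 2001:db8::241:128->64:ff9b::a64:1f1:820"
id=20085 trace_id=351 func=fw6_nat_af_sink_handler line=495 msg="Check nat af policy between External -> root"
id=20085 trace_id=351 func=fw6_nat_af_sink_handler line=524 msg="Denied by nat64 policy(0) drop."
"""

DNAT_RE = re.compile(r'msg="DNAT (\S+)->(\S+)"')
POLICY_RE = re.compile(r'msg="Check nat af policy between (.+?) -> (.+?)"')
DENY_RE = re.compile(r'msg="Denied by nat(64|46) policy')


def embedded_ipv4(addr: str) -> Optional[str]:
    """IPv4 address carried in the low 32 bits of a 64:ff9b::/96 address, else None."""
    a = ipaddress.ip_address(addr)
    if not isinstance(a, ipaddress.IPv6Address) or a not in NAT64_PREFIX:
        return None
    return str(ipaddress.IPv4Address(int(a) & 0xFFFFFFFF))


def analyse_trace(trace: str, expected_mapped_ip: str) -> dict:
    """Decode the DNAT target, compare it with the vip64 mappedip, and report the policy lookup."""
    result = {"dnat_target": None, "embedded_ipv4": None, "matches_mappedip": False,
              "policy_pair": None, "denied_by": None}
    for line in trace.splitlines():
        if m := DNAT_RE.search(line):
            # FortiOS appends the port after a final colon: "64:ff9b::a64:1f1:8498".
            target, _port = m.group(2).rsplit(":", 1)
            result["dnat_target"] = target
            result["embedded_ipv4"] = embedded_ipv4(target)
            result["matches_mappedip"] = result["embedded_ipv4"] == expected_mapped_ip
        elif m := POLICY_RE.search(line):
            result["policy_pair"] = (m.group(1), m.group(2))
        elif m := DENY_RE.search(line):
            result["denied_by"] = "nat" + m.group(1)
    return result
```

In the denied trace the translation itself still resolves to the correct inside host; it is the policy pair (External -> root instead of External -> Private) that changed after the vip46 was added.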

emnoc
Esteemed Contributor III

I tried the same and also found problems. In your debug did you set any filters? I see port 820 and proto 58, so I'm assuming these (the former) are not allowed by the policy? Also, looking at the FTNT KB, they still haven't provided any good examples or even a cookbook.

FWIW, I tested this on a FWF60D with 5.2.3

config firewall vip46
    edit "testing1234567890"
        set uuid 15533b72-316d-51e5-bf74-b3b5f6cae078
        set extip 192.168.25.25
        set mappedip 2001:db8:44::33
    next
    edit "myvip46"
        set uuid 2663140c-3175-51e5-d566-71d6106c3c90
        set extip 10.10.77.199
        set mappedip 2001:db8:99:203::22
    next
end

config firewall policy46
    edit 1
        set permit-any-host enable
        set uuid 1fdef022-316d-51e5-ccc7-bec882532beb
        set srcintf "wifi"
        set dstintf "internal1"
        set srcaddr "myipv4host"
        set dstaddr "testing1234567890"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic enable
    next
end

id=20085 trace_id=8 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=1, 10.10.80.16:22296->192.168.25.25:8) from wifi. code=8, type=0, id=22296, seq=7."
id=20085 trace_id=8 func=init_ip_session_common line=4527 msg="allocate a new session-00003247"
id=20085 trace_id=8 func=fw_pre_route_handler line=174 msg="VIP-192.168.25.25:22296, outdev-wifi"
id=20085 trace_id=8 func=__ip_session_run_tuple line=2537 msg="DNAT 192.168.25.25:8->192.168.25.25:22296"
id=20085 trace_id=8 func=ip4_nat_af_input line=572 msg="nat64 ipv4 received a packet proto=1"
id=20085 trace_id=8 func=fw_nat_af_sink_handler line=894 msg="Denied by nat46 policy check."

id=20085 trace_id=15 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 10.10.80.16:52518->192.168.25.25:22) from wifi. flag , seq 584130130, ack 0, win 65535"
id=20085 trace_id=15 func=init_ip_session_common line=4527 msg="allocate a new session-00003455"
id=20085 trace_id=15 func=fw_pre_route_handler line=174 msg="VIP-192.168.25.25:22, outdev-wifi"
id=20085 trace_id=15 func=__ip_session_run_tuple line=2537 msg="DNAT 192.168.25.25:22->192.168.25.25:22"
id=20085 trace_id=15 func=ip4_nat_af_input line=572 msg="nat64 ipv4 received a packet proto=6"
id=20085 trace_id=15 func=fw_nat_af_sink_handler line=894 msg="Denied by nat46 policy check."

So I'm not sure what's going on with "outdev-wifi"

SRC
New Contributor

Hi emnoc,

  Thank you for the advice, we use the filter commands below:

diagnose debug disable
diagnose debug flow filter clear
diagnose debug flow filter6 clear
diagnose debug flow show console enable
diagnose debug flow show func enable
diagnose debug flow filter6 addr 2001:c00:xxx:xxx::241
diagnose debug flow filter addr 10.100.1.241
diagnose debug flow trace start6 100
diagnose debug flow trace start 100
diagnose debug enable

    Maybe I should open a case with TAC if this issue is related to a bug; I think example configurations for IPv6 translation are rare.

Thank you.

MikePruett
Valued Contributor

        set srcaddr "myipv4host"
        set dstaddr "testing1234567890"

As long as those are placeholders and not what you actually entered :p, and that dest addr isn't a link-local address, it should work fine. I just had a client set theirs up just like this and it worked. (They were initially trying a link-local address.)

Mike Pruett Fortinet GURU | Fortinet Training Videos
youzhi
New Contributor

Can you tell me how you successfully got NAT64 translation working on your firewall, and how you configured your policy64?

nbctcp
New Contributor III

NAT46/64 is in Additional Features?
- Do I need to buy another license instead of Basic Features?
- If yes, what license do I need to buy?

tq

http://goo.gl/lhQjmU
http://nbctcp.wordpress.com
emnoc
Esteemed Contributor III

NAT64/46 is part of FortiOS, you do not need a license for that feature.

Ken Felix
