Hi All,
I have an internal server that cannot set up an IPv6 address, so I need to translate IPv4 to IPv6 when the internal server begins to communicate with the external (IPv6) server and, conversely, translate to IPv4 when the external server begins to communicate with the internal server.
However, I have succeeded in translating with NAT64 on the firewall when the external (IPv6) side needs to communicate with the internal server, but when I try to set up NAT46, it makes NAT64 stop working for translation.
Could you please advise me with an example configuration or a solution that can succeed?
==Simple diagram==
InternalServer[IPv4]=====[IPv4]Firewall[ipv6]=====[IPv6]ExternalServer
Thank you.
It should be simple, but what have you configured? This is a strange requirement since most of the stuff I worked with is using NAT64, but the process is like this:
1> You need to define a vip46 with the ext-map-ip address and the mapped inside address (are you using port forwards? or 1-to-1?)
2> then a policy46 to allow the traffic/services
Have you run diag debug flow with the source address of one of the IPv4 hosts that's allowed, to see what happens?
Just remember the inside hosts will be connecting to the ipv4 target hence the nat46 ;)
PCNSE
NSE
StrongSwan
Hi Emnoc,
Regarding your questions:
1> You need to define a vip46 with the ext-map-ip address and the mapped inside address (are you using port forwards? or 1-to-1?): 1to1
2> then a policy46 to allow the traffic/services: HTTP and ALL_ICMP6
NAT64 configuration:
config system nat64
    set status enable
end

config firewall policy64
    edit 2
        set uuid 4ba445a0-2a1e-51e5-03ad-883f78cfc3db
        set srcintf "External"
        set dstintf "Private"
        set srcaddr "all"
        set dstaddr "2001:C00:XXX:XXX::241==10.100.1.241"
        set action accept
        set schedule "always"
        set service "HTTP" "ALL_ICMP6"
        set logtraffic enable
        set permit-any-host enable
        set fixedport enable
    next
end

config firewall vip64
    edit "2001:C00:xxx:xxx::241==10.100.1.241"
        set uuid 97baf5ee-2972-51e5-7a5a-c872d3ee54fe
        set extip 2001:c00:xxx:xxx::241
        set mappedip 10.100.1.241
    next
end
After configuring NAT64, I tried to debug by checking a ping from external:
2015-07-24 10:36:24 id=20085 trace_id=348 func=resolve_ip6_tuple_fast line=2934 msg="vd-root received a packet(proto=58, 2a02:348:82:cb69::6:8498->2001:c00:xxx:xxx::241:128) from External."
2015-07-24 10:36:24 id=20085 trace_id=348 func=resolve_ip6_tuple line=3025 msg="allocate a new session-00f66e60"
2015-07-24 10:36:24 id=20085 trace_id=348 func=get_new_addr6 line=695 msg="find NAT: IP-64:ff9b::a64:1f1, port-8498"
2015-07-24 10:36:24 id=20085 trace_id=348 func=__ip6_session_run_tuple line=1618 msg="DNAT 2001:c00:xxx:xxx::241:128->64:ff9b::a64:1f1:8498"
2015-07-24 10:36:24 id=20085 trace_id=348 func=fw6_pre_route_handler line=131 msg="VIP-64:ff9b::a64:1f1:8498, outdev-unknown"
2015-07-24 10:36:24 id=20085 trace_id=348 func=vf_ip6_route_input line=533 msg="find a route: gw-64:ff9b::a64:1f1 via root err 0 flags 85000001"
2015-07-24 10:36:24 id=20085 trace_id=348 func=ip6_nat_af_input line=636 msg="nat64 ipv6 received a packet proto=58"
2015-07-24 10:36:24 id=20085 trace_id=348 func=fw6_nat_af_sink_handler line=495 msg="Check nat af policy between External_Public -> Private IP MGT"
2015-07-24 10:36:24 id=20085 trace_id=101525 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=1, 10.100.1.241:8498->10.100.1.1:0) from Private IP MGT. code=0, type=0, id=8498, seq=1."
After that, I tried to configure NAT46:
config firewall vip46
    edit "10.100.1.241==2001:C00:xxx:xxx::241"
        set uuid 8568df22-31b6-51e5-e3e5-c23253ab0769
        set extip 10.100.1.241
        set mappedip 2001:c00:xxx:xxx::241
    next
end
When IP address 10.100.1.241 is the external-map in NAT46, then NAT64 cannot work, and when I look at the debug log of a ping from external, I find it uses a policy in the direction External->root and is dropped by implicit deny. (Is this normal? And should we modify policy64 or not?)
2015-07-24 10:51:10 id=20085 trace_id=351 func=resolve_ip6_tuple_fast line=2934 msg="vd-root received a packet(proto=58, 2a02:348:82:cb69::6:820->2001:c00:xxx:xxx::241:128) from External."
2015-07-24 10:51:10 id=20085 trace_id=351 func=resolve_ip6_tuple line=3025 msg="allocate a new session-00f67b3f"
2015-07-24 10:51:10 id=20085 trace_id=351 func=get_new_addr6 line=695 msg="find NAT: IP-64:ff9b::a64:1f1, port-820"
2015-07-24 10:51:10 id=20085 trace_id=351 func=__ip6_session_run_tuple line=1618 msg="DNAT 2001:c00:xxx:xxx241:128->64:ff9b::a64:1f1:820"
2015-07-24 10:51:10 id=20085 trace_id=351 func=fw6_pre_route_handler line=131 msg="VIP-64:ff9b::a64:1f1:820, outdev-unknown"
2015-07-24 10:51:10 id=20085 trace_id=351 func=vf_ip6_route_input line=533 msg="find a route: gw-64:ff9b::a64:1f1 via root err 0 flags 85000001"
2015-07-24 10:51:10 id=20085 trace_id=351 func=ip6_nat_af_input line=636 msg="nat64 ipv6 received a packet proto=58"
2015-07-24 10:51:10 id=20085 trace_id=351 func=fw6_nat_af_sink_handler line=495 msg="Check nat af policy between External -> root"
2015-07-24 10:51:10 id=20085 trace_id=351 func=fw6_nat_af_sink_handler line=524 msg="Denied by nat64 policy(0) drop."
***Please note: if I edit the policy by changing the destination interface to Any interface, it still doesn't work, and it affects the HA heartbeat interface, which starts flapping.
><' It looks like a bug.
Thank you.
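The "find NAT: IP-64:ff9b::a64:1f1" line in the debug output above is the well-known NAT64 prefix 64:ff9b::/96 (RFC 6052) with the IPv4 address carried in the low 32 bits, so 64:ff9b::a64:1f1 is 10.100.1.241. This added Python helper (not part of the thread or of FortiOS) encodes and decodes such /96-embedded addresses and checks a "find NAT" debug line against the vip64 mappedip; the sample log line is constructed to match the shape of the output above.

```python
import ipaddress
import re

# Well-known NAT64 prefix (RFC 6052), which is what the debug output shows
# the FortiGate using for its 6-to-4 mapping.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def ipv4_to_nat64(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def nat64_to_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Recover the IPv4 address from a /96-embedded NAT64 address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{ipv6} is not inside {prefix}")
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


# Matches the FortiOS 'find NAT: IP-<addr>, port-<n>' debug message.
_FIND_NAT = re.compile(r'msg="find NAT: IP-([0-9a-fA-F:]+), port-(\d+)"')


def check_debug_line(line: str, expected_ipv4: str) -> bool:
    """True if the NAT64 address in a 'find NAT' debug line decodes to the
    IPv4 address the vip64 should map to (here the mappedip 10.100.1.241)."""
    m = _FIND_NAT.search(line)
    if not m:
        return False
    return nat64_to_ipv4(m.group(1)) == expected_ipv4


# Constructed sample line, shaped like the thread's debug output.
SAMPLE_LINE = ('2015-07-24 10:36:24 id=20085 trace_id=348 func=get_new_addr6 '
               'line=695 msg="find NAT: IP-64:ff9b::a64:1f1, port-8498"')

if __name__ == "__main__":
    print(ipv4_to_nat64("10.100.1.241"))                 # 64:ff9b::a64:1f1
    print(nat64_to_ipv4("64:ff9b::a64:1f1"))             # 10.100.1.241
    print(check_debug_line(SAMPLE_LINE, "10.100.1.241"))  # True
```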
I tried the same and also found problems. In your debug, did you set any filters? I see port 820 and proto 58, so I'm assuming these (the former) are not allowed by the policy? Also, looking at the FTNT KB, they still haven't provided any good examples or even a cookbook.
FWIW, I tested this on a FWF60D with 5.2.3:
config firewall vip46
    edit "testing1234567890"
        set uuid 15533b72-316d-51e5-bf74-b3b5f6cae078
        set extip 192.168.25.25
        set mappedip 2001:db8:44::33
    next
    edit "myvip46"
        set uuid 2663140c-3175-51e5-d566-71d6106c3c90
        set extip 10.10.77.199
        set mappedip 2001:db8:99:203::22
    next
end

config firewall policy46
    edit 1
        set permit-any-host enable
        set uuid 1fdef022-316d-51e5-ccc7-bec882532beb
        set srcintf "wifi"
        set dstintf "internal1"
        set srcaddr "myipv4host"
        set dstaddr "testing1234567890"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic enable
    next
end

id=20085 trace_id=8 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=1, 10.10.80.16:22296->192.168.25.25:8) from wifi. code=8, type=0, id=22296, seq=7."
id=20085 trace_id=8 func=init_ip_session_common line=4527 msg="allocate a new session-00003247"
id=20085 trace_id=8 func=fw_pre_route_handler line=174 msg="VIP-192.168.25.25:22296, outdev-wifi"
id=20085 trace_id=8 func=__ip_session_run_tuple line=2537 msg="DNAT 192.168.25.25:8->192.168.25.25:22296"
id=20085 trace_id=8 func=ip4_nat_af_input line=572 msg="nat64 ipv4 received a packet proto=1"
id=20085 trace_id=8 func=fw_nat_af_sink_handler line=894 msg="Denied by nat46 policy check."
id=20085 trace_id=15 func=print_pkt_detail line=4378 msg="vd-root received a packet(proto=6, 10.10.80.16:52518->192.168.25.25:22) from wifi. flag , seq 584130130, ack 0, win 65535"
id=20085 trace_id=15 func=init_ip_session_common line=4527 msg="allocate a new session-00003455"
id=20085 trace_id=15 func=fw_pre_route_handler line=174 msg="VIP-192.168.25.25:22, outdev-wifi"
id=20085 trace_id=15 func=__ip_session_run_tuple line=2537 msg="DNAT 192.168.25.25:22->192.168.25.25:22"
id=20085 trace_id=15 func=ip4_nat_af_input line=572 msg="nat64 ipv4 received a packet proto=6"
id=20085 trace_id=15 func=fw_nat_af_sink_handler line=894 msg="Denied by nat46 policy check."
So I'm not sure what's going on with "outdev-wifi".
PCNSE
NSE
StrongSwan
Hi emnoc,
Thank you for the advice; we use the filter commands below:
diagnose debug disable
diagnose debug flow filter clear
diagnose debug flow filter6 clear
diagnose debug flow show console enable
diagnose debug flow show func enable
diagnose debug flow filter6 addr 2001:c00:xxx:xxx::241
diagnose debug flow filter addr 10.100.1.241
diagnose debug flow trace start6 100
diagnose debug flow trace start 100
diagnose debug enable
Maybe I should open a case with TAC if this issue is related to a bug, and I think example configurations for IPv6 translation are rare.
Thank you.
> set srcaddr "myipv4host" set dstaddr "testing1234567890"
As long as those are placeholders and not what you actually entered :p and that dest addr isn't a link-local address, it should work fine. Just had a client set theirs up just like this and it worked. (They were initially trying a link-local address.)
Mike Pruett
Can you tell me how you succeeded in translating NAT64 on your firewall? How did you configure your policy64?
NAT46/64 is in Additional Features?
- Do I need to buy another license instead of Basic Features?
- If yes, what license do I need to buy?
tq
NAT64/46 is part of FortiOS; you do not need a license for that feature.
Ken Felix
PCNSE
NSE
StrongSwan