tinyadmin
New Contributor III

[resolved] nat46 with FortiOS 5.2.0?

Hello, I want to access one internal IPv6 server by connecting to a public IPv4 address. The plan is that the FortiGate does nat46 by terminating the incoming IPv4 connection and translating the TCP data to an IPv6 connection to the IPv6 server. I configured "policy46" and "vip46" (described in the FortiOS Handbook IPv6 for FortiOS 5.2) but it does not work.

config firewall policy46
    edit 1
        set permit-any-host enable
        set srcintf "wan1"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "nat46test185"
        set action accept
        set schedule "always"
        set service "HTTP" "PING"
        set logtraffic enable
        set fixedport enable
    next
end
config firewall vip46
    edit "nat46test185"
        set extip 192.0.2.185
        set mappedip 2001:db8:f00:b0b::185
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 192.0.2.189 255.255.255.240
        set allowaccess ping
        set type physical
        set external enable
        set snmp-index 3
        set secondary-IP enable
        config ipv6
            set ip6-allowaccess ping ssh
            set ip6-address 2001:db8:f00:2::189/64
        end
        config secondaryip
            edit 1
                set ip 192.0.2.185 255.255.255.255
                set allowaccess ping
            next
        end
    next
end
 
I have no "config system nat46" to set to enable. Does anyone have "config system nat46" on another unit? Does anyone publish a configuration that works? I have public IPv4 and IPv6 addresses and many other IPv6 features are working. Looking forward to receiving the last bit to get a running configuration. Regards tinyadmin

12 REPLIES
emnoc
Esteemed Contributor III

When you say doesn't work, what do you mean? Have you done any diag debug flow commands?

PCNSE NSE StrongSwan
tinyadmin
New Contributor III

My test client with IPv4 (192.0.2.187) is located in the same network as the firewall wan1 interface.

FGT:
# diag debug flow show console enable
# diagnose debug flow filter addr 192.0.2.187 192.0.2.185
# diagnose debug flow trace start 5

Client: telnet 192.0.2.185 80

NO messages on the FGT CLI :-( Any hints? Does "config system nat46" exist on your system?
emnoc
Esteemed Contributor III

I see something that I didn't see before;

end
config firewall vip46
    edit "nat46test185"
        set extip 192.0.2.185 <----HERE
        set mappedip 2001:db8:f00:b0b::185
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 192.0.2.189 255.255.255.240
        set allowaccess ping
        set type physical
        set external enable
        set snmp-index 3
        set secondary-IP enable
        config ipv6
            set ip6-allowaccess ping ssh
            set ip6-address 2001:db8:f00:2::189/64
        end
        config secondaryip
            edit 1
                set ip 192.0.192.185 255.255.255.255 <--HERE
                set allowaccess ping
            next
        end
    next
end

So what are you trying to do? The VIP address should not be a real address of the FGT?

PCNSE NSE StrongSwan
tinyadmin
New Contributor III

Thank you for your response. I added the secondary IP because my nat46 did not work. Now I have removed the secondary IP. Now the client does not get an answer, neither to ping nor to telnet port 80. Maybe this helps us to find the problem in the configuration. Doing a diag sniffer packet during the diag debug flow I see echo requests from my ping and SYN packets received by the FortiGate, but I do not see any flow of the packets. Do you have a system to check if you have a "config system nat46" command?
emnoc
Esteemed Contributor III

No, I'm sorry, I'm on the road and don't have remote access to check for nat46 commands. So with the secondary removed, what do you see in a diag debug?

diag debug reset
diag debug en
diag debug flow filter add 192.0.192.185
diag debug flow show console en
diag debug flow trace start 100

Start with a ping and then an http-get to the VIP address.

fwiw: I don't think you need nat4-2-6 commands on a vip46 configuration iirc. Also one last thing, is the IPv6 host actually up? Regardless, I'm curious as to what the diag debug flow output shows.

PCNSE NSE StrongSwan
tinyadmin
New Contributor III

diag debug reset
diag debug flow filter add 192.0.2.185
diag debug flow filter6 add 2001:db8:f00:b0b::185
diag debug flow show console en
diag debug flow trace start 100
diag debug flow trace start6 100
diag debug enable

! client: telnet 2001:db8:f00:b0b::185 80
id=20085 trace_id=18 msg="vd-root received a packet(proto=6, 2001:db8:f00:2:7520:32c5:b370:c876:50552->2001:db8:f00:b0b::185:80) from wan1."
id=20085 trace_id=18 msg="vd-root received a packet(proto=6, 2001:db8:f00:2:7520:32c5:b370:c876:50552->2001:db8:f00:b0b::185:80) from wan1."
id=20085 trace_id=18 msg="allocate a new session-00003dfd"
id=20085 trace_id=18 msg="find a route: gw-2001:db8:f00:b0b::185 via wan2 err 0 flags 01040001"
id=20085 trace_id=18 msg="Check policy between wan1 -> wan2"
id=20085 trace_id=18 msg="Allowed by Policy-12:"
id=20085 trace_id=19 msg="vd-root received a packet(proto=6, 2001:db8:f00:b0b::185:80->2001:db8:f00:2:7520:32c5:b370:c876:50552) from wan2."
id=20085 trace_id=19 msg="Find an existing session, id-00003dfd, reply direction"
id=20085 trace_id=19 msg="find a route: gw-2001:db8:f00:2:7520:32c5:b370:c876 via wan1 err 0 flags 01040001"
id=20085 trace_id=20 msg="vd-root received a packet(proto=6, 2001:db8:f00:2:7520:32c5:b370:c876:50552->2001:db8:f00:b0b::185:80) from wan1."
id=20085 trace_id=20 msg="Find an existing session, id-00003dfd, original direction"
id=20085 trace_id=20 msg="enter fast path"
[[cut many lines]]
! telnet to ipv6 address works

! client: telnet 192.0.2.185 80
id=20085 trace_id=18 msg="vd-root received a packet(proto=6, 192.0.2.187:50553->192.0.2.185:80) from wan1."
id=20085 trace_id=18 msg="allocate a new session-0004e641"
id=20085 trace_id=18 msg="iprope_in_check() check failed, drop"
id=20085 trace_id=19 msg="vd-root received a packet(proto=6, 192.0.2.187:50553->192.0.2.185:80) from wan1."
id=20085 trace_id=19 msg="allocate a new session-0004e642"
id=20085 trace_id=19 msg="iprope_in_check() check failed, drop"
id=20085 trace_id=20 msg="vd-root received a packet(proto=6, 192.0.2.187:50553->192.0.2.185:80) from wan1."
id=20085 trace_id=20 msg="allocate a new session-0004e644"
id=20085 trace_id=20 msg="iprope_in_check() check failed, drop"
! telnet to nat46 address doesn't work

! client: ping 192.0.2.185
id=20085 trace_id=22 msg="vd-root received a packet(proto=1, 192.0.2.187:1->192.0.2.185:8) from wan1."
id=20085 trace_id=22 msg="allocate a new session-0004e6bf"
id=20085 trace_id=22 msg="iprope_in_check() check failed, drop"
! even IPv4 ping doesn't work

diag deb disable
diag debug reset

Now I try to understand the debug message "iprope_in_check() check failed..."
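A small parser for debug flow output of the kind pasted above, added here as an example and not part of the original thread: it groups lines by trace_id and reports which flows were dropped before any policy match (the iprope_in_check() case). The sample lines are constructed in the format this thread shows; the function and variable names are my own.

```python
import re

# Constructed sample in the FortiOS 5.2 "diag debug flow" format seen in this thread:
# IPv4 attempts to the vip46 address dropped by iprope_in_check(), IPv6 session allowed.
SAMPLE_TRACE = """\
id=20085 trace_id=18 msg="vd-root received a packet(proto=6, 192.0.2.187:50553->192.0.2.185:80) from wan1."
id=20085 trace_id=18 msg="allocate a new session-0004e641"
id=20085 trace_id=18 msg="iprope_in_check() check failed, drop"
id=20085 trace_id=22 msg="vd-root received a packet(proto=1, 192.0.2.187:1->192.0.2.185:8) from wan1."
id=20085 trace_id=22 msg="iprope_in_check() check failed, drop"
id=20085 trace_id=30 msg="vd-root received a packet(proto=6, 2001:db8:f00:2::1:50552->2001:db8:f00:b0b::185:80) from wan1."
id=20085 trace_id=30 msg="Check policy between wan1 -> wan2"
id=20085 trace_id=30 msg="Allowed by Policy-12:"
"""

LINE_RE = re.compile(r'trace_id=(\d+) msg="(.*)"')
PKT_RE = re.compile(r'received a packet\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.')
POLICY_RE = re.compile(r'Allowed by Policy-(\d+)')

def split_endpoint(ep):
    # "addr:port" -> (addr, port); safe for IPv6 because the port (or ICMP
    # type/code field) always follows the last colon.
    addr, _, port = ep.rpartition(":")
    return addr, port

def summarize(trace_text):
    # Group lines by trace_id; keep the packet facts and the verdict the trace reached.
    flows = {}
    for line in trace_text.splitlines():
        m = LINE_RE.search(line.strip())
        if not m:
            continue
        tid, msg = m.groups()
        rec = flows.setdefault(tid, {"verdict": "unknown", "policy": None})
        pkt = PKT_RE.search(msg)
        pol = POLICY_RE.search(msg)
        if pkt:
            rec["proto"], rec["intf"] = pkt.group(1), pkt.group(4)
            rec["src"], rec["dst"] = split_endpoint(pkt.group(2)), split_endpoint(pkt.group(3))
        elif "check failed, drop" in msg:
            rec["verdict"] = "drop"
        elif pol:
            rec["verdict"], rec["policy"] = "allow", pol.group(1)
    return flows

def dropped_flows(trace_text):
    # (src, dst, proto) for each trace the FortiGate dropped; an iprope_in_check()
    # drop with no "Check policy" line means no policy/VIP matched the packet at all.
    return [(r["src"][0], r["dst"][0], r["proto"])
            for r in summarize(trace_text).values() if r["verdict"] == "drop"]
```

Feed it the real `diag debug flow` capture instead of SAMPLE_TRACE to see at a glance whether the IPv4 side of the vip46 is ever reaching a policy lookup.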
emnoc
Esteemed Contributor III

Great diagnostics, that's why you need to troubleshoot with diag debug flow first.

iprope_in_check() check failed...

I think, and am only guessing since I'm away from a FortiGate at this time, but the VIP is not being seen by the FortiGate if I had to guess. What I would see if it's possible in the cfg to set the vip like this?

config firewall vip46
    edit "nat46test185"
        set extip 192.0.2.185
        set extintf "wan1" <----HERE
        set mappedip 2001:db8:f00:b0b::185
    next
end

Define the actual interface for the VIP.

PCNSE NSE StrongSwan
tinyadmin
New Contributor III

It is not possible to use the "set extintf ..." command for a NAT46 virtual IP. But see below, now it works.
storaid
Contributor

Did you enable the "NAT64" function?? This function is required...

config sys nat64
    set status ena
end

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2 FSW224B x1