[resolved] nat46 with FortiOS 5.2.0?

tinyadmin · ‎07-05-2014

Hello, I want to access one internal IPv6 server connecting a public IPv4 address. The plan is the Fortigate does nat46 by terminating the incomming IPv4 connection and translating the TCP-data to a IPv6 connection to the IPv6 server. I configured " policy46" and " vip46" (described in FortiOS Handbook IPv6 for FortiOS 5.2) but it does not work.

config firewall policy46
     edit 1
         set permit-any-host enable
         set srcintf " wan1" 
         set dstintf " wan2" 
         set srcaddr " all" 
         set dstaddr " nat46test185" 
         set action accept
         set schedule " always" 
         set service " HTTP"  " PING" 
         set logtraffic enable
         set fixedport enable
     next
 end
 config firewall vip46
     edit " nat46test185" 
         set extip 192.0.2.185
         set mappedip 2001:db8:f00:b0b::185
     next
 end
 config system interface
     edit " wan1" 
         set vdom " root" 
         set ip 192.0.2.189 255.255.255.240
         set allowaccess ping
         set type physical
         set external enable
         set snmp-index 3
         set secondary-IP enable
             config ipv6
                 set ip6-allowaccess ping ssh
                 set ip6-address 2001:db8:f00:2::189/64
             end
             config secondaryip
                 edit 1
                     set ip 192.0.2.185 255.255.255.255
                     set allowaccess ping
                 next
             end
     next
 end

I have no " config system nat46" to set to enable. Does anyone has the " config system nat46" with another unit? Does anyone publish a configuration that works? I have public IPv4 and IPv6 addresses and many other IPv6 features are working. Looking forward to receive the last bit to get a running configuration. Regards tinyadmin

emnoc · ‎07-05-2014

When you say doesn' t work , what do you mean? Have you done any diag debug flow commands?

PCNSE

NSE

StrongSwan

tinyadmin · ‎07-05-2014

My test-client with ipv4 (192.0.2.187) is located in same network like firewall wan1 interface FGT: # diag debug flow show console enable # diagnose debug flow filter addr 192.0.2.187 192.0.2.185 # diagnose debug flow trace start 5 Client: telnet 192.0.2.185 80 NO messages on FGT CLI :-( any hints? Does on your system exist " config system nat46"

emnoc · ‎07-06-2014

I see something that I didn' t see before; end config firewall vip46 edit " nat46test185" set extip 192.0.2.185 <----HERE set mappedip 2001:db8:f00:b0b::185 next end config system interface edit " wan1" set vdom " root" set ip 192.0.2.189 255.255.255.240 set allowaccess ping set type physical set external enable set snmp-index 3 set secondary-IP enable config ipv6 set ip6-allowaccess ping ssh set ip6-address 2001:db8:f00:2::189/64 end config secondaryip edit 1 set ip 192.0.192.185 255.255.255.255 <--HERE set allowaccess ping next end next end So what are you trying to do. The VIP address should not be a real address of a Fgt?

PCNSE

NSE

StrongSwan

tinyadmin · ‎07-06-2014

Thank you for your response. I added the secondary IP because my nat46 did not work. Now I removed the secondary IP. Now the client did not get an answer neither ping nor telnet port 80

Maybe this helps us to find the problem of configuration. Doing a diag sniffer packet during the diag debug flow I see echo requests from my ping and sync packets received by the fortigate, but I do not see any flow of the packets

Do you have a system to check if you have a config system nat46 command?

emnoc · ‎07-06-2014

No I' m sorry I' m on the road and don' t have remote-access to check for nat46 commands So with the secondary removed, what do you see in a diag debug? diag debug reset diag debug en diag debug flow filter add 192.0.192.185 diag debug flow show console en diag debug flow trace start 100 start with a ping and then a http-get to the VIP address fwiw: I don' t think you need nat4-2-6 commands on a vip46 configuration iirc. Also one last thing, is the ipv6 host actually up? regardless, I' m curious as to what the diag debug flow output show

PCNSE

NSE

StrongSwan

tinyadmin · ‎07-07-2014

diag debug reset diag debug flow filter add 192.0.2.185 diag debug flow filter6 add 2001:db8:f00:b0b::185 diag debug flow show console en diag debug flow trace start 100 diag debug flow trace start6 100 diag debug enable ! client: telnet 2001:db8:f00:b0b::185 80 id=20085 trace_id=18 msg=" vd-root received a packet(proto=6, 2001:db8:f00:2:7520:32c5:b370:c876:50552->2001:db8:f00:b0b::185:80) from wan1." id=20085 trace_id=18 msg=" vd-root received a packet(proto=6, 2001:db8:f00:2:7520:32c5:b370:c876:50552->2001:db8:f00:b0b::185:80) from wan1." id=20085 trace_id=18 msg=" allocate a new session-00003dfd" id=20085 trace_id=18 msg=" find a route: gw-2001:db8:f00:b0b::185 via wan2 err 0 flags 01040001" id=20085 trace_id=18 msg=" Check policy between wan1 -> wan2" id=20085 trace_id=18 msg=" Allowed by Policy-12:" id=20085 trace_id=19 msg=" vd-root received a packet(proto=6, 2001:db8:f00:b0b::185:80->2001:db8:f00:2:7520:32c5:b370:c876:50552) from wan2." id=20085 trace_id=19 msg=" Find an existing session, id-00003dfd, reply direction" id=20085 trace_id=19 msg=" find a route: gw-2001:db8:f00:2:7520:32c5:b370:c876 via wan1 err 0 flags 01040001" id=20085 trace_id=20 msg=" vd-root received a packet(proto=6, 2001:db8:f00:2:7520:32c5:b370:c876:50552->2001:db8:f00:b0b::185:80) from wan1." id=20085 trace_id=20 msg=" Find an existing session, id-00003dfd, original direction" id=20085 trace_id=20 msg=" enter fast path" [[cut many lines]] ! telnet to ipv6 address works ! client: telnet 192.0.2.185 80 id=20085 trace_id=18 msg=" vd-root received a packet(proto=6, 192.0.2.187:50553->192.0.2.185:80) from wan1." id=20085 trace_id=18 msg=" allocate a new session-0004e641" id=20085 trace_id=18 msg=" iprope_in_check() check failed, drop" id=20085 trace_id=19 msg=" vd-root received a packet(proto=6, 192.0.2.187:50553->192.0.2.185:80) from wan1." id=20085 trace_id=19 msg=" allocate a new session-0004e642" id=20085 trace_id=19 msg=" iprope_in_check() check failed, drop" id=20085 trace_id=20 msg=" vd-root received a packet(proto=6, 192.0.2.187:50553->192.0.2.185:80) from wan1." id=20085 trace_id=20 msg=" allocate a new session-0004e644" id=20085 trace_id=20 msg=" iprope_in_check() check failed, drop" ! telnet to nat46 address doesn' t work ! client: ping 192.0.2.185 id=20085 trace_id=22 msg=" vd-root received a packet(proto=1, 192.0.2.187:1->192.0.2.185:8) from wan1." id=20085 trace_id=22 msg=" allocate a new session-0004e6bf" id=20085 trace_id=22 msg=" iprope_in_check() check failed, drop" ! even IPv4 ping doesn' t work diag deb disable diag debug reset Now I try to understand debug message " iprope_in_check() check failed..."

emnoc · ‎07-08-2014

Great diagnostics, that' s why you need to trouble-shoot with diag debug flow first.

iprope_in_check() check failed...

I think and only guessing since I' m away from a fortigate at this time, but the VIP is not being seen by the fortigate if I had to guess. What I would see if it' s possible in the cfg to set the vip like this? config firewall vip46 edit " nat46test185" set extip 192.0.2.185 set extintf " wan1" <----HERE set mappedip 2001:db8:f00:b0b::185 next end Define the actually interface for the VIP.

PCNSE

NSE

StrongSwan

tinyadmin · ‎07-08-2014

It is not possible to use the " set extinf ..." command for NAT46 virtual IP But see below, not it works

storaid · ‎07-08-2014

did you enable " NAT64" function?? this function is required... config sys nat64 set status ena end

FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2

FSW224B x1

[resolved] nat46 with FortiOS 5.2.0?

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website