[resolved] nat46 with FortiOS 5.2.0?
Hello,
I want to access one internal IPv6 server by connecting to a public IPv4 address.
The plan is that the FortiGate does NAT46 by terminating the incoming IPv4 connection and translating the TCP data into an IPv6 connection to the IPv6 server.
I configured "policy46" and "vip46" (described in the FortiOS Handbook, IPv6 for FortiOS 5.2) but it does not work.

config firewall policy46
edit 1
set permit-any-host enable
set srcintf "wan1"
set dstintf "wan2"
set srcaddr "all"
set dstaddr "nat46test185"
set action accept
set schedule "always"
set service "HTTP" "PING"
set logtraffic enable
set fixedport enable
next
end
config firewall vip46
edit "nat46test185"
set extip 192.0.2.185
set mappedip 2001:db8:f00:b0b::185
next
end
config system interface
edit "wan1"
set vdom "root"
set ip 192.0.2.189 255.255.255.240
set allowaccess ping
set type physical
set external enable
set snmp-index 3
set secondary-IP enable
config ipv6
set ip6-allowaccess ping ssh
set ip6-address 2001:db8:f00:2::189/64
end
config secondaryip
edit 1
set ip 192.0.2.185 255.255.255.255
set allowaccess ping
next
end
next
end

I have no "config system nat46" to set to enable. Does anyone have the "config system nat46" on another unit? Does anyone publish a configuration that works? I have public IPv4 and IPv6 addresses, and many other IPv6 features are working. Looking forward to receiving the last bit to get a running configuration.
Regards
tinyadmin
When you say it doesn't work, what do you mean? Have you done any diag debug flow commands?
PCNSE
NSE
StrongSwan
My test client with IPv4 (192.0.2.187) is located in the same network as the firewall wan1 interface.
FGT:
# diag debug flow show console enable
# diagnose debug flow filter addr 192.0.2.187 192.0.2.185
# diagnose debug flow trace start 5
Client:
telnet 192.0.2.185 80
NO messages on the FGT CLI :-(
Any hints?
Does "config system nat46" exist on your system?
I see something that I didn't see before:

config firewall vip46
edit "nat46test185"
set extip 192.0.2.185 <----HERE
set mappedip 2001:db8:f00:b0b::185
next
end
config system interface
edit "wan1"
set vdom "root"
set ip 192.0.2.189 255.255.255.240
set allowaccess ping
set type physical
set external enable
set snmp-index 3
set secondary-IP enable
config ipv6
set ip6-allowaccess ping ssh
set ip6-address 2001:db8:f00:2::189/64
end
config secondaryip
edit 1
set ip 192.0.192.185 255.255.255.255 <--HERE
set allowaccess ping
next
end
next
end

So what are you trying to do? The VIP address should not be a real address of the FGT?
PCNSE
NSE
StrongSwan
Thank you for your response.
I added the secondary IP because my NAT46 did not work. Now I have removed the secondary IP.
Now the client does not get an answer, neither to ping nor to telnet on port 80.
Maybe this helps us to find the problem in the configuration.
Doing a diag sniffer packet during the diag debug flow, I see the echo requests from my ping and the SYN packets received by the FortiGate, but I do not see any flow for the packets.
Do you have a system on which to check whether a "config system nat46" command exists?
No, I'm sorry, I'm on the road and don't have remote access to check for nat46 commands.
So with the secondary removed, what do you see in a diag debug?

diag debug reset
diag debug en
diag debug flow filter add 192.0.192.185
diag debug flow show console en
diag debug flow trace start 100

Start with a ping and then an HTTP GET to the VIP address.
FWIW: I don't think you need nat4-2-6 commands on a vip46 configuration, IIRC.
Also, one last thing: is the IPv6 host actually up? Regardless, I'm curious as to what the diag debug flow output shows.
PCNSE
NSE
StrongSwan
diag debug reset
diag debug flow filter add 192.0.2.185
diag debug flow filter6 add 2001:db8:f00:b0b::185
diag debug flow show console en
diag debug flow trace start 100
diag debug flow trace start6 100
diag debug enable

! client: telnet 2001:db8:f00:b0b::185 80
id=20085 trace_id=18 msg="vd-root received a packet(proto=6, 2001:db8:f00:2:7520:32c5:b370:c876:50552->2001:db8:f00:b0b::185:80) from wan1."
id=20085 trace_id=18 msg="allocate a new session-00003dfd"
id=20085 trace_id=18 msg="find a route: gw-2001:db8:f00:b0b::185 via wan2 err 0 flags 01040001"
id=20085 trace_id=18 msg="Check policy between wan1 -> wan2"
id=20085 trace_id=18 msg="Allowed by Policy-12:"
id=20085 trace_id=19 msg="vd-root received a packet(proto=6, 2001:db8:f00:b0b::185:80->2001:db8:f00:2:7520:32c5:b370:c876:50552) from wan2."
id=20085 trace_id=19 msg="Find an existing session, id-00003dfd, reply direction"
id=20085 trace_id=19 msg="find a route: gw-2001:db8:f00:2:7520:32c5:b370:c876 via wan1 err 0 flags 01040001"
id=20085 trace_id=20 msg="vd-root received a packet(proto=6, 2001:db8:f00:2:7520:32c5:b370:c876:50552->2001:db8:f00:b0b::185:80) from wan1."
id=20085 trace_id=20 msg="Find an existing session, id-00003dfd, original direction"
id=20085 trace_id=20 msg="enter fast path"
[[cut many lines]]
! telnet to the IPv6 address works

! client: telnet 192.0.2.185 80
id=20085 trace_id=18 msg="vd-root received a packet(proto=6, 192.0.2.187:50553->192.0.2.185:80) from wan1."
id=20085 trace_id=18 msg="allocate a new session-0004e641"
id=20085 trace_id=18 msg="iprope_in_check() check failed, drop"
id=20085 trace_id=19 msg="vd-root received a packet(proto=6, 192.0.2.187:50553->192.0.2.185:80) from wan1."
id=20085 trace_id=19 msg="allocate a new session-0004e642"
id=20085 trace_id=19 msg="iprope_in_check() check failed, drop"
id=20085 trace_id=20 msg="vd-root received a packet(proto=6, 192.0.2.187:50553->192.0.2.185:80) from wan1."
id=20085 trace_id=20 msg="allocate a new session-0004e644"
id=20085 trace_id=20 msg="iprope_in_check() check failed, drop"
! telnet to the NAT46 address doesn't work

! client: ping 192.0.2.185
id=20085 trace_id=22 msg="vd-root received a packet(proto=1, 192.0.2.187:1->192.0.2.185:8) from wan1."
id=20085 trace_id=22 msg="allocate a new session-0004e6bf"
id=20085 trace_id=22 msg="iprope_in_check() check failed, drop"
! even the IPv4 ping doesn't work

diag deb disable
diag debug reset

Now I am trying to understand the debug message "iprope_in_check() check failed..."
Great diagnostics; that's why you need to troubleshoot with diag debug flow first.
"iprope_in_check() check failed..." I think, and am only guessing since I'm away from a FortiGate at this time, that the VIP is not being seen by the FortiGate, if I had to guess. What I would check is whether it's possible in the cfg to set the VIP like this:

config firewall vip46
edit "nat46test185"
set extip 192.0.2.185
set extintf "wan1" <----HERE
set mappedip 2001:db8:f00:b0b::185
next
end

Define the actual interface for the VIP.
PCNSE
NSE
StrongSwan
It is not possible to use the "set extintf ..." command for a NAT46 virtual IP.
But see below; now it works.
Did you enable the "NAT64" function?
This function is required:

config sys nat64
set status enable
end
FWF60D x2 FWF60C x3 FGT80C rev.2 FGT200B-POE FAP220B x3 FAP221B x2
FSW224B x1
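For reference, the pieces from this thread assembled into one complete NAT46 setup plus the verification commands the thread used. This is an added example, not a configuration posted by any participant: the addresses, interface names and the VIP object name are the original poster's, the policy ID of 1 and the omission of the optional settings from the poster's policy (permit-any-host, fixedport) are my assumptions, and the thread's last reply is the source for the `config system nat64` step.

```fortios
# Added example assembled from the posts above (not verbatim from any post).
# Addresses, interfaces and the VIP name are the original poster's; the policy
# ID is an assumption.

# 1. The piece the last reply identifies as missing: NAT46/NAT64 translation is
#    switched on globally here. Without it, vip46/policy46 objects exist but the
#    IPv4 SYN to the VIP is dropped with "iprope_in_check() check failed, drop".
config system nat64
    set status enable
end

# 2. The NAT46 virtual IP: external IPv4 address mapped to the internal IPv6 host.
#    As the earlier reply pointed out, 192.0.2.185 must not also be configured as
#    a (secondary) interface address on the FortiGate; the VIP object owns it.
#    "set extintf" is not available on a vip46 object, so it is not set here.
config firewall vip46
    edit "nat46test185"
        set extip 192.0.2.185
        set mappedip 2001:db8:f00:b0b::185
    next
end

# 3. The NAT46 policy: IPv4 in on wan1, IPv6 out on wan2, with the vip46 object
#    as destination. Only the services that were being tested are allowed.
config firewall policy46
    edit 1
        set srcintf "wan1"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "nat46test185"
        set action accept
        set schedule "always"
        set service "HTTP" "PING"
        set logtraffic enable
    next
end

# 4. Verification, following the diag debug flow procedure from the thread.
#    Note "diag debug enable": the poster's first attempt omitted it, which is
#    one reason no flow output appeared on the console at all.
diag debug reset
diag debug flow filter addr 192.0.2.185
diag debug flow filter6 addr 2001:db8:f00:b0b::185
diag debug flow show console enable
diag debug flow trace start 100
diag debug flow trace start6 100
diag debug enable
# ... from the IPv4 test client: ping 192.0.2.185 ; telnet 192.0.2.185 80 ...
# With NAT46 working, the IPv4 packets to the VIP should no longer end in
# "iprope_in_check() check failed, drop"; if they still do, recheck that the
# VIP address is not bound to any interface and that policy46 matches the
# source interface the packets actually arrive on.
diag debug disable
diag debug reset
```

Apply the `config system nat64` step before testing; the vip46 and policy46 objects from the original post were already correct apart from the secondary IP that duplicated the VIP address.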