config firewall policy46
    edit 1
        set permit-any-host enable
        set srcintf "wan1"
        set dstintf "wan2"
        set srcaddr "all"
        set dstaddr "nat46test185"
        set action accept
        set schedule "always"
        set service "HTTP" "PING"
        set logtraffic enable
        set fixedport enable
    next
end
config firewall vip46
    edit "nat46test185"
        set extip 192.0.2.185
        set mappedip 2001:db8:f00:b0b::185
    next
end
config system interface
    edit "wan1"
        set vdom "root"
        set ip 192.0.2.189 255.255.255.240
        set allowaccess ping
        set type physical
        set external enable
        set snmp-index 3
        set secondary-IP enable
        config ipv6
            set ip6-allowaccess ping ssh
            set ip6-address 2001:db8:f00:2::189/64
        end
        config secondaryip
            edit 1
                set ip 192.0.2.185 255.255.255.255
                set allowaccess ping
            next
        end
    next
end
I have no "config system nat46" to set to enable. Does anyone have the "config system nat46" on another unit? Has anyone published a configuration that works? I have public IPv4 and IPv6 addresses and many other IPv6 features are working. Looking forward to receiving the last bit to get a running configuration. Regards tinyadmin
I don't understand why I have to switch on (= enable) nat64 for using nat46, but now it works: the system translates an incoming IPv4 connection to an IPv6 server and (very wonderful!) the IPv4 source address is embedded in the IPv6 source address of the connection. This is the way IPv6-only datacenters can work. Many thanks to emnoc for refreshing my diag debug flow knowledge and to storaid for the still confusing but correct hint. By the way: the FortiGate 5.2.0 Handbook for IPv6 says to enable config system nat46. To complete the post with working debug information I add the following lines:
FortiOS_5.2.0 # diag debug reset
FortiOS_5.2.0 # diag debug flow filter add 192.0.2.185
FortiOS_5.2.0 # diag debug flow filter6 add 2001:db8:f00:b0b::185
FortiOS_5.2.0 # diag debug flow show console enable
show trace messages on console
FortiOS_5.2.0 # diag debug flow trace start 100
FortiOS_5.2.0 # diag debug flow trace start6 100
FortiOS_5.2.0 # diag debug enable
!client with ipv4 address 192.0.2.188: ping -n 1 192.0.2.185
id=20085 trace_id=1 msg="vd-root received a packet(proto=1, 192.0.2.188:1->192.0.2.185:8) from wan1."
id=20085 trace_id=1 msg="allocate a new session-0000555e"
id=20085 trace_id=1 msg="find SNAT: IP-192.0.2.185(from IPPOOL), port-1"
id=20085 trace_id=1 msg="find SNAT46: IP-2001:db8:f00:b0b::185, port-1"
id=20085 trace_id=1 msg="VIP-192.0.2.185:1, outdev-wan1"
id=20085 trace_id=1 msg="DNAT 192.0.2.185:8->192.0.2.185:1"
id=20085 trace_id=1 msg="nat64 ipv4 received a packet proto=1"
id=20085 trace_id=1 msg="find SNAT: IP-192.168.11.254, port-62464"
id=20085 trace_id=1 msg="vd-root received a packet(proto=58, 64:ff9b::c000:02bc:1->2001:db8:f00:b0b::185:128) from wan1."
! IPv6 address ends with embedded IPv4 source address: 192.0.2.188 = c000:02bc HEX (decimal to hex translation)
id=20085 trace_id=1 msg="allocate a new session-00000065"
id=20085 trace_id=1 msg="vd-root received a packet(proto=58, 2001:db8:f00:b0b::185:24576->fe80::209:fff:fe1b:4284:136) from wan2."
id=20085 trace_id=1 msg="vd-root received a packet(proto=58, 2001:db8:f00:b0b::185:24576->fe80::209:fff:fe1b:4284:136) from wan2."
id=20085 trace_id=1 msg="find a route: gw-:: via root err 0 flags 80200001"
id=20085 trace_id=2 msg="vd-root received a packet(proto=58, 2001:db8:f00:b0b::185:1->64:ff9b::c000:02bc:129) from wan2."
id=20085 trace_id=2 msg="Find an existing session, id-00000065, reply direction"
id=20085 trace_id=2 msg="vd-root received a packet(proto=58, 2001:db8:f00:b0b::185:1->64:ff9b::c000:02bc:129) from wan2."
id=20085 trace_id=2 msg="Find an existing session, id-00000065, reply direction"
id=20085 trace_id=2 msg="find a route: gw-64:ff9b::c000:02bc via root err 0 flags 85000001"
id=20085 trace_id=2 msg="nat64 ipv6 received a packet proto=58"
id=20085 trace_id=2 msg="SNAT 192.0.2.185->192.0.2.185:1"
!client with ipv4 address 192.0.2.188: telnet 192.0.2.185 80 (=http port)
id=20085 trace_id=2 msg="vd-root received a packet(proto=6, 192.0.2.188:50580->192.0.2.185:80) from wan1."
id=20085 trace_id=2 msg="allocate a new session-0000556f"
id=20085 trace_id=2 msg="find SNAT: IP-192.0.2.185(from IPPOOL), port-0"
id=20085 trace_id=2 msg="find SNAT46: IP-2001:db8:f00:b0b::185, port-0"
id=20085 trace_id=2 msg="VIP-192.0.2.185:80, outdev-wan1"
id=20085 trace_id=2 msg="DNAT 192.0.2.185:80->192.0.2.185:80"
id=20085 trace_id=2 msg="nat64 ipv4 received a packet proto=6"
id=20085 trace_id=2 msg="find SNAT: IP-192.168.177.254, port-50580"
id=20085 trace_id=2 msg="vd-root received a packet(proto=6, 64:ff9b::c000:02bc:50580->2001:db8:f00:b0b::185:80) from wan1."
! IPv6 address ends with embedded IPv4 source address: 192.0.2.188 = c000:02bc HEX (decimal to hex translation)
id=20085 trace_id=2 msg="allocate a new session-00000066"
id=20085 trace_id=3 msg="vd-root received a packet(proto=6, 2001:db8:f00:b0b::185:80->64:ff9b::c000:02bc:50580) from wan2."
id=20085 trace_id=3 msg="Find an existing session, id-00000066, reply direction"
id=20085 trace_id=3 msg="find a route: gw-64:ff9b::c000:02bc via root err 0 flags 85000001"
id=20085 trace_id=3 msg="nat64 ipv6 received a packet proto=6"
id=20085 trace_id=3 msg="SNAT 192.0.2.185->192.0.2.185:80"
id=20085 trace_id=3 msg="vd-root received a packet(proto=6, 192.0.2.188:50580->192.0.2.185:80) from wan1."
id=20085 trace_id=3 msg="Find an existing session, id-0000556f, original direction"
id=20085 trace_id=3 msg="DNAT 192.0.2.185:80->192.0.2.185:80"
id=20085 trace_id=3 msg="nat64 ipv4 received a packet proto=6"
id=20085 trace_id=3 msg="vd-root received a packet(proto=6, 64:ff9b::c000:02bc:50580->2001:db8:f00:b0b::185:80) from wan1."
id=20085 trace_id=3 msg="Find an existing session, id-00000066, original direction"
id=20085 trace_id=4 msg="vd-root received a packet(proto=58, 2001:db8:f00:b0b::185:16384->fe80::209:fff:fe1b:4284:136) from wan2."
id=20085 trace_id=4 msg="vd-root received a packet(proto=58, 2001:db8:f00:b0b::185:16384->fe80::209:fff:fe1b:4284:136) from wan2."
id=20085 trace_id=4 msg="find a route: gw-:: via root err 0 flags 80200001"
FortiOS_5.2.0 # diag debug flow trace stop
FortiOS_5.2.0 # diag debug flow trace stop6
FortiOS_5.2.0 # diag deb disable
FortiOS_5.2.0 # diag debug reset
FortiOS_5.2.0 #
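The trace shows the NAT46 step rewriting the IPv4 client source (192.0.2.188) into an IPv6 address under the well-known 64:ff9b::/96 prefix of RFC 6052 while keeping the source port unchanged. The Python script below is an example added here, not part of the original post or of FortiOS: it embeds and extracts IPv4 addresses for such a /96 prefix and parses the "received a packet" lines of diag debug flow output so that each translated IPv6 source can be checked against the IPv4 packet it came from. It assumes the /96 prefix and the packet-line format seen in the trace above; the sample trace lines are copied from the telnet-to-port-80 part of that trace.

```python
import ipaddress
import re

# RFC 6052 well-known prefix; the trace shows the FortiGate using it
# (64:ff9b::c000:02bc carries 192.0.2.188 in its low 32 bits).
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def embed_ipv4(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Build the IPv4-embedded IPv6 address for a /96 prefix (RFC 6052 section 2.2)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract_ipv4(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Recover the embedded IPv4 address, or None when the address is outside the prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


# Matches the packet lines of "diag debug flow" output, e.g.
#   ... received a packet(proto=6, 64:ff9b::c000:02bc:50580->2001:db8:f00:b0b::185:80) from wan1.
PACKET_RE = re.compile(r"received a packet\(proto=(\d+), (\S+?)->(\S+?)\) from (\w+)\.")


def parse_trace_line(line):
    """Return the addresses of one packet line, or None for non-packet lines."""
    m = PACKET_RE.search(line)
    if m is None:
        return None
    proto, src, dst, dev = m.groups()
    # The last colon-separated field is the port (ICMP type for proto 1/58).
    src_addr, src_port = src.rsplit(":", 1)
    dst_addr, dst_port = dst.rsplit(":", 1)
    return {
        "proto": int(proto),
        "src": ipaddress.ip_address(src_addr), "sport": int(src_port),
        "dst": ipaddress.ip_address(dst_addr), "dport": int(dst_port),
        "dev": dev,
    }


def verify_nat46_pairs(trace_text, prefix=WELL_KNOWN_PREFIX):
    """Pair each IPv4 packet with the IPv6 packet the NAT46 step produced from it.

    A pair is confirmed only when the IPv6 source embeds the IPv4 source and the
    source port survived untouched, which is what the trace above shows.
    """
    pending = None
    pairs = []
    for line in trace_text.splitlines():
        rec = parse_trace_line(line)
        if rec is None:
            continue
        if rec["src"].version == 4:
            pending = rec
        elif (pending is not None
              and rec["src"] == embed_ipv4(str(pending["src"]), prefix)
              and rec["sport"] == pending["sport"]):
            pairs.append((str(pending["src"]), str(rec["src"]), rec["sport"]))
            pending = None
    return pairs


# Four lines copied from the telnet-to-port-80 part of the trace above.
SAMPLE_TRACE = """\
id=20085 trace_id=2 msg="vd-root received a packet(proto=6, 192.0.2.188:50580->192.0.2.185:80) from wan1."
id=20085 trace_id=2 msg="nat64 ipv4 received a packet proto=6"
id=20085 trace_id=2 msg="vd-root received a packet(proto=6, 64:ff9b::c000:02bc:50580->2001:db8:f00:b0b::185:80) from wan1."
id=20085 trace_id=3 msg="vd-root received a packet(proto=6, 2001:db8:f00:b0b::185:80->64:ff9b::c000:02bc:50580) from wan2."
"""

if __name__ == "__main__":
    for v4, v6, port in verify_nat46_pairs(SAMPLE_TRACE):
        print(f"{v4}:{port} reached the IPv6 server as {v6}:{port}")
    print("server-side source decodes to", extract_ipv4("64:ff9b::c000:02bc"))
```

The practical use is on the IPv6-only server side: its logs only ever show sources like 64:ff9b::c000:2bc, so any allow-list, rate limit or incident timeline built from those logs needs extract_ipv4 to name the real IPv4 client. If the FortiGate is configured with a NAT64 prefix other than the well-known one, pass that prefix as the `prefix` argument.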
"To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to 0.0.0.0." But after "end" I get:
Invalid external ip address.
object set operator error, -651
discard the setting
Command fail. Return code -651
Complete steps:
FWG # config firewall vip46
FWG (vip46) # edit vip46test
new entry 'vip46test' added
FWG (vip46test) # set mappedip 2001:123:456:140::
FWG (vip46test) # set extip 0.0.0.0
FWG (vip46test) # show
config firewall vip46
edit "vip46test"
set mappedip 2001:123:456:140::
next
end
FWG (vip46test) # end
Invalid external ip address.
object set operator error, -651
discard the setting
Command fail. Return code -651
Hello everyone,
as requested I publish an example config here. If you use the FortiGate as DNS server / DNS cache, keep an eye on DNS responses after activating NAT64, because it activates DNS64 as well, and maybe change the always-synthesize-aaaa-record line to enable.
Have fun.
config system nat64
set status enable
set always-synthesize-aaaa-record disable
end
config firewall vip46
edit "virtIPnat46"
set extip 192.0.2.19
set mappedip 2001:db8:cool:cafe::19
next
edit "virtIP_testWWW"
set comment "example with tcp port 80 only"
set extip 192.0.2.20
set mappedip 2001:db8:cool:cafe::80
set portforward enable
set extport 80
set mappedport 80
next
edit "virtIP_testSSHforward"
set comment "forward non-default SSH port to internal system with default-SSH port"
set extip 192.0.2.20
set mappedip 2001:db8:cool:cafe::80
set portforward enable
set extport 2280
set mappedport 22
next
end
config firewall policy46
edit 0
set permit-any-host enable
set srcintf "wan1"
set dstintf "dmz"
set srcaddr "all"
set dstaddr "virtIPnat46"
set action accept
set schedule "always"
set service "HTTPS" "PING"
next
edit 0
set permit-any-host enable
set srcintf "wan1"
set dstintf "dmz"
set srcaddr "all"
set dstaddr "virtIP_testWWW"
set action accept
set schedule "always"
set service "HTTP"
next
edit 0
set permit-any-host enable
set srcintf "wan1"
set dstintf "dmz"
set srcaddr "all"
set dstaddr "virtIP_testSSHforward"
set action accept
set schedule "always"
set service "SSH"
next
end