Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
tinyadmin
New Contributor III

[resolved] nat46 with FortiOS 5.2.0?

Hello, I want to access one internal IPv6 server connecting a public IPv4 address. The plan is the Fortigate does nat46 by terminating the incomming IPv4 connection and translating the TCP-data to a IPv6 connection to the IPv6 server. I configured " policy46" and " vip46" (described in FortiOS Handbook IPv6 for FortiOS 5.2) but it does not work.
config firewall policy46
     edit 1
         set permit-any-host enable
         set srcintf " wan1" 
         set dstintf " wan2" 
         set srcaddr " all" 
         set dstaddr " nat46test185" 
         set action accept
         set schedule " always" 
         set service " HTTP"  " PING" 
         set logtraffic enable
         set fixedport enable
     next
 end
 config firewall vip46
     edit " nat46test185" 
         set extip 192.0.2.185
         set mappedip 2001:db8:f00:b0b::185
     next
 end
 config system interface
     edit " wan1" 
         set vdom " root" 
         set ip 192.0.2.189 255.255.255.240
         set allowaccess ping
         set type physical
         set external enable
         set snmp-index 3
         set secondary-IP enable
             config ipv6
                 set ip6-allowaccess ping ssh
                 set ip6-address 2001:db8:f00:2::189/64
             end
             config secondaryip
                 edit 1
                     set ip 192.0.2.185 255.255.255.255
                     set allowaccess ping
                 next
             end
     next
 end
 
I have no " config system nat46" to set to enable. Does anyone has the " config system nat46" with another unit? Does anyone publish a configuration that works? I have public IPv4 and IPv6 addresses and many other IPv6 features are working. Looking forward to receive the last bit to get a running configuration. Regards tinyadmin
12 REPLIES 12
tinyadmin
New Contributor III

I don' t understand why I have to switch on (= enable) nat64 for using nat46, but now it works: the system translates an incomming IPv4 connection to a IPv6 server and (very wonderful!) the IPv4 source address is embedded in the IPv6 source address of the connection. This is the way IPv6 only datacenters can work. Many thanks to emnoc for refreshing my diag debug flow knowledge and to storaid for the still confusing but correct hint. By the way: the FortiGate 5.2.0 Handbook for IPv6 tells to enable config system nat46. To complete the post with working debug information I add the following lines:


FortiOS_5.2.0 # diag debug reset
FortiOS_5.2.0 # diag debug flow filter add 192.0.2.185
FortiOS_5.2.0 # diag debug flow filter6 add 2001:db8:f00:b0b::185
FortiOS_5.2.0 # diag debug flow show console enable
show trace messages on console
FortiOS_5.2.0 # diag debug flow trace start 100
FortiOS_5.2.0 # diag debug flow trace start6 100
FortiOS_5.2.0 # diag debug enable

!client with ipv4 address 192.0.2.188: ping -n 1 192.0.2.185
id=20085 trace_id=1 msg=" vd-root received a packet(proto=1, 192.0.2.188:1->192.0.2.185:8) from wan1."
id=20085 trace_id=1 msg=" allocate a new session-0000555e"
id=20085 trace_id=1 msg=" find SNAT: IP-192.0.2.185(from IPPOOL), port-1"
id=20085 trace_id=1 msg=" find SNAT46: IP-2001:db8:f00:b0b::185, port-1"
id=20085 trace_id=1 msg=" VIP-192.0.2.185:1, outdev-wan1"
id=20085 trace_id=1 msg=" DNAT 192.0.2.185:8->192.0.2.185:1"
id=20085 trace_id=1 msg=" nat64 ipv4 received a packet proto=1"
id=20085 trace_id=1 msg=" find SNAT: IP-192.168.11.254, port-62464"
id=20085 trace_id=1 msg=" vd-root received a packet(proto=58, 64:ff9b::c000:02bc:1->2001:db8:f00:b0b::185:128) from wan1."
! IPv6 address ends with embedded IPv4 source address: 192.0.2.188 = c000:02bc HEX (dez to hex translation)
id=20085 trace_id=1 msg=" allocate a new session-00000065"
id=20085 trace_id=1 msg=" vd-root received a packet(proto=58, 2001:db8:f00:b0b::185:24576->fe80::209:fff:fe1b:4284:136) from wan2."
id=20085 trace_id=1 msg=" vd-root received a packet(proto=58, 2001:db8:f00:b0b::185:24576->fe80::209:fff:fe1b:4284:136) from wan2."
id=20085 trace_id=1 msg=" find a route: gw-:: via root err 0 flags 80200001"
id=20085 trace_id=2 msg=" vd-root received a packet(proto=58, 2001:db8:f00:b0b::185:1->64:ff9b::c000:02bc:129) from wan2."
id=20085 trace_id=2 msg=" Find an existing session, id-00000065, reply direction"
id=20085 trace_id=2 msg=" vd-root received a packet(proto=58, 2001:db8:f00:b0b::185:1->64:ff9b::c000:02bc:129) from wan2."
id=20085 trace_id=2 msg=" Find an existing session, id-00000065, reply direction"
id=20085 trace_id=2 msg=" find a route: gw-64:ff9b::c000:02bc via root err 0 flags 85000001"
id=20085 trace_id=2 msg=" nat64 ipv6 received a packet proto=58"
id=20085 trace_id=2 msg=" SNAT 192.0.2.185->192.0.2.185:1"

!client with ipv4 address 192.0.2.188: telnet 192.0.2.185 80 (=http port)
id=20085 trace_id=2 msg=" vd-root received a packet(proto=6, 192.0.2.188:50580->192.0.2.185:80) from wan1."
id=20085 trace_id=2 msg=" allocate a new session-0000556f"
id=20085 trace_id=2 msg=" find SNAT: IP-192.0.2.185(from IPPOOL), port-0"
id=20085 trace_id=2 msg=" find SNAT46: IP-2001:db8:f00:b0b::185, port-0"
id=20085 trace_id=2 msg=" VIP-192.0.2.185:80, outdev-wan1"
id=20085 trace_id=2 msg=" DNAT 192.0.2.185:80->192.0.2.185:80"
id=20085 trace_id=2 msg=" nat64 ipv4 received a packet proto=6"
id=20085 trace_id=2 msg=" find SNAT: IP-192.168.177.254, port-50580"
id=20085 trace_id=2 msg=" vd-root received a packet(proto=6, 64:ff9b::c000:02bc:50580->2001:db8:f00:b0b::185:80) from wan1."
! IPv6 address ends with embedded IPv4 source address: 192.0.2.188 = c000:02bc HEX (dez to hex translation)
id=20085 trace_id=2 msg=" allocate a new session-00000066"
id=20085 trace_id=3 msg=" vd-root received a packet(proto=6, 2001:db8:f00:b0b::185:80->64:ff9b::c000:02bc:50580) from wan2."
id=20085 trace_id=3 msg=" Find an existing session, id-00000066, reply direction"
id=20085 trace_id=3 msg=" find a route: gw-64:ff9b::c000:02bc via root err 0 flags 85000001"
id=20085 trace_id=3 msg=" nat64 ipv6 received a packet proto=6"
id=20085 trace_id=3 msg=" SNAT 192.0.2.185->192.0.2.185:80"
id=20085 trace_id=3 msg=" vd-root received a packet(proto=6, 192.0.2.188:50580->192.0.2.185:80) from wan1."
id=20085 trace_id=3 msg=" Find an existing session, id-0000556f, original direction"
id=20085 trace_id=3 msg=" DNAT 192.0.2.185:80->192.0.2.185:80"
id=20085 trace_id=3 msg=" nat64 ipv4 received a packet proto=6"
id=20085 trace_id=3 msg=" vd-root received a packet(proto=6, 64:ff9b::c000:02bc:50580->2001:db8:f00:b0b::185:80) from wan1."
id=20085 trace_id=3 msg=" Find an existing session, id-00000066, original direction"
id=20085 trace_id=4 msg=" vd-root received a packet(proto=58, 2001:db8:f00:b0b::185:16384->fe80::209:fff:fe1b:4284:136) from wan2."
id=20085 trace_id=4 msg=" vd-root received a packet(proto=58, 2001:db8:f00:b0b::185:16384->fe80::209:fff:fe1b:4284:136) from wan2."
id=20085 trace_id=4 msg=" find a route: gw-:: via root err 0 flags 80200001"

FortiOS_5.2.0 # diag debug flow trace stop
FortiOS_5.2.0 # diag debug flow trace stop6
FortiOS_5.2.0 # diag deb disable
FortiOS_5.2.0 # diag debug reset
FortiOS_5.2.0 #

snobs
New Contributor II

It would be great if you could tell us the whole working configuration. Btw, is a kind of " dynamic NAT46" possible? i.e. After a DNS lookup only a AAAA entry is available => The Fortigate translates this dynamically to the IPv4 client? According to http://docs-legacy.fortinet.com/fgt/handbook/cli_html/index.html#page/FortiOS%25205.0%2520CLI/config_firewall.10.66.html
To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to 0.0.0.0." 
But after " end" I get:
Invalid external ip address.
 object set operator error, -651 discard the setting
 Command fail. Return code -651
 
complete steps:
 FWG# config firewall vip46
 
 FWG(vip46) # edit vip46test
 new entry ' vip46test'  added
 
 FWG(vip46test) # set mappedip 2001:123:456:140::
 
 FWG(vip46test) # set extip 0.0.0.0
 
 FWG(vip46test) # show
 config firewall vip46
     edit " vip46test" 
         set mappedip 2001:123:456:140::
     next
 end
 
 FWG(vip46test) # end
 Invalid external ip address.
 object set operator error, -651 discard the setting
 Command fail. Return code -651
 
tinyadmin
New Contributor III

Hello everyone,

 

as requested I publish a example config here. If you use the Fortigate as DNS-Server / DNS-Cache, keep an eye on DNS response after activating NAT64 because it activates DNS64 and maybe change always-synthesize-aaaa-record line to enable.

Have fun.

config system nat64
    set status enable
    set always-synthesize-aaaa-record disable
end
config firewall vip46
    edit "virtIPnat46"
        set extip 192.0.2.19
        set mappedip 2001:db8:cool:cafe::19
    next
    edit "virtIP_testWWW"
        set comment "example with tcp port 80 only"
        set extip 192.0.2.20
        set mappedip 2001:db8:cool:cafe::80
        set portforward enable
        set extport 80
        set mappedport 80
    next
    edit "virtIP_testSSHforward"
        set comment "forward non-default SSH port to internal system with default-SSH port"
        set extip 192.0.2.20
        set mappedip 2001:db8:cool:cafe::80
        set portforward enable
        set extport 2280
        set mappedport 22
    next
end
config firewall policy46
    edit 0
        set permit-any-host enable
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "virtIPnat46"
        set action accept
        set schedule "always"
        set service "HTTPS" "PING"
    next
    edit 0
        set permit-any-host enable
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "virtIP_testWWW"
        set action accept
        set schedule "always"
        set service "HTTP"
    next
    edit 0
        set permit-any-host enable
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "virtIP_testSSHforward"
        set action accept
        set schedule "always"
        set service "SSH"
    next
end
Labels
Top Kudoed Authors