sebas865
Staff
Article Id 271627
Description: This article describes how to resolve a Layer 3 connectivity issue that occurs when NAT64 and DNS64 are configured.
Scope: FortiOS 7.0.11, 7.0.12, 7.2.5 and 7.4.0.
Solution

When NAT64 and DNS64 are configured, the NAT64 firewall policy must use an IP pool.

Firewall policy:

[Image: 1.JPG]

If the external IP range of the IP pool includes the FortiGate WAN interface IP address, it causes a connectivity issue:

[Image: 2.JPG]

The reply is not forwarded back to the source.

Because of this, NAT64 does not work when the WAN interface IP address is used as the external IP range of the IP pool. Use an unused address from the public range instead. For example, if the WAN interface IP address is 192.168.1.3, the IP pool should use another available IP address from that same range, not 192.168.1.3 itself.

[Image: 3.JPG]

[Image: 4.JPG]

With this change, Layer 3 connectivity works:

[Image: 5.JPG]

Output from the FortiGate sniffer CLI command, showing the request and reply being routed properly:

[Image: 6.JPG]

Note: enable arp-reply on the IP pool so the FortiGate answers ARP requests for the pool addresses.

config firewall ippool
    edit "xyz"
        set type overload
        set startip x.x.x.x
        set endip x.x.x.z
        set arp-reply enable    <----- required
    next
end
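As an added example (not from the article or from Fortinet), a small Python script that parses a constructed FortiOS config excerpt and flags the two mistakes this article describes: an IP pool whose external range includes the WAN interface address, and a pool without arp-reply enabled. The interface name wan1, the pool names and the addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample of FortiOS CLI output; not taken from a real device.
SAMPLE_CONFIG = """\
config system interface
    edit "wan1"
        set ip 192.168.1.3 255.255.255.0
    next
end
config firewall ippool
    edit "nat64-bad"
        set type overload
        set startip 192.168.1.3
        set endip 192.168.1.3
        set arp-reply disable
    next
    edit "nat64-good"
        set type overload
        set startip 192.168.1.10
        set endip 192.168.1.20
        set arp-reply enable
    next
end
"""

def parse_blocks(text, section):
    """Return {name: {key: value}} for each 'edit' entry of a config section."""
    m = re.search(r"config %s\n(.*?)\nend" % re.escape(section), text, re.S)
    entries, current = {}, None
    for line in (m.group(1) if m else "").splitlines():
        line = line.strip()
        if line.startswith("edit "):
            current = line[5:].strip('"')
            entries[current] = {}
        elif line.startswith("set ") and current:
            key, _, val = line[4:].partition(" ")
            entries[current][key] = val
    return entries

def check_ippools(text, wan_iface="wan1"):
    """Flag pools whose external range contains the WAN IP or lack arp-reply."""
    iface = parse_blocks(text, "system interface")[wan_iface]
    wan_ip = ipaddress.ip_address(iface["ip"].split()[0])  # drop the netmask
    findings = []
    for name, p in parse_blocks(text, "firewall ippool").items():
        lo, hi = ipaddress.ip_address(p["startip"]), ipaddress.ip_address(p["endip"])
        if lo <= wan_ip <= hi:  # the misconfiguration described in this article
            findings.append((name, "range overlaps %s IP %s" % (wan_iface, wan_ip)))
        if p.get("arp-reply", "enable") != "enable":  # assumed default: enable
            findings.append((name, "arp-reply disabled"))
    return findings
```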