IPv4-initiated communication to an IPv6 server is similar to destination NAT in an IPv4 topology. The destination IPv4 address maps to the destination IPv6 address through a one-to-one, static IP translation (not a many-to-one translation).

The firewall encodes the source IPv4 address into Well-Known Prefix 64:FF9B::/96 as defined in RFC 6052. The translated destination address is the actual IPv6 address. The use case for IPv4-initiated communication is typically when an organization is providing access from the public, untrust zone to an IPv6 server in the organization's DMZ zone. This topology does not use a DNS64 server.
1. Enable IPv6 to operate on the firewall.
   a. Select Device > Setup > Session and edit the Session Settings.
   b. Select Enable IPv6 Firewalling.
   c. Click OK.
2. (Optional) When an IPv4 packet has its DF bit set to zero (and because IPv6 does not fragment packets), ensure the translated IPv6 packet does not exceed the path MTU for the destination IPv6 network.
   a. Select Device > Setup > Session and edit Session Settings.
   b. For NAT64 IPv6 Minimum Network MTU, enter the smallest number of bytes into which the firewall will fragment IPv4 packets for translation to IPv6 (range is 1280-9216, default is 1280). If you don't want the firewall to fragment an IPv4 packet prior to translation, set the MTU to 9216. If the translated IPv6 packet still exceeds this value, the firewall drops the packet and issues an ICMP packet indicating destination unreachable - fragmentation needed.
   c. Click OK.
3. Create an address object for the IPv4 destination address (pre-translation).
   a. Select Objects > Addresses and click Add.
   b. Enter a Name for the object, for example, nat64_ip4server.
   c. For Type, select IP Netmask and enter the IPv4 address of the firewall interface in the Untrust zone. The address must use no netmask or a netmask of /32 only. This example uses 198.51.19.1/32.
   d. Click OK.
4. Create an address object for the IPv6 source address (translated).
   a. Select Objects > Addresses and click Add.
   b. Enter a Name for the object, for example, nat64_ip6source.
   c. For Type, select IP Netmask and enter the NAT64 IPv6 address with a netmask that is compliant with RFC 6052 (/32, /40, /48, /56, /64, or /96). For this example, enter 64:FF9B::/96. (The firewall encodes the prefix with the IPv4 source address 192.1.2.8, which is C001:0208 in hexadecimal.)
   d. Click OK.
5. Create an address object for the IPv6 destination address (translated).
   a. Select Objects > Addresses and click Add.
   b. Enter a Name for the object, for example, nat64_server_2.
   c. For Type, select IP Netmask and enter the IPv6 address of the IPv6 server (destination). The address must use no netmask or a netmask of /128 only. This example uses 2001:DB8::2/128.
   d. Click OK.
6. Create the NAT64 rule.
   a. Select Policies > NAT and click Add.
   b. On the General tab, enter a Name for the NAT64 rule, for example, nat64_ipv4_init.
   c. For NAT Type, select nat64.
7. Specify the original source and destination information.
   a. For the Original Packet, Add the Source Zone, likely an untrust zone.
   b. Select the Destination Zone, likely a trust or DMZ zone.
   c. For Source Address, select Any or Add the address object for the IPv4 host.
   d. For Destination Address, Add the address object for the IPv4 destination, in this example, nat64_ip4server.
   e. For Service, select any.
8. Specify the translated packet information.
   a. For the Translated Packet, in the Source Address Translation, for Translation Type, select Static IP.
   b. For Translated Address, select the source translated address object you created, nat64_ip6source.
   c. For Destination Address Translation, for Translated Address, specify a single IPv6 address (the address object, in this example, nat64_server_2, or the IPv6 address of the server).
   d. Click OK.
9. Create a security policy to allow the NAT traffic from the Untrust zone.
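As an added illustration (not the firewall's own code), the following Python models the translation the rule above performs: the IPv4 source is embedded in an RFC 6052 prefix, and the IPv4 destination is statically mapped to the IPv6 server. It goes beyond the /96 well-known prefix used in this example and handles all six prefix lengths RFC 6052 permits, including the reserved zero "u" octet at bits 64-71. The DESTINATION_MAP dictionary is a constructed stand-in for the one-to-one destination translation configured in the rule.

```python
import ipaddress

# RFC 6052 Section 2.2 permits only these prefix lengths for IPv4-embedded IPv6 addresses.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def embed_ipv4(prefix: ipaddress.IPv6Network, ipv4: ipaddress.IPv4Address) -> ipaddress.IPv6Address:
    """Build the IPv4-embedded IPv6 address for ipv4 under an RFC 6052 prefix."""
    plen = prefix.prefixlen
    if plen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"prefix length /{plen} is not permitted by RFC 6052")
    prefix_bits = format(int(prefix.network_address), "0128b")[:plen]
    v4_bits = format(int(ipv4), "032b")
    if plen == 96:
        body = prefix_bits + v4_bits  # the IPv4 address fills bits 96..127
    else:
        head = 64 - plen  # IPv4 bits that fit before bit 64
        # Bits 64..71 are the reserved "u" octet and must be zero; the rest of the
        # IPv4 address continues at bit 72 and the remaining suffix is zero.
        body = prefix_bits + v4_bits[:head] + "0" * 8 + v4_bits[head:]
    return ipaddress.IPv6Address(int(body.ljust(128, "0"), 2))


def extract_ipv4(prefix: ipaddress.IPv6Network, ipv6: ipaddress.IPv6Address) -> ipaddress.IPv4Address:
    """Recover the IPv4 address embedded in ipv6 (the return direction of the rule)."""
    plen = prefix.prefixlen
    if plen not in RFC6052_PREFIX_LENGTHS or ipv6 not in prefix:
        raise ValueError("address does not belong to an RFC 6052 prefix")
    bits = format(int(ipv6), "0128b")
    if plen == 96:
        v4_bits = bits[96:]
    else:
        if bits[64:72] != "0" * 8:
            raise ValueError("reserved u octet (bits 64..71) must be zero")
        head = 64 - plen
        v4_bits = bits[plen:64] + bits[72:72 + 32 - head]
    return ipaddress.IPv4Address(int(v4_bits, 2))


# Constructed stand-in for the rule's static destination translation:
# pre-translation IPv4 destination 198.51.19.1 -> IPv6 server 2001:DB8::2.
DESTINATION_MAP = {ipaddress.IPv4Address("198.51.19.1"): ipaddress.IPv6Address("2001:db8::2")}


def translate_ipv4_initiated(src4: str, dst4: str) -> tuple:
    """Model the NAT64 rule: embed the source in the well-known prefix, map the destination."""
    src, dst = ipaddress.IPv4Address(src4), ipaddress.IPv4Address(dst4)
    if dst not in DESTINATION_MAP:
        raise LookupError(f"no NAT64 rule matches destination {dst}")
    return str(embed_ipv4(WELL_KNOWN_PREFIX, src)), str(DESTINATION_MAP[dst])
```

Calling translate_ipv4_initiated("192.1.2.8", "198.51.19.1") yields the source 64:ff9b::c001:208 (the C001:0208 encoding noted in step 4) and the destination 2001:db8::2.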