DNS64 Reply Modification

The following figure shows an FTP server and DNS server on the outside IPv4 network. The system has a static translation for the outside server. In this case, when an inside IPv6 user requests the address for ftp.cisco.com from the DNS server, the DNS server responds with the real address, 209.165.200.225.

Because you want inside users to use the mapped address for ftp.cisco.com (2001:DB8::D1A5:C8E1, where D1A5:C8E1 is the IPv6 equivalent of 209.165.200.225), you need to configure DNS reply modification for the static translation. This example also includes a static NAT translation for the DNS server, and a PAT rule for the inside IPv6 hosts.

Before you begin

Ensure that you have interface objects (security zones or interface groups) that contain the interfaces for the device. In this example, we will assume the interface objects are security zones named inside and outside. To configure interface objects, select Objects > Object Management, then select Interface.

Procedure


Step 1

Create the network objects for the FTP server, DNS server, inside network, and PAT pool.

  1. Choose Objects > Object Management.

  2. Select Network from the table of contents and click Add Network > Add Object.

  3. Define the real FTP server address.

    Name the network object (for example, ftp_server) and enter the host address, 209.165.200.225.

  4. Click Save.

  5. Click Add Network > Add Object and define the FTP server's translated IPv6 address.

    Name the network object (for example, ftp_server_v6) and enter the host address, 2001:DB8::D1A5:C8E1.

  6. Click Save.

  7. Click Add Network > Add Object and define the DNS server's real address.

    Name the network object (for example, dns_server) and enter the host address, 209.165.201.15.

  8. Click Save.

  9. Click Add Network > Add Object and define the DNS server's translated IPv6 address.

    Name the network object (for example, dns_server_v6) and enter the host address, 2001:DB8::D1A5:C90F (where D1A5:C90F is the IPv6 equivalent of 209.165.201.15).

  10. Click Save.

  11. Click Add Network > Add Object and define the inside IPv6 network.

    Name the network object (for example, inside_v6) and enter the network address, 2001:DB8::/96.

  12. Click Save.

  13. Click Add Network > Add Object and define the IPv4 PAT pool for the inside IPv6 network.

    Name the network object (for example, ipv4_pool) and enter the range 209.165.200.230-209.165.200.235.

  14. Click Save.

Step 2

Configure the static NAT rule with DNS modification for the FTP server.

  1. Select Devices > NAT and create or edit the threat defense NAT policy.

  2. Click Add Rule.

  3. Configure the following properties:

    • NAT Rule = Auto NAT Rule.

    • Type = Static.

  4. On Interface Objects, configure the following:

    • Source Interface Objects = outside.

    • Destination Interface Objects = inside.

  5. On Translation, configure the following:

    • Original Source = ftp_server network object.

    • Translated Source > Address = ftp_server_v6 network object.

  6. On Advanced, select the following options:

    • Translate DNS replies that match this rule.

    • Net to Net Mapping, because this is a one-to-one NAT46 translation.

  7. Click OK.

Step 3

Configure the static NAT rule for the DNS server.

  1. Click Add Rule.

  2. Configure the following properties:

    • NAT Rule = Auto NAT Rule.

    • Type = Static.

  3. On Interface Objects, configure the following:

    • Source Interface Objects = outside.

    • Destination Interface Objects = inside.

  4. On Translation, configure the following:

    • Original Source = dns_server network object.

    • Translated Source > Address = dns_server_v6 network object.

  5. On Advanced, select Net to Net Mapping, because this is a one-to-one NAT46 translation.

  6. Click OK.

Step 4

Configure the dynamic NAT with a PAT pool rule for the inside IPv6 network.

  1. Click Add Rule.

  2. Configure the following properties:

    • NAT Rule = Auto NAT Rule.

    • Type = Dynamic.

  3. On Interface Objects, configure the following:

    • Source Interface Objects = inside.

    • Destination Interface Objects = outside.

  4. On Translation, configure the following:

    • Original Source = inside_v6 network object.

    • Translated Source > Address = leave this field empty.

  5. On PAT Pool, configure the following:

    • Enable PAT Pool = select this option.

    • Translated Source > Address = ipv4_pool network object.

  6. Click OK.
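The address mapping behind this procedure, shown as an added example that is not part of the Cisco documentation or the threat defense software: it derives the mapped IPv6 addresses from the 2001:DB8::/96 prefix and the real IPv4 hosts, and simulates how a DNS reply is modified for an inside IPv6 client when only the ftp_server rule has DNS reply translation enabled. The reply records are constructed sample data, and the rule table and function names are assumptions for illustration.

```python
import ipaddress

# Constructed from the page's example: the inside IPv6 prefix (2001:DB8::/96).
# A NAT46 mapped address places the 32-bit IPv4 address in the low 32 bits
# of this /96 prefix, which is why D1A5:C8E1 corresponds to 209.165.200.225.
NAT46_PREFIX = ipaddress.IPv6Network("2001:DB8::/96")

def embed_ipv4(prefix: ipaddress.IPv6Network, v4: str) -> str:
    """Build the mapped IPv6 address for an IPv4 host under a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("IPv4 embedding requires a /96 prefix")
    v4_bits = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4_bits))

def extract_ipv4(prefix: ipaddress.IPv6Network, v6: str) -> str:
    """Recover the IPv4 host from a mapped address; reject addresses outside the prefix."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{v6} is not inside {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))

# Only the ftp_server rule has "Translate DNS replies that match this rule"
# enabled in the procedure, so only its real address is eligible for rewrite.
# The dns_server static rule is deliberately absent from this table (assumed
# rule representation: real IPv4 -> mapped IPv6).
DNS_REWRITE_RULES: dict[str, str] = {
    "209.165.200.225": embed_ipv4(NAT46_PREFIX, "209.165.200.225"),
}

def rewrite_dns_reply(answers: list[tuple[str, str, str]],
                      rules: dict[str, str]) -> list[tuple[str, str, str]]:
    """Simulate DNS reply modification toward an inside IPv6 client: an A record
    matching a DNS-modifying static rule becomes an AAAA record with the mapped
    IPv6 address; every other record passes through unchanged."""
    rewritten = []
    for name, rtype, rdata in answers:
        if rtype == "A" and rdata in rules:
            rewritten.append((name, "AAAA", rules[rdata]))
        else:
            rewritten.append((name, rtype, rdata))
    return rewritten

if __name__ == "__main__":
    # Constructed reply as the outside DNS server would send it.
    reply = [("ftp.cisco.com", "A", "209.165.200.225"),
             ("ns.example.test", "A", "209.165.201.15")]
    for record in rewrite_dns_reply(reply, DNS_REWRITE_RULES):
        print(record)
```

The second record is left as an A record because the dns_server rule in Step 3 does not enable DNS reply translation, which is the check to make when a host behind a static rule still resolves to its real IPv4 address.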