NAT64/46 Example: Inside IPv6 Network with Outside IPv4 Internet and DNS Translation
Following is a typical example where you have an inside IPv6-only network, but there are some IPv4-only services on the outside Internet that internal users need.
In this example, you translate the inside IPv6 network to IPv4 using dynamic interface PAT with the IP address of the outside interface. Outside IPv4 addresses are statically translated to addresses on the 2001:db8::/96 network, so that outside IPv4 hosts are reachable from the inside IPv6 network. You enable DNS rewrite on the NAT46 rule, so that replies from the external DNS server can be converted from A (IPv4) to AAAA (IPv6) records, with the addresses in those records converted from IPv4 to their IPv6 equivalents on the 2001:db8::/96 network. The two rules work as a pair: the NAT64 PAT rule handles the inside-originated source address, and the NAT46 static rule handles the outside destination address and the DNS answer.
Following is a typical sequence for a web request where a client at 2001:DB8::100 on the internal IPv6 network tries to open www.example.com.
- The client's computer sends a DNS request to the DNS server at 2001:DB8::D1A5:CA81. The NAT rules make the following translations to the source and destination in the DNS request:
  - 2001:DB8::100 to a unique port on 209.165.201.1 (the NAT64 interface PAT rule).
  - 2001:DB8::D1A5:CA81 to 209.165.202.129 (the NAT46 rule; D1A5:CA81 is the hexadecimal form of 209.165.202.129, carried in the low 32 bits of the 2001:db8::/96 prefix).
- The DNS server responds with an A record indicating that www.example.com is at 209.165.200.225. The NAT46 rule, with DNS rewrite enabled, converts the A record to the equivalent AAAA record, translating 209.165.200.225 to 2001:db8::D1A5:C8E1 in the AAAA record. In addition, the source and destination addresses in the DNS response are untranslated on the return path:
  - 209.165.202.129 to 2001:DB8::D1A5:CA81
  - 209.165.201.1 (the unique PAT port) to 2001:DB8::100
- The IPv6 client now has the IP address of the web server, and makes an HTTP request to www.example.com at 2001:db8::D1A5:C8E1 (D1A5:C8E1 is the hexadecimal form of 209.165.200.225). The source and destination of the HTTP request are translated:
  - 2001:DB8::100 to a unique port on 209.165.201.1 (the NAT64 interface PAT rule).
  - 2001:db8::D1A5:C8E1 to 209.165.200.225 (the NAT46 rule).
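The following is an added example, not code from the Cisco page or from the product, that replays the sequence above: it computes the /96 address embedding the NAT46 rule performs (209.165.202.129 to 2001:db8::d1a5:ca81 and back), rewrites a DNS A record into the synthesized AAAA record, and models the interface PAT so the reply path can be untranslated. The addresses are the ones in the example; the client port numbers, the sequential PAT port allocation starting at 1024, and the constructed DNS answer are assumptions made for illustration.

```python
# Added example, not from the Cisco page: the address arithmetic behind the
# NAT46 /96 mapping and DNS rewrite described above, with a minimal model of
# the interface PAT. Addresses are taken from the page; port numbers and the
# PAT allocation policy are assumptions made for illustration.
import ipaddress

NAT46_PREFIX = ipaddress.IPv6Network("2001:db8::/96")    # page: mapped IPv4 range
OUTSIDE_IF_V4 = ipaddress.IPv4Address("209.165.201.1")   # page: outside interface


def v4_to_v6(v4, prefix=NAT46_PREFIX):
    """NAT46: place an IPv4 address in the low 32 bits of a /96 IPv6 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this mapping assumes a /96 prefix")
    host = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | host))


def v6_to_v4(v6, prefix=NAT46_PREFIX):
    """NAT64 direction: recover the IPv4 address from a mapped IPv6 address.
    Refuse addresses outside the prefix rather than silently mistranslating."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not in NAT46 prefix {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def rewrite_dns_answer(rr, prefix=NAT46_PREFIX):
    """DNS rewrite on the NAT46 rule: an A record becomes the AAAA record the
    IPv6 client can use; any other record type passes through unchanged."""
    if rr["type"] != "A":
        return dict(rr)
    return {"name": rr["name"], "type": "AAAA", "data": v4_to_v6(rr["data"], prefix)}


class InterfacePat:
    """Dynamic interface PAT: every inside (address, port) gets its own port on
    the outside interface; replies are matched on that port and untranslated."""

    def __init__(self, outside_ip=OUTSIDE_IF_V4, first_port=1024):
        self.outside_ip = str(outside_ip)
        self.next_port = first_port      # assumption: sequential allocation
        self.entries = {}                # (inside_v6, inside_port) -> outside_port

    def outbound(self, src_v6, src_port, dst_v6):
        """Inside -> outside: PAT the source, NAT46 the destination."""
        key = (str(ipaddress.IPv6Address(src_v6)), src_port)
        if key not in self.entries:
            self.entries[key] = self.next_port
            self.next_port += 1
        return self.outside_ip, self.entries[key], v6_to_v4(dst_v6)

    def inbound(self, src_v4, dst_port):
        """Outside -> inside: untranslate a reply to the inside client."""
        for (v6, port), mapped in self.entries.items():
            if mapped == dst_port:
                return v4_to_v6(src_v4), v6, port
        raise LookupError(f"no PAT entry for outside port {dst_port}")


def walk_through():
    """Replay the DNS lookup and HTTP request from the page; returns the
    IPv6 address the client ends up connecting to."""
    pat = InterfacePat()
    # DNS request: client 2001:db8::100 -> DNS server 2001:db8::d1a5:ca81
    print("DNS query ->", pat.outbound("2001:DB8::100", 53000, "2001:DB8::D1A5:CA81"))
    # DNS reply: constructed A record, as the external server would send it
    reply = {"name": "www.example.com", "type": "A", "data": "209.165.200.225"}
    aaaa = rewrite_dns_answer(reply)
    print("DNS reply ->", pat.inbound("209.165.202.129", 1024), aaaa)
    # HTTP request to the synthesized AAAA address
    print("HTTP      ->", pat.outbound("2001:DB8::100", 53001, aaaa["data"]))
    return aaaa["data"]


if __name__ == "__main__":
    walk_through()
```

Two points worth checking in a real deployment follow from this model. First, `v6_to_v4` refuses any destination that is not inside the /96, which is the behaviour you want from the NAT46 rule: an inside host that sends to an IPv6 address outside the mapped range must not be silently mapped to an unrelated IPv4 host. Second, the AAAA record is synthesized by the firewall, so it carries no DNSSEC signature; a client that validates DNSSEC itself will reject the rewritten answer, which means DNS rewrite assumes the inside clients trust the firewall's resolver path rather than validating on their own.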
The following procedure explains how to configure this example.
Before you begin
Ensure that you have interface objects (security zones or interface groups) that contain the interfaces for the device. In this example, we will assume the interface objects are security zones named inside and outside. To configure interface objects, select , then select Interface.
Procedure
Step 1. Create the network objects that define the inside IPv6 and outside IPv4 networks.
Step 2. Configure the NAT64 dynamic PAT rule for the inside IPv6 network.
Step 3. Configure the static NAT46 rule for the outside IPv4 network.