NAT64/46 Example: Inside IPv6 Network with Outside IPv4 Internet and DNS Translation

Following is a typical example where you have an inside IPv6-only network, but there are some IPv4-only services on the outside Internet that internal users need.


NAT64 network diagram.

In this example, you translate the inside IPv6 network to IPv4 using dynamic interface PAT with the IP address of the outside interface. Outside IPv4 traffic is statically translated to addresses on the 2001:db8::/96 network, allowing transmission on the inside network. You enable DNS rewrite on the NAT46 rule, so that replies from the external DNS server can be converted from A (IPv4) to AAAA (IPv6) records, and the addresses converted from IPv4 to IPv6.

Following is a typical sequence for a web request where a client at 2001:DB8::100 on the internal IPv6 network tries to open www.example.com.

  1. The client’s computer sends a DNS request to the DNS server at 2001:DB8::D1A5:CA81. The NAT rules make the following translations to the source and destination in the DNS request:

    • 2001:DB8::100 to a unique port on 209.165.201.1 (The NAT64 interface PAT rule.)

    • 2001:DB8::D1A5:CA81 to 209.165.202.129 (The NAT46 rule. D1A5:CA81 is the IPv6 equivalent of 209.165.202.129.)

  2. The DNS server responds with an A record indicating that www.example.com is at 209.165.200.225. The NAT46 rule, with DNS rewrite enabled, converts the A record to the IPv6-equivalent AAAA record, and translates 209.165.200.225 to 2001:db8::D1A5:C8E1 in the AAAA record. In addition, the source and destination addresses in the DNS response are untranslated:

    • 209.165.202.129 to 2001:DB8::D1A5:CA81

    • 209.165.201.1 to 2001:db8::100

  3. The IPv6 client now has the IP address of the web server, and makes an HTTP request to www.example.com at 2001:db8::D1A5:C8E1. (D1A5:C8E1 is the IPv6 equivalent of 209.165.200.225.) The source and destination of the HTTP request are translated:

    • 2001:DB8::100 to a unique port on 209.156.101.54 (The NAT64 interface PAT rule.)

    • 2001:db8::D1A5:C8E1 to 209.165.200.225 (The NAT46 rule.)

The following procedure explains how to configure this example.

Before you begin

Ensure that you have interface objects (security zones or interface groups) that contain the interfaces for the device. In this example, we will assume the interface objects are security zones named inside and outside. To configure interface objects, select Objects > Object Management, then select Interface.

Procedure


Step 1

Create the network objects that define the inside IPv6 and outside IPv4 networks.

  1. Choose Objects > Object Management.

  2. Select Network from the table of contents and click Add Network > Add Object.

  3. Define the inside IPv6 network.

    Name the network object (for example, inside_v6) and enter the network address, 2001:db8::/96.

  4. Click Save.

  5. Click Add Network > Add Object and define the outside IPv4 network.

    Name the network object (for example, outside_v4_any) and enter the network address 0.0.0.0/0.

  6. Click Save.

Step 2

Configure the NAT64 dynamic PAT rule for the inside IPv6 network.

Step 3

Configure the static NAT46 rule for the outside IPv4 network.

  1. Click Add Rule.

  2. Configure the following properties:

    • NAT Rule = Auto NAT Rule.

    • Type = Static.

  3. On Interface Objects, configure the following:

    • Source Interface Objects = outside.

    • Destination Interface Objects = inside.

  4. On Translation, configure the following:

    • Original Source = outside_v4_any network object.

    • Translated Source > Address = inside_v6 network object.

  5. On Advanced, select Translate DNS replies that match this rule.

  6. Click OK.

    With this rule, any IPv4 address on the outside network coming to the inside interface is translated to an address on the 2001:db8::/96 network using the embedded IPv4 address method. In addition, DNS responses are converted from A (IPv4) to AAAA (IPv6) records, and the addresses converted from IPv4 to IPv6.
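The embedded IPv4 address method this NAT46 rule relies on, together with the NAT64 interface PAT and the A-to-AAAA DNS rewrite from the web-request sequence at the top of the page, worked through in Python as an added example. This is not Cisco's code and does not reproduce the device's implementation; the translator classes, the port-allocation scheme starting at 1024, and the sample DNS answer are assumptions made for the illustration. It uses only the addresses given in the example (2001:db8::/96, 209.165.201.1, 209.165.202.129, 209.165.200.225).

```python
"""Worked example: NAT46 embedded-address mapping, NAT64 interface PAT, and DNS rewrite."""
import ipaddress

# Values taken from the page's example topology.
NAT46_PREFIX = ipaddress.IPv6Network("2001:db8::/96")     # the inside_v6 network object
OUTSIDE_IF_ADDR = ipaddress.IPv4Address("209.165.201.1")  # outside interface address used for PAT
INSIDE_CLIENT = ipaddress.IPv6Address("2001:db8::100")
DNS_SERVER_V4 = ipaddress.IPv4Address("209.165.202.129")
WEB_SERVER_V4 = ipaddress.IPv4Address("209.165.200.225")


def embed_ipv4(ipv4):
    """NAT46 static rule: put the 32-bit IPv4 address in the low 32 bits of the /96 prefix.
    209.165.202.129 is 0xD1 0xA5 0xCA 0x81, so it becomes 2001:db8::d1a5:ca81."""
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(NAT46_PREFIX.network_address) | int(v4))


def extract_ipv4(ipv6):
    """Reverse of embed_ipv4; refuses addresses that are not inside the NAT46 prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in NAT46_PREFIX:
        raise ValueError(f"{v6} is not in the NAT46 prefix {NAT46_PREFIX}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


class Nat64Pat:
    """Dynamic interface PAT (assumed model): every inside (IPv6 address, port) pair is
    bound to a unique port on the outside interface address; the binding is reused
    for later packets of the same flow and looked up in reverse for replies."""

    def __init__(self, outside_addr, first_port=1024):
        self.outside_addr = ipaddress.IPv4Address(outside_addr)
        self.next_port = first_port          # assumption: sequential allocation
        self.bindings = {}                   # (inside_v6, inside_port) -> outside port

    def translate(self, inside_v6, inside_port):
        key = (ipaddress.IPv6Address(inside_v6), inside_port)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        return self.outside_addr, self.bindings[key]

    def untranslate(self, outside_port):
        for (inside_v6, inside_port), pat_port in self.bindings.items():
            if pat_port == outside_port:
                return inside_v6, inside_port
        raise KeyError(f"no PAT binding for outside port {outside_port}")


def rewrite_dns_answer(answer):
    """DNS rewrite on the NAT46 rule: an A record becomes an AAAA record carrying the
    embedded IPv6 address; any other record type passes through unchanged."""
    if answer["type"] != "A":
        return dict(answer)
    return {"name": answer["name"], "type": "AAAA", "data": str(embed_ipv4(answer["data"]))}


def simulate_web_request():
    """Run the page's three-step sequence and return every translation as a string."""
    pat = Nat64Pat(OUTSIDE_IF_ADDR)
    dns_server_v6 = embed_ipv4(DNS_SERVER_V4)   # address the client is configured to use

    # Step 1: DNS query from the client, inside -> outside.
    q_src = pat.translate(INSIDE_CLIENT, 50000)  # NAT64 interface PAT
    q_dst = extract_ipv4(dns_server_v6)          # NAT46 static rule

    # Step 2: DNS response (constructed sample A record), outside -> inside.
    response = {"name": "www.example.com", "type": "A", "data": str(WEB_SERVER_V4)}
    rewritten = rewrite_dns_answer(response)
    r_src = embed_ipv4(DNS_SERVER_V4)            # 209.165.202.129 -> 2001:db8::d1a5:ca81
    r_dst = pat.untranslate(q_src[1])[0]         # PAT port -> 2001:db8::100

    # Step 3: HTTP request to the AAAA address, inside -> outside.
    h_src = pat.translate(INSIDE_CLIENT, 50001)
    h_dst = extract_ipv4(rewritten["data"])

    return {
        "dns_query_src": f"{q_src[0]}:{q_src[1]}",
        "dns_query_dst": str(q_dst),
        "aaaa_record": rewritten["data"],
        "dns_reply_src": str(r_src),
        "dns_reply_dst": str(r_dst),
        "http_src": f"{h_src[0]}:{h_src[1]}",
        "http_dst": str(h_dst),
    }


if __name__ == "__main__":
    for step, value in simulate_web_request().items():
        print(f"{step:14} {value}")
```

Running the block prints each translation of the sequence; the check in extract_ipv4 is the one to keep in mind when reading the NAT46 rule, since an inside destination that does not fall within 2001:db8::/96 has no IPv4 equivalent and will not match the rule.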