NAT46 policy

NAT46 refers to the mechanism that allows IPv4 addressed hosts to communicate with IPv6 hosts. Without such a mechanism, IPv4 environments cannot connect to IPv6 networks.

Sample topology

In this example, an IPv4 client tries to connect to an IPv6 server. A VIP is configured on the FortiGate to map the server's IPv6 address 2000:172:16:200::55 to the IPv4 address 10.1.100.55. On the other side, an IPv6 IP pool is configured, and the source address of packets from the client is changed to an address from the defined IPv6 pool. In this setup, the client PC can reach the server by using the IP address 10.1.100.55.

Sample configuration

To enable display for IPv6 and NAT46/NAT64 using the GUI:

  1. Go to System > Feature Visibility.
  2. In the Basic Features section, enable IPv6.
  3. In the Additional Features section, enable NAT46 & NAT64.
  4. Click Apply.

To enable display for IPv6 and NAT46/NAT64 using the CLI:

config system global
    set gui-ipv6 enable
end
config system settings
    set gui-nat46-64 enable
end

To configure VIP46 using the GUI:

  1. Go to Policy & Object > Virtual IPs.
  2. Click Create New.
  3. For Name, enter vip46_server.
  4. For External IP Address/Range, enter 10.1.100.55-10.1.100.55.
  5. For Mapped IP Address/Range, enter 2000:172:16:200::55.
  6. Click OK.

To configure VIP46 using the CLI:

config firewall vip46
    edit "vip46_server"
        set extip 10.1.100.55
        set mappedip 2000:172:16:200::55
    next
end

To configure IPv6 IP pool using the GUI:

  1. Go to Policy & Object > IP Pools.
  2. Click Create New.
  3. For Name, enter client_external.
  4. For External IP Range, enter 2000:172:16:201::11-2000:172:16:201::20.
  5. Click OK.

To configure IPv6 IP pool using the CLI:

config firewall ippool6
    edit "client_external"
        set startip 2000:172:16:201::11
        set endip 2000:172:16:201::20
    next
end

To enable NAT64 and configure the address prefix using the CLI:

config system nat64
    set status enable
    set secondary-prefix-status enable
    config secondary-prefix
        edit "1"
            set nat64-prefix 2000:172:16:201::/96
        next
    end
end

To create NAT46 policy using the GUI:

  1. Go to Policy & Object > NAT46 Policy.
  2. Click Create New.
  3. For Incoming Interface, select port10.
  4. For Outgoing Interface, select port9.
  5. For Source Address, select all.
  6. For Destination Address, select vip46_server.
  7. Set IP Pool Configuration to Use Dynamic IP Pool and select the IP pool client_external.
  8. Click OK.

To create NAT46 policy using the CLI:

config firewall policy46
    edit 1
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "all"
        set dstaddr "vip46_server"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "client_external"
    next
end

Sample troubleshooting

Example of tracing the flow to see the whole process:

# dia de flow filter saddr 10.1.100.11
# dia de flow show function-name enable
  (show function name)
# dia de flow show iprope enable
  (show trace messages about iprope)
# dia de flow trace start 5

id=20085 trace_id=1 func=print_pkt_detail line=5401 msg="vd-root:0 received a packet(proto=1, 10.1.100.11:27592->10.1.100.55:2048) from port10. type=8, code=0, id=27592, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5561 msg="allocate a new session-000003b9"
id=20085 trace_id=1 func=iprope_dnat_check line=4948 msg="in-[port10], out-[]"
id=20085 trace_id=1 func=iprope_dnat_tree_check line=822 msg="len=1"
id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4822 msg="checking gnum-100000 policy-1"
id=20085 trace_id=1 func=get_vip46_addr line=998 msg="find DNAT46: IP-2000:172:16:200::55, port-27592"
id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4904 msg="matched policy-1, actt=accept, vip=1, flag=100, sflag=2000000"
id=20085 trace_id=1 func=iprope_dnat_check line=4961 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=1 func=fw_pre_route_handler line=183 msg="VIP-10.1.100.55:27592, outdevunkown"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3220 msg="DNAT 10.1.100.55:8->10.1.100.55:27592"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2594 msg="find a route: flag=80000000 gw-10.1.100.55 via root"
id=20085 trace_id=1 func=ip4_nat_af_input line=601 msg="nat64 ipv4 received a packet proto=1"
id=20085 trace_id=1 func=__iprope_check line=2112 msg="gnum-100012, check-ffffffffa0024ebe"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1873 msg="checked gnum-100012 policy-1, ret-matched, act-accept"
id=20085 trace_id=1 func=__iprope_user_identity_check line=1677 msg="ret-matched"
id=20085 trace_id=1 func=get_new_addr46 line=1047 msg="find SNAT46: IP-2000:172:16:201::13(from IPPOOL), port-27592"
id=20085 trace_id=1 func=__iprope_check_one_policy line=2083 msg="policy-1 is matched, actaccept"
id=20085 trace_id=1 func=__iprope_check line=2131 msg="gnum-100012 check result: ret-matched, act-accept, flag-08050500, flag2-00200000"
id=20085 trace_id=1 func=iprope_policy_group_check line=4358 msg="after check: ret-matched, act-accept, flag-08050500, flag2-00200000"
id=20085 trace_id=1 func=resolve_ip6_tuple line=4389 msg="allocate a new session-00000081"
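As an added check (example code written for this page, not part of the original guide or FortiOS), the script below parses the decisive lines of the trace above against the VIP46 and ippool6 values from the sample configuration and reports any translation that does not match them. The three trace lines embedded as input are copied from the page; the regexes and the expected-state constants are assumptions of this example.

```python
import ipaddress
import re

# Expected state, taken from the page's sample configuration (VIP46 and ippool6).
VIP46_EXTIP = ipaddress.IPv4Address("10.1.100.55")
VIP46_MAPPEDIP = ipaddress.IPv6Address("2000:172:16:200::55")
POOL6_START = ipaddress.IPv6Address("2000:172:16:201::11")
POOL6_END = ipaddress.IPv6Address("2000:172:16:201::20")

# Constructed sample input: the three decisive lines of the page's diagnose debug flow trace.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5401 msg="vd-root:0 received a packet(proto=1, 10.1.100.11:27592->10.1.100.55:2048) from port10. type=8, code=0, id=27592, seq=1."
id=20085 trace_id=1 func=get_vip46_addr line=998 msg="find DNAT46: IP-2000:172:16:200::55, port-27592"
id=20085 trace_id=1 func=get_new_addr46 line=1047 msg="find SNAT46: IP-2000:172:16:201::13(from IPPOOL), port-27592"
"""
LINE_RE = re.compile(r'func=(\S+) line=\d+ msg="(.*)"')
PKT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+->(\d+\.\d+\.\d+\.\d+):\d+")
ADDR6_RE = re.compile(r"IP-([0-9a-fA-F:]+)")  # first IPv6 literal after "IP-"

def parse_trace(text):
    """Pull the original IPv4 src/dst and the IPv6 addresses chosen by DNAT46/SNAT46."""
    found = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # not a trace line (e.g. a command echo or prompt)
        func, msg = m.groups()
        if func == "print_pkt_detail":
            pm = PKT_RE.search(msg)
            if pm:
                found["src4"] = ipaddress.IPv4Address(pm.group(1))
                found["dst4"] = ipaddress.IPv4Address(pm.group(2))
        elif func in ("get_vip46_addr", "get_new_addr46"):
            am = ADDR6_RE.search(msg)
            if am:
                key = "dst6" if func == "get_vip46_addr" else "src6"
                found[key] = ipaddress.IPv6Address(am.group(1))
    return found

def check_nat46(found):
    """Return the mismatches between the trace and the expected config (empty list = OK)."""
    problems = []
    if found.get("dst4") != VIP46_EXTIP:
        problems.append("client did not send to the VIP46 external address")
    if found.get("dst6") != VIP46_MAPPEDIP:
        problems.append("DNAT46 did not pick the mapped IPv6 server address")
    src6 = found.get("src6")
    if src6 is None or not POOL6_START <= src6 <= POOL6_END:
        problems.append("SNAT46 source is outside the client_external pool")
    return problems
```

Feed it the saved output of the trace commands above; an empty result means the VIP46 mapping and the pool-sourced SNAT46 address both match what was configured.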

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
