Ivory

NAT64 with R80.40

This is my first IPv6 implementation on Azure

Lab setup is 

Ext win10: fd5d:7ce8:b6d5:1::4 (10.20.1.6)

fw Ext (eth0): fd5d:7ce8:b6d5:1::a14:205 (10.20.1.4)
fw Int (eth1): fd5d:7ce8:b6d5:2::4 (10.20.2.4)

webs1: 10.20.2.5

My NAT64 rule is 

NAT.jpg

v6-dst.jpg    snat-v4range.jpg

Log shows xlate dst as expected but xlate_src is empty

Snat-missing.jpg

fw6 monitor and tcpdump on eth0 show fw is sending reset

fwmonitor.jpg

Any help is appreciated!

 

Admin

My understanding is that IPv6 is not supported in CloudGuard Gateways in Public Cloud, currently.
You can see it listed as a known limitation here:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
Ivory

Appreciate your response. I read that MDM, MUH v2 and IPv6 for Management interface are not supported. Security Gateway limitations mention default kernel value and some commands. Please correct me if I missed the feature ID you are referring to.

Setup of (IPv6 LAN - Firewall - IPv6 LAN) end to end communication is working fine on Azure.

I redeployed everything locally with a 4600 appliance and am seeing the same behavior

snat-missing1.jpg

I am wondering if any additional configuration is required for source NAT range to take effect.

Admin

This is stated in: VSECC-1097
But if you can see it in a physical appliance, I recommend a TAC case.
Ivory

VSECC-1097 applies to R80.20 and below, correct?

I have a TAC case open and waiting to be assigned, thanks again.

Admin

If it's in the "Known Limitations" SK for R80.40, it applies there as well.
R80.20 was the first version it was documented in (meaning this isn't a new limitation).