- Products
- Learn
- Local User Groups
- Partners
-
More
Celebrate the New Year
With CheckMates!
Value of Security
Vendor Self-Awareness
Join Us for CPX 360
23-24 February 2021
Important certificate update to CloudGuard Controller, CME,
and Azure HA Security Gateways
How to Remediate Endpoint & VPN
Issues (in versions E81.10 or earlier)
Mobile Security
Buyer's Guide Out Now
Important! R80 and R80.10
End Of Support around the corner (May 2021)
Hi,
I am testing scenario as per the customer requirement. It is migration of IPv4 to IPv6.
I want to test static NAT scenario (NAT64) where your external IP would be IPv6 and internal IP would be IPv4 so what are the steps required to configure in checkpoint R77.30. I am referring below URL but it would be helpful if there is a doc with configuration snapshot.
https://sc1.checkpoint.com/documents/R77/CP_R77_Firewall_WebAdmin/119030.htm#o119659
Regards,
Gaurav Pandya
NAT64 is translating an IPv6 address to an IPv4 one.
What you're describing is NAT46 (translating an IPv4 address into an IPv6 one).
No version of Check Point supports NAT46 currently.
Preferably I would like to handle this at layer 7.
Reverse proxies are among my most favorite machines for this purpose.
Hi Dameon,
Sorry as I have described like this. But our actual requirement is NAT64. Where outside IPv6 address want to communicate to the internal host which has IPv4 address.
It will be good if there is a good documentation with screenshot.
Regards,
Gaurav Pandya
You pointed to the documentation, it just didn't have pictures.
At the bottom of every document, there is a "Send Feedback" link, which I encourage you to use.
Meanwhile, I was able to create a rule that looks something like this:
The objects look like the following:
What I would encourage you to do is:
Hopefully that helps
Hi Dameon,
Thanks very much for your response.
Yes After some research, I did the same thing which you have mentioned. The difference is I have made static NAT.
Here, I have one question. May be it is silly but what we need to put in IPv6-server address (Destination Field). So IPv6 address has any relation with IPv4 address.
IPv6 address should be made from ipv4 address ?
My flow will be like
Any source address (ipv6) from outside --> hits to IPv6 address --> source IPv6 address will be translated to IPv4 address (Embeded range) --> Destination IPv6 address will be translated to IPv4 address 1.1.1.1
Please let me know if I am missing anything.
Regards,
Gaurav Pandya
Posting snapshot of my config.
If you look at my example above:
Which is similar to what you said.
How does this apply to NAT64 Hide NAT. I want to translate an IPv6 source to a IPv4 source Hide NAT. Any ideas
So far I have not seen much use for NAT64.
I prefer to make sure vital components are dual stack. Like:
- Firewall
- Proxies
- MTA's
- Loadbalancers / reverse proxies
That way you can use either protocol internaly as you see fit. And you can use both on the outside. As I don't see how we will get rid of dual protocol for a few decades.
Palo Alto supports supports IPv6 NAT translation for /32, /40, /48, /56, /64, and /96 subnets using these prefixes. What does Check Point support in R77.30 and R80.20?
Hi Steve,
I have only tested above scenario in R77.30. There is more IPv6 support in R80.20
You can refer sk39374 for more information
About CheckMates
Learn Check Point
Advanced Learning
WELCOME TO THE FUTURE OF CYBER SECURITY