NAT64 is translating an IPv6 address to an IPv4 one.

What you're describing is NAT46 (translating an IPv4 address into an IPv6 one).

No version of Check Point supports NAT46 currently.

Preferably I would like to handle this at layer 7.

Reverse proxies are among my most favorite machines for this purpose.

Hi Dameon,

Sorry as I have described like this. But our actual requirement is NAT64. Where outside IPv6 address want to communicate to the internal host which has IPv4 address.

It will be good if there is a good documentation with screenshot.

Regards,

Gaurav Pandya 

You pointed to the documentation, it just didn't have pictures.

At the bottom of every document, there is a "Send Feedback" link, which I encourage you to use.

Meanwhile, I was able to create a rule that looks something like this:

The objects look like the following:

What I would encourage you to do is:

• Add each object to the rule as normal
• Only after you've assembled the rule, click on the Translated Source column, Select NAT Method, then select Stateful NAT64, translated packets will have "64" in them, as shown above.
• If you have gateways pre-R76 configured in your management, you may need to configure the Install On field to be explicit gateways, else you will get a policy install failure.

Hopefully that helps

Hi Dameon,

Thanks very much for your response.

Yes After some research, I did the same thing which you have mentioned. The difference is I have made static NAT.

Here, I have one question. May be it is silly but what we need to put in IPv6-server address (Destination Field). So IPv6 address has any relation with IPv4 address.

IPv6 address should be made from ipv4 address ?

My flow will be like

Any source address (ipv6) from outside --> hits to IPv6 address  --> source IPv6 address will be translated to IPv4 address (Embeded range) --> Destination IPv6 address will be translated to IPv4 address 1.1.1.1

Please let me know if I am missing anything.

Regards,

Gaurav Pandya

Posting snapshot of my config.

If you look at my example above:

• The destination IPv6 address your users will connect to is represented by the ipv6-server object.
• This destination IP will be translated to the IP specified by ipv4-server.
• The source IP of the connection will be translated (HIDE NAT style) to one of the IPs in the IP Pool object called ipv6-hiderange.

Which is similar to what you said.

How does this apply to NAT64 Hide NAT. I want to translate an IPv6 source to a IPv4 source Hide NAT. Any ideas

So far I have not seen much use for NAT64.

I prefer to make sure vital components are dual stack. Like:

 - Firewall

 - Proxies

 - MTA's

 - Loadbalancers / reverse proxies

That way you can use either protocol internaly as you see fit. And you can use both on the outside. As I don't see how we will get rid of dual protocol for a few decades.

Palo Alto supports supports IPv6 NAT translation for /32, /40, /48, /56, /64, and /96 subnets using these prefixes. What does Check Point support in R77.30 and R80.20?

Hi Steve,

I have only tested above scenario in R77.30. There is more IPv6 support in R80.20

You can refer sk39374 for more information