IPv6 with Checkpoint R77.30

Gaurav_Pandya · ‎2017-10-05

Hi,

I am testing scenario as per the customer requirement. It is migration of IPv4 to IPv6.

I want to test static NAT scenario (NAT64) where your external IP would be IPv6 and internal IP would be IPv4 so what are the steps required to configure in checkpoint R77.30. I am referring below URL but it would be helpful if there is a doc with configuration snapshot.

https://sc1.checkpoint.com/documents/R77/CP_R77_Firewall_WebAdmin/119030.htm#o119659

Regards,

Gaurav Pandya

PhoneBoy · ‎2017-10-05

NAT64 is translating an IPv6 address to an IPv4 one.

What you're describing is NAT46 (translating an IPv4 address into an IPv6 one).

No version of Check Point supports NAT46 currently.

Hugo_vd_Kooij · ‎2017-10-06

Preferably I would like to handle this at layer 7.

Reverse proxies are among my most favorite machines for this purpose.

Gaurav_Pandya · ‎2017-10-06

Hi Dameon,

Sorry as I have described like this. But our actual requirement is NAT64. Where outside IPv6 address want to communicate to the internal host which has IPv4 address.

It will be good if there is a good documentation with screenshot.

Regards,

Gaurav Pandya

PhoneBoy · ‎2017-10-06

You pointed to the documentation, it just didn't have pictures.

At the bottom of every document, there is a "Send Feedback" link, which I encourage you to use.

Meanwhile, I was able to create a rule that looks something like this:

The objects look like the following:

What I would encourage you to do is:

Add each object to the rule as normal
Only after you've assembled the rule, click on the Translated Source column, Select NAT Method, then select Stateful NAT64, translated packets will have "64" in them, as shown above.
If you have gateways pre-R76 configured in your management, you may need to configure the Install On field to be explicit gateways, else you will get a policy install failure.

Hopefully that helps

Gaurav_Pandya · ‎2017-10-10

Hi Dameon,

Thanks very much for your response.

Yes After some research, I did the same thing which you have mentioned. The difference is I have made static NAT.

Here, I have one question. May be it is silly but what we need to put in IPv6-server address (Destination Field). So IPv6 address has any relation with IPv4 address.

IPv6 address should be made from ipv4 address ?

My flow will be like

Any source address (ipv6) from outside --> hits to IPv6 address --> source IPv6 address will be translated to IPv4 address (Embeded range) --> Destination IPv6 address will be translated to IPv4 address 1.1.1.1

Please let me know if I am missing anything.

Regards,

Gaurav Pandya

Gaurav_Pandya · ‎2017-10-10

Posting snapshot of my config.

PhoneBoy · ‎2017-10-10

If you look at my example above:

The destination IPv6 address your users will connect to is represented by the ipv6-server object.
This destination IP will be translated to the IP specified by ipv4-server.
The source IP of the connection will be translated (HIDE NAT style) to one of the IPs in the IP Pool object called ipv6-hiderange.

Which is similar to what you said.

Steve_Townsend · ‎2019-01-28

How does this apply to NAT64 Hide NAT. I want to translate an IPv6 source to a IPv4 source Hide NAT. Any ideas

Hugo_vd_Kooij · ‎2019-02-21

So far I have not seen much use for NAT64.

I prefer to make sure vital components are dual stack. Like:

- Firewall

- Proxies

- MTA's

- Loadbalancers / reverse proxies

That way you can use either protocol internaly as you see fit. And you can use both on the outside. As I don't see how we will get rid of dual protocol for a few decades.

Steve_Townsend · ‎2019-02-21

Palo Alto supports supports IPv6 NAT translation for /32, /40, /48, /56, /64, and /96 subnets using these prefixes. What does Check Point support in R77.30 and R80.20?

Gaurav_Pandya · ‎2019-02-22

Hi Steve,

I have only tested above scenario in R77.30. There is more IPv6 support in R80.20

You can refer sk39374 for more information