NAT64 is an IPv6 transition mechanism that facilitates communication between IPv6 and IPv4 hosts by using a form of NAT. The NAT64 gateway is a translator between IPv4 and IPv6 protocols, for which function it needs at least one IPv4 address and an IPv6 network segment comprising a 32-bit address space.
This document provides step-by-step instructions on how to configure NAT64 for Internet access.
For the full list of White Papers, go here.
I configured it as mentioned in your PDF (exactly the same).
If I ping from an internal IPv6-only host to the outside, I can see the packet hitting the firewall's internal interface (i) only.
Unable to see I, o, O, and no NAT64 either.
Are there any other settings we have to do?
I'm using R80.30, kernel 2.6.18, standalone, with IPv4 & IPv6 configured on the internal interface of the FW and only IPv4 on the external interface.
Getting a zdebug drop: "failed to get outbound interface"
Yes, there is a missing step in the document: you must add a static route to your NATed IPv6 network. Since in Gaia we can't add a route through the interface, you will need to add it with some fake address as the next hop.
set ipv6 static-route add <IPv6_NATed_network>/<prefix_length> nexthop gateway <IPv6_nexthop> on
Let me know if it worked for you.
After changing the IPv6 route, I was able to succeed as per your setup, and I did it in the customer environment as well. It worked.
But I got an issue with Remote Access VPN. The customer had the Mobile Access Blade enabled earlier and is unable to connect now once this IPv6 setup is up.
Per sk163313, it says that "RemoteAccess VPN" is not supported but also states that "Mobile Access Blade Portal" is supported.
I tried it in my lab setup and got the same result: the Remote Access VPN client, or SSL-based, does not work once IPv6 is enabled.
(Checked with configuring a RemoteAccess community in IPsec & using the MOB blade as well.) No luck.
Have you faced anything like this?
As the scenario that I was testing for a customer (and based the white paper around) was for outbound web access only, VPN access of any kind was not tested.
Thanks for the quick reply.
Yes, I achieved this for my customer based on your setup, and it's fine now.
But Remote VPN will not work and is NOT supported as per the sk mentioned.
Anyway, I will be checking with TAC to confirm whether at least "MobileAccess Portal" is supported or not.
I have a doubt here regarding the DNS64 server.
When I perform an nslookup on the DNS64 server for www.rediff.com, I get an "A" record and the client gets a synthesized address. Fine.
When I perform an nslookup on the DNS64 server for www.youtube.com, I get both real "A" & "AAAA" records, so I cannot access the site.
I need to know how I can get only the "A" record for ALL internet websites so that the DNS64 server can provide a synthesized address.
I believe that is controlled by the client - I just used Wireshark to capture a lookup of cnn.com, and got both A and AAAA records. The packet capture showed my laptop sending both A and AAAA queries. If you remove the IPv6 protocol from your network adapter (assuming Windows), then try the query, what happens?
The reason why the IPv6 client is unable to access www.cnn.com is that the DNS64 server gives the actual IPv6 & IPv4 records back to the client.
As we have a NAT rule that IPv6 clients can access the synthesized address (64:fff../96), the IPv6 client is unable to get access to cnn.com.
This whitepaper on configuring NAT64 with a DNS64 server only covers access from internal IPv6 clients to external IPv4-ONLY sites (not sites having both IPv6/IPv4 addresses like cnn.com or youtube.com).
With this current setup, if I should get access to both synthesized & real combined IPv6/IPv4 sites, then should I use an IPv6 address configured on the external interface of the firewall? Your inputs will surely help me, please.
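The DNS64 behaviour discussed in the last few posts (synthesis only when a site has no native AAAA record, which is why dual-stack sites bypass the NAT64 rule) as an added Python illustration, not code from the white paper or from Check Point. It assumes the RFC 6052 well-known prefix 64:ff9b::/96 for the synthesized addresses (the thread only writes 64:fff../96) and uses constructed zone data in place of a real upstream resolver.

```python
import ipaddress

# Assumption: the NAT64/DNS64 prefix is the RFC 6052 well-known /96 prefix.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6, prefix=NAT64_PREFIX):
    """Reverse mapping done by the NAT64 gateway; None if the address is outside the prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


# Constructed sample records standing in for what the upstream DNS returns.
UPSTREAM = {
    "ipv4only.example": {"A": ["198.51.100.10"], "AAAA": []},
    "dual.example": {"A": ["203.0.113.5"], "AAAA": ["2001:db8::5"]},
}


def dns64_aaaa(name, upstream=UPSTREAM, prefix=NAT64_PREFIX):
    """Answer an AAAA query the way a DNS64 resolver does by default (RFC 6147).

    Native AAAA records are returned unchanged; synthesis happens only when
    there is no AAAA at all. That is the youtube.com / cnn.com case above:
    the client receives the real IPv6 address and never touches NAT64.
    """
    rr = upstream.get(name, {"A": [], "AAAA": []})
    if rr["AAAA"]:
        return {"synthesized": False, "AAAA": list(rr["AAAA"])}
    return {"synthesized": True, "AAAA": [synthesize_aaaa(a, prefix) for a in rr["A"]]}


def reaches_via_nat64(name, upstream=UPSTREAM, prefix=NAT64_PREFIX):
    """True only if every address the IPv6-only client will try lies inside the
    NAT64 prefix, i.e. would match a NAT64 rule written for that /96."""
    answer = dns64_aaaa(name, upstream, prefix)
    return bool(answer["AAAA"]) and all(
        extract_ipv4(a, prefix) is not None for a in answer["AAAA"]
    )
```

Running `reaches_via_nat64` against the two constructed names shows the asymmetry the thread describes: the IPv4-only name is reachable through NAT64, the dual-stack name is not unless the firewall's external interface itself has native IPv6.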