Yes, there is a missing step in the document, you must add static route to your natted IPv6, since in GAIA we can't add route through the interface you will need to add it with some fake address as next hop.

set ipv6 static-route add <IPv6_NATed_network>/<prefix_length> nexthop gateway <IPv6_nexthop> on

let me know if it's worked for you.

Hi Ilya_Yusupov,

I did add IPv6 Static route for IPV6 NAT Network.

No luck.

@Mark - Any such Route information included in your setup, please share.

Regards, Prabu

@Prabulingam_N1 ,

can you please share with me offline your NAT64 rule and the route that you add?

Thanks,

Ilya 

Hi Prabu,

The only IPv6 route that I set was the default route. 

-Mark

Dear Mark,

After changing Route in IPV6, I'm able to succeed as per your setup and I did in Customer environment as well. It Worked.

But got issue in Remote Access VPN. Customer had MobileBlade enabled earlier and unable to connect now once this setup IPV6 is up.

Per sk163313 - it says that "RemoteAccess VPN" not supported but also states that "Mobile Access Blade Portal" is supported.

I had tried in my Lab setup and got same result that RemoteAccess VPN Client or SSLbased does not work once IPv6 enabled.

(Checked with configuring RemoteAccess community in IPSec & using MOB blade as well) no luck.

Is there any such you had faced?

Regards, Prabu

Hi Prabu,

As the scenario that I was testing for a customer (and based the white paper around) was for outbound web access only, VPN access of any kind was not tested.

Sorry,

-Mark

Dear Mark,

Thanks for quick reply.

Yes, I achieved for my customer based on your setup and fine now.

But Remote VPN will not work and NOT supported as per sk mentioned.

Anyways I will be checking with TAC to confirm that atleast "MobileAccess Portal" is Supported or not.

Regards, Prabu

Dear Mark,

I have a doubt here in DNS64 server.

When I perform nslookup in DNS64 server for www.rediff.com - I get "A" record and I get synthesized address to Client - Fine.

When I perform nslookup in DNS64 server for www.youtube.com - I get both real "A" & "AAAA" record so I cannot access the site.

Need to know how can i get only "A" record for ALL internet websites so that DNS64 server can provide synthesized address.

Regards, Prabu

Hi Prabu,

I believe that is controlled by the client - I just used Wireshark to capture a lookup of cnn.com, and got both A and AAAA records. The packet capture showed my laptop sending both A and AAAA queries. If you remove the IPv6 protocol from your network adapter (assuming Windows), then try the query, what happens?

-Mark

Hi Mark,

The reason why IPv6Client unable to access www.cnn.com is that DNS64 server gives the Actual IPv6 & IPv4 records back to Client.

As we have NAT rule that IPV6Clients can access Synthesized address (64:fff../96) , Ipv6 Client unable to get access for cnn.com.

This Whitepaper of configuring NAT64 with DNS64 server is only to access from Internal IPV6 client to External IPV4 ONLY sites.(not the sites having both IPV6/IPV4 address like cnn.com or youtube.com)

With this current setup if I should get access for both Synthesized & Real combined IPv6/IPv4 sites, then should I use IPv6 address configured in External Interface of Firewall?? Your inputs will help me sure..please..

Regards, Prabu