_Val_
Admin

White Paper - Configuring NAT64 for Internet Access in R80.20

Author

@Mark_Halsall 

Abstract:

NAT64 is an IPv6 transition mechanism that facilitates communication between IPv6 and IPv4 hosts by using a form of NAT. The NAT64 gateway is a translator between IPv4 and IPv6 protocols, for which function it needs at least one IPv4 address and an IPv6 network segment comprising a 32-bit address space.

This document provides step-by-step instructions on how to configure NAT64 for Internet access.

 

For the full list of White Papers, go here

12 Replies
Prabulingam_N1
Advisor

Dear Val/Mark,

I had configured it as mentioned in your PDF (exactly the same).

If I ping from an internal IPv6-only host to the outside, I can see the packet hitting the firewall's internal (i) point only.

I am unable to see I, o, O, and there is no NAT64 either.

Is there any other settings we have to do? 

I'm using R80.30 kernel 2.6.18 standalone with IPv4 & IPv6 configured on the internal interface of the FW & only IPv4 on the external interface.

I am getting the zdebug drop: "failed to get outbound interface"

 

Any suggestions?

 

Regards, Prabu

0 Kudos
Ilya_Yusupov
Employee

Yes, there is a missing step in the document: you must add a static route to your NATed IPv6 network. Since in Gaia we can't add a route through the interface, you will need to add it with some fake address as the next hop.

 

set ipv6 static-route add <IPv6_NATed_network>/<prefix_length> nexthop gateway <IPv6_nexthop> on

 

Let me know if it worked for you.

0 Kudos
Prabulingam_N1
Advisor

Hi Ilya_Yusupov,

I did add an IPv6 static route for the IPv6 NAT network.

No luck.

 

@Mark - If any such route information is included in your setup, please share.

 

 

Regards, Prabu

Ilya_Yusupov
Employee

@Prabulingam_N1 ,

 

Can you please share with me offline your NAT64 rule and the route that you added?

Thanks,

Ilya 

0 Kudos
Mark_Halsall
Employee Alumnus

Hi Prabu,

The only IPv6 route that I set was the default route. 

 

-Mark

Prabulingam_N1
Advisor

Dear Mark,

Thanks for quick reply.
I too had not configured anything other than the default IPv6 route.

The error I get is "Failed to get outbound interface", so it looks like the kernel is unable to forward from the internal interface "i" to the I, o, O points.

Is there any other parameter we should set through the command line or an internal file?

I had tried the same setup on a FortiGate and it worked great.

And what OS had you used for the DNS64 server? Linux or Windows?


Regards, Prabu
0 Kudos
Prabulingam_N1
Advisor

Dear Mark,

 

After changing the IPv6 route, I was able to succeed as per your setup, and I did it in the customer environment as well. It worked.

 

But I got an issue with Remote Access VPN. The customer had the Mobile Access blade enabled earlier and is unable to connect now that this IPv6 setup is up.

Per sk163313, it says that "RemoteAccess VPN" is not supported but also states that "Mobile Access Blade Portal" is supported.

I had tried in my lab setup and got the same result: the Remote Access VPN client or SSL-based access does not work once IPv6 is enabled.

(Checked with configuring the RemoteAccess community in IPSec & using the MOB blade as well.) No luck.

 

Have you faced any such issue?

 

Regards, Prabu

Mark_Halsall
Employee Alumnus

Hi Prabu,

 

As the scenario that I was testing for a customer (and based the white paper around) was for outbound web access only, VPN access of any kind was not tested.

 

Sorry,

 

-Mark

0 Kudos
Prabulingam_N1
Advisor

Dear Mark,

Thanks for quick reply.

Yes, I achieved this for my customer based on your setup, and it is fine now.

But Remote Access VPN will not work and is NOT supported as per the sk mentioned.

Anyway, I will be checking with TAC to confirm whether at least the "MobileAccess Portal" is supported or not.

 

Regards, Prabu

0 Kudos
Prabulingam_N1
Advisor

Dear Mark,

 

I have a doubt here about the DNS64 server.

When I perform an nslookup on the DNS64 server for www.rediff.com, I get an "A" record and the client gets a synthesized address. Fine.

When I perform an nslookup on the DNS64 server for www.youtube.com, I get both the real "A" & "AAAA" records, so I cannot access the site.

 

I need to know how I can get only the "A" record for ALL internet websites so that the DNS64 server can provide a synthesized address.

 

Regards, Prabu

0 Kudos
Mark_Halsall
Employee Alumnus

Hi Prabu,

I believe that is controlled by the client - I just used Wireshark to capture a lookup of cnn.com, and got both A and AAAA records. The packet capture showed my laptop sending both A and AAAA queries. If you remove the IPv6 protocol from your network adapter (assuming Windows), then try the query, what happens?

-Mark

0 Kudos
Prabulingam_N1
Advisor

Hi Mark,

 

The reason why the IPv6 client is unable to access www.cnn.com is that the DNS64 server gives the actual IPv6 & IPv4 records back to the client.

As we have a NAT rule that IPv6 clients can access the synthesized address (64:fff../96), the IPv6 client is unable to get access to cnn.com.

This white paper on configuring NAT64 with a DNS64 server is only for access from internal IPv6 clients to external IPv4-ONLY sites (not sites having both IPv6/IPv4 addresses like cnn.com or youtube.com).

 

With this current setup, if I should get access to both synthesized & real combined IPv6/IPv4 sites, then should I use an IPv6 address configured on the external interface of the firewall? Your inputs will surely help me, please.

 

Regards, Prabu

0 Kudos
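The two DNS64 observations in this thread (a site with only an A record gets a synthesized address and works; a site that also has a real AAAA record does not) follow directly from how DNS64 and the NAT64 rule interact. The following Python script is an added illustration, not code from the white paper or from any participant: it models RFC 6147 default DNS64 behaviour (synthesize an AAAA from the A record only when no real AAAA exists), embeds the IPv4 address in the well-known 64:ff9b::/96 prefix of RFC 6052 (assumed here; the thread only writes "64:fff../96"), and then checks which answers fall inside the prefix that a NAT64 rule would translate. The hostnames and addresses are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Optional

# Well-known NAT64 prefix (RFC 6052). Assumption: the deployment uses this
# prefix; a network-specific /96 would be substituted here.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")

# Constructed sample DNS data (not real lookups): one IPv4-only name and one
# dual-stack name, mirroring the rediff.com vs. youtube.com/cnn.com cases.
SAMPLE_RECORDS: Dict[str, Dict[str, List[str]]] = {
    "v4only.example": {"A": ["198.51.100.10"], "AAAA": []},
    "dual.example": {"A": ["203.0.113.5"], "AAAA": ["2001:db8::5"]},
}


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Optional[str]:
    """Reverse mapping: return the embedded IPv4 address, or None if the
    address is not inside the NAT64 prefix (i.e. a native IPv6 destination)."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


def dns64_answer(a_records: List[str], aaaa_records: List[str],
                 prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Dict[str, object]:
    """RFC 6147 default DNS64 behaviour: if the name already has a real AAAA
    record it is returned unchanged; synthesis happens only when there is none."""
    if aaaa_records:
        return {"source": "real", "aaaa": list(aaaa_records)}
    return {"source": "synthesized",
            "aaaa": [synthesize_aaaa(a, prefix) for a in a_records]}


def reachable_via_nat64(aaaa: List[str],
                        prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> List[str]:
    """Model the NAT64 rule: only destinations inside the prefix are translated
    to IPv4; anything else would need a native IPv6 path out of the firewall."""
    return [a for a in aaaa if ipaddress.IPv6Address(a) in prefix]


def resolve_for_client(name: str,
                       records: Dict[str, Dict[str, List[str]]] = SAMPLE_RECORDS,
                       prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> Dict[str, object]:
    """What an IPv6-only client behind DNS64 + NAT64 ends up with for a name."""
    rr = records[name]
    answer = dns64_answer(rr["A"], rr["AAAA"], prefix)
    answer["nat64_reachable"] = reachable_via_nat64(answer["aaaa"], prefix)  # type: ignore[arg-type]
    return answer


if __name__ == "__main__":
    for host in SAMPLE_RECORDS:
        result = resolve_for_client(host)
        print(host, result["source"], result["aaaa"],
              "via NAT64:", result["nat64_reachable"] or "none")
```

Running it shows the IPv4-only name resolving to 64:ff9b::c633:640a, which the NAT64 rule translates, while the dual-stack name resolves to its real 2001:db8::5 and matches nothing in the NAT64 rule. That is the failure the thread describes: DNS64 does not override a real AAAA record, so a dual-stack destination can only be reached over a native IPv6 path, which is why the question about giving the firewall's external interface an IPv6 address is the right one to ask.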