White Paper - Configuring NAT64 for Internet Access in R80.20
Abstract:
NAT64 is an IPv6 transition mechanism that facilitates communication between IPv6 and IPv4 hosts by using a form of NAT. The NAT64 gateway is a translator between IPv4 and IPv6 protocols, for which function it needs at least one IPv4 address and an IPv6 network segment comprising a 32-bit address space.
This document provides step-by-step instructions on how to configure NAT64 for Internet access.
For the full list of White Papers, go here.
- Tags:
- ipv6
- net64
- white paper
Dear Val/Mark,
I had configured as mentioned in your PDF. (Exactly the same)
If I ping from Internal Host IPV6 only machine to outside, I can see the packet hitting Firewall Internal (i) only.
Unable to see I,o,O and no NAT64 also.
Are there any other settings we have to do?
I'm using R80.30 Kernel 2.6.18 Standalone with IPv4 & IPv6 configured in Internal Interface of FW & Only IPv4 in External Internal interface.
Getting zdebug drop as: "failed to get outbound interface"
Any suggestions?
Regards, Prabu
Yes, there is a missing step in the document: you must add a static route to your NATed IPv6. Since in Gaia we can't add a route through the interface, you will need to add it with some fake address as the next hop.
set ipv6 static-route add <IPv6_NATed_network>/<prefix_length> nexthop gateway <IPv6_nexthop> on
Let me know if it worked for you.
Hi Ilya_Yusupov,
I did add IPv6 Static route for IPV6 NAT Network.
No luck.
@Mark - Any such Route information included in your setup, please share.
Regards, Prabu
Can you please share with me offline your NAT64 rule and the route that you added?
Thanks,
Ilya
Hi Prabu,
The only IPv6 route that I set was the default route.
-Mark
Thanks for quick reply.
Even I had not given any other than default IPv6 route.
The error I get is: "Failed to get outbound interface", so it looks like the kernel is unable to forward from the internal interface "i" to the I, o, O points.
Is there any other parameter, through the command line or an internal file, that we should set?
I had tried the same info in Fortigate and it worked great.
And what OS did you use for the DNS64 server? Linux or Windows?
Regards, Prabu
Dear Mark,
After changing the route in IPv6, I was able to succeed as per your setup, and I did it in the customer environment as well. It worked.
But I got an issue with Remote Access VPN. The customer had MobileBlade enabled earlier and is unable to connect now that this IPv6 setup is up.
sk163313 says that "RemoteAccess VPN" is not supported but also states that "Mobile Access Blade Portal" is supported.
I tried it in my lab setup and got the same result: the RemoteAccess VPN client or SSL-based access does not work once IPv6 is enabled.
(Checked with configuring the RemoteAccess community in IPsec and using the MOB blade as well; no luck.)
Have you faced anything like this?
Regards, Prabu
Hi Prabu,
As the scenario that I was testing for a customer (and based the white paper around) was for outbound web access only, VPN access of any kind was not tested.
Sorry,
-Mark
Dear Mark,
Thanks for quick reply.
Yes, I achieved for my customer based on your setup and fine now.
But Remote VPN will not work and NOT supported as per sk mentioned.
Anyway, I will be checking with TAC to confirm whether at least "MobileAccess Portal" is supported or not.
Regards, Prabu
Dear Mark,
I have a doubt here in DNS64 server.
When I perform nslookup in DNS64 server for www.rediff.com - I get "A" record and I get synthesized address to Client - Fine.
When I perform nslookup in DNS64 server for www.youtube.com - I get both real "A" & "AAAA" record so I cannot access the site.
I need to know how I can get only the "A" record for ALL internet websites so that the DNS64 server can provide a synthesized address.
Regards, Prabu
Hi Prabu,
I believe that is controlled by the client - I just used Wireshark to capture a lookup of cnn.com, and got both A and AAAA records. The packet capture showed my laptop sending both A and AAAA queries. If you remove the IPv6 protocol from your network adapter (assuming Windows), then try the query, what happens?
-Mark
Hi Mark,
The reason why the IPv6 client is unable to access www.cnn.com is that the DNS64 server gives the actual IPv6 and IPv4 records back to the client.
As we have a NAT rule that IPv6 clients can access the synthesized address (64:fff../96), the IPv6 client is unable to get access to cnn.com.
This white paper on configuring NAT64 with a DNS64 server is only for access from an internal IPv6 client to external IPv4-ONLY sites (not sites having both IPv6 and IPv4 addresses, like cnn.com or youtube.com).
With this current setup, if I should get access to both synthesized and real combined IPv6/IPv4 sites, should I use an IPv6 address configured on the external interface of the firewall? Your inputs will surely help me, please.
Regards, Prabu
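
Added example (not part of any post in this thread): a Python model of the DNS64 decision discussed above, where a name with native AAAA records gets those records back unchanged and only an A-only name gets a synthesized address that matches the NAT64 rule. The prefix 64:ff9b::/96 is the RFC 6052 well-known prefix, assumed here because the thread shows its prefix only in truncated form; the function names and the sample records are constructed for illustration.

```python
import ipaddress

# Assumption: RFC 6052 well-known prefix; the thread's own prefix is truncated.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch handles /96 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def dns64_answer(a_records, aaaa_records, prefix=NAT64_PREFIX, exclude=()):
    """Model the DNS64 (RFC 6147) choice for an AAAA query.

    Returns (addresses, synthesized). Native AAAA records win unless every
    one of them falls inside a network listed in `exclude`; only then are
    the A records mapped into the NAT64 prefix.
    """
    excluded = [ipaddress.IPv6Network(n) for n in exclude]
    native = [ipaddress.IPv6Address(r) for r in aaaa_records]
    usable = [r for r in native if not any(r in n for n in excluded)]
    if usable:
        return usable, False
    return [synthesize(a, prefix) for a in a_records], True


def matches_nat64_rule(addresses, prefix=NAT64_PREFIX):
    """True if the client would connect only to addresses inside the prefix."""
    return bool(addresses) and all(a in prefix for a in addresses)


if __name__ == "__main__":
    # Constructed sample records (documentation address ranges).
    cases = {
        "IPv4-only site": (["192.0.2.10"], []),
        "dual-stack site": (["192.0.2.20"], ["2001:db8::20"]),
    }
    for label, (a, aaaa) in cases.items():
        addrs, synth = dns64_answer(a, aaaa)
        print(label, [str(x) for x in addrs],
              "synthesized" if synth else "native",
              "NAT64 rule" if matches_nat64_rule(addrs) else "needs IPv6 path")
```

For the dual-stack case the client receives a native IPv6 address outside the NAT64 prefix, so the traffic never matches the NAT64 rule and depends on the gateway having a working IPv6 path of its own.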