Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Surendra
Explorer

Ipv6 to Ipv4 communication is not happening when we give ipv4 destination in security rule

Hi Team

we have NAT 64 rule for Ipv6 to Ipv4 communication, Ipv6 sources are able to communicate when we give ANY in destination in access rule. if we give specific ipv4 host or network it is not hitting the rule since request is looking for embedded ipv6 address in access rule.

source ip : ipv6 address

destination ip : 64:FF9B::/96

original destination is 190.x.x.x

 

check point firewall is not able to convert embedded ipv6 to original ipv4

 

please suggest us, how to fix ipv6 to ipv4 communication issue.

 

0 Kudos
5 Replies
Chris_Atkinson
Employee Employee
Employee

Which version/JHF are used in this deployment - have you opened a TAC case?

CCSM R77/R80/ELITE
0 Kudos
Surendra
Explorer

Maestro device, version is R81.10 and JHF is Take 139.

yes raised case with CP, they said R&D team is working on that feature that conversion from 64:ff9b:xxx:xxxx hexa to original ipv4.

0 Kudos
Tom_Kendrick
Employee
Employee

Hi, this does work, but it's not simple 🙂

You need to use something (like Unbound) that will help you with DNS64, so that the address you request is converted to the embedded 64 version, and then use a special NAT rule, to take the traffic destined to the NAT64 addresses, and switch them to hide behind a IPv4 address (while also extracting the embedded IPv4 address from the IPv6 destination address) - If you're not confused, you are doing well!

 

Its discussed / documented here: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topi...

 

This was from within an isolated environment (so IP's are not public) when testing with breaking point. You need to make sure the NAT rule is set correctly - like this....

 

64example.png

Surendra
Explorer

we have created the NAT64 rule and it is working fine when we keep ANY in destination in access rule.

if we keep ipv4 in destination in access rule it is not hitting that rule.

original reqauest

  • Src IP = Configured IPv6 address
  • Dst IP = IPv4 embedded IPv6 address returned by DNS64 server

but in security rule we have kept original destination ipv4 address so checkpoint will look for 64:ff9b:xx:xx/96 in destionation since it is not in rule it is not hitting that rule.

the firewall is capable of performing the translation from IPv6 to IPv4 regardless of if this was done by a DNS64 server or by some other method, as long as the IPv4 address is embedded into the IPv6 address

 

 

0 Kudos
PhoneBoy
Admin
Admin

If you want this to work as expected, you will need to put the IPv6 version of the IPv4 address in your Access Rule.
Otherwise, this won't work.
https://support.checkpoint.com/results/sk/sk113175 

0 Kudos