Martijn
Collaborator

IPv6 echo-request NAT

Hi All,

For one of our customers, we have created an IPv6 setup so an internal IPv4 website is reachable on an external IPv6 address.
This is working fine: we can reach the website on port 443 and we see the correct access rule and NAT rule being hit.

But when we perform a ping from an external IPv6 host to the external IPv6 address, the NAT rule is not being hit. We can see an allow in the log for the correct access rule, but there is no NAT rule in the log entry.

The only reason I can think of is that on the outside we use ping for IPv6 and on the inside we use ping for IPv4. Those protocols differ and cannot be translated.

Does this sound familiar to anyone? Is there an explanation why NAT is not used when we ping the external IPv6 address?

Regards,
Martijn

4 Replies
PhoneBoy
Admin

So you're doing NAT64 then, correct?
Possible that's not supported, but haven't heard that specifically.
Might be worth a TAC case to clarify. 

Amogha_Chandras
Employee

According to RFC 6146, NAT64 translation lets an IPv6-only client communicate with an IPv4-only server, so in your case you have to use NAT64.

Please follow our admin guide in order to configure it. The link below is to the R80.20 admin guide:

https://sc1.checkpoint.com/documents/R80.20_GA/WebAdminGuides/EN/CP_R80.20_SecurityManagement_AdminG...

Search for "Configuring Stateful NAT64".

Also, since I am not sure of the version you are using: NAT64 is not supported on R80.10.

Martijn
Collaborator

Hi,

We have configured NAT64 so an external IPv6 client can access the website, which runs on an internal web server with an IPv4 stack. For HTTPS this is working and we access the website from an external IPv6 client. We can see the correct access rule and NAT rule being hit. No problems there.

But when we try to PING from the external IPv6 client to the website (which resolves to an IPv6 address) we do not get a reply. We can see the access rule being hit (echo-request6 allowed), but the NAT rule is not being hit, while that NAT rule is configured for any service and is working for HTTPS.

Regards,
Martijn

Amogha_Chandras
Employee

I would open a ticket with TAC if possible. They may take packet captures like tcpdump and fw monitor, and perhaps a kernel debug might also be required in a few cases. Hence it is better if TAC can take a look.


In Check Point, the NAT64 gateway creates a mapping between the IPv6 and the IPv4 addresses, which may be manually configured or determined automatically. The original destination IPv6 address is linked with the translated destination IPv4 address, so it must be unique. What that means is that the IPv6 and IPv4 addresses must be different in each rule.

For example, if you are using two different IPv6 addresses in the Original Destination but the Translated Destination has the same IPv4 address in both rules, then it might not work.

Since we can't see your configuration, please contact TAC for deeper analysis.

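The two technical points raised in this thread, that an ICMPv6 ping and an ICMPv4 ping are different protocols that a NAT64 gateway has to rewrite rather than forward, and that each NAT64 rule's original IPv6 destination and translated IPv4 destination must be unique, can be made concrete with a small model. The example below is added here as illustration; it is not Check Point code and not code from any of the posters, and it does not reproduce how a Check Point gateway implements NAT64. It assumes the ICMP type mapping of RFC 7915 (ICMPv6 Echo Request type 128 becomes ICMPv4 Echo Request type 8), a constructed rule table using documentation addresses, and a single constructed IPv4 pool address that the translator uses as source towards the internal server.

```python
"""
Added worked example (not Check Point code): a toy stateful NAT64 translator
for ICMP echo, illustrating two points from the thread:
  1. a NAT64 rule maps one original (external) IPv6 destination to one
     translated (internal) IPv4 destination, and that mapping must be unique
     in both directions;
  2. an ICMPv6 Echo Request has to be rewritten into an ICMPv4 Echo Request
     (type 128 -> type 8, as specified in RFC 7915) with a freshly computed
     checksum, because ICMPv6 (next header 58) and ICMPv4 (protocol 1) are
     different protocols.
All addresses are constructed from documentation ranges.
"""
import ipaddress
import struct

IPv6 = ipaddress.IPv6Address
IPv4 = ipaddress.IPv4Address

ICMPV6_ECHO_REQUEST, ICMPV6_ECHO_REPLY = 128, 129
ICMPV4_ECHO_REQUEST, ICMPV4_ECHO_REPLY = 8, 0
ICMP_TYPE_MAP = {ICMPV6_ECHO_REQUEST: ICMPV4_ECHO_REQUEST,
                 ICMPV6_ECHO_REPLY: ICMPV4_ECHO_REPLY}

# Constructed rule base: original IPv6 destination -> translated IPv4 destination.
SAMPLE_RULES = [
    ("2001:db8:ffff::443", "192.0.2.10"),
    ("2001:db8:ffff::444", "192.0.2.11"),
]
# Constructed address the translator uses as the IPv4 source towards the server.
POOL4 = IPv4("198.51.100.10")


def validate_rules(rules):
    """Build {dst6: dst4} and reject any IPv6 or IPv4 destination used by two rules."""
    seen6, seen4, table = {}, {}, {}
    for n, (d6, d4) in enumerate(rules, 1):
        d6, d4 = IPv6(d6), IPv4(d4)
        if d6 in seen6:
            raise ValueError(f"rule {n}: original destination {d6} already used by rule {seen6[d6]}")
        if d4 in seen4:
            raise ValueError(f"rule {n}: translated destination {d4} already used by rule {seen4[d4]}")
        seen6[d6], seen4[d4], table[d6] = n, n, d4
    return table


def checksum16(data: bytes) -> int:
    """Internet checksum (RFC 1071); returns 0 when run over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmpv6_checksum(src6, dst6, icmp6: bytes) -> int:
    """ICMPv6 checksums cover an IPv6 pseudo-header (src, dst, length, next header 58)."""
    pseudo = src6.packed + dst6.packed + struct.pack("!IxxxB", len(icmp6), 58)
    return checksum16(pseudo + icmp6)


def build_icmpv6_echo_request(src6, dst6, ident: int, seq: int, data: bytes = b"ping") -> bytes:
    """Construct the ICMPv6 Echo Request an external IPv6 client would send."""
    body = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", icmpv6_checksum(src6, dst6, body)) + body[4:]


def translate_echo(table, src6, dst6, icmp6: bytes):
    """
    Translate an ICMPv6 echo message towards the IPv4 server.
    Returns (src4, dst4, icmp4). Raises KeyError when no rule matches the
    destination and ValueError for non-echo types or a bad checksum.
    """
    typ6, code, _csum, ident, seq = struct.unpack("!BBHHH", icmp6[:8])
    if typ6 not in ICMP_TYPE_MAP:
        raise ValueError(f"ICMPv6 type {typ6} is not an echo message; not handled here")
    if icmpv6_checksum(src6, dst6, icmp6) != 0:
        raise ValueError("bad ICMPv6 checksum")
    if dst6 not in table:
        raise KeyError(f"no NAT64 rule for destination {dst6}")
    dst4 = table[dst6]
    # Stateful NAT64 keeps (src6, ident) -> (POOL4, ident) so the reply can be mapped back.
    body = struct.pack("!BBHHH", ICMP_TYPE_MAP[typ6], code, 0, ident, seq) + icmp6[8:]
    return POOL4, dst4, body[:2] + struct.pack("!H", checksum16(body)) + body[4:]


if __name__ == "__main__":
    table = validate_rules(SAMPLE_RULES)
    client6, site6 = IPv6("2001:db8:1::50"), IPv6("2001:db8:ffff::443")
    req6 = build_icmpv6_echo_request(client6, site6, 0x1234, 7, b"hello")
    src4, dst4, req4 = translate_echo(table, client6, site6, req6)
    print(f"{client6} -> {site6}  becomes  {src4} -> {dst4}: ICMPv4 {req4.hex()}")
```

Two things are worth noticing when running it. The ICMPv6 checksum is computed over a pseudo-header that contains the IPv6 addresses, while the ICMPv4 checksum covers only the ICMP message, so a translator cannot simply copy the header with a new type byte; it must recompute. And `validate_rules` refuses a rule set in which two original IPv6 destinations translate to the same IPv4 address, which is exactly the configuration the last reply warns might not work.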