NAT46 for LAN towards WAN (Customer's query)
Hi guys, hope you're all doing well.
Have a query like a boomerang from one customer; it was phrased as follows:
1. I do use a LAN 17.16.0.0/16 and I use CP (IPv4 interface) as my default next-hop IP address gateway
2. That LAN I'd like to have browsing INTERNET on our IPv6 range from the ISP. We do have full ::/64 network.
3. NAT46 however and its configuration always bring our push of the policy to the error and it points that we're doing it wrongly.
4. Local LAN 172.16.0.0/16 I'd like to translate towards the Internet via our custom IPv6 range from our WAN interface on the CP Gateway.
5. CP Gateway translates native IPv6 networks towards IPv6 internet just fine. All works like a charm.
6. Some of the local LANs cannot use IPv6 via either DHCP or static as they need to use some of the older systems still on IPv4.
7. IPv4 LAN would be really cool to navigate "just internet traffic" via IPv6 address from the CP WAN interface.
8. I was unable to see any specific examples from CP KBs pointing me towards the resolution. Can you suggest help or a resource I should be referring myself to?
This is what I've got from my customer, who gets really picky on migrating all v4 to full-v6 for everything. Can you suggest to him (me indirectly) any resource I could point him to?
PS. I do know very well the IPv6 FAQ and ARTG IPv6. No help over there for him whatsoever, I'm afraid.
Cheers
Jerry
What’s the precise error?
Also, I assume you’re on at least R80.40 JHF 83: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
1st of all - the error is related to NAT rule creation and the verify pane shows the error on the right-hand side of the SmartConsole
2nd - it's R81 up2date ClusterXL
3.10 fs btw. 🙂 error … will provide when customer shares it with me soon.
So what is the precise NAT rule it's complaining about?
And does the object in the original destination contain an IPv6 address?
Screenshots would help (and you can send them privately to me if you prefer).
Cheers Dameon, I really appreciate that.
Will ping you on WhatsApp if you have a moment.
The ideal (desired) NAT46 rule was about to serve as INTERNET RULE, not 1-2-1 NAT really, so my customer's goal was to have the local v4 subnet being translated in full to v6 on the INTERNET with the public IPv6 address from the CP WAN interface. Simply NAT46 Stateless towards "any" if possible. But they struggle to set it up, and so do I in the lab. Feels hopeless …
But you're using Stateless NAT46, which implies a 1:1 NAT.
And why wouldn't you as a /64 has far more usable addresses than you could possibly use.
I tell you what would help: a simple line written like this, a simple pattern when you know that the IPv4 LAN is 172.16.0.0/16 and any example of IPv6 201:0:0:1::/64 as ext. WAN IPv6 address (virtual one, not the physical WAN IP address on the interface)
ORIG.SRC:
ORIG. DST:
TRANS.SRC:
TRANS.DST:
How would you do that then, knowing it has to be LAN to INTERNET via an IPv6 address from the WAN range?
Again, actual screenshots would help.
If you're insisting on having everything come from the WAN IP (which is IPv6), you'd configure it as HIDE NAT (not NAT46).
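The difference between the 1:1 stateless mapping and hide NAT raised in the replies above, as an added illustration that is not part of the thread and is not Check Point's implementation. The networks are the ones quoted in the thread; the bit layout (IPv4 address placed in the low 32 bits of the prefix), the hide address `201:0:0:1::1` and all function and class names are assumptions made for the sketch.

```python
import ipaddress

LAN = ipaddress.ip_network("172.16.0.0/16")         # IPv4 LAN quoted in the thread
V6_PREFIX = ipaddress.ip_network("201:0:0:1::/64")  # example IPv6 range quoted in the thread


def stateless_map(v4):
    """1:1 mapping: assumed layout puts the IPv4 address in the low 32 bits."""
    addr = ipaddress.ip_address(v4)
    if addr not in LAN:
        raise ValueError(f"{v4} is outside {LAN}")
    return ipaddress.IPv6Address(int(V6_PREFIX.network_address) | int(addr))


def stateless_unmap(v6):
    """Reverse direction needs arithmetic only, no per-connection state."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in V6_PREFIX:
        raise ValueError(f"{v6} is outside {V6_PREFIX}")
    v4 = ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    if v4 not in LAN:
        raise ValueError(f"{v6} does not map back into {LAN}")
    return v4


class HideNat:
    """Many-to-one: all LAN hosts share one address, told apart by port and state."""

    def __init__(self, hide_addr, first_port=10000):
        self.hide_addr = ipaddress.IPv6Address(hide_addr)
        self.next_port = first_port
        self.out = {}   # (source IP, source port) -> translated port
        self.back = {}  # translated port -> (source IP, source port)

    def translate(self, src_ip, src_port):
        key = (ipaddress.ip_address(src_ip), src_port)
        if key[0] not in LAN:
            raise ValueError(f"{src_ip} is outside {LAN}")
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return self.hide_addr, self.out[key]

    def reverse(self, port):
        # None means no outbound flow created this entry: unsolicited inbound.
        return self.back.get(port)
```

With the stateless form every LAN host is individually addressable from the IPv6 side, so the rulebase has to decide what inbound traffic is allowed; with the hide form a reply is only deliverable while a matching state entry exists.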
Alright, cheers Dameon. I'll reach out to you either by PM or WA shortly.
