
Configuring Dynamic NAT64 Mapping

This section describes how to configure dynamic NAT64 mapping. Dynamic NAT64 implements translation in either NAT64 address pool mode or port mode (hereafter referred to as easy IP mode). Dynamic NAT64 mapping is implemented when IPv6 hosts access an IPv4 network.

Prerequisites

Before configuring dynamic NAT64 mapping, complete the following tasks:

  • Add interfaces to security zones and configure security policies.
  • Enable IPv6 on a FW and its interfaces so that the FW supports the IPv4/IPv6 dual stack.
  • Configure a DNS64 server.
  • Configure a NAT64 prefix on a FW.

Context

Address pool-based dynamic NAT64 is implemented using NAT policies. The FW translates the source IPv6 address of a packet that carries the specified NAT64 prefix into an IPv4 address from the address pool.

You can also use the Easy IP mode. In this mode, NAT64 uses the source IPv4 address of the interface as the post-NAT IPv4 address. This mode saves IPv4 addresses.

Procedure

  1. Access the system view.

    system-view

  2. Access the interface view.

    interface interface-type { interface-number | interface-number.subinterface-number }

    The interface in this command is the interface that connects the FW to the IPv6 network.

  3. Enable the NAT64 function on the interface.

    nat64 enable

  4. Return to the system view.

    quit

  5. Configure a NAT address pool. NAT64 translates a source IPv6 address into a source IPv4 address listed in the specified address pool. If NAT64 based on easy IP is used, skip this step because there is no need to configure a NAT address pool.
    1. Access the NAT address pool view.

      nat address-group group-name [ group-number ]

    2. Set an address pool mode. The address pool mode varies with the Source NAT type.

      mode { pat | full-cone { global | local } [ no-reverse ] }

    3. Set IP address ranges.

      section [ id ] start-ipv4 [ end-ipv4 ]

  6. Create a NAT policy and access the NAT policy view.

    nat-policy

  7. Create a NAT rule and access the NAT rule view.

    rule name rule_name

  8. Set the NAT policy type to NAT64.

    nat-type nat64

  9. Configure NAT64 matching rules.

    By default, all matching rules are "any." Only traffic that meets all configured rules can match the NAT64 policy.

    Table 1 NAT64 matching rules

    Action / Command

    • Specify a source IPv6 address.

      source-address { address-set address-set-name &<1-6> | ipv4-address [ ipv4-mask-length | mask mask-address ] | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } | mac-address &<1-6> | any }

    • Specify a destination IPv6 address.

      destination-address { address-set address-set-name &<1-6> | ipv4-address [ ipv4-mask-length | mask mask-address ] | ipv6-address ipv6-prefix-length | range { ipv4-start-address ipv4-end-address | ipv6-start-address ipv6-end-address } | mac-address &<1-6> | any }

    • Specify the source security zone to which an IPv6 intranet belongs.

      source-zone { zone-name &<1-6> | any }

    • Specify the destination security zone to which an IPv4 network belongs.

      destination-zone zone-name

    • Specify the type of service (ToS). The ToS field is carried in an IP header and describes the service type of a packet.

      service { service-name &<1-6> | any }

  10. Perform either of the following operations to specify a NAT64 translation mode:

    • To enable NAT64 translation in address pool mode, run:

      action source-nat address-group address-group-name

    • To enable NAT64 translation in easy IP mode, run:

      action source-nat easy-ip

  11. Return to the NAT policy view.

    quit

  12. Return to the system view.

    quit

  13. (Optional) Enable Endpoint-independent filtering.

    firewall endpoint-independent filter enable

    After the function is enabled, packets from IPv4 users to IPv6 users can match the destination server-map table. The FW performs NAT based on the destination server-map table and directly forwards the packets without querying security policies. If the function is disabled, the device applies the interzone packet filtering rules to filter the packets that pass the device.

Example

Configure dynamic NAT64 mapping to enable NAT64 translation in address pool mode.

<FW> system-view
[FW] nat64 prefix 3001:: 96
[FW] nat address-group pool_nat64
[FW-nat-address-group-pool_nat64] section 1 1.1.1.6 1.1.1.36
[FW-nat-address-group-pool_nat64] quit
[FW] nat-policy
[FW-policy-nat] rule name p_nat64
[FW-policy-nat-rule-p_nat64] nat-type nat64
[FW-policy-nat-rule-p_nat64] source-zone trust
[FW-policy-nat-rule-p_nat64] destination-zone untrust
[FW-policy-nat-rule-p_nat64] action source-nat address-group pool_nat64
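
When reviewing NAT64 session records against this configuration, it helps to recover the IPv4 destination embedded in each IPv6 destination and to confirm that the post-NAT source came from pool_nat64. The following Python sketch is an added example, not part of the original documentation; it assumes the RFC 6052 layout for a /96 prefix (IPv4 address in the low 32 bits), and the function names and sample session values are hypothetical.

```python
import ipaddress

# Values taken from the Example above.
NAT64_PREFIX = ipaddress.IPv6Network("3001::/96")
POOL_START = ipaddress.IPv4Address("1.1.1.6")
POOL_END = ipaddress.IPv4Address("1.1.1.36")

def synthesize(ipv4, prefix=NAT64_PREFIX):
    """DNS64 side: embed an IPv4 address in the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch handles /96 prefixes only")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))

def extract(ipv6, prefix=NAT64_PREFIX):
    """FW side: IPv4 destination embedded in ipv6, or None if outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if prefix.prefixlen != 96 or addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def pool_size():
    """Number of IPv4 addresses in section 1 of pool_nat64."""
    return int(POOL_END) - int(POOL_START) + 1

def review(dst6, post_nat_src4):
    """Return (embedded IPv4 destination, findings) for one session record."""
    findings = []
    dst4 = extract(dst6)
    if dst4 is None:
        findings.append("destination is outside the NAT64 prefix")
    if not POOL_START <= ipaddress.IPv4Address(post_nat_src4) <= POOL_END:
        findings.append("post-NAT source is outside pool_nat64")
    return dst4, findings

if __name__ == "__main__":
    # Constructed session records: (IPv6 destination, post-NAT IPv4 source).
    sessions = [
        ("3001::c000:221", "1.1.1.10"),
        ("3001::c000:221", "1.1.1.40"),
        ("2001:db8::1", "1.1.1.10"),
    ]
    print("pool size:", pool_size())
    for dst6, src4 in sessions:
        print(dst6, src4, review(dst6, src4))
```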
Copyright © Huawei Technologies Co., Ltd.