Web: Example for Enabling an IPv6 User to Access an IPv4 Server

Dynamic NAT64 mapping applies when the IPv6 network accesses the IPv4 network.

Networking Requirements

As shown in Figure 1, the FW supports the IPv6/IPv4 dual stack and is connected to an IPv6 network and an IPv4 network.

When NAT64 is deployed with DNS64, the DNS64 device provides domain name resolution. The prefix and prefix length set on the DNS64 device are the same as those on the FW.

Figure 1 Dynamic NAT64 networking diagram

The PC on the IPv6 network can access the server on the IPv4 network using URL www.example.com.

Procedure

  1. Enable IPv6 and NAT64.
    1. Choose Dashboard > Device Information.

    2. Click Configure on the line of IPv6 and enable IPv6 and NAT64 functions.

    3. Click Apply.
  2. Set IP addresses for interfaces on the FW and assign the interfaces to security zones.
    1. Set the IP address of GigabitEthernet 0/0/1 and assign the interface to a security zone.

      1. Choose Network > Interface.

      2. In Interface List, click on the line of GigabitEthernet 0/0/1 and set the following parameters.

        Zone: trust

        IPv4
          IP Address: 1.1.1.1/24

      3. Click OK.

    2. Set the IP address of GigabitEthernet 0/0/2 and assign the interface to a security zone.

      1. Choose Network > Interface.

      2. In Interface List, click on the line of GigabitEthernet 0/0/2 and set the following parameters.

        Zone: untrust

        IPv6
          IP Address: 2001::2/64

      3. Click OK.

  3. Configure a security policy for traffic between Internet users and intranet servers.

    1. Choose Policy > Security Policy > Security Policy.

    2. In Security Policy List, click Add, select Add Security Policy, and configure a security policy based on the following parameter values.

      Name: policy_sec_1
      Source Zone: untrust
      Destination Zone: trust
      Source Address/Region: 2001::/64
      Action: Permit

    3. Click OK.

  4. Configure a NAT address pool and a NAT64 policy.

    1. Choose Policy > NAT Policy > NAT Policy > Source Translation Address Pool.

    2. In Source Translation Address Pool List, click Add and configure a NAT address pool based on the following parameter values.

    3. Click OK.

    4. Choose Policy > NAT Policy > NAT Policy > NAT Policy.

    5. In NAT Policy List, click Add and configure a NAT64 policy based on the following parameter values.

    6. Click OK.

  5. Configure the DNS64 device.

    # Set the IPv6 prefix of the DNS64 device to 3001::/96, which is the same as the NAT64 prefix of the FW.

    # The IP connectivity between the DNS64 device and the PC, and between the DNS64 device and the server is ensured.

  6. Configure the PC IPv6 address, the route and the DNS server. (The method of setting IPv6 address, route and DNS server varies depending on the operating system of the PC. The setting method is omitted here.)

    # Set the PC IPv6 address to 2001::1/24, which is on the same subnet as GigabitEthernet 0/0/2 of the FW.

    # Set a static route from the PC to the FW. The destination address is prefix 3001::/96, and the next-hop address is 2001::2.

    # Set the DNS server of the PC to the IPv6 address of the DNS64 device.

  7. Configure the server IPv4 address. (The method of setting IPv4 address varies depending on the operating system of the server. The setting method is omitted here.)

    # Set the server IPv4 address to 1.1.1.2/24, which is on the same subnet as GigabitEthernet 0/0/1 of the FW.
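Why the DNS64 device and the FW must share the prefix 3001::/96, shown as an added example (not part of the original page or the vendor's code): the embedding that turns the server's 1.1.1.2 into the IPv6 address the PC connects to, and the reverse decoding for reading IPv6 destinations in session logs. It assumes both devices follow the RFC 6052 address format and generalizes beyond /96 to the other RFC 6052 prefix lengths; the function names and the sample destination list are constructed for illustration.

```python
import ipaddress

# Values taken from the page.
NAT64_PREFIX = "3001::/96"
SERVER_IPV4 = "1.1.1.2"
# RFC 6052 section 2.2 allows only these prefix lengths.
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)

def _offsets(prefixlen):
    """Byte positions that carry the IPv4 address; byte 8 (octet "u") is skipped."""
    if prefixlen not in VALID_LENGTHS:
        raise ValueError(f"/{prefixlen} is not an RFC 6052 prefix length")
    return [p for p in range(prefixlen // 8, 16) if p != 8][:4]

def synthesize(prefix, ipv4):
    """Embed an IPv4 address in the prefix, as DNS64 does when it builds an AAAA answer."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytearray(net.network_address.packed)
    for pos, byte in zip(_offsets(net.prefixlen), ipaddress.IPv4Address(ipv4).packed):
        raw[pos] = byte
    return ipaddress.IPv6Address(bytes(raw))

def extract(prefix, ipv6):
    """Recover the IPv4 address the FW translates to; reject addresses outside the prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    return ipaddress.IPv4Address(bytes(addr.packed[p] for p in _offsets(net.prefixlen)))

def decode_destinations(prefix, destinations):
    """Map logged IPv6 destinations to IPv4 targets; None marks non-NAT64 traffic."""
    net = ipaddress.IPv6Network(prefix)
    return {d: str(extract(prefix, d)) if ipaddress.IPv6Address(d) in net else None
            for d in destinations}

# Constructed sample of destination addresses, as they might appear in session logs.
SAMPLE_DESTINATIONS = ["3001::101:102", "3001::a00:1", "2001::2"]

if __name__ == "__main__":
    print(synthesize(NAT64_PREFIX, SERVER_IPV4))        # address the PC connects to
    for dst, v4 in decode_destinations(NAT64_PREFIX, SAMPLE_DESTINATIONS).items():
        print(f"{dst:>16} -> {v4}")
```

If the DNS64 device used a different prefix or length than the FW, the synthesized address would fall outside 3001::/96 and would match neither the PC's static route nor the FW's NAT64 prefix.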

Configuration Scripts

Configuration script for the FW:

#
 sysname FW
#
 ipv6
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ipv6 enable
 ipv6 address 2001::2/64
#
 nat64 enable
#
nat address-group addressgroup1
 mode pat
 section 1 1.1.1.6 1.1.1.10
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/2
#
 nat64 prefix 3001:: 96
#
security-policy
  rule name policy_sec_1
    source-zone untrust
    destination-zone trust
    source-address 2001:: 64
    action permit
#
nat-policy
  rule name policy_nat64
    source-zone untrust
    destination-zone trust
    nat-type nat64
    source-address 2001:: 64
    action source-nat address-group addressgroup1
#
return
Copyright © Huawei Technologies Co., Ltd.