Static NAT64 mapping, the one-to-one address translation mode, applies when the IPv4 network initiates a connection to the IPv6 network.
As shown in Figure 1, the FW supports the IPv6/IPv4 dual stack and is connected to an IPv6 network and an IPv4 network.
The PC on the IPv4 network can access the server on the IPv6 network by using IPv4 address 1.1.1.10.
# Set an IPv4 address for GigabitEthernet 0/0/1.
<FW> system-view
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet 0/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet 0/0/1] quit
# Enable the IPv6 packet forwarding function.
[FW] ipv6
# Set an IPv6 address for GigabitEthernet 0/0/2.
[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet 0/0/2] ipv6 enable
[FW-GigabitEthernet 0/0/2] ipv6 address 2001::2 64
# Enable the NAT64 function on GigabitEthernet 0/0/2.
[FW-GigabitEthernet 0/0/2] nat64 enable
[FW-GigabitEthernet 0/0/2] quit
# Assign GigabitEthernet 0/0/1 to the Trust zone.
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet 0/0/1
[FW-zone-trust] quit
# Assign GigabitEthernet 0/0/2 to the Untrust zone.
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet 0/0/2
[FW-zone-untrust] quit
# Configure a NAT64 prefix. The source address of the packets from the PC to the server on the IPv6 network is the combination of the prefix and the IPv4 address of the PC.
[FW] nat64 prefix 3001:: 96
In this example, the NAT64 prefix is 3001::/96.
# Configure a static NAT64 mapping to translate IPv6 address 2001::1 (of the server) into IPv4 address 1.1.1.10.
[FW] nat64 static 2001::1 1.1.1.10 unr-route
# Enable security policy control for NAT64 packets.
[FW] nat64 security-policy enable
# Configure a security policy.
An IPv6 security policy is required for NAT64 static mapping.
[FW] security-policy
[FW-policy-security] rule name policy_sec_1
[FW-policy-security-rule-policy_sec_1] source-zone trust
[FW-policy-security-rule-policy_sec_1] destination-zone untrust
[FW-policy-security-rule-policy_sec_1] destination-address 2001::1 64
[FW-policy-security-rule-policy_sec_1] action permit
[FW-policy-security-rule-policy_sec_1] quit
# Set the PC IPv4 address to 1.1.1.2/24, which is on the same subnet as GigabitEthernet 0/0/1 of the FW.
# Set the server IPv6 address to 2001::1/64, which is on the same subnet as GigabitEthernet 0/0/2 of the FW.
# Set a static route from the server to the FW. The destination address is 3001::/96, and the next-hop address is 2001::2.
# After the configuration is complete, run the ping 1.1.1.10 command on the PC.
C:\> ping 1.1.1.10
Pinging 1.1.1.10 with 32 bytes of data:
Reply from 1.1.1.10: time=69ms
Reply from 1.1.1.10: time=34ms
Reply from 1.1.1.10: time=17ms
Reply from 1.1.1.10: time=18ms
Ping statistics for 1.1.1.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 17ms, Maximum = 69ms, Average = 34ms
The PC can ping the IPv4 address of the server.
# In any view of the FW, run the display firewall ipv6 session table command to verify information about the NAT64 session table.
<FW> display firewall ipv6 session table
Current total IPv6 sessions: 1
Slot: 6 CPU: 1
NAT64: icmp6 VPN: public --> public 3001::101:102.44006[1.1.1.2:44006] --> 2001::1.2048[1.1.1.10:2048]
The NAT64 session table shows the mapping between IPv6 addresses and IPv4 addresses.
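The following added example (not part of the original product documentation) checks a session table line against the configuration: the source IPv6 address must be the /96 NAT64 prefix with the PC's IPv4 address in the low 32 bits, and the destination must match the static mapping. The helper names synthesize, extract, parse_session and check_session are hypothetical, and only /96 prefixes are handled.

```python
import ipaddress
import re

# "IPv6.port[IPv4:port]" endpoints as printed in the session table line.
ENDPOINT = re.compile(r"([0-9A-Fa-f:]+)\.(\d+)\[(\d+(?:\.\d+){3}):(\d+)\]")

def synthesize(prefix, ipv4):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | v4)

def extract(prefix, ipv6):
    """Recover the IPv4 address embedded in a synthesized IPv6 address."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if net.prefixlen != 96 or addr not in net:
        raise ValueError(f"{addr} is not inside a /96 prefix {net}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def parse_session(line):
    """Return [(ipv6, ipv4), ...] for the source and destination endpoints."""
    return [(ipaddress.IPv6Address(m[1]), ipaddress.IPv4Address(m[3]))
            for m in ENDPOINT.finditer(line)]

def check_session(line, prefix, static_map):
    """True if the source follows the prefix rule and the destination the static mapping."""
    pairs = parse_session(line)
    if len(pairs) != 2:
        return False
    (src6, src4), (dst6, dst4) = pairs
    return synthesize(prefix, str(src4)) == src6 and static_map.get(dst6) == dst4

# Values taken from this page's configuration and session table output.
PREFIX = "3001::/96"
STATIC = {ipaddress.IPv6Address("2001::1"): ipaddress.IPv4Address("1.1.1.10")}
SESSION = ("NAT64: icmp6 VPN: public --> public "
           "3001::101:102.44006[1.1.1.2:44006] --> 2001::1.2048[1.1.1.10:2048]")

if __name__ == "__main__":
    print(synthesize(PREFIX, "1.1.1.2"))
    print(extract(PREFIX, "3001::101:102"))
    print(check_session(SESSION, PREFIX, STATIC))
```

The same check can be run over collected session table lines to flag entries whose source address does not decode to the expected IPv4 host.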
Configuration script for the FW:
#
sysname FW
#
ipv6
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ipv6 enable
 nat64 enable
 ipv6 address 2001::2/64
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/2
#
nat64 prefix 3001:: 96
nat64 static 2001::1 1.1.1.10 unr-route
#
nat64 security-policy enable
#
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  destination-address 2001::1 64
  action permit
#
return