Dynamic NAT64 mapping applies when the IPv6 network accesses the IPv4 network. Virtual systems support dynamic NAT64 mapping configuration.
As shown in Figure 1, the virtual system vsysa supports the IPv6/IPv4 dual stack and is connected to an IPv6 network and an IPv4 network. The PC on the IPv6 network can access the server on the IPv4 network using URL www.example.com.
When NAT64 is deployed together with DNS64, the DNS64 device provides domain name resolution and synthesizes AAAA records for IPv4-only servers. The NAT64 prefix and prefix length configured on the DNS64 device must be the same as those configured on the NAT64 device; otherwise the synthesized addresses will not match the NAT64 policy.
# Enable the virtual system function.
<FW> system-view
[FW] vsys enable
# Create a virtual system and assign interfaces and global IP addresses to the virtual system. Global IP addresses will be used in the NAT address pool.
[FW] vsys name vsysa
[FW-vsys-vsysa] assign interface GigabitEthernet 0/0/1
[FW-vsys-vsysa] assign interface GigabitEthernet 0/0/2
[FW-vsys-vsysa] assign global-ip 1.1.1.6 1.1.1.10 exclusive
[FW-vsys-vsysa] quit
# Enable IPv6.
[FW] ipv6
# Enable the IPv6 address family.
[FW] ip vpn-instance vsysa
[FW-vpn-instance-vsysa] ipv6-family
[FW-vpn-instance-vsysa-af-ipv6] quit
[FW-vpn-instance-vsysa] quit
# Set interface IP addresses.
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet 0/0/1] ip address 1.1.1.1 24
[FW-GigabitEthernet 0/0/1] quit
[FW] interface GigabitEthernet 0/0/2
[FW-GigabitEthernet 0/0/2] ipv6 enable
[FW-GigabitEthernet 0/0/2] ipv6 address 1::1 64
[FW-GigabitEthernet 0/0/2] quit
# Configure a static route to the IPv6 network.
[FW] ipv6 route-static vpn-instance vsysa 2001:: 64 1::2
# Access the configuration view of the virtual system.
[FW] switch vsys vsysa
# Assign interfaces to security zones.
<FW-vsysa> system-view
[FW-vsysa] firewall zone trust
[FW-vsysa-zone-trust] add interface GigabitEthernet 0/0/1
[FW-vsysa-zone-trust] quit
[FW-vsysa] firewall zone untrust
[FW-vsysa-zone-untrust] add interface GigabitEthernet 0/0/2
[FW-vsysa-zone-untrust] quit
# Configure a security policy.
[FW-vsysa] security-policy
[FW-vsysa-policy-security] rule name policy_sec_1
[FW-vsysa-policy-security-rule-policy_sec_1] source-zone untrust
[FW-vsysa-policy-security-rule-policy_sec_1] destination-zone trust
[FW-vsysa-policy-security-rule-policy_sec_1] source-address 2001:: 64
[FW-vsysa-policy-security-rule-policy_sec_1] action permit
[FW-vsysa-policy-security-rule-policy_sec_1] quit
# Configure a static route to the IPv4 network.
[FW-vsysa] ip route-static 2.2.2.0 24 1.1.1.254
# Enable the NAT64 function on the interface connected to the IPv6 network.
[FW-vsysa] interface GigabitEthernet 0/0/2
[FW-vsysa-GigabitEthernet 0/0/2] nat64 enable
[FW-vsysa-GigabitEthernet 0/0/2] quit
# Set the IPv6 prefix to 3001::/96.
[FW-vsysa] nat64 prefix 3001:: 96
In this example, the NAT64 prefix is 3001::/96. If no prefix is configured, the well-known prefix (64:ff9b::/96) is used by default.
# Configure IPv4 NAT address pool addressgroup1 whose addresses range from 1.1.1.6 through 1.1.1.10. The addresses in this NAT address pool are the IPv4 addresses of resulting packets.
[FW-vsysa] nat address-group addressgroup1
[FW-vsysa-address-group-addressgroup1] mode pat
[FW-vsysa-address-group-addressgroup1] section 1 1.1.1.6 1.1.1.10
[FW-vsysa-address-group-addressgroup1] quit
# Configure a dynamic NAT64 mapping.
[FW-vsysa] nat-policy
[FW-vsysa-policy-nat] rule name policy_nat64
[FW-vsysa-policy-nat-rule-policy_nat64] nat-type nat64
[FW-vsysa-policy-nat-rule-policy_nat64] source-zone untrust
[FW-vsysa-policy-nat-rule-policy_nat64] destination-zone trust
[FW-vsysa-policy-nat-rule-policy_nat64] source-address 2001:: 64
[FW-vsysa-policy-nat-rule-policy_nat64] action source-nat address-group addressgroup1
[FW-vsysa-policy-nat-rule-policy_nat64] quit
[FW-vsysa-policy-nat] quit
# Set the IPv6 prefix of the DNS64 device to 3001::/96, which is the same as the NAT64 prefix of the FW.
# Configure a route from the DNS64 device to the PC.
# Set the PC IPv6 address to 2001::1/64.
# Configure a route from the PC to 3001::/96 and set the next hop to the address of the egress router on the IPv6 network.
# Set the DNS server of the PC as the IPv6 address of the DNS64 device.
# Set the server IPv4 address to 2.2.2.2/24.
# Configure a route from the server to 1.1.1.6-1.1.1.10 and set the next hop to the address of the egress router on the IPv4 network.
Check the NAT64 session table information.
<FW> display firewall ipv6 session table verbose vsys vsysa
 Current Total IPv6 Sessions : 1
  NAT64: icmpv6  VPN: vsysa --> vsysa  ID: a48f34fda4a30c993571015f1
  Zone: untrust --> trust  TTL: 00:00:45  Left: 00:00:45
  Interface: GigabitEthernet 0/0/1  NextHop: 1.1.1.254  MAC: 0000-0000-0000
  <--packets: 25 bytes: 2,600 --> packets: 25 bytes: 2,600
  2001::1.44019[1.1.1.7:2051] --> 3001::202:202.2048[2.2.2.2:2048]  PolicyName: policy_sec_1
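The session entry above shows the two halves of a NAT64 translation: the PC reached the server at the DNS64-synthesized address 3001::202:202 (the 3001::/96 prefix with 2.2.2.2 embedded), and the FW rewrote the source to 1.1.1.7 from addressgroup1. The following is an added example, not Huawei's code or output from the FW, that implements the RFC 6052 address synthesis the DNS64 device performs (for /96 and for the shorter RFC 6052 prefix lengths, going beyond the /96 case this page configures) and then checks a flow line from the session table against the prefix and the pool configured on this page. The flow line is the one shown above; the function names and the check structure are this example's own assumptions.

```python
"""Added example: RFC 6052 NAT64/DNS64 address synthesis and a consistency
check for a NAT64 flow from the FW session table. Not vendor code."""
import ipaddress
import re

# RFC 6052 well-known prefix; the page says the FW falls back to it when no
# "nat64 prefix" is configured.
WELL_KNOWN_PREFIX = "64:ff9b::/96"
# Prefix lengths RFC 6052 allows for IPv4-embedded IPv6 addresses.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize(prefix, ipv4):
    """Embed ipv4 in prefix the way DNS64 builds a AAAA record (RFC 6052 2.2).

    For /96 the IPv4 address occupies the last 32 bits. For shorter prefixes
    octet 8 (bits 64-71, the "u" octet) is reserved and must be zero, so the
    four IPv4 bytes are split around it.
    """
    net = ipaddress.IPv6Network(prefix)
    plen = net.prefixlen
    if plen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"/{plen} is not an RFC 6052 prefix length")
    v4 = ipaddress.IPv4Address(ipv4).packed
    pfx = net.network_address.packed[: plen // 8]
    if plen == 96:
        body = pfx + v4
    else:
        head = 8 - len(pfx)  # number of IPv4 bytes that fit before octet 8
        body = pfx + v4[:head] + b"\x00" + v4[head:]
    return ipaddress.IPv6Address(body.ljust(16, b"\x00"))


def extract_ipv4(prefix, ipv6):
    """Inverse of synthesize(): the IPv4 destination the NAT64 device will
    place in the translated packet."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside NAT64 prefix {net}")
    plen = net.prefixlen
    b = addr.packed
    if plen == 96:
        v4 = b[12:16]
    else:
        p = plen // 8
        v4 = b[p:8] + b[9:p + 5]  # skip the reserved "u" octet
    return ipaddress.IPv4Address(v4)


# Flow line format in "display firewall ipv6 session table verbose":
#   <v6src>.<port>[<v4src>:<port>] --> <v6dst>.<port>[<v4dst>:<port>]
FLOW_RE = re.compile(
    r"([0-9a-fA-F:]+)\.(\d+)\[([0-9.]+):(\d+)\] --> "
    r"([0-9a-fA-F:]+)\.(\d+)\[([0-9.]+):(\d+)\]"
)


def check_nat64_flow(flow_line, prefix, pool_first, pool_last):
    """Check a NAT64 flow against the configuration on this page: the IPv6
    destination must embed the real IPv4 server address inside the NAT64
    prefix, and the translated source must come from the PAT address pool."""
    m = FLOW_RE.search(flow_line)
    if not m:
        raise ValueError("not a NAT64 flow line")
    v6_src, _, v4_src, _, v6_dst, _, v4_dst, _ = m.groups()
    lo = ipaddress.IPv4Address(pool_first)
    hi = ipaddress.IPv4Address(pool_last)
    return {
        "client": v6_src,
        "dst_embeds_server": extract_ipv4(prefix, v6_dst)
        == ipaddress.IPv4Address(v4_dst),
        "src_from_pool": lo <= ipaddress.IPv4Address(v4_src) <= hi,
    }


# Flow line taken from the session table output shown on this page.
PAGE_FLOW = "2001::1.44019[1.1.1.7:2051] --> 3001::202:202.2048[2.2.2.2:2048]"

if __name__ == "__main__":
    print(synthesize("3001::/96", "2.2.2.2"))  # what DNS64 returns for 2.2.2.2
    print(check_nat64_flow(PAGE_FLOW, "3001::/96", "1.1.1.6", "1.1.1.10"))
```

Running the check over every NAT64 flow in the table is a quick way to confirm that the DNS64 device and the FW agree on the prefix (a mismatch shows up as destinations outside 3001::/96 that never get a NAT64 session) and that translated sources never leave the exclusive global-ip range assigned to vsysa.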
Configuration script of the root system
#
 ipv6
#
 vsys enable
#
vsys name vsysa 1
 assign interface GigabitEthernet0/0/1
 assign interface GigabitEthernet0/0/2
 assign global-ip 1.1.1.6 1.1.1.10 exclusive
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ipv6 enable
 ipv6 address 1::1/64
#
 ipv6 route-static vpn-instance vsysa 2001:: 64 1::2
#
return
Configuration script of vsysa
#
switch vsys vsysa
#
interface GigabitEthernet 0/0/2
 nat64 enable
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet0/0/1
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet0/0/2
#
nat address-group addressgroup1
 mode pat
 section 1 1.1.1.6 1.1.1.10
#
 nat64 prefix 3001:: 96
#
 ip route-static 2.2.2.0 24 1.1.1.254
#
security-policy
 rule name policy_sec_1
  source-zone untrust
  destination-zone trust
  source-address 2001:: 64
  action permit
#
nat-policy
 rule name policy_nat64
  source-zone untrust
  destination-zone trust
  nat-type nat64
  source-address 2001:: 64
  action source-nat address-group addressgroup1
#
return