
CLI: Example for Configuring an IPv4 User in a Virtual System to Access an IPv6 Server

Static NAT64 mapping, the one-to-one address translation mode, applies when the IPv4 network initiates a connection to the IPv6 network. Virtual systems support static NAT64 mapping configuration.

Networking Requirements

As shown in Figure 1, the virtual system vsysa supports the IPv6/IPv4 dual stack and is connected to an IPv6 network and an IPv4 network. The PC on the IPv4 network needs to access the server on the IPv6 network by using IPv4 address 1.1.1.10.

Figure 1 Networking diagram for static NAT64 mapping in a virtual system

Procedure

  1. Create virtual system vsysa, and assign interfaces and global IP addresses to vsysa.

    # Enable the virtual system function.

    <FW> system-view
    [FW] vsys enable

    # Create a virtual system and assign interfaces and global IP addresses to the virtual system. Public IP addresses will be used for static NAT64 mapping.

    [FW] vsys name vsysa
    [FW-vsys-vsysa] assign interface GigabitEthernet 0/0/1
    [FW-vsys-vsysa] assign interface GigabitEthernet 0/0/2
    [FW-vsys-vsysa] assign global-ip 1.1.1.10 1.1.1.10 exclusive
    [FW-vsys-vsysa] quit
    

  2. Configure IP addresses, routes, and security policies for vsysa.

    # Enable IPv6.

    [FW] ipv6

    # Enable the IPv6 address family.

    [FW] ip vpn-instance vsysa
    [FW-vpn-instance-vsysa] ipv6-family
    [FW-vpn-instance-vsysa-af-ipv6] quit
    [FW-vpn-instance-vsysa] quit

    # Set interface IP addresses.

    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet 0/0/1] ip address 1.1.1.1 24
    [FW-GigabitEthernet 0/0/1] quit
    [FW] interface GigabitEthernet 0/0/2
    [FW-GigabitEthernet 0/0/2] ipv6 enable
    [FW-GigabitEthernet 0/0/2] ipv6 address 1::1 64
    [FW-GigabitEthernet 0/0/2] quit
    

    # Configure a static route to the IPv6 network.

    [FW] ipv6 route-static vpn-instance vsysa 2001:: 64 1::2

    # Access the configuration view of the virtual system.

    [FW] switch vsys vsysa
    

    # Assign interfaces to security zones.

    <FW-vsysa> system-view
    [FW-vsysa] firewall zone trust
    [FW-vsysa-zone-trust] add interface GigabitEthernet 0/0/1
    [FW-vsysa-zone-trust] quit
    [FW-vsysa] firewall zone untrust
    [FW-vsysa-zone-untrust] add interface GigabitEthernet 0/0/2
    [FW-vsysa-zone-untrust] quit

    # Configure a security policy.

    [FW-vsysa] security-policy
    [FW-vsysa-policy-security] rule name policy_sec_1
    [FW-vsysa-policy-security-rule-policy_sec_1] source-zone trust
    [FW-vsysa-policy-security-rule-policy_sec_1] destination-zone untrust
    [FW-vsysa-policy-security-rule-policy_sec_1] destination-address 2001::1 64
    [FW-vsysa-policy-security-rule-policy_sec_1] action permit
    [FW-vsysa-policy-security-rule-policy_sec_1] quit
    [FW-vsysa-policy-security] quit

    # Configure a static route to the IPv4 network.

    [FW-vsysa] ip route-static 2.2.2.0 24 1.1.1.254

  3. Configure NAT64.

    # Enable the NAT64 function on the interface connected to the IPv6 network.

    [FW-vsysa] interface GigabitEthernet 0/0/2
    [FW-vsysa-GigabitEthernet 0/0/2] nat64 enable
    [FW-vsysa-GigabitEthernet 0/0/2] quit

    # Configure a NAT64 prefix. The source address of the packets from the PC to the server on the IPv6 network is the combination of the prefix and the IPv4 address of the PC.

    [FW-vsysa] nat64 prefix 3001:: 96

    In the example, the NAT64 prefix is 3001:: 96. If no prefix is configured, the well-known prefix is used by default.

    # Configure a static NAT64 mapping to translate IPv6 address 2001::1 (of the server) into IPv4 address 1.1.1.10.

    [FW-vsysa] nat64 static 2001::1 1.1.1.10 unr-route

  4. Configure the IPv4 address and route for the PC. (The method of configuring the IPv4 address and route varies depending on the operating system of the PC and is omitted here.)

    # Set the PC IPv4 address to 2.2.2.2/24.

    # Configure a route from the PC to 1.1.1.10 and set the next hop to the address of the egress router on the IPv4 network.

  5. Configure the IPv6 address and route for the server. (The method of configuring the IPv6 address and route varies depending on the operating system of the server and is omitted here.)

    # Set the server IPv6 address to 2001::1/64.

    # Configure a route from the server to 3001::/96 and set the next hop to the address of the egress router on the IPv6 network.

Verification

  1. After the configuration is complete, run the ping 1.1.1.10 command on the PC.

  2. Check the NAT64 session table information.

    <FW> display firewall ipv6 session table verbose vsys vsysa
     Current Total IPv6 Sessions : 1
     NAT64: icmpv6  VPN: vsysa --> vsysa  ID: a48f34fda44b01b9957100c6d
     Zone: trust --> untrust TTL: 00:00:45  Left: 00:00:45
     Interface: GigabitEthernet 0/0/2 NextHop: 1::2 MAC: 643e-8c48-f14c
     <--packets: 50 bytes: 5,200 --> packets: 50 bytes: 5,200
     3001::202:202.44026[2.2.2.2:44026] --> 2001::1.2048[1.1.1.10:2048] PolicyName: policy_sec_1
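
The session entry above can be checked against the NAT64 configuration from step 3: the IPv6 source must be the PC's IPv4 address embedded in the 3001::/96 prefix, and the destination pair must match the nat64 static entry. The following Python script is an added example, not part of the original Huawei documentation; the function names and the regular expression for the session line are assumptions made for this illustration, and only /96 prefixes are handled.

```python
import ipaddress
import re

# Values taken from "nat64 prefix 3001:: 96" and "nat64 static 2001::1 1.1.1.10".
NAT64_PREFIX = ipaddress.IPv6Network("3001::/96")
STATIC_MAP = {ipaddress.IPv6Address("2001::1"): ipaddress.IPv4Address("1.1.1.10")}

# Session line copied from the Verification output on this page.
SESSION_LINE = ("3001::202:202.44026[2.2.2.2:44026] --> "
                "2001::1.2048[1.1.1.10:2048] PolicyName: policy_sec_1")

# Assumed layout of one endpoint: <ipv6>.<port>[<ipv4>:<port>]
ENDPOINT = re.compile(r"([0-9A-Fa-f:]+)\.(\d+)\[(\d+\.\d+\.\d+\.\d+):(\d+)\]")


def synthesize(prefix, ipv4):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("this example only handles /96 prefixes")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract(prefix, ipv6):
    """Recover the embedded IPv4 address, or None if ipv6 is outside the prefix."""
    ipv6 = ipaddress.IPv6Address(ipv6)
    if prefix.prefixlen != 96 or ipv6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(ipv6) & 0xFFFFFFFF)


def check_session(line, prefix=NAT64_PREFIX, static_map=STATIC_MAP):
    """Return a list of mismatches between a session line and the NAT64 config."""
    ends = ENDPOINT.findall(line)
    if len(ends) != 2:
        return ["unparseable session line"]
    (src6, _, src4, _), (dst6, _, dst4, _) = ends
    problems = []
    if extract(prefix, src6) != ipaddress.IPv4Address(src4):
        problems.append(f"source {src6} is not {src4} embedded in {prefix}")
    if static_map.get(ipaddress.IPv6Address(dst6)) != ipaddress.IPv4Address(dst4):
        problems.append(f"destination {dst6} <-> {dst4} has no nat64 static entry")
    return problems


if __name__ == "__main__":
    print(synthesize(NAT64_PREFIX, "2.2.2.2"))
    print(check_session(SESSION_LINE) or "session matches NAT64 configuration")
```
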

Configuration Scripts

Configuration script of the root system

#                                                                               
 ipv6
# 
 vsys enable 
# 
vsys name vsysa 1    
 assign interface GigabitEthernet0/0/1
 assign interface GigabitEthernet0/0/2
 assign global-ip 1.1.1.10 1.1.1.10 exclusive
#                                                                               
interface GigabitEthernet 0/0/1                                                  
 ip address 1.1.1.1 255.255.255.0                                               
#                                                                               
interface GigabitEthernet 0/0/2                                                  
 ipv6 enable
 ipv6 address 1::1/64                                              
#  
 ipv6 route-static vpn-instance vsysa 2001:: 64 1::2
#                                                                                
return

Configuration script of vsysa

#
switch vsys vsysa
#                                                                               
interface GigabitEthernet 0/0/2
 nat64 enable
#                    
firewall zone trust  
 set priority 85     
 add interface GigabitEthernet0/0/1
#                    
firewall zone untrust
 set priority 5      
 add interface GigabitEthernet0/0/2
#  
 nat64 prefix 3001:: 96   
 nat64 static 2001::1 1.1.1.10 unr-route                                                
#  
 ip route-static 2.2.2.0 24 1.1.1.254   
#                                                                               
security-policy                                                                 
  rule name policy_sec_1                                                        
    source-zone trust                                                           
    destination-zone untrust                                                    
    destination-address 2001::1 64                                               
    action permit
#
return 
Copyright © Huawei Technologies Co., Ltd.