
Handbook

NAT66, NAT64, NAT46 and DNS64

6.0.0

NAT66, NAT64, NAT46 and DNS64

NAT66, NAT64, and DNS64 are now supported for IPv6. These options provide IPv6 NAT and DNS capabilities with IPv6-IPv4 tunneling or dual stack configurations. The commands are available only in the CLI.

Fortinet supports all features described in RFC 6146. However, for DNS64 there is no support for handling Domain Name System Security Extensions (DNSSEC). DNSSEC secures the information that the DNS provides on an IP network or networks. You can find more information about DNS64 in RFC 6147.

NAT64 and DNS64 (DNS proxy)

NAT64 is used to translate IPv6 addresses to IPv4 addresses so that a client on an IPv6 network can communicate transparently with a server on an IPv4 network.

NAT64 is usually implemented in combination with the DNS proxy called DNS64. DNS64 synthesizes AAAA records from A records and is used to synthesize IPv6 addresses for hosts that only have IPv4 addresses. ‘DNS proxy’ and ‘DNS64’ are interchangeable terms.

Example NAT64 configuration

With a NAT64 and DNS64 configuration in place on a FortiGate unit, clients on an IPv6 network can transparently connect to addresses on an IPv4 network. NAT64 and DNS64 perform the IPv4 to IPv6 transition, allowing clients that have already switched to IPv6 addresses to continue communicating with servers that still use IPv4 addresses.

To enable NAT64 and DNS64, use the following CLI commands:

Enable NAT64

config system nat64
    set status enable
end

Enable the DNS proxy on the IPv6 interface

config system dns-server
    edit internal
end

In your DHCP6 configuration, configure the IPv6 interface IP address as the DNS6 server IP address. The FortiGate will proxy DNS requests to the system DNS server.

config system dhcp6 server
    edit 1
        set interface internal
        config ip-range
            edit 1
                set start-ip 2001:db8:1::11
                set end-ip 2001:db8:1::20
        end
        set dns-server1 2001:db8:1::10
end

NAT64 policies

You can configure security policies for NAT64 using the GUI. For these options to appear, the feature must be enabled using System > Feature Visibility. You can then configure the policies under Policy & Objects > NAT64 Policy.

NAT64 policies can also be configured from the CLI using the following command:

config firewall policy64

In the following section, you will configure a NAT64 policy that allows connections from an internal IPv6 network to an external IPv4 network.

Configuring NAT64 to allow a host on the IPv6 network to connect to the Internet server

In this example, the Internal IPv6 network address is 2001:db8:1::/48 and the external IPv4 network address is 172.20.120.0/24. NAT64 is configured to allow a user on the internal network to connect to the server at IPv4 address 172.20.120.12. In this configuration, sessions exiting the wan1 interface must have their source address changed to an IPv4 address in the range 172.20.120.200 to 172.20.120.210.

Enter the following command to enable NAT64:

config system nat64
    set status enable
end

Enabling NAT64 with the config system nat64 command means that all IPv6 traffic received by the current VDOM can be subject to NAT64 if its source and destination addresses match a NAT64 security policy.

By default, the setting always-synthesize-aaaa-record is enabled. If you disable this setting, the DNS proxy (DNS64) first attempts to find AAAA records for queried domain names and so resolves the host names to IPv6 addresses. Only if the DNS proxy cannot find an AAAA record does it synthesize one by adding the NAT64 prefix to the A record.

Use the nat64-prefix option of the config system nat64 command to change the NAT64 prefix from the well-known prefix 64:ff9b::/96. With always-synthesize-aaaa-record set to enable (the default), the DNS proxy does not check for AAAA records at all; it synthesizes AAAA records for every query.

As an alternative to the entry above, the following optional configuration also allows CNAME queries to be resolved:

config system nat64
    set status enable
    set nat64-prefix 64:ff9b::/96
    set always-synthesize-aaaa-record enable
end

Enter the following command to add an IPv6 firewall address for the internal network:

config firewall address6
    edit internal-net6
        set ip6 2001:db8:1::/48
end

Enter the following command to add an IPv4 firewall address for the external network:

config firewall address
    edit external-net4
        set subnet 172.20.120.0/24
        set associated-interface wan1
end

Enter the following command to add an IP pool containing the IPv4 addresses that should become the source addresses of the packets exiting the wan1 interface:

config firewall ippool
    edit exit-pool4
        set startip 172.20.120.200
        set endip 172.20.120.210
end

Enter the following command to add a NAT64 policy that allows connections from the internal IPv6 network to the external IPv4 network:

config firewall policy64
    edit 0
        set srcintf internal
        set srcaddr internal-net6
        set dstintf wan1
        set dstaddr external-net4
        set action accept
        set schedule always
        set service ALL
        set logtraffic enable
        set ippool enable
        set poolname exit-pool4
end

The srcaddr can be any IPv6 firewall address and the dstaddr can be any IPv4 firewall address.

Other NAT64 policy options include fixedport, which can be used to prevent NAT64 from changing the destination port. You can also configure traffic shaping for NAT64 policies.

How a host on the internal IPv6 network communicates with example.server.com, which has only an IPv4 address on the Internet
  1. The host on the internal network does a DNS lookup for example.server.com by sending a DNS query for an AAAA record for example.server.com.
  2. The DNS query is intercepted by the FortiGate DNS proxy.
  3. The DNS proxy attempts to resolve the query with a DNS server on the Internet and discovers that there are no AAAA records for example.server.com.
  4. The previous step is skipped if always-synthesize-aaaa-record is enabled.
  5. The DNS proxy performs an A-record query for example.server.com and gets back an RRSet containing a single A record with the IPv4 address 172.20.120.12.
  6. The DNS proxy then synthesizes an AAAA record. The IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits and the received IPv4 address in the lower 32 bits. By default, the resulting IPv6 address is 64:ff9b::172.20.120.12.
  7. The host on the internal network receives the synthetic AAAA record and sends a packet to the destination address 64:ff9b::172.20.120.12.
  8. The packet is routed to the FortiGate internal interface where it is accepted by the NAT64 security policy.
  9. The FortiGate unit translates the destination address of the packets from IPv6 address 64:ff9b::172.20.120.12 to IPv4 address 172.20.120.12 and translates the source address of the packets to 172.20.120.200 (or another address in the IP pool range) and forwards the packets out the wan1 interface to the Internet.
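The address embedding from step 6 and the translation back in step 9, as an added Python example that is not FortiOS code: it generalizes the /96 case to the other RFC 6052 prefix lengths a changed nat64-prefix could use, and the UPSTREAM table is a constructed stand-in for the Internet DNS server the proxy queries.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network

# RFC 6052 permits these NAT64 prefix lengths; FortiOS defaults to the
# well-known prefix 64:ff9b::/96 (nat64-prefix changes it).
NAT64_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = IPv6Network("64:ff9b::/96")

def synthesize_aaaa(prefix: IPv6Network, v4: IPv4Address) -> IPv6Address:
    """Embed an IPv4 address in a NAT64 prefix (RFC 6052 section 2.2).
    /96: prefix in the upper 96 bits, IPv4 in the lower 32 (step 6 above).
    Shorter prefixes: the IPv4 octets follow the prefix but skip octet 8,
    the 'u' octet, which must stay zero."""
    if prefix.prefixlen not in NAT64_PREFIX_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{prefix.prefixlen}")
    nbytes = prefix.prefixlen // 8
    out = bytearray(16)
    out[:nbytes] = prefix.network_address.packed[:nbytes]
    pos = nbytes
    for octet in v4.packed:
        if pos == 8:          # never write into the u octet
            pos = 9
        out[pos] = octet
        pos += 1
    return IPv6Address(bytes(out))

def extract_ipv4(prefix: IPv6Network, v6: IPv6Address) -> IPv4Address:
    """Reverse of synthesize_aaaa: the IPv4 destination NAT64 forwards to
    (step 9 above). Addresses outside the prefix are not NAT64 traffic."""
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside NAT64 prefix {prefix}")
    raw, pos, octets = v6.packed, prefix.prefixlen // 8, bytearray()
    while len(octets) < 4:
        if pos == 8:
            pos = 9
        octets.append(raw[pos])
        pos += 1
    return IPv4Address(bytes(octets))

def dns64_answer(records: dict, name: str, prefix: IPv6Network,
                 always_synthesize: bool = True) -> list:
    """What the DNS proxy returns for an AAAA query (steps 3 to 6 above).
    'records' is a constructed stand-in for the upstream resolver, shaped
    {name: {"A": [...], "AAAA": [...]}}. With always-synthesize-aaaa-record
    enabled (the FortiOS default) native AAAA records are not consulted and
    every A record becomes a synthetic AAAA record."""
    rrsets = records.get(name, {})
    native = [IPv6Address(a) for a in rrsets.get("AAAA", [])]
    if not always_synthesize and native:
        return native                     # step 3 found real AAAA records
    return [synthesize_aaaa(prefix, IPv4Address(a)) for a in rrsets.get("A", [])]

# Constructed resolver data: the page's IPv4-only server plus a dual-stack host.
UPSTREAM = {
    "example.server.com": {"A": ["172.20.120.12"]},
    "dual.example.test": {"A": ["192.0.2.10"], "AAAA": ["2001:db8:2::10"]},
}

if __name__ == "__main__":
    synth = dns64_answer(UPSTREAM, "example.server.com", WELL_KNOWN_PREFIX)[0]
    print(synth, "->", extract_ipv4(WELL_KNOWN_PREFIX, synth))  # 64:ff9b::ac14:780c -> 172.20.120.12
```

Python prints the synthesized address in hexadecimal groups, so 64:ff9b::172.20.120.12 from step 6 appears as 64:ff9b::ac14:780c; both spellings denote the same address.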

NAT66

NAT66 is used for translating an IPv6 source or destination address to a different IPv6 source or destination address. NAT66 is not as common or as important as IPv4 NAT, since most IPv6 networks do not need address translation the way IPv4 networks do. However, NAT66 can be useful for a number of reasons. For example, you may have changed the IP addresses of some devices on your network but want traffic to still appear to be coming from their old addresses. You can use NAT66 to translate the source addresses of packets from the devices to their old source addresses.

In FortiOS, NAT66 options can be added to an IPv6 security policy from the CLI. Configuring NAT66 is very similar to configuring NAT in an IPv4 security policy. For example, use the following command to add an IPv6 security policy that translates the source address of IPv6 packets to the address of the destination interface (similar to IPv4 source NAT):

config firewall policy6
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr internal_net
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
end

It can also be useful to translate an IPv6 source address to an address other than that of the exiting interface. You can do this using IP pools. For example, enter the following command to add an IPv6 IP pool containing one IPv6 address:

config firewall ippool6
    edit example_6_pool
        set startip 2001:db8::
        set endip 2001:db8::
end

Enter the following command to add an IPv6 firewall address that contains a single IPv6 address:

config firewall address6
    edit device_address
        set ip6 2001:db8::132/128
end

Enter the following command to add an IPv6 security policy that accepts packets from a device with IP address 2001:db8::132 and translates the source address to 2001:db8:::

config firewall policy6
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr device_address
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
        set ippool enable
        set poolname example_6_pool
end

NAT66 destination address translation

NAT66 can also be used to translate destination addresses. This is done in an IPv6 policy by using IPv6 virtual IPs. For example, enter the following command to add an IPv6 virtual IP that maps the destination address 2001:db8::dd to 2001:db8::ee:

config firewall vip6
    edit example-vip6
        set extip 2001:db8::dd
        set mappedip 2001:db8::ee
end

Enter the following command to add an IPv6 security policy that accepts packets with the destination address 2001:db8::dd and translates that destination address to 2001:db8::ee:

config firewall policy6
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set dstaddr example-vip6
        set action accept
        set schedule always
        set service ALL
end

NAT64 and NAT66 session failover

The FortiGate Clustering Protocol (FGCP) supports IPv6, NAT64, and NAT66 session failover. If session pickup is enabled, these sessions are synchronized between cluster members and, after an HA failover, the sessions will resume with only minimal interruption.

NAT46

NAT46 is used to translate IPv4 addresses to IPv6 addresses so that a client on an IPv4 network can communicate transparently with a server on an IPv6 network.

To enable NAT46, use the following CLI command:

config firewall vip46

NAT46 policies

Security policies for NAT46 can be configured from the GUI. For these options to appear in the GUI, this feature must be enabled using System > Feature Visibility. You can then configure the policies under Policy & Objects > NAT46 Policy.

NAT46 policies can also be configured from the CLI using the following command:

config firewall policy46