https://live.paloaltonetworks.com/t5/general-topics/nat64-error/m-p/319101#M81869 <P>Hi Guys,</P><P>I am struggling with the destination NAT here.</P><P>I have a challenge where I want the IPv6 initiated host (any - internet) to be NATTED so that it can reach Private IP address port 443.</P><P><A href="https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/networking/nat64/configure-nat64/ipv6-initiated-communication.html#iddb41c324-5690-4ca3-b54a-6ec24ed3f57d" target="_blank">https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/networking/nat64/configure-nat64/ipv6-initiated-communication.html#iddb41c324-5690-4ca3-b54a-6ec24ed3f57d</A></P><P>Article clearly says, IPv6 initiated traffic.</P><P><SPAN>[...] Configure the destination IPv6 address as either the Well-Known Prefix or the NSP that the DNS64 server uses. (You do not configure the full IPv6 destination address in the rule.)[...]</SPAN></P><P>&nbsp;</P><P><SPAN>I mean, what ? </SPAN></P><P>&nbsp;</P><P><SPAN>I already have IPv6 on external interface on the firewall that can be reached from IPv6 network</SPAN></P><P><SPAN>I merely want not traffic that arrives at that interface on specific port to be NATTED behind some ipv4 address I can create and be forwarded to local IP address on the LAN, that seems to be impossible to do.<BR />his is extracted from the destination IPv6 address"&nbsp;<BR />How does the IPv4 of LAN suppose to be extracted from the destination IPv6 address where IPv6 address is of something entirely different( here its Palo Alto external internet facing firewall)&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>"</SPAN></P> Fri, 27 Mar 2020 20:05:57 GMT PiankaMariusz 2020-03-27T20:05:57Z https://live.paloaltonetworks.com/t5/general-topics/nat64-error/m-p/67615#M39618 <P>Hello</P> <P>&nbsp;</P> <P>I'm trying to do a NAT from ipv6 to ipv4.</P> <P>On commit I have an error</P> <P>&nbsp;</P> <P>"Nat64 needs an ipv4 in the rule for dest xlat"</P> <P>&nbsp;</P> <P>Rule : from untrust to untrust , destination ip is ipv6 and translated address is ipv4 destination NAT</P> <P>&nbsp;</P> <P>Thanks.</P> Tue, 03 Nov 2015 20:54:25 GMT https://live.paloaltonetworks.com/t5/general-topics/nat64-error/m-p/67615#M39618 PanIst 2015-11-03T20:54:25Z https://live.paloaltonetworks.com/t5/general-topics/nat64-error/m-p/67647#M39622 <P>&nbsp;</P> <P>You don't need IPv4 destination NAT for this scenario (IPv6 to IPv4) :</P> <P>&nbsp;</P> <P>Source IP : Any IPv6 address</P> <P>Destination IP : NAT64 IPv6 prefix with RFC 6052 compliant netmask</P> <P>Source translation : Dynamic IP and port mode using IPv4 address</P> <P>Destination translation : None (this is extracted from the destination IPv6 address)</P> <P>&nbsp;</P> <P><SPAN>Note that this implementation requires&nbsp;a DNS64 server that the IPv6 client can communicate with to synthesize AAAA records from A records. </SPAN></P> <P>&nbsp;</P> <P>Have a look also at the following document that has a configuration example on how to NAT64 IPv6 to IPv4 :&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-NAT64-on-Palo-Alto-Firewalls-IPv6-to-IPv4/ta-p/60249" target="_blank">https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-NAT64-on-Palo-Alto-Firewalls-IPv6-to-IPv4/ta-p/60249</A></P> <P>&nbsp;</P> <P>Regards,</P> <P>-Kim.</P> Wed, 04 Nov 2015 09:57:53 GMT https://live.paloaltonetworks.com/t5/general-topics/nat64-error/m-p/67647#M39622 kiwi 2015-11-04T09:57:53Z https://live.paloaltonetworks.com/t5/general-topics/nat64-error/m-p/319101#M81869 <P>Hi Guys,</P><P>I am struggling with the destination NAT here.</P><P>I have a challenge where I want the IPv6 initiated host (any - internet) to be NATTED so that it can reach Private IP address port 443.</P><P><A href="https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/networking/nat64/configure-nat64/ipv6-initiated-communication.html#iddb41c324-5690-4ca3-b54a-6ec24ed3f57d" target="_blank">https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/networking/nat64/configure-nat64/ipv6-initiated-communication.html#iddb41c324-5690-4ca3-b54a-6ec24ed3f57d</A></P><P>Article clearly says, IPv6 initiated traffic.</P><P><SPAN>[...] Configure the destination IPv6 address as either the Well-Known Prefix or the NSP that the DNS64 server uses. (You do not configure the full IPv6 destination address in the rule.)[...]</SPAN></P><P>&nbsp;</P><P><SPAN>I mean, what ? </SPAN></P><P>&nbsp;</P><P><SPAN>I already have IPv6 on external interface on the firewall that can be reached from IPv6 network</SPAN></P><P><SPAN>I merely want not traffic that arrives at that interface on specific port to be NATTED behind some ipv4 address I can create and be forwarded to local IP address on the LAN, that seems to be impossible to do.<BR />his is extracted from the destination IPv6 address"&nbsp;<BR />How does the IPv4 of LAN suppose to be extracted from the destination IPv6 address where IPv6 address is of something entirely different( here its Palo Alto external internet facing firewall)&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>"</SPAN></P> Fri, 27 Mar 2020 20:05:57 GMT https://live.paloaltonetworks.com/t5/general-topics/nat64-error/m-p/319101#M81869 PiankaMariusz 2020-03-27T20:05:57Z https://live.paloaltonetworks.com/t5/general-topics/nat64-error/m-p/397070#M91446 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/100793">@PiankaMariusz</a>&nbsp;</P><P>How did you achieve your configuration then?</P><P>I also have the same exact requirement,can you please help..</P><P>&nbsp;</P><P>Thanks in advance mate.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sat, 10 Apr 2021 13:52:16 GMT https://live.paloaltonetworks.com/t5/general-topics/nat64-error/m-p/397070#M91446 shubhamG 2021-04-10T13:52:16Z