topic Re: Does NAT64 works for inbound NAT in General Topics

Does NAT64 works for inbound NAT

Deepak25 — Thu, 23 Sep 2021 16:33:56 GMT

Currently we have configured inbound NAT for DMZ application which is on ipv4. Public ip used for it is ipv4.

Due to some requirement client from outside network will be coming from ipv6 public ip to access the application. In this case our nat is not working.

We have found NAT64 feature in below doc , but given example is for outbound NAT.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIFCA0

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTuCAK

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat64/ipv6-initiated-communication.html

Does NAT64 support for inbound NAT. How we can achieve by keeping actual server private IP on IPv4 ?

If we use DNS64 , let's say firewall translate the destination ipv6 ip into public ipv4 ip. Do we need private ip of server in destination

translation ?

How firewall will translate DNS64 ipv6 public ip to ipv4 public ip ?

Do we need to assign public ipv6 ip on outside interface of firewall ?

Is there any other solution to achieve our requirement ?

Re: Does NAT64 works for inbound NAT

PavelK — Sun, 26 Sep 2021 07:03:08 GMT

Thank you for posting question @Deepak25

The intended use of NAT64 / DNS64 is to allow internal IPv6 only clients to communicate with IPv4 targets on Internet. The links you mentioned are detailing on how this works. The DNS64 is performed on 3rd party system, not on Palo Alto Firewall. Only NAT64 is performed by Firewall itself. Since your requirement is to allow IPv6 traffic from Untrust (Outside) interface to single IPv4 server on Trust (Inside), the NAT64 is not suitable solution.

Setting up static IPv6 to IPv4 NAT from Untrust to Trust, for example /128 address to /32 is not possible. Palo Alto Firewall expects smallest prefix to be /96 otherwise the commit will fail.

Probably the easiest way to achieve your requirement is to enable IPv6 on your Untrust interface, then configure one interface for DMZ and enable it for IPv6 as well. In this DMZ built a server that will do Reverse Proxy IPv6 to IPv4. You can do it with open source, for example NGINX or luxury way with commercial load balancers such as F5 LTM or Citrix NetScaler. In this case you can preserve server and rest of the infrastructure with IPv4 only and let Reverse Proxy expose server from outside by IPv6.

An alternative, would be to enable dual stack on Palo Alto Firewall and all intermediate nodes and bring IPv6 directly to server. If this is not possible, then alternative would be build 6to4 tunnel to hop over internal IPv4 infrastructure.

Kind Regards

Pavel

Re: Does NAT64 works for inbound NAT

Deepak25 — Mon, 27 Sep 2021 09:34:24 GMT

@PavelK

Thanks for reply.

So to achieve our requirement public ipv6 ip is needed and NAT64 nat do not require. Is it correct ?

If we are using reverse proxy for ipv6 to ipv4 ,

A. can we enable ipv6 on same DMZ interface?

B. ipv6 ip of proxy server will be as a destination nat private ip ..right ?

How we can configure 6to4 tunnel in palo alto ?

Re: Does NAT64 works for inbound NAT

PavelK — Mon, 27 Sep 2021 22:22:06 GMT

Thank you for reply @Deepak25

Yes, this is correct. You will need GUA IPv6 (Public IPv6) and in this case you do not have to configure NAT64.

A. Yes, you can enabled IPv6 on existing interface. The configuration is fairly straightforward. Below is a sample from one of the implementation:

B. Yes, this is correct.

For 6to4 tunnel, I found this article: https://weberblog.net/ipv6-through-ipv4-vpn-tunnel-with-palo-alto/ however I think GRE tunnel with IPv6 would be better solution: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/gre-tunnels/create-a-gre-tunnel.html

Kind Regards

Pavel