Does NAT64 works for inbound NAT

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Does NAT64 works for inbound NAT

L3 Networker

Currently we have configured inbound NAT for DMZ application which is on ipv4. Public ip used for it is  ipv4.

Due to some requirement client from outside network will be coming from ipv6 public ip to access the application. In this case our nat is not working.

 

We have found NAT64 feature in below doc , but given example is for outbound NAT. 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIFCA0

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTuCAK

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/networking/nat64/ipv6-initiated-communicat...

 

Does NAT64 support for inbound NAT. How we can achieve by keeping actual server private IP on IPv4 ?

If we use DNS64 , let's say firewall translate the destination ipv6 ip into public ipv4 ip. Do we need private ip of server in destination 

translation ?

How firewall will translate DNS64 ipv6 public ip to ipv4 public ip ?

Do we need to assign public ipv6 ip on outside interface of firewall ?

 

 

Is there any other solution to achieve our requirement ?

3 REPLIES 3

Cyber Elite
Cyber Elite

Thank you for posting question @Deepak25 

 

The intended use of NAT64 / DNS64 is to allow internal IPv6 only clients to communicate with IPv4 targets on Internet. The links you mentioned are detailing on how this works. The DNS64 is performed on 3rd party system, not on Palo Alto Firewall. Only NAT64 is performed by Firewall itself. Since your requirement is to allow IPv6 traffic from Untrust (Outside) interface to single IPv4 server on Trust (Inside), the NAT64 is not suitable solution.

 

Setting up static IPv6 to IPv4 NAT from Untrust to Trust, for example /128 address to /32 is not possible. Palo Alto Firewall expects smallest prefix to be /96 otherwise the commit will fail.

 

Probably the easiest way to achieve your requirement is to enable IPv6 on your Untrust interface, then configure one interface for DMZ and enable it for IPv6 as well. In this DMZ built a server that will do Reverse Proxy IPv6 to IPv4. You can do it with open source, for example NGINX or luxury way with commercial load balancers such as F5 LTM or Citrix NetScaler. In this case you can preserve server and rest of the infrastructure with IPv4 only and let Reverse Proxy expose server from outside by IPv6.

 

An alternative, would be to enable dual stack on Palo Alto Firewall and all intermediate nodes and bring IPv6 directly to server. If this is not possible, then alternative would be build 6to4 tunnel to hop over internal IPv4 infrastructure.

 

Kind Regards

Pavel

 

 

 

 

 

Help the community: Like helpful comments and mark solutions.

L3 Networker

@PavelK 

 

Thanks for reply.

 

So to achieve our requirement public ipv6 ip is needed and NAT64 nat do not require. Is it correct ?

 

If we are using reverse proxy for ipv6 to ipv4 ,

A. can we enable ipv6 on same DMZ interface?

B. ipv6 ip of proxy server will be as a destination nat private ip ..right ?

 

How we can configure 6to4 tunnel in palo alto ?

Cyber Elite
Cyber Elite

Thank you for reply @Deepak25

 

Yes, this is correct. You will need GUA IPv6 (Public IPv6) and in this case you do not have to configure NAT64.

 

A. Yes, you can enabled IPv6 on existing interface. The configuration is fairly straightforward. Below is a sample from one of the implementation:

PavelK_1-1632778348847.png

PavelK_2-1632778435973.png

 

B. Yes, this is correct.

 

For 6to4 tunnel, I found this article: https://weberblog.net/ipv6-through-ipv4-vpn-tunnel-with-palo-alto/ however I think GRE tunnel with IPv6 would be better solution: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/gre-tunnels/create-a-gre-tunnel...

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.
  • 4093 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!