This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

nat64 error

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

nat64 error

PanIst
L3 Networker

‎11-03-2015 12:54 PM

Hello

 

I'm trying to do a NAT from ipv6 to ipv4.

On commit I have an error

 

"Nat64 needs an ipv4 in the rule for dest xlat"

 

Rule : from untrust to untrust , destination ip is ipv6 and translated address is ipv4 destination NAT

 

Thanks.

0 Likes Likes
3 REPLIES 3

kiwi
Community Team Member

‎11-04-2015 01:57 AM

 

You don't need IPv4 destination NAT for this scenario (IPv6 to IPv4) :

 

Source IP : Any IPv6 address

Destination IP : NAT64 IPv6 prefix with RFC 6052 compliant netmask

Source translation : Dynamic IP and port mode using IPv4 address

Destination translation : None (this is extracted from the destination IPv6 address)

 

Note that this implementation requires a DNS64 server that the IPv6 client can communicate with to synthesize AAAA records from A records.

 

Have a look also at the following document that has a configuration example on how to NAT64 IPv6 to IPv4 : 

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-NAT64-on-Palo-Alto-Fire...

 

Regards,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

PiankaMariusz
L1 Bithead
In response to kiwi

‎03-27-2020 01:05 PM

Hi Guys,

I am struggling with the destination NAT here.

I have a challenge where I want the IPv6 initiated host (any - internet) to be NATTED so that it can reach Private IP address port 443.

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/networking/nat64/configure-nat64/ipv6-init...

Article clearly says, IPv6 initiated traffic.

[...] Configure the destination IPv6 address as either the Well-Known Prefix or the NSP that the DNS64 server uses. (You do not configure the full IPv6 destination address in the rule.)[...]

 

I mean, what ?

 

I already have IPv6 on external interface on the firewall that can be reached from IPv6 network

I merely want not traffic that arrives at that interface on specific port to be NATTED behind some ipv4 address I can create and be forwarded to local IP address on the LAN, that seems to be impossible to do.
his is extracted from the destination IPv6 address" 
How does the IPv4 of LAN suppose to be extracted from the destination IPv6 address where IPv6 address is of something entirely different( here its Palo Alto external internet facing firewall) 

 

"

0 Likes Likes

shubhamG
L1 Bithead
In response to PiankaMariusz

‎04-10-2021 06:52 AM

@PiankaMariusz 

How did you achieve your configuration then?

I also have the same exact requirement,can you please help..

 

Thanks in advance mate.

 

 

 

0 Likes Likes
  • 4079 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks