nat64 error

L3 Networker

nat64 error

Hello

 

I'm trying to do a NAT from IPv6 to IPv4.

On commit I have an error:

"Nat64 needs an ipv4 in the rule for dest xlat"

Rule: from untrust to untrust, destination IP is IPv6 and translated address is IPv4 destination NAT.

 

Thanks.

Community Team Member

Re: nat64 error

 

You don't need IPv4 destination NAT for this scenario (IPv6 to IPv4):

Source IP: Any IPv6 address

Destination IP: NAT64 IPv6 prefix with RFC 6052 compliant netmask

Source translation: Dynamic IP and port mode using IPv4 address

Destination translation: None (this is extracted from the destination IPv6 address)

 

Note that this implementation requires a DNS64 server that the IPv6 client can communicate with to synthesize AAAA records from A records.

 

Also have a look at the following document, which has a configuration example on how to NAT64 IPv6 to IPv4:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-NAT64-on-Palo-Alto-Fire...

 

Regards,

-Kim.
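
The "extracted from the destination IPv6 address" step in the reply above follows the RFC 6052 address format. This is an added example, not part of the original thread and not Palo Alto's code; the function names `embed` and `extract` are hypothetical and the addresses are constructed from documentation ranges.

```python
import ipaddress

# RFC 6052 allows only these NAT64 prefix lengths.
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)

def _v4_byte_positions(prefix_len):
    """Byte offsets in the IPv6 address that carry the four IPv4 octets."""
    if prefix_len not in VALID_LENGTHS:
        raise ValueError(f"/{prefix_len} is not an RFC 6052 prefix length")
    positions, i = [], prefix_len // 8
    while len(positions) < 4:
        if i != 8:              # byte 8 (bits 64-71, the "u" octet) is skipped
            positions.append(i)
        i += 1
    return positions

def embed(prefix, ipv4):
    """What DNS64 does: synthesize the IPv6 address handed to the client."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytearray(net.network_address.packed)
    for pos, octet in zip(_v4_byte_positions(net.prefixlen),
                          ipaddress.IPv4Address(ipv4).packed):
        raw[pos] = octet
    return ipaddress.IPv6Address(bytes(raw))

def extract(prefix, ipv6):
    """What the NAT64 device does: recover the IPv4 destination."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside NAT64 prefix {net}")
    raw = addr.packed
    if net.prefixlen != 96 and raw[8] != 0:
        raise ValueError("bits 64-71 must be zero (RFC 6052)")
    return ipaddress.IPv4Address(
        bytes(raw[p] for p in _v4_byte_positions(net.prefixlen)))

if __name__ == "__main__":
    wkp = "64:ff9b::/96"                     # RFC 6052 Well-Known Prefix
    synthesized = embed(wkp, "192.0.2.33")   # constructed documentation address
    print(synthesized, "->", extract(wkp, synthesized))
    try:
        # Constructed firewall-interface address: outside the NAT64 prefix.
        extract(wkp, "2001:db8:ffff::1")
    except ValueError as err:
        print("no extraction possible:", err)
```

An address outside the NAT64 prefix carries no embedded IPv4 address, which is why the rule's destination is the prefix rather than a full IPv6 address.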

L1 Bithead

Re: nat64 error

Hi Guys,

I am struggling with the destination NAT here.

I have a challenge where I want the IPv6 initiated host (any - internet) to be NATTED so that it can reach Private IP address port 443.

https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/networking/nat64/configure-nat64/ipv6-init...

Article clearly says, IPv6 initiated traffic.

[...] Configure the destination IPv6 address as either the Well-Known Prefix or the NSP that the DNS64 server uses. (You do not configure the full IPv6 destination address in the rule.)[...]

 

I mean, what?

I already have IPv6 on the external interface on the firewall that can be reached from the IPv6 network.

I merely want traffic that arrives at that interface on a specific port to be NATTED behind some IPv4 address I can create and be forwarded to a local IP address on the LAN; that seems to be impossible to do.

"this is extracted from the destination IPv6 address"

How is the IPv4 of the LAN supposed to be extracted from the destination IPv6 address, where the IPv6 address is of something entirely different (here it's the Palo Alto external internet-facing firewall)?
