nat64 error

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

nat64 error

L3 Networker



I'm trying to do a NAT from ipv6 to ipv4.

On commit I have an error


"Nat64 needs an ipv4 in the rule for dest xlat"


Rule : from untrust to untrust , destination ip is ipv6 and translated address is ipv4 destination NAT




Community Team Member


You don't need IPv4 destination NAT for this scenario (IPv6 to IPv4) :


Source IP : Any IPv6 address

Destination IP : NAT64 IPv6 prefix with RFC 6052 compliant netmask

Source translation : Dynamic IP and port mode using IPv4 address

Destination translation : None (this is extracted from the destination IPv6 address)


Note that this implementation requires a DNS64 server that the IPv6 client can communicate with to synthesize AAAA records from A records.


Have a look also at the following document that has a configuration example on how to NAT64 IPv6 to IPv4 :




LIVEcommunity team member, CISSP
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Hi Guys,

I am struggling with the destination NAT here.

I have a challenge where I want the IPv6 initiated host (any - internet) to be NATTED so that it can reach Private IP address port 443.

Article clearly says, IPv6 initiated traffic.

[...] Configure the destination IPv6 address as either the Well-Known Prefix or the NSP that the DNS64 server uses. (You do not configure the full IPv6 destination address in the rule.)[...]


I mean, what ?


I already have IPv6 on external interface on the firewall that can be reached from IPv6 network

I merely want not traffic that arrives at that interface on specific port to be NATTED behind some ipv4 address I can create and be forwarded to local IP address on the LAN, that seems to be impossible to do.
his is extracted from the destination IPv6 address" 
How does the IPv4 of LAN suppose to be extracted from the destination IPv6 address where IPv6 address is of something entirely different( here its Palo Alto external internet facing firewall) 




How did you achieve your configuration then?

I also have the same exact requirement,can you please help..


Thanks in advance mate.




  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!