This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Using NAT64 to reach overlapping ipv4 networks

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Using NAT64 to reach overlapping ipv4 networks

Per_vonZweigbergk
L0 Member

‎03-03-2025 06:51 AM - edited ‎03-03-2025 06:58 AM

Hello!

 

My problem is a little more complex than the scenario below, but I'm trying to keep it simple.

 

Let's say I have a machine "v6client" on an IPv6-only network with IP 2001:db8::10. It's directly connected to an interface in virtual router vr1.

 

Then, let's say I have two servers "server1" and "server2". Both of them have the same IP 192.0.2.10, but they are reachable through different virtual routers, vr1 and vr2.

 

My idea is that from v6client I would be able to reach networks in vr1 and vr2 using IPv6 addressing, and NAT64 with different prefixes. For example, I might have the NAT64 prefix 2001:db8:64:1::/96 that maps to IP addresses in vr1 and 2001:db8:64:2::/96 that maps to IP addresses in vr2.

 

In such a case, I would like to be able to reach server1 using IP 2001:db8:64:1::192.0.2.10, and server2 using IP 2001:db8:64:2::192.0.2.10.

 

So my idea is to use NAT64 to configure this, bit I'm running into an "order of operations" problem.

 

Because NAT is applied before routing, by the time you get to the routing table, the distinction between 2001:db8:64:1::192.0.2.10 and 2001:db8:64:2::192.0.2.10 is lost, it'll do the routing over ipv4 using the IP address 192.0.2.10 and I'll always end up reaching the machine in vr1.

 

Two solutions to this that I've already figured out but that I don't like:

 

1. Use PBF to match the NAT64 address and then choose the destination interface. Strangely enough, PBF seems to be able to route based on the pre-NAT64 IP! I don't know why. And it's not really practical to create a PBF for every single network in our environment. (See it's more complicated than the simple scenario.)

 

2. Use 2 seperate vsys instead of 2 vr and perform the NAT on the edge between the VSYS. The problem is this'll require a lot of refactoring of firewall rules becuase we will "lose" any zone information when transitioning betwen the vsys. (I would do this if this was a new environment, but it's not...)

 

3. Add route in vr1 to 2001:db8:64:2::/96 next-vr vr2 and route in vr2 to 2001:db8:64:1::/96 next-vr vr1. Doesn't work because unlike for PBR, it doesn't look like the IPv6 routes are actually hit because routing happens after NAT... (but not PBF? weird.)

 

Is there any better way of doing this?

0 Likes Likes
0 REPLIES 0
  • 138 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks