09-25-2021 07:19 PM - edited 09-26-2021 12:03 AM
Thank you for posting the question @Deepak25
The intended use of NAT64 / DNS64 is to allow internal IPv6-only clients to communicate with IPv4 targets on the Internet. The links you mentioned detail how this works. The DNS64 is performed on a 3rd party system, not on the Palo Alto Firewall. Only NAT64 is performed by the Firewall itself. Since your requirement is to allow IPv6 traffic from the Untrust (Outside) interface to a single IPv4 server on Trust (Inside), NAT64 is not a suitable solution.
Setting up static IPv6 to IPv4 NAT from Untrust to Trust, for example a /128 address to a /32, is not possible. The Palo Alto Firewall expects the smallest prefix to be /96; otherwise the commit will fail.
Probably the easiest way to achieve your requirement is to enable IPv6 on your Untrust interface, then configure one interface for DMZ and enable it for IPv6 as well. In this DMZ build a server that will do Reverse Proxy IPv6 to IPv4. You can do it with open source software, for example NGINX, or the luxury way with commercial load balancers such as F5 LTM or Citrix NetScaler. In this case you can preserve the server and the rest of the infrastructure as IPv4 only and let the Reverse Proxy expose the server to the outside over IPv6.
An alternative would be to enable dual stack on the Palo Alto Firewall and all intermediate nodes and bring IPv6 directly to the server. If this is not possible, then an alternative would be to build a 6to4 tunnel to hop over the internal IPv4 infrastructure.
Kind Regards
Pavel
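The DMZ reverse-proxy design suggested in the answer above, shown as an added NGINX configuration example that is not part of Pavel's post or of any Palo Alto documentation. It assumes a dual-stack DMZ host running NGINX, an IPv6 address on its Untrust-facing interface and an IPv4-only application server on the Trust side; the addresses, hostname and port are constructed placeholders.

```nginx
# Added example, not from the forum post: NGINX on a dual-stack DMZ host
# accepting IPv6 clients on the Untrust side and forwarding to an
# IPv4-only backend on the Trust side. All addresses and names below are
# constructed placeholders (RFC 5737 / RFC 3849 documentation ranges).

upstream ipv4_backend {
    # IPv4-only application server on the Trust (Inside) network (placeholder)
    server 192.0.2.10:80;
}

server {
    # Bind only the IPv6 address exposed through the firewall from Untrust.
    # Binding an explicit address (rather than [::]) keeps the proxy from
    # also answering on the host's IPv4 side by accident.
    listen [2001:db8:d:1::80]:80;
    server_name app.example.com;   # placeholder public name with an AAAA record

    location / {
        proxy_pass http://ipv4_backend;

        # The backend only ever sees the proxy's IPv4 source address, so
        # pass the original client's IPv6 address along for logging,
        # rate limiting and incident investigation on the application side.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this layout the firewall policy stays narrow: an Untrust-to-DMZ rule that permits only IPv6 traffic to the proxy's listening address and port, and a DMZ-to-Trust rule that permits only the proxy's IPv4 address to reach the backend on its service port. The Trust network and the server itself remain IPv4-only, as the answer describes, and the backend's logs should be configured to read the client address from X-Forwarded-For so that IPv6 clients remain identifiable.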