Cookbook

NAT64 policy and DNS64 (DNS proxy)

NAT64 policy translates IPv6 addresses to IPv4 addresses so that a client on an IPv6 network can communicate transparently with a server on an IPv4 network.

NAT64 policy is usually implemented in combination with the DNS proxy function called DNS64. DNS64 synthesizes AAAA records from A records, so that hosts that only have IPv4 addresses still resolve to IPv6 addresses for IPv6-only clients. In this document, DNS proxy and DNS64 refer to the same function.

Sample topology

In this example, a host on the internal IPv6 network communicates with ControlPC.qa.fortinet.com, which only has an IPv4 address on the Internet.

  1. The host on the internal network does a DNS lookup for ControlPC.qa.fortinet.com by sending a DNS query for an AAAA record for ControlPC.qa.fortinet.com.
  2. The DNS query is intercepted by the FortiGate DNS proxy. The DNS proxy performs an A-record query for ControlPC.qa.fortinet.com and gets back an RRSet containing a single A record with the IPv4 address 172.16.200.55.
  3. The DNS proxy then synthesizes an AAAA record. The IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits and carries the received IPv4 address in the lower 32 bits. With the default prefix, the resulting IPv6 address is 64:ff9b::172.16.200.55 (64:ff9b::ac10:c837 in hexadecimal notation).
  4. The host on the internal network receives the synthetic AAAA record and sends a packet to the destination address 64:ff9b::172.16.200.55.
  5. The packet is routed to the FortiGate internal interface (port10) where it is accepted by the NAT64 security policy.
  6. The FortiGate unit translates the destination address of the packets from IPv6 address 64:ff9b::172.16.200.55 to IPv4 address 172.16.200.55 and translates the source address of the packets to 172.16.200.200 (or another address in the IP pool range) and forwards the packets out the port9 interface to the Internet.

Sample configuration

To enable display for IPv6, NAT46/NAT64, and DNS Database using the GUI:
  1. Go to System > Feature Visibility.
  2. In the Basic Features section, enable IPv6.
  3. In the Additional Features section, enable the following features:
    • NAT46 & NAT64
    • DNS Database
  4. Click Apply.
To enable display for IPv6, NAT46/NAT64, and DNS Database using the CLI:
config system global
   set gui-ipv6 enable
end
config system settings
   set gui-nat46-64 enable
   set gui-dns-database enable
end
To enable DNS proxy on the IPv6 interface using the GUI:
  1. Go to Network > DNS Servers.
  2. In DNS Service on Interface, click Create New.
  3. For Interface, select port10.
  4. Click OK.
To enable DNS proxy on the IPv6 interface using the CLI:
config system dns-server
   edit "port10"
       set mode forward-only
   next
end
To configure the IPv6 DHCP server using the CLI (dns-server1 must point at the FortiGate's own address on port10 so that client queries reach the DNS proxy; this example assumes that address is 2001:db8:1::10):
config system dhcp6 server
   edit 1
       set subnet 2001:db8:1::/64
       set interface "port10"
       config ip-range
           edit 1
               set start-ip 2001:db8:1::11
               set end-ip 2001:db8:1::20
           next
       end
       set dns-server1 2001:db8:1::10
   next
end
To enable NAT64 and related settings using the CLI:

Enabling NAT64 with the config system nat64 command means that all IPv6 traffic received by the current VDOM can be subject to NAT64 if the source and destination addresses match a NAT64 security policy.

By default, always-synthesize-aaaa-record is enabled: the DNS proxy builds the AAAA answer from the A record without first looking for a native AAAA record. If you disable this setting, the DNS proxy (DNS64) first queries for AAAA records for the domain name and, when it finds them, resolves the host name to those IPv6 addresses. Only if no AAAA record exists does it synthesize one by prepending the NAT64 prefix to the IPv4 address from the A record.

The nat64-prefix setting is the NAT64 prefix, that is, the upper bits of every synthesized address. By default, it is 64:ff9b::/96, the well-known prefix from RFC 6052. The configuration below enables NAT64 and states both defaults explicitly:

config system nat64
   set status enable
   set always-synthesize-aaaa-record enable
   set nat64-prefix 64:ff9b::/96
end
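The synthesis in step 3 of the topology, the reverse mapping the NAT64 policy performs in step 6, and the always-synthesize-aaaa-record behaviour described above, modelled as an added Python example. This is not FortiOS code and is not part of this cookbook; it implements the general RFC 6052 address embedding for every permitted prefix length, of which the /96 default used on this page is one case. The A and AAAA record values passed to dns64_answer are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List

# RFC 6052 permits these prefix lengths; FortiOS defaults to the well-known 64:ff9b::/96.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def _prefix(prefix: str) -> ipaddress.IPv6Network:
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"{prefix}: prefix length must be one of {RFC6052_PREFIX_LENGTHS}")
    return net


def synthesize_aaaa(ipv4: str, prefix: str = "64:ff9b::/96") -> ipaddress.IPv6Address:
    """Embed an IPv4 address in a NAT64 prefix (RFC 6052 section 2.2).

    For a /96 prefix the IPv4 address is simply the low 32 bits.  For shorter
    prefixes the IPv4 bits are split around the "u" octet (bits 64..71), which
    RFC 6052 requires to be zero.
    """
    net = _prefix(prefix)
    plen = net.prefixlen
    pfx = int(net.network_address)          # host bits are already zero
    v4 = int(ipaddress.IPv4Address(ipv4))
    if plen == 96:
        return ipaddress.IPv6Address(pfx | v4)
    before = 64 - plen                       # IPv4 bits that fit before the u octet
    hi = v4 >> (32 - before)                 # those bits go right after the prefix
    lo = v4 & ((1 << (32 - before)) - 1)     # the rest go right after the u octet
    addr = pfx | (hi << (128 - plen - before)) | (lo << (56 - (32 - before)))
    return ipaddress.IPv6Address(addr)


def extract_ipv4(ipv6: str, prefix: str = "64:ff9b::/96") -> ipaddress.IPv4Address:
    """Inverse of synthesize_aaaa: the IPv4 destination NAT64 writes into the translated packet."""
    net = _prefix(prefix)
    plen = net.prefixlen
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside NAT64 prefix {net}")
    x = int(addr)
    if plen == 96:
        return ipaddress.IPv4Address(x & 0xFFFFFFFF)
    if (x >> 56) & 0xFF:
        raise ValueError(f"{addr}: u octet (bits 64..71) is not zero")
    before = 64 - plen
    hi = (x >> (128 - plen - before)) & ((1 << before) - 1)
    lo = (x >> (56 - (32 - before))) & ((1 << (32 - before)) - 1)
    return ipaddress.IPv4Address((hi << (32 - before)) | lo)


def dns64_answer(native_aaaa: Iterable[str], a_records: Iterable[str],
                 prefix: str = "64:ff9b::/96",
                 always_synthesize: bool = True) -> List[str]:
    """Model the DNS proxy's AAAA answer for one name.

    always_synthesize=True mirrors the FortiOS default always-synthesize-aaaa-record:
    the answer is built from the A RRset regardless of native AAAA records.
    With it disabled, native AAAA records are returned when present and synthesis
    is only the fallback.
    """
    native = [str(ipaddress.IPv6Address(r)) for r in native_aaaa]
    if not always_synthesize and native:
        return native
    return [str(synthesize_aaaa(a, prefix)) for a in a_records]


if __name__ == "__main__":
    # The cookbook's example: A record 172.16.200.55, default prefix.
    print(dns64_answer([], ["172.16.200.55"]))
    print(extract_ipv4("64:ff9b::172.16.200.55"))
```

The /32 to /64 cases exist so the same code checks an address regardless of which prefix length a deployment chose; a practitioner validating a NAT64 setup can run extract_ipv4 on whatever AAAA the client received and confirm it maps back to the expected IPv4 host.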
To create NAT64 policy using the GUI:
  1. Add an IPv4 firewall address for the external network.
    1. Go to Policy & Object > Addresses.
    2. Click Create New.
    3. For Name, enter external-net4.
    4. For IP/Network, enter 172.16.200.0/24.
    5. For Interface, select port9.
    6. Click OK.
  2. Add an IPv6 firewall address for the internal network.
    1. Go to Policy & Object > Addresses.
    2. Click Create New.
    3. Change Category to IPv6 Address.
    4. For Name, enter internal-net6.
    5. For IPv6 Address, enter 2001:db8:1::/48.
    6. Click OK.
  3. Add an IP pool containing the IPv4 address that is used as the source address of the packets exiting port9.
    1. Go to Policy & Object > IP Pools.
    2. Click Create New.
    3. For Name, enter exit-pool4.
    4. For External IP Range, enter 172.16.200.200-172.16.200.210.
    5. Click OK.
  4. Add a NAT64 policy that allows connections from the internal IPv6 network to the external IPv4 network.
    1. Go to Policy & Object > NAT64 Policy.
    2. Click Create New.
    3. For Incoming Interface, select port10.
    4. For Outgoing Interface, select port9.
    5. For Source Address, select internal-net6.
    6. For Destination Address, select external-net4.
    7. Set IP Pool Configuration to Use Dynamic IP Pool and select the IP pool exit-pool4.
    8. Click OK.
To create NAT64 policy using the CLI:
config firewall address
    edit "external-net4"
        set associated-interface "port9"
        set subnet 172.16.200.0 255.255.255.0
    next
end
config firewall address6
    edit "internal-net6"
        set ip6 2001:db8:1::/48
    next
end
config firewall ippool
    edit "exit-pool4"
        set startip 172.16.200.200
        set endip 172.16.200.210
    next
end
config firewall policy64
    edit 1
        set srcintf "port10"
        set dstintf "port9"
        set srcaddr "internal-net6"
        set dstaddr "external-net4"
        set action accept
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "exit-pool4"
    next
end
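How policy64 entry 1 above decides which IPv6 packets are translated, as an added Python model that is not FortiGate code and is not part of this cookbook. The pool-selection rule (low 16 bits of the IPv6 source modulo the pool size) is an assumption chosen for determinism; the page does not describe how the FortiGate allocates addresses from exit-pool4. The example also makes the scope of this policy visible: because dstaddr is external-net4 (172.16.200.0/24), a destination such as 64:ff9b::198.51.100.7 matches no policy and is dropped, so a deployment that should reach the whole IPv4 Internet needs a broader destination object.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

IPv4 = ipaddress.IPv4Address
IPv6 = ipaddress.IPv6Address

# config system nat64: the prefix the DNS proxy embedded into the destination address.
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


@dataclass(frozen=True)
class Policy64:
    """One entry of 'config firewall policy64' with its referenced objects resolved."""
    srcintf: str
    dstintf: str
    srcaddr: ipaddress.IPv6Network      # firewall address6 object
    dstaddr: ipaddress.IPv4Network      # firewall address object (IPv4 side)
    pool_start: IPv4                    # firewall ippool range
    pool_end: IPv4


# The cookbook's policy 1 with its objects inlined.
POLICY_1 = Policy64(
    srcintf="port10",
    dstintf="port9",
    srcaddr=ipaddress.IPv6Network("2001:db8:1::/48"),     # internal-net6
    dstaddr=ipaddress.IPv4Network("172.16.200.0/24"),     # external-net4
    pool_start=IPv4("172.16.200.200"),                    # exit-pool4
    pool_end=IPv4("172.16.200.210"),
)


def embedded_ipv4(dst6: IPv6) -> Optional[IPv4]:
    """Low 32 bits of a /96-prefixed address, or None if it is not NAT64-mapped."""
    if dst6 not in NAT64_PREFIX:
        return None
    return IPv4(int(dst6) & 0xFFFFFFFF)


def pool_address(policy: Policy64, src6: IPv6) -> IPv4:
    """Pick the translated source address from the pool.

    Deterministic toy rule (an assumption, not FortiGate's allocator): index the
    pool by the low 16 bits of the IPv6 source modulo the pool size.
    """
    size = int(policy.pool_end) - int(policy.pool_start) + 1
    return IPv4(int(policy.pool_start) + ((int(src6) & 0xFFFF) % size))


def translate(policy: Policy64, in_intf: str, src6: str, dst6: str,
              out_intf: str) -> Tuple[str, str]:
    """Evaluate one IPv6 packet against the policy.

    out_intf is the interface the routing lookup for the embedded IPv4 destination
    selected.  Returns ("accept", "src4->dst4") or ("drop", reason).
    """
    src = IPv6(src6)
    dst = IPv6(dst6)
    dst4 = embedded_ipv4(dst)
    if dst4 is None:
        return ("drop", f"{dst} is not in {NAT64_PREFIX}; NAT64 does not apply")
    if in_intf != policy.srcintf or out_intf != policy.dstintf:
        return ("drop", f"{in_intf}->{out_intf} does not match "
                        f"{policy.srcintf}->{policy.dstintf}")
    if src not in policy.srcaddr:
        return ("drop", f"{src} is not in srcaddr {policy.srcaddr}")
    if dst4 not in policy.dstaddr:
        return ("drop", f"embedded {dst4} is not in dstaddr {policy.dstaddr}")
    return ("accept", f"{pool_address(policy, src)}->{dst4}")


if __name__ == "__main__":
    # Step 4 to 6 of the topology: DHCP client 2001:db8:1::15 reaches ControlPC.
    print(translate(POLICY_1, "port10", "2001:db8:1::15", "64:ff9b::172.16.200.55", "port9"))
    # Same client, a destination outside external-net4: dropped by this policy.
    print(translate(POLICY_1, "port10", "2001:db8:1::15", "64:ff9b::198.51.100.7", "port9"))
```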