NAT46 policy
NAT46 refers to the mechanism that allows IPv4-addressed hosts to communicate with IPv6 hosts. Without such a mechanism, IPv4 environments cannot connect to IPv6 networks.
Sample topology
In this example, an IPv4 client tries to connect to an IPv6 server. A VIP is configured on FortiGate to map the server IPv6 address 2000:172:16:200::55 to an IPv4 address 10.1.100.55. On the other side, an IPv6 IP pool is configured and the source address of packets from the client is changed to the defined IPv6 address. In this setup, the client PC can access the server by using IP address 10.1.100.55.
Sample configuration
To configure NAT46 in the GUI:
- Enable IPv6:
  - Go to System > Feature Visibility.
  - In the Core Features section, enable IPv6.
  - Click Apply.
- Configure the VIP:
  - Go to Policy & Objects > Virtual IPs and navigate to the Virtual IP tab.
  - Click Create new.
  - Enter the following:
    - Name: vip46_server
    - Interface: port2
    - Type: Static NAT
    - External IP address/range: 10.1.100.55
    - Map to IPv6 address/range: 2000:172:16:200::55
  - Click OK.
- Configure the IPv6 IP pool:
  - Go to Policy & Objects > IP Pools and navigate to the IPv6 IP Pool tab.
  - Click Create new.
  - Enter the following:
    - Name: client_external
    - External IP address/range: 2000:172:16:201::-2000:172:16:201::7
    - NAT46: Enable
  - Click OK.
- Configure the firewall policy:
  - Go to Policy & Objects > Firewall Policy and click Create New.
  - Enter the following:
    - Name: policy46-1
    - Incoming Interface: port10
    - Outgoing Interface: port9
    - Source: all
    - Destination: vip46_server
    - Schedule: always
    - Service: ALL
    - Action: ACCEPT
    - NAT: NAT46
    - IP Pool Configuration: client_external
  - Configure the other settings as needed.
  - Click OK.
To configure NAT46 in the CLI:
- Enable IPv6:
    config system global
        set gui-ipv6 enable
    end
- Configure the VIP:
    config firewall vip
        edit "vip46_server"
            set extip 10.1.100.55
            set nat44 disable
            set nat46 enable
            set extintf "port2"
            set ipv6-mappedip 2000:172:16:200::55
        next
    end
- Configure the IPv6 IP pool:
    config firewall ippool6
        edit "client_external"
            set startip 2000:172:16:201::
            set endip 2000:172:16:201::7
            set nat46 enable
        next
    end
- Configure the firewall policy:
    config firewall policy
        edit 2
            set name "policy46-1"
            set srcintf "port10"
            set dstintf "port9"
            set action accept
            set nat46 enable
            set srcaddr "all"
            set dstaddr "vip46_server"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set auto-asic-offload disable
            set ippool enable
            set poolname6 "client_external"
        next
    end
Sample troubleshooting
To trace the flow and troubleshoot:
# diagnose debug flow filter saddr 10.1.100.11
# diagnose debug flow show function-name enable
show function name
# diagnose debug flow show iprope enable
show trace messages about iprope
# diagnose debug flow trace start 5
id=20085 trace_id=1 func=print_pkt_detail line=5401 msg="vd-root:0 received a packet(proto=1, 10.1.100.11:27592->10.1.100.55:2048) from port10. type=8, code=0, id=27592, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5561 msg="allocate a new session-000003b9"
id=20085 trace_id=1 func=iprope_dnat_check line=4948 msg="in-[port10], out-[]"
id=20085 trace_id=1 func=iprope_dnat_tree_check line=822 msg="len=1"
id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4822 msg="checking gnum-100000 policy-1"
id=20085 trace_id=1 func=get_vip46_addr line=998 msg="find DNAT46: IP-2000:172:16:200::55, port-27592"
id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4904 msg="matched policy-1, act=accept, vip=1, flag=100, sflag=2000000"
id=20085 trace_id=1 func=iprope_dnat_check line=4961 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=1 func=fw_pre_route_handler line=183 msg="VIP-10.1.100.55:27592, outdev-unkown"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3220 msg="DNAT 10.1.100.55:8->10.1.100.55:27592"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2594 msg="find a route: flag=80000000 gw-10.1.100.55 via root"
id=20085 trace_id=1 func=ip4_nat_af_input line=601 msg="nat64 ipv4 received a packet proto=1"
id=20085 trace_id=1 func=__iprope_check line=2112 msg="gnum-100012, check-ffffffffa0024ebe"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1873 msg="checked gnum-100012 policy-1, ret-matched, act-accept"
id=20085 trace_id=1 func=__iprope_user_identity_check line=1677 msg="ret-matched"
id=20085 trace_id=1 func=get_new_addr46 line=1047 msg="find SNAT46: IP-2000:172:16:201::13(from IPPOOL), port-27592"
id=20085 trace_id=1 func=__iprope_check_one_policy line=2083 msg="policy-1 is matched, act-accept"
id=20085 trace_id=1 func=__iprope_check line=2131 msg="gnum-100012 check result: ret-matched, act-accept, flag-08050500, flag2-00200000"
id=20085 trace_id=1 func=iprope_policy_group_check line=4358 msg="after check: ret-matched, act-accept, flag-08050500, flag2-00200000"
id=20085 trace_id=1 func=resolve_ip6_tuple line=4389 msg="allocate a new session-00000081"
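One way to check a captured trace against the configuration is to compare the DNAT46 and SNAT46 addresses it reports with the VIP mapped address and the IPv6 pool range. The following Python script is an added example, not part of the FortiOS documentation or tooling. The function names parse_nat46 and check_nat46 are hypothetical, and the script assumes the trace uses the "find DNAT46" / "find SNAT46" message format shown above.

```python
import ipaddress
import re

# Three lines copied from the sample trace on this page.
SAMPLE_TRACE = '''\
id=20085 trace_id=1 func=get_vip46_addr line=998 msg="find DNAT46: IP-2000:172:16:200::55, port-27592"
id=20085 trace_id=1 func=get_new_addr46 line=1047 msg="find SNAT46: IP-2000:172:16:201::13(from IPPOOL), port-27592"
id=20085 trace_id=1 func=__iprope_check_one_policy line=2083 msg="policy-1 is matched, act-accept"
'''

# Expected values, taken from the CLI configuration on this page.
VIP_MAPPED = ipaddress.IPv6Address("2000:172:16:200::55")
POOL_START = ipaddress.IPv6Address("2000:172:16:201::")
POOL_END = ipaddress.IPv6Address("2000:172:16:201::7")

NAT46_RE = re.compile(r'trace_id=(\d+) .*msg="find (DNAT46|SNAT46): IP-([0-9A-Fa-f:]+)')

def parse_nat46(trace):
    """Return {trace_id: {"DNAT46": addr, "SNAT46": addr}} from debug flow output."""
    sessions = {}
    for line in trace.splitlines():
        m = NAT46_RE.search(line)
        if m:
            tid, kind, addr = m.groups()
            sessions.setdefault(int(tid), {})[kind] = ipaddress.IPv6Address(addr)
    return sessions

def check_nat46(trace):
    """Return a list of findings; an empty list means the trace matches the config."""
    findings = []
    for tid, nat in sorted(parse_nat46(trace).items()):
        dnat, snat = nat.get("DNAT46"), nat.get("SNAT46")
        if dnat is None:
            findings.append(f"trace {tid}: no DNAT46 line in trace")
        elif dnat != VIP_MAPPED:
            findings.append(f"trace {tid}: DNAT46 {dnat} != VIP mapped IP {VIP_MAPPED}")
        if snat is None:
            findings.append(f"trace {tid}: no SNAT46 line in trace")
        elif not POOL_START <= snat <= POOL_END:
            findings.append(f"trace {tid}: SNAT46 {snat} outside pool {POOL_START}-{POOL_END}")
    return findings

if __name__ == "__main__":
    for finding in check_nat46(SAMPLE_TRACE):
        print(finding)
```

Run against the sample trace on this page, the DNAT46 address matches the VIP, while the SNAT46 address 2000:172:16:201::13 is reported as outside the pool range configured in the sample configuration.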