
Administration Guide

NAT46 policy

NAT46 refers to the mechanism that allows IPv4-addressed hosts to communicate with IPv6 hosts. Without such a mechanism, IPv4 environments cannot connect to IPv6 networks.

Sample topology

In this example, an IPv4 client tries to connect to an IPv6 server. A VIP is configured on the FortiGate to map the server's IPv6 address 2000:172:16:200::55 to the IPv4 address 10.1.100.55. On the other side, an IPv6 IP pool is configured, and the source address of packets from the client is changed to an IPv6 address from the defined pool. With this setup, the client PC can reach the server by using the IPv4 address 10.1.100.55.

Sample configuration

To configure NAT46 in the GUI:
  1. Enable IPv6:

    1. Go to System > Feature Visibility.
    2. In the Core Features section, enable IPv6.
    3. Click Apply.
  2. Configure the VIP:

    1. Go to Policy & Objects > Virtual IPs and navigate to the Virtual IP tab.
    2. Click Create new.
    3. Enter the following:

      Name                         vip46_server
      Interface                    port2
      Type                         Static NAT
      External IP address/range    10.1.100.55
      Map to IPv6 address/range    2000:172:16:200::55

    4. Click OK.
  3. Configure the IPv6 IP pool:

    1. Go to Policy & Objects > IP Pools and navigate to the IPv6 IP Pool tab.
    2. Click Create new.
    3. Enter the following:

      Name                         client_external
      External IP address/range    2000:172:16:201::-2000:172:16:201::7
      NAT46                        Enable

    4. Click OK.
  4. Configure the firewall policy:

    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. Enter the following:

      Name                     policy46-1
      Incoming Interface       port10
      Outgoing Interface       port9
      Source                   all
      Destination              vip46_server
      Schedule                 always
      Service                  ALL
      Action                   ACCEPT
      NAT                      NAT46
      IP Pool Configuration    client_external

    3. Configure the other settings as needed.
    4. Click OK.

To configure NAT46 in the CLI:
  1. Enable IPv6:

    config system global
        set gui-ipv6 enable
    end
  2. Configure the VIP:

    config firewall vip
        edit "vip46_server"
            set extip 10.1.100.55
            set nat44 disable
            set nat46 enable
            set extintf "port2"
            set ipv6-mappedip 2000:172:16:200::55
        next
    end
  3. Configure the IPv6 IP pool:

    config firewall ippool6
        edit "client_external"
            set startip 2000:172:16:201::
            set endip 2000:172:16:201::7
            set nat46 enable
        next
    end
  4. Configure the firewall policy:

    config firewall policy
        edit 2
            set name "policy46-1"
            set srcintf "port10"
            set dstintf "port9"
            set action accept
            set nat46 enable
            set srcaddr "all"
            set dstaddr "vip46_server"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set auto-asic-offload disable
            set ippool enable
            set poolname6 "client_external"
        next
    end
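The GUI and CLI procedures above create four objects that must agree with each other: the VIP (nat46 enabled, with an ipv6-mappedip), the IPv6 IP pool (nat46 enabled), the policy (nat46 enabled, ippool enabled, poolname6 pointing at the pool, dstaddr pointing at the VIP) and the global IPv6 setting. A missing link in that chain is the usual reason a NAT46 policy looks correct but never translates. The following Python script is an added example, not Fortinet's code and not a FortiOS tool: it parses the config/edit/set/next/end blocks shown above (embedded here as constructed sample input copied from this procedure) into a dictionary and checks those cross-references. The parser and the function names are my own; it only handles single-valued set lines, so a policy with several dstaddr entries would need a small extension.

```python
from collections import defaultdict

# Constructed sample input: the four CLI blocks from the procedure above,
# concatenated as they would appear in a configuration dump.
SAMPLE_CONFIG = """\
config system global
    set gui-ipv6 enable
end
config firewall vip
    edit "vip46_server"
        set extip 10.1.100.55
        set nat44 disable
        set nat46 enable
        set extintf "port2"
        set ipv6-mappedip 2000:172:16:200::55
    next
end
config firewall ippool6
    edit "client_external"
        set startip 2000:172:16:201::
        set endip 2000:172:16:201::7
        set nat46 enable
    next
end
config firewall policy
    edit 2
        set name "policy46-1"
        set srcintf "port10"
        set dstintf "port9"
        set action accept
        set nat46 enable
        set srcaddr "all"
        set dstaddr "vip46_server"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set ippool enable
        set poolname6 "client_external"
    next
end
"""

def parse_fortios_config(text):
    """Parse config/edit/set/next/end blocks into {table: {entry: {key: value}}}.
    Tables without 'edit' (system global) use entry ''; only single-valued 'set' lines are handled."""
    tables = defaultdict(dict)
    table = entry = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "config":
            table, entry = " ".join(tok[1:]), None
        elif tok[0] == "edit":
            entry = " ".join(tok[1:]).strip('"')
            tables[table][entry] = {}
        elif tok[0] == "set":
            key, value = tok[1], " ".join(tok[2:]).strip('"')
            tables[table].setdefault(entry or "", {})[key] = value
        elif tok[0] == "next":
            entry = None
        elif tok[0] == "end":
            table = entry = None
    return tables

def check_nat46_policy(cfg, policy_id):
    """Return a list of findings; an empty list means the NAT46 objects agree."""
    findings = []
    pol = cfg["firewall policy"].get(policy_id)
    if pol is None:
        return [f"policy {policy_id} not found"]
    if pol.get("nat46") != "enable":
        findings.append("policy: nat46 is not enabled")
    if pol.get("ippool") != "enable" or "poolname6" not in pol:
        findings.append("policy: no IPv6 IP pool selected (needs ippool enable and poolname6)")
    else:
        pool = cfg["firewall ippool6"].get(pol["poolname6"])
        if pool is None:
            findings.append(f"policy: poolname6 '{pol['poolname6']}' does not exist in firewall ippool6")
        elif pool.get("nat46") != "enable":
            findings.append(f"ippool6 '{pol['poolname6']}': nat46 is not enabled")
    vip = cfg["firewall vip"].get(pol.get("dstaddr"))
    if vip is None:
        findings.append(f"policy: dstaddr '{pol.get('dstaddr')}' is not a firewall vip")
    else:
        if vip.get("nat46") != "enable":
            findings.append(f"vip '{pol['dstaddr']}': nat46 is not enabled")
        if "ipv6-mappedip" not in vip:
            findings.append(f"vip '{pol['dstaddr']}': ipv6-mappedip is not set")
    if cfg["system global"].get("", {}).get("gui-ipv6") != "enable":
        findings.append("system global: gui-ipv6 is disabled (IPv6 objects are hidden in the GUI)")
    return findings

if __name__ == "__main__":
    cfg = parse_fortios_config(SAMPLE_CONFIG)
    for line in check_nat46_policy(cfg, "2") or ["OK: policy 2 NAT46 objects are consistent"]:
        print(line)
```

Run against a real dump, feed the output of the device's configuration export instead of SAMPLE_CONFIG and pass the numeric policy ID; each finding names the object and the setting that breaks the chain, so the fix maps directly onto one of the four configuration steps above.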

Sample troubleshooting

To trace the flow and troubleshoot:

# diagnose debug flow filter saddr 10.1.100.11
# diagnose debug flow show function-name enable    (show the function name in each trace line)
# diagnose debug flow show iprope enable           (show trace messages about iprope)
# diagnose debug flow trace start 5

id=20085 trace_id=1 func=print_pkt_detail line=5401 msg="vd-root:0 received a packet(proto=1, 10.1.100.11:27592->10.1.100.55:2048) from port10. type=8, code=0, id=27592, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5561 msg="allocate a new session-000003b9"
id=20085 trace_id=1 func=iprope_dnat_check line=4948 msg="in-[port10], out-[]"
id=20085 trace_id=1 func=iprope_dnat_tree_check line=822 msg="len=1"
id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4822 msg="checking gnum-100000 policy-1"
id=20085 trace_id=1 func=get_vip46_addr line=998 msg="find DNAT46: IP-2000:172:16:200::55, port-27592"
id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4904 msg="matched policy-1, act=accept, vip=1, flag=100, sflag=2000000"
id=20085 trace_id=1 func=iprope_dnat_check line=4961 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=1 func=fw_pre_route_handler line=183 msg="VIP-10.1.100.55:27592, outdev-unkown"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3220 msg="DNAT 10.1.100.55:8->10.1.100.55:27592"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2594 msg="find a route: flag=80000000 gw-10.1.100.55 via root"
id=20085 trace_id=1 func=ip4_nat_af_input line=601 msg="nat64 ipv4 received a packet proto=1"
id=20085 trace_id=1 func=__iprope_check line=2112 msg="gnum-100012, check-ffffffffa0024ebe"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1873 msg="checked gnum-100012 policy-1, ret-matched, act-accept"
id=20085 trace_id=1 func=__iprope_user_identity_check line=1677 msg="ret-matched"
id=20085 trace_id=1 func=get_new_addr46 line=1047 msg="find SNAT46: IP-2000:172:16:201::13(from IPPOOL), port-27592"
id=20085 trace_id=1 func=__iprope_check_one_policy line=2083 msg="policy-1 is matched, act-accept"
id=20085 trace_id=1 func=__iprope_check line=2131 msg="gnum-100012 check result: ret-matched, act-accept, flag-08050500, flag2-00200000"
id=20085 trace_id=1 func=iprope_policy_group_check line=4358 msg="after check: ret-matched, act-accept, flag-08050500, flag2-00200000"
id=20085 trace_id=1 func=resolve_ip6_tuple line=4389 msg="allocate a new session-00000081"
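The trace above records the two translations a NAT46 session goes through: the DNAT46 lookup (get_vip46_addr) that resolves the VIP to the server's IPv6 address, and the SNAT46 lookup (get_new_addr46) that takes a source address from the IPv6 pool, with a policy match and a new session on each side. As an added example, not part of the Fortinet guide and not a FortiOS tool, the following Python script parses those trace lines into a structured summary and compares the translated addresses against the VIP and pool configured earlier. The regular expressions, function names and result keys are my own assumptions about the message formats, derived only from the lines shown here. Note that on this page's own sample the pool check reports the SNAT46 address 2000:172:16:201::13 as outside the range 2000:172:16:201::-2000:172:16:201::7 given in the sample pool; when comparing a trace from your own device against your own configuration, that check is the one that tells you the policy is drawing from the pool you intended.

```python
import re
import ipaddress

# Constructed sample input: the trace lines shown above, verbatim.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5401 msg="vd-root:0 received a packet(proto=1, 10.1.100.11:27592->10.1.100.55:2048) from port10. type=8, code=0, id=27592, seq=1."
id=20085 trace_id=1 func=init_ip_session_common line=5561 msg="allocate a new session-000003b9"
id=20085 trace_id=1 func=iprope_dnat_check line=4948 msg="in-[port10], out-[]"
id=20085 trace_id=1 func=iprope_dnat_tree_check line=822 msg="len=1"
id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4822 msg="checking gnum-100000 policy-1"
id=20085 trace_id=1 func=get_vip46_addr line=998 msg="find DNAT46: IP-2000:172:16:200::55, port-27592"
id=20085 trace_id=1 func=__iprope_check_one_dnat_policy line=4904 msg="matched policy-1, act=accept, vip=1, flag=100, sflag=2000000"
id=20085 trace_id=1 func=iprope_dnat_check line=4961 msg="result: skb_flags-02000000, vid-1, ret-matched, act-accept, flag-00000100"
id=20085 trace_id=1 func=fw_pre_route_handler line=183 msg="VIP-10.1.100.55:27592, outdev-unkown"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3220 msg="DNAT 10.1.100.55:8->10.1.100.55:27592"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2594 msg="find a route: flag=80000000 gw-10.1.100.55 via root"
id=20085 trace_id=1 func=ip4_nat_af_input line=601 msg="nat64 ipv4 received a packet proto=1"
id=20085 trace_id=1 func=__iprope_check line=2112 msg="gnum-100012, check-ffffffffa0024ebe"
id=20085 trace_id=1 func=__iprope_check_one_policy line=1873 msg="checked gnum-100012 policy-1, ret-matched, act-accept"
id=20085 trace_id=1 func=__iprope_user_identity_check line=1677 msg="ret-matched"
id=20085 trace_id=1 func=get_new_addr46 line=1047 msg="find SNAT46: IP-2000:172:16:201::13(from IPPOOL), port-27592"
id=20085 trace_id=1 func=__iprope_check_one_policy line=2083 msg="policy-1 is matched, act-accept"
id=20085 trace_id=1 func=__iprope_check line=2131 msg="gnum-100012 check result: ret-matched, act-accept, flag-08050500, flag2-00200000"
id=20085 trace_id=1 func=iprope_policy_group_check line=4358 msg="after check: ret-matched, act-accept, flag-08050500, flag2-00200000"
id=20085 trace_id=1 func=resolve_ip6_tuple line=4389 msg="allocate a new session-00000081"
"""

# Message formats assumed from the sample lines only (not a documented FortiOS grammar).
LINE_RE = re.compile(r'^id=(?P<id>\d+) trace_id=(?P<trace>\d+) func=(?P<func>\S+) line=(?P<line>\d+) msg="(?P<msg>.*)"$')
PKT_RE = re.compile(r'received a packet\(proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<intf>\S+)\.')
DNAT46_RE = re.compile(r'find DNAT46: IP-(?P<ip>[0-9A-Fa-f:]+), port-(?P<port>\d+)')
SNAT46_RE = re.compile(r'find SNAT46: IP-(?P<ip>[0-9A-Fa-f:]+)\(from (?P<origin>[^)]+)\), port-(?P<port>\d+)')
POLICY_RE = re.compile(r'policy-(?P<pid>\d+)\b.*?act[=-](?P<act>\w+)')
SESSION_RE = re.compile(r'allocate a new session-(?P<sid>[0-9a-f]+)')

def parse_trace(text):
    """Reduce a NAT46 debug-flow trace to the facts a troubleshooter looks for."""
    summary = {"packets": [], "dnat46": None, "snat46": None, "snat46_origin": None,
               "policies": [], "sessions": [], "unparsed": 0}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            if raw.strip():
                summary["unparsed"] += 1   # a line we could not interpret; keep count, do not hide it
            continue
        msg = m["msg"]
        if (p := PKT_RE.search(msg)):
            summary["packets"].append(p.groupdict())           # ingress packet: IPv4 5-tuple and interface
        elif (d := DNAT46_RE.search(msg)):
            summary["dnat46"] = d["ip"]                        # VIP resolved to the server's IPv6 address
        elif (s := SNAT46_RE.search(msg)):
            summary["snat46"], summary["snat46_origin"] = s["ip"], s["origin"]   # source from the pool
        elif (pm := POLICY_RE.search(msg)):
            summary["policies"].append((m["func"], pm["pid"], pm["act"]))        # every policy verdict
        elif (ss := SESSION_RE.search(msg)):
            summary["sessions"].append(ss["sid"])              # IPv4-side and IPv6-side sessions
    return summary

def verify_nat46(summary, vip_mapped_ip, pool_start, pool_end):
    """Check the translated addresses in the trace against the configured VIP and pool."""
    result = {"dnat46_matches_vip": False, "snat46_in_pool": False,
              "all_accept": bool(summary["policies"])
              and all(act == "accept" for _, _, act in summary["policies"])}
    if summary["dnat46"]:
        result["dnat46_matches_vip"] = (ipaddress.IPv6Address(summary["dnat46"])
                                        == ipaddress.IPv6Address(vip_mapped_ip))
    if summary["snat46"]:
        snat = ipaddress.IPv6Address(summary["snat46"])
        result["snat46_in_pool"] = (ipaddress.IPv6Address(pool_start) <= snat
                                    <= ipaddress.IPv6Address(pool_end))
    return result

if __name__ == "__main__":
    s = parse_trace(SAMPLE_TRACE)
    print(s["packets"], s["dnat46"], s["snat46"], s["policies"], s["sessions"], sep="\n")
    print(verify_nat46(s, "2000:172:16:200::55", "2000:172:16:201::", "2000:172:16:201::7"))
```

Paste the output of diagnose debug flow trace start in place of SAMPLE_TRACE and pass the ipv6-mappedip, startip and endip from your own VIP and ippool6 objects; a False in dnat46_matches_vip means the packet hit a different VIP than expected, a False in snat46_in_pool means the policy is not using the pool you configured, and a non-zero unparsed count tells you which lines the regular expressions did not cover.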
