NAT64 policy and DNS64 (DNS proxy)

1 Reply

NAT64 policy and DNS64 (DNS proxy)

NAT64 policy translates IPv6 addresses to IPv4 addresses so that a client on an IPv6 network can communicate transparently with a server on an IPv4 network.

NAT64 policy is usually implemented in combination with the DNS proxy called DNS64. DNS64 synthesizes AAAA records from A records and is used to synthesize IPv6 addresses for hosts that only have IPv4 addresses. DNS proxy and DNS64 are interchangeable terms.

Sample topology

In this example, a host on the internal IPv6 network communicates with ControlPC.qa.fortinet.com that only has IPv4 address on the Internet.

  1. The host on the internal network does a DNS lookup for qa.fortinet.com by sending a DNS query for an AAAA record for ControlPC.qa.fortinet.com.
  2. The DNS query is intercepted by the FortiGate DNS proxy. The DNS proxy performs an A-record query for qa.fortinet.com and gets back an RRSet containing a single A record with the IPv4 address 172.16.200.55.
  3. The DNS proxy then synthesizes an AAAA record. The IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits and the received IPv4 address in the lower 32 bits. By default, the resulting IPv6 address is 64:ff9b::172.16.200.55.
  4. The host on the internal network receives the synthetic AAAA record and sends a packet to the destination address 64:ff9b::172.16.200.55.
  5. The packet is routed to the FortiGate internal interface (port10) where it is accepted by the NAT64 security policy.
  6. The FortiGate unit translates the destination address of the packets from IPv6 address

64:ff9b::172.16.200.55 to IPv4 address 172.16.200.55 and translates the source address of the packets to 172.16.200.200 (or another address in the IP pool range) and forwards the packets out the port9 interface to the Internet.

Sample configuration

To enable display for IPv6, NAT46/NAT64, and DNS Database using the GUI:

  1. Go to System > Feature Visibility.
  2. In the Basic Features section, enable IPv6.
  3. In the Additional Features section, enable the following features: l NAT46 & NAT64 l DNS Database
  4. Click Apply.

To enable display for IPv6, NAT46/NAT64, and DNS Database using the CLI:

config system global set gui-ipv6 enable

end

config system settings set gui-nat46-64 enable set gui-dns-database enable

end

To enable DNS proxy on the IPv6 interface using the GUI:

  1. Go to Network > DNS Servers.
  2. In DNS Service on Interface, click Create New.
  3. For Interface, select port10.
  4. Click OK.

To enable DNS proxy on the IPv6 interface using the CLI:

config system dns-server edit “port10” set mode forward-only

next

end

To configure IPv6 DHCP server using the CLI:

config system dhcp6 server edit 1 set subnet 2001:db8:1::/64 set interface “port10” config ip-range edit 1 set start-ip 2001:db8:1::11 set end-ip 2001:db8:1::20

next

end

set dns-server1 2001:db8:1::10

next

end

To enable NAT64 and related settings using the CLI:

Enabling NAT64 with the config system nat64 command means that all IPv6 traffic received by the current VDOM can be subject to NAT64 if the source and destination address matches an NAT64 security policy.

By default, the setting always-synthesize-aaaa-record is enabled. If you disable this setting, the DNS proxy (DNS64) will attempt to find an AAAA records for queries to domain names and therefore resolve the host names to IPv6 addresses. If the DNS proxy cannot find an AAAA record, it synthesizes one by adding the NAT64 prefix to the A record.

nat64-prefix setting is the nat64 prefix. By default, it is 64:ff9b::/96.

config system nat64 set status enable end

To create NAT64 policy using the GUI:

  1. Add an IPv4 firewall address for the external network.
    1. Go to Policy & Object > Addresses.
    2. Click Create New.
    3. For Name, enter external-net4.
    4. For IP/Network, enter 200.0/24.
    5. For Interface, select
    6. Click OK.
  2. Add an IPv6 firewall address for the internal network.
    1. Go to Policy & Object > Addresses.
    2. Click Create New.
    3. Change Category to IPv6 Address.
    4. For Name, enter internal-net6.
    5. For IPv6 Address, enter 2001:db8:1::/48.
    6. Click OK.
  3. Add an IP pool containing the IPv4 address that is used as the source address of the packets exiting port9.
    1. Go to Policy & Object > IP Pools.
    2. Click Create New.
    3. For Name, enter exit-pool4.
    4. For External IP Range, enter 16.200.200-172.16.200.210.
    5. Click OK.
  4. Add a NAT64 policy that allows connections from the internal IPv6 network to the external IPv4 network.
    1. Go to Policy & Object > NAT64 Policy.
    2. Click Create New.
    3. For Incoming Interface, select port10.
    4. For Outgoing Interface, select port9.
    5. For Source Address, select internal-net6.
    6. For Destination Address, select external-net4.
    7. Set IP Pool Configuration to Use Dynamic IP Pool and select the IP pool exit-pool4. Click OK.

To create NAT64 policy using the CLI:

config firewall address edit “external-net4” set associated-interface “port9” set subnet 172.16.200.0 255.255.255.0

next

end

config firewall address6 edit “internal-net6” set ip6 2001:db8:1::/48

next

end

config firewall ippool edit “exit-pool4”

set startip 172.16.200.200 set endip 172.16.200.210

next

end

config firewall policy64 edit 1 set srcintf “port10” set dstintf “port9” set srcaddr “internal-net6” set dstaddr “external-net4” set action accept set schedule “always” set service “ALL” set ippool enable set poolname “exit-pool4”

next

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6.2 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

One thought on “NAT64 policy and DNS64 (DNS proxy)

  1. DINAGARAN

    We have done the following. But not working
    1. Configured IPV6 address (fd01::a0a:0e0f/120) for PC. 2.configured firewall LAN int (fd01::a0a:0e01/120)

    NAt64,DNS-Server configured. Policy for outgoing configured. When we browse the URL, we are not getting. Pl support

    Reply

Leave a Reply to DINAGARAN Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.