FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
pywong
Staff
Article Id 192911

Description

 

This article describes how to configure IPv4 to IPv6 translation (NAT46) on the FortiGate. NAT46 translates IPv4 addresses to IPv6 addresses so that a client on an IPv4 network can communicate transparently with a server on an IPv6 network.

Solution


Diagram:

 

IPv4 Client (10.202.1.150/22)
|
|  IPv4 network (10.202.0.0/22)
|
[Port7 - 10.202.1.124/22]
FortiGate
[Port6 - 2001:1:1:2::1/64]
|
|
IPv6 Server (2001:1:1:2::100/64)


Configuration CLI (only relevant parts):

   1. Interfaces:

 

config system interface
    edit "port7"
        set vdom "root"
        set ip 10.202.1.127 255.255.252.0
        set allowaccess ping https ssh
        set type physical
        set snmp-index 7
    next
end

config system interface
    edit "port6"
        set vdom "root"
        config ipv6
            set ip6-allowaccess ping https ssh
            set ip6-address 2001:1:1:2::1/64
        end
    next
end

 

  2. Enable NAT64 (note that the default prefix for NAT64 is 64:ff9b::/96):

    config system nat64
        set status enable
    end

  3. Configure VIP46:

    config firewall vip46
        edit "nat46_jw"
            set extip 10.202.1.100
            set mappedip 2001:1:1:2::100
        next
    end

  4. Configure firewall policy46:

    config firewall policy46
        edit 1
            set srcintf "port7"
            set dstintf "port6"
            set srcaddr "all"
            set dstaddr "nat46_jw"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic enable
        next
    end


Verification:

The IPv4 host reaches the IPv6 server by pinging the VIP46 external IP (10.202.1.100):

 

C:\Users\fortinet>ping 10.202.1.100

Pinging 10.202.1.100 with 32 bytes of data:
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127

Ping statistics for 10.202.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms


FortiGate Log:

 

date=2019-04-04 time=17:56:09 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=10.202.1.150 srcintf="port7" dstip=10.202.1.100 dstintf="port6" poluuid=ca338086-5100-51e9-af5a-f3d62a28968b sessionid=378097 proto=1 action=accept policyid=1 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat tranip=2001:1:1:2::100 tranport=128 transip=64:ff9b::aca:196 transport=62464 service="PING" duration=64 sentbyte=240 rcvdbyte=240 sentpkt=4 rcvdpkt=4 appcat="unscanned"
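
In the log above, dstip/tranip show the VIP46 destination translation, and transip is the client's IPv4 address embedded in the NAT64 prefix, which is how the client appears in the IPv6 server's own logs. The following Python script is an added example, not part of the original article: it parses such a log line, checks it against the VIP46 settings, and recovers the IPv4 client from the translated source. The function names are hypothetical and the sample line is the article's log shortened to the fields used.

```python
import ipaddress
import shlex

NAT64_PREFIX = ipaddress.ip_network("64:ff9b::/96")  # default prefix noted in the article

# Log line from the article, shortened to the fields this example uses.
SAMPLE_LOG = (
    'date=2019-04-04 time=17:56:09 type=traffic subtype=forward '
    'srcip=10.202.1.150 srcintf="port7" dstip=10.202.1.100 dstintf="port6" '
    'proto=1 action=accept policyid=1 trandisp=snat+dnat '
    'tranip=2001:1:1:2::100 transip=64:ff9b::aca:196 service="PING"'
)

def parse_kv(line):
    """Split a FortiGate key=value log line into a dict, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def embedded_ipv4(addr6, prefix=NAT64_PREFIX):
    """Return the IPv4 address carried in the low 32 bits of a /96-prefixed address."""
    addr = ipaddress.IPv6Address(addr6)
    if addr not in prefix:
        raise ValueError(f"{addr} is outside {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def check_nat46(fields, vip_extip, vip_mappedip):
    """Return a list of findings; an empty list means the log matches the VIP46."""
    findings = []
    if fields.get("trandisp") != "snat+dnat":
        findings.append("expected trandisp=snat+dnat")
    if ipaddress.ip_address(fields["dstip"]) != ipaddress.ip_address(vip_extip):
        findings.append("dstip is not the VIP46 extip")
    if ipaddress.ip_address(fields["tranip"]) != ipaddress.ip_address(vip_mappedip):
        findings.append("tranip is not the VIP46 mappedip")
    try:
        if embedded_ipv4(fields["transip"]) != ipaddress.ip_address(fields["srcip"]):
            findings.append("transip does not embed srcip")
    except ValueError as exc:
        findings.append(str(exc))
    return findings

if __name__ == "__main__":
    f = parse_kv(SAMPLE_LOG)
    print("client behind", f["transip"], "is", embedded_ipv4(f["transip"]))
    print("findings:", check_nat46(f, "10.202.1.100", "2001:1:1:2::100") or "none")
```
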


This article applies only to FortiOS 6.4 and below. For FortiOS 7.0.x and newer, refer to the following guide:

NAT64 policy and DNS64 (DNS proxy)