FortiGate
RobBlenk
Staff
Article Id 293888
Description: This article describes how to create a NAT64 firewall policy to allow traffic to a virtual IP on the network.
Scope: FortiOS
Solution

Step 1:
Enable IPv6 in the GUI. A separate article describes how to do that in detail.


Step 2:
Create a NAT64 VIP object.

NOTE: The external IPv6 address (extip) of the VIP must not be the same as the public IPv6 address of the external-facing interface, but it must be in the same subnet as that address.
In this context my VIP extip is 2404:a800:2a00::b47 and my public IP on the interface is 2404:a800:2a00::b46.

[Screenshot: VIP.png]

CLI:
config firewall vip6
    edit "test-vip64-1"
        set uuid bfd1d040-abe9-51ee-a64b-35170902c7b9
        set extip 2404:a800:2a00::b47    <-- Ensure that this is not the same as the IP of the WAN.
        set nat66 disable
        set nat64 enable
        set ipv4-mappedip 172.16.150.162
    next
end


Step 3:
Create an SNAT IP pool with NAT64 enabled that contains a single IPv4 address not used anywhere else on the network. The FortiGate uses this address as the translated IPv4 source of the NAT64 traffic, so it must not collide with any real host.

[Screenshot: IPpool.png]

CLI:
config firewall ippool
    edit "Test-ippool"
        set startip 172.16.100.1
        set endip 172.16.100.1
        set arp-reply disable
        set nat64 enable
    next
end

Step 4:
Create the firewall policy, enabling NAT64 in the NAT section of the policy. The IPv6 destination address is the NAT64 VIP from Step 2, and the IP pool from Step 3 is selected for source NAT.

[Screenshot: Policy.png]

CLI:
config firewall policy
    edit 1
        set name "policy64-1"
        set uuid 0084683e-abf7-51ee-cd9c-fa9e15de6489
        set srcintf "port3"
        set dstintf "port2"
        set action accept
        set nat64 enable
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "test-vip64-1"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set ippool enable
        set poolname "Test-ippool"
    next
end

