- Table of Contents
-
- 04-Policies
- 01-Security policy
- 02-Security policy redundancy analysis
- 03-Security policy hit analysis
- 04-Security policy optimization
- 05-Policy-based NAT
- 06-Interface NAT
- 07-AFT
- 08-QoS
- 09-Bandwidth management
- 10-Application audit
- 11-Application proxy
- 12-IP reputation
- 13-Domain reputation
- 14-Blacklist
- 15-Connection limit
- 16-Server connection detection
- 17-Access rate limit
- 18-DLP
- 19-Server load balancing
- 20-Outbound link load balancing
- 21-Inbound link load balancing
- 22-Transparent DNS proxy
- 23-NetShare control
- 24-Zero trust policy
- 25-Trusted application proxies
- 26-Trusted API proxies
- 27-NAT66
- 28-uRPF
- 29-Load balancing common configuration
- Related Documents
-
Title | Size | Download |
---|---|---|
07-AFT | 73.62 KB |
This help contains the following topics:
¡ Configure a NAT64 static port translation policy
Introduction
Address Family Translation (AFT) translates an IP address of one address family into an IP address of the other address family.
NAT64 prefix
NAT64 prefix is an IPv6 address prefix used to construct an IPv6 address representing an IPv4 node in an IPv6 network. The IPv6 hosts do not use a constructed IPv6 address as their real IP address. The length of a NAT64 prefix can be 32, 40, 48, 56, 64, or 96.
As shown in Figure 1, the construction methods vary depending on the NAT64 prefix length. Bits 64 through 71 in the constructed IPv6 address are reserved bits.
· If the prefix length is 32, 64, or 96 bits, the IPv4 address contained in the IPv6 address will be intact.
· If the prefix length is 40, 48, or 56 bits, the IPv4 address contained in the IPv6 address will be divided into two parts by bits 64 through 71.
Figure 1 IPv6 address construction with NAT64 prefix and IPv4 address
AFT translation methods
Prefix translation
AFT uses a NAT64 prefix to perform IPv4-to-IPv6 source address translation or IPv6-to-IPv4 destination address translation.
Static translation
Static AFT creates a fixed mapping between an IPv4 address and an IPv6 address. The device supports the following types of static translation types:
· IPv6-to-IPv4 static translation: Translate a source IPv6 address to an IPv4 address, or a destination IPv4 address to an IPv6 address.
· IPv4-to-IPv6 static translation: Translate a source IPv4 address to an IPv6 address, or a destination IPv6 address to an IPv4 address.
· Port block group-based IPv6-to-IPv4 source address translation: Translate a pair of source IPv6 address and port to a pair of IPv4 address and port.
Dynamic translation
Dynamic AFT creates a dynamic mapping between an IPv4 address and an IPv6 address.
When dynamic AFT performs IPv6-to-IPv4 source address translation, the Not Port Address Translation (NO-PAT) and Port Address Translation (PAT) modes are available.
· NO-PAT: NO-PAT translates one IPv6 address to one IPv4 address. An IPv4 address assigned to one IPv6 host cannot be used by any other IPv6 host until it is released.
NO-PAT supports all IP packets.
· PAT: PAT translates multiple IPv6 addresses to a single IPv4 address by mapping each IPv6 address and port to the IPv4 address and a unique port. PAT supports the following packet types:
¡ TCP packets.
¡ UDP packets.
¡ ICMPv6 echo request and echo reply messages.
PAT supports port blocks for connection limit and user tracing. Port blocks are generated by dividing the port range (1024 to 65535) by the port block size. Port block based PAT maps multiple IPv6 addresses to one IPv4 address and uses a port block for each IPv6 address.
Port block based PAT functions as follows:
a. When an IPv6 host first initiates a connection to the IPv4 network, it creates a mapping from the host's IPv6 address to an IPv4 address and a port block.
b. It translates the IPv6 address to the IPv4 address, and the source ports to ports in the port block for subsequent connections from the IPv6 host until the ports in the port block are exhausted.
AFT translation process
As shown in Figure 2, when the IPv6 host initiates access to the IPv4 host, AFT operates as follows:
1. Upon receiving a packet from the IPv6 host, AFT compares the packet with IPv6-to-IPv4 destination address translation policies.
¡ If a matching policy is found, AFT translates the destination IPv6 address according to the policy.
¡ If no matching policy is found, AFT does not process the packet.
2. AFT performs pre-lookup to determine the output interface for the translated packet. PBR is not used for the pre-lookup.
¡ If a matching route is found, the process goes to step 3.
¡ If no matching route is found, AFT discards the packet.
3. AFT compares the source IPv6 address of the packet with IPv6-to-IPv4 source address translation policies.
¡ If a matching policy is found, AFT translates the source IPv6 address according to the policy.
¡ If no matching policy is found, AFT discards the packet.
4. AFT forwards the translated packet and records the mappings between IPv6 addresses and IPv4 addresses.
5. AFT translates the IPv4 addresses in the response packet header to IPv6 addresses based on the address mappings before packet forwarding.
Figure 2 AFT process for IPv6-initiated communication
As shown in Figure 3, when the IPv4 host initiates access to the IPv6 host, AFT operates as follows:
1. Upon receiving a packet from the IPv4 host, AFT compares the packet with IPv4-to-IPv6 destination address translation policies.
¡ If a matching policy is found, AFT translates the destination IPv4 address according to the policy.
¡ If no matching policy is found, AFT does not process the packet.
2. AFT performs pre-lookup to determine the output interface for the translated packet. PBR is not used for the pre-lookup.
¡ If a matching route is found, the process goes to step 3.
¡ If no matching route is found, AFT discards the packet.
3. AFT compares the source IPv4 address of the packet with IPv4-to-IPv6 source address translation policies.
¡ If a matching policy is found, AFT translates the source IPv4 address according to the policy.
¡ If no matching policy is found, AFT discards the packet.
4. AFT forwards the translated packet and records the mappings between IPv4 addresses and IPv6 addresses.
5. AFT translates the IPv6 addresses in the response packet header to IPv4 addresses based on the address mappings before packet forwarding.
Figure 3 AFT process for IPv4-initiated communication
Restrictions and guidelines
· AFT compares an IPv6 packet with IPv6-to-IPv4 destination address translation policies in the following order:
a. IPv4-to-IPv6 source address static mappings.
b. NAT64 prefixes.
· AFT compares an IPv6 packet with IPv6-to-IPv4 source address translation policies in the following order:
c. IPv6-to-IPv4 source address static mappings.
d. NAT64 static port translation policies.
e. IPv6-to-IPv4 source address dynamic translation policies.
· AFT compares an IPv4 packet with IPv4-to-IPv6 source address translation policies in the following order:
f. IPv4-to-IPv6 source address static mappings.
g. NAT64 prefixes.
Configure AFT
Configure a NAT64 prefix
1. Click the Policies tab.
2. Select Interface NAT > AFT.
3. On the NAT64 Prefixes tab, click Create.
4. Configure a NAT64 prefix and click OK.
Table 1 NAT64 prefix configuration items
Item |
Description |
IPv6 prefix |
Specify a NAT64 prefix. |
NAT64 prefix length |
Select a NAT64 prefix length. Options are 32, 40, 48, 56, 64, and 96. |
Configure an AFT policy
1. Create an AFT policy:
a. Click the Policies tab.
b. Select Interface AFT > AFT.
c. On the AFT Policies tab, click Create.
d. Configure an AFT policy and click OK.
Table 2 AFT policy configuration items
Item |
Description |
Translation method |
Translation method used by the AFT policy. Supported translation methods are: · NAT64 prefix: Select this option to create an IPv6-to-IPv4 source address dynamic translation policy based on a NAT64 prefix. · v6tov4: Select this option to create an IPv6-to-IPv4 source address static mapping. · v4tov6: Select this option to create an IPv4-to-IPv6 source address static mapping. |
ACL for packet matching |
Select the ACL for matching the IPv6 packets for address translation. This parameter is available only when NAT64 prefix is selected for Translation method. |
Source address after AFT |
Specify the IPv4 address used for IPv6-to-IPv4 source address translation. You can select an address group or a loopback interface. This parameter is available only when NAT64 prefix is selected for Translation method. |
Translation mode |
Select a translation mode. Options are NO-PAT and PAT. |
Port block size |
Set the port block size, which is the number of ports in one port block. This parameter is available only when NAT64 prefix is selected for Translation method. |
Port range |
Specify the port range within which port blocks are divided. This parameter is available only when NAT64 prefix is selected for Translation method. |
Number of extended port blocks |
Set the number of port blocks used for port allocation to the IP addresses when all ports in the allocated port blocks are used. This parameter is available only when NAT64 prefix is selected for Translation method. |
VRF after AFT |
Specify the VRF to which the address belongs after AFT. |
IPv4 address |
Specify the IPv4 address for the static mapping. This parameter is available only when v6tov4 or v4tov6 is selected for Translation method. |
IPv4VPN |
Specify the VRF to which the IPv4 address belongs. This parameter is available only when v6tov4 or v4tov6 is selected for Translation method. |
IPv6 address |
Specify the IPv6 address for the static mapping. This parameter is available only when v6tov4 or v4tov6 is selected for Translation method. |
IPv6VPN |
Specify the VRF to which the IPv4 address belongs. This parameter is available only when v6tov4 or v4tov6 is selected for Translation method. |
2. Apply AFT policies to interfaces:
a. Click the Policies tab.
b. Select Interface AFT > AFT.
c. On the AFT On Interfaces tab, select the interfaces to which you want to apply all configured AFT policies.
d. Click Enable.
Configure a NAT64 static port translation policy
Use the following procedure to configure a NAT64 static port translation policy:
1. Configure a port block group for IPv6-to-IPv4 source address translation.
2. Create a NAT64 static port translation policy and apply the port block group to the policy.
Procedure
1. Create a port block group:
a. Click the Policies tab.
b. Select Interface AFT > AFT.
c. On the NAT64 Static Port Translation tab, click Port block groups.
d. Click Create.
e. Configure a port block group and click OK.
Table 3 Port block group configuration items
Item |
Description |
Group ID |
Specify a port block group ID. |
Port range |
Specify the port range used for AFT. |
Port block size |
Specify the port block size. The port range will be equally divided to port blocks of the specified size. |
Start IPv6 |
Start IPv6 address of an IPv6 address range to be translated. |
End IPv6 |
End IPv6 address of an IPv6 address range to be translated. |
Prefix length |
Prefix length of the IPv6 addresses to be translated. |
Start IP |
Start IPv4 address of an IPv4 address range used for IPv6-to-IPv4 source address translation. |
End IP |
End IPv4 address of an IPv4 address range used for IPv6-to-IPv4 source address translation. |
VRF |
VRF to which the IPv4 or IPv6 addresses belong. |
2. Configure a NAT64 static port translation policy:
a. Click the Policies tab.
b. Select Interface AFT > AFT.
c. On the NAT64 Static Port Translation tab, click Create.
d. Configure the policy parameters and click OK.
Table 4 NAT64 static port translation configuration items
Item |
Description |
Translation method |
Translation method used by the NAT64 static port translation policy. Only the v6tov4 translation method is supported. |
Port block group |
Port block group used by the policy. |