-
Networking Requirements
As shown in Figure 1, the goal is to allow an IPv4 host and an IPv6 host to reach each other. (The router in the eNSP simulator does not support NAT64, so a USG6000V is used instead.) The USG6000V runs a dual stack and connects to both the IPv6 network and the IPv4 network.
Figure 1 Dynamic/static NAT64 network diagram
-
Configuration Procedure
1. Assign the firewall interfaces to the trust zone, configure the interface IP addresses, and permit ping traffic
(omitted)
2. Enable NAT64 on the firewall and configure the NAT64 prefix
nat64 enable
nat64 prefix 3000:: 96
Note: The NAT64 prefix 3000::/96 (entered as "nat64 prefix 3000:: 96") is used here as an example. If no prefix is configured, the well-known prefix 64:FF9B::/96 is used by default.
3. Configure an address pool that NAT64 uses when translating between the two IP protocols
nat address-group 1 0
mode pat
section 0 200.1.1.1 200.1.1.100
4. Configure the NAT policy on the firewall
nat-policy
rule name 1
nat-type nat64
action source-nat address-group 1
5. If the IPv4 host must initiate access to the IPv6 host, a static NAT64 mapping is required
nat64 static 2000::1 200.1.1.200
-
Verification
1. Dynamic NAT64 mapping
# On the IPv6 host, run ping 3000::100.1.1.1
PC>ping 3000::100.1.1.1
Ping 3000::6401:101: 32 data bytes, Press Ctrl_C to break
Request timeout!
From 3000::6401:101: bytes=32 seq=2 hop limit=127 time=16 ms
From 3000::6401:101: bytes=32 seq=3 hop limit=127 time<1 ms
From 3000::6401:101: bytes=32 seq=4 hop limit=127 time=15 ms
From 3000::6401:101: bytes=32 seq=5 hop limit=127 time<1 ms
--- 3000::6401:101 ping statistics ---
5 packet(s) transmitted
4 packet(s) received
20.00% packet loss
round-trip min/avg/max = 0/7/16 ms
The IPv6 host can ping the IPv4 address of the IPv4 host.
# In any view on the FW, run display firewall ipv6 session table to view the NAT64 session table.
[USG6000V1]display firewall ipv6 session table
2022-06-06 06:35:41.600
Current Total IPv6 Sessions : 5
NAT64: icmpv6 VPN: public --> public 2000::1.39105[200.1.1.49:2055] --> 3000::6401:101.2048[100.1.1.1:2048]
The NAT64 session table shows the mapping between the IPv6 and IPv4 addresses.
# In any view on the FW, run display firewall session table to view the IPv4 NAT session table.
[USG6000V1]display firewall session table
2022-06-06 06:35:05.060
Current Total Sessions : 5
icmp VPN: public --> public 200.1.1.49:2055 --> 100.1.1.1:2048
The IPv4 NAT session table further shows the translation between the IPv4 addresses.
# Packet capture of traffic from the IPv6 host to the IPv4 host
IPv6 network side capture
IPv4 network side capture
2. Static NAT64 mapping
# On the IPv4 host, run ping 200.1.1.200
PC>ping 200.1.1.200
Ping 200.1.1.200: 32 data bytes, Press Ctrl_C to break
From 200.1.1.200: bytes=32 seq=1 ttl=254 time<1 ms
From 200.1.1.200: bytes=32 seq=2 ttl=254 time=16 ms
From 200.1.1.200: bytes=32 seq=3 ttl=254 time=16 ms
From 200.1.1.200: bytes=32 seq=4 ttl=254 time<1 ms
From 200.1.1.200: bytes=32 seq=5 ttl=254 time=15 ms
--- 200.1.1.200 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 0/9/16 ms
The IPv4 host can ping the IPv6 host at its statically mapped IPv4 address.
# In any view on the FW, run display firewall ipv6 session table to view the NAT64 session table.
[USG6000V1]display firewall ipv6 session table
2022-06-06 03:39:05.030
Current Total IPv6 Sessions : 3
NAT64: icmpv6 VPN: public --> public 3000::6401:101.7028[100.1.1.1:7028] --> 2000::1.2048[200.1.1.200:2048]
The NAT64 session table shows the mapping between the IPv6 and IPv4 addresses.
# In any view on the FW, run display firewall ipv6 server-map to view the server-map entries.
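The dynamic and static session-table checks above both rely on the same fact: with a /96 NAT64 prefix, the IPv4 address is carried in the low 32 bits of the synthesized IPv6 address (100.1.1.1 becomes 3000::6401:101), while the other side of the session is either a pool address or a static mapping. The following Python script is an added example, not part of the original guide or of the USG6000V product: it synthesizes and extracts embedded addresses for a /96 prefix, parses the NAT64 and IPv4 session lines quoted above (embedded here as constructed sample strings), classifies each NAT64 session as IPv6- or IPv4-initiated, and checks that the IPv4 session entry matches the IPv4 side of the NAT64 session. The helper names and the regular expressions are this example's own assumptions about the output format shown on the page.

```python
# Added example (not from the original guide or the USG6000V product): shows how a
# /96 NAT64 prefix embeds an IPv4 address and parses the session table lines from
# the guide to check that the embedded address is consistent with the IPv4 side.
import ipaddress
import re
from typing import Optional

WELL_KNOWN_PREFIX = "64:ff9b::/96"  # default when no "nat64 prefix" is configured


def prefix_from_command(cmd: str) -> str:
    """Turn the CLI form 'nat64 prefix 3000:: 96' into CIDR form '3000::/96'."""
    parts = cmd.split()
    if len(parts) != 4 or parts[:2] != ["nat64", "prefix"]:
        raise ValueError(f"not a nat64 prefix command: {cmd!r}")
    return f"{parts[2]}/{parts[3]}"


def synthesize(prefix: str, ipv4: str) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled in this example")
    embedded = int(net.network_address) | int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(embedded))


def extract_ipv4(prefix: str, ipv6: str) -> Optional[str]:
    """Return the embedded IPv4 address, or None if ipv6 is outside the prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))


# Assumed line format of "display firewall ipv6 session table" NAT64 entries (from the guide)
NAT64_SESSION_RE = re.compile(
    r"NAT64:\s+(?P<proto>\S+)\s+VPN:\s+\S+\s+-->\s+\S+\s+"
    r"(?P<src6>[0-9a-fA-F:]+)\.(?P<sport6>\d+)\[(?P<src4>[\d.]+):(?P<sport4>\d+)\]\s+-->\s+"
    r"(?P<dst6>[0-9a-fA-F:]+)\.(?P<dport6>\d+)\[(?P<dst4>[\d.]+):(?P<dport4>\d+)\]"
)
# Assumed line format of "display firewall session table" IPv4 entries (from the guide)
IPV4_SESSION_RE = re.compile(
    r"(?P<proto>\S+)\s+VPN:\s+\S+\s+-->\s+\S+\s+"
    r"(?P<src4>[\d.]+):(?P<sport>\d+)\s+-->\s+(?P<dst4>[\d.]+):(?P<dport>\d+)"
)


def parse_nat64_session(line: str) -> Optional[dict]:
    m = NAT64_SESSION_RE.search(line)
    return m.groupdict() if m else None


def classify_session(line: str, prefix: str) -> Optional[str]:
    """'ipv6-initiated' when the destination carries the prefix and embeds the
    bracketed IPv4 destination; 'ipv4-initiated' when the source does; else None."""
    s = parse_nat64_session(line)
    if s is None:
        return None
    if extract_ipv4(prefix, s["dst6"]) == s["dst4"]:
        return "ipv6-initiated"
    if extract_ipv4(prefix, s["src6"]) == s["src4"]:
        return "ipv4-initiated"
    return None


def ipv4_session_matches(nat64_line: str, ipv4_line: str) -> bool:
    """True when the IPv4 side of the NAT64 session equals the IPv4 session entry."""
    s = parse_nat64_session(nat64_line)
    m = IPV4_SESSION_RE.search(ipv4_line)
    if s is None or m is None:
        return False
    v4 = m.groupdict()
    return (s["src4"], s["sport4"], s["dst4"], s["dport4"]) == (
        v4["src4"], v4["sport"], v4["dst4"], v4["dport"])


# Constructed sample input, copied from the session lines quoted in the guide
NAT64_DYNAMIC = ("NAT64: icmpv6 VPN: public --> public "
                 "2000::1.39105[200.1.1.49:2055] --> 3000::6401:101.2048[100.1.1.1:2048]")
NAT64_STATIC = ("NAT64: icmpv6 VPN: public --> public "
                "3000::6401:101.7028[100.1.1.1:7028] --> 2000::1.2048[200.1.1.200:2048]")
IPV4_DYNAMIC = "icmp VPN: public --> public 200.1.1.49:2055 --> 100.1.1.1:2048"

if __name__ == "__main__":
    prefix = prefix_from_command("nat64 prefix 3000:: 96")
    print(synthesize(prefix, "100.1.1.1"))                   # 3000::6401:101
    print(synthesize(WELL_KNOWN_PREFIX, "100.1.1.1"))        # 64:ff9b::6401:101
    print(classify_session(NAT64_DYNAMIC, prefix))           # ipv6-initiated
    print(classify_session(NAT64_STATIC, prefix))            # ipv4-initiated
    print(ipv4_session_matches(NAT64_DYNAMIC, IPV4_DYNAMIC))  # True
```

The classification makes the direction of each session explicit: in the dynamic case the IPv6 host's real address 2000::1 is replaced by a pool address and the destination carries the prefix, whereas in the static case the prefix appears on the source side and 2000::1 is the static mapping target. A mismatch between the embedded address and the bracketed IPv4 address, or a NAT64 session whose IPv4 side has no matching IPv4 session entry, is the first thing to look for when NAT64 traffic does not flow as expected.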
[USG6000V1]display firewall ipv6 server-map
2022-06-06 03:41:05.530
Current Total IPv6 Server-map : 1
Type: NAT64 Static, 2000::1[200.1.1.200] -> ANY, Zone:---Protocol: ANY, TTL:---, Left-Time:---, Pool:---, Section:---Vpn: public -> public