Working with NAT46 Rules

Note - NAT46 rules are only supported on Security Gateways and Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Members R80.20 and higher.

Overview

NAT46 rules translate IPv4 traffic to IPv6 traffic without maintaining any session information on a Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources..

Example of NAT46 Translation Flow

Example topology:

[IPv4 Client] --- (internal) [Security Gateway] (external) --- [IPv6 Server]

Where:

Item	Description
IPv4 Client	IPv4 real address is 192.168.2.55 IPv6 NATed address is 2001:DB8:90::192.168.2.55/96
Security Gateway internal interface	IPv4 address is 192.168.2.1/24
Security Gateway external interface	IPv6 address is 2001:DB8:5001::1/96
IPv6 Server	IPv6 real address is 2001:DB8:5001::30/96 IPv4 NATed address is 1.1.1.66/24
IPv6 NATed network	IPv6 address of the network on the external Security Gateway side is 2001:DB8:90::/96 These IPv6 addresses are used to translate the IPv4 address of the IPv4 Client to IPv6 address
IPv4 NATed network	IPv4 address of the network on the internal Security Gateway side is 1.1.1.0/24 These IPv4 addresses are used to translate the IPv6 address of the IPv6 Server to IPv4 address

Traffic flow:

IPv4 Client opens an IPv4 connection to the NATed IPv4 address of the IPv6 Serve

From IPv4 address 192.168.2.55 to IPv4 address 1.1.1.66
Security Gateway performs these NAT translations:
1. From the source IPv4 address 192.168.2.55 to the source IPv6 address 2001:DB8:90::192.168.2.55/96
2. From the destination IPv4 address 1.1.1.66 to the destination IPv6 address 2001:DB8:5001::30
IPv6 Server receives this request connection as from the IPv6 address 2001:DB8:90::192.168.2.55/96 to the IPv6 address 2001:DB8:5001::30
IPv6 Server replies to this connection from the IPv6 address 2001:DB8:5001::30 to the IPv6 address 2001:DB8:90::192.168.2.55/96
Security Gateway performs these NAT translations:
1. From the source IPv6 address 2001:DB8:5001::30 to the source IPv4 address 1.1.1.66
2. From the destination IPv6 address 2001:DB8:90::192.168.2.55/96 to the destination IPv4 address 192.168.2.55
IPv4 Client receives this reply connection as from the IPv4 address 1.1.1.66 to the IPv4 address 192.168.2.55

To summarize:

Request: [IPv4 Client] ---> [Security Gateway] ---> [IPv6 Server]

Field in packet	Original IPv4 packet	NATed IPv6 packet
Source IP	192.168.2.55 / 24	2001:DB8:90::192.168.2.55 / 96
Destination IP	1.1.1.66 / 24	2001:DB8:5001::30 / 96

Reply: [IPv4 Client] <--- [Security Gateway] <--- [IPv6 Server]

Field in packet	Original IPv6 packet	NATed IPv4 packet
Source IP	2001:DB8:5001::30 / 96	192.168.2.55 / 24
Destination IP	2001:DB8:90::192.168.2.55 / 96	1.1.1.66 / 24

Known Limitations for NAT46

NAT46 rules are only supported on Security Gateways and Cluster Members R80.20 and higher.
NAT46 does not support VoIP traffic.
NAT46 does not support FTP traffic.
NAT46 does not support protocols that require state information between Control and Data connections.

Configuring NAT46

Step 1 - Prepare Security Gateway / Cluster Members for NAT46

Note - In a Cluster, you must configure all the Cluster Members in the same way.

Step

Instructions

Make sure that an IPv6 address is assigned to the interface that connects to the destination IPv6 network, and the IPv6 network prefix length is equal to 96.

Note - This can be any valid IPv6 address with the IPv6 network prefix length equal to 96.

In Gaia Portal Web interface for the Check Point Gaia operating system.:

Click Network Management > Network Interfaces.

In Gaia Clish The name of the default command line shell in Check Point Gaia operating system. This is a restricted shell (role-based administration controls the number of commands available in the shell).:

Run:

show interface <Name of Interface> ipv6-address

If such IPv6 address is not assigned yet, assign it now.

For details, see the R81 Gaia Administration Guide - Chapter Network Management - Section Network Interfaces - Section Physical Interfaces.

Make sure that the routing is configured to send the traffic that is destined to the NATed IPv4 addresses (defined in the Translated Destination column in the NAT46 rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.) through the interface that connects to the destination IPv6 network.

In Gaia Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. Portal:

Click Advanced Routing > Routing Monitor.

In Gaia Clish:

Run:

show route

If such route does not already exist, add it in Gaia Clish.

For details, see the R81 Gaia Administration Guide.

Run these commands in Gaia Clish:

Add the static route:

set static route <NATed Destination IPv4 Addresses>/<NATed IPv4 Net Mask> nexthop gateway logical <Name of Interface that connects to the real IPv6 Network> on

Example topology:

[IPv4 Client] --- (NATed IPv4 of IPv6 side are 1.1.1.0/24) [Security Gateway] (eth3) --- [IPv6 Server]

In such case, configure the IPv4 route using this command:

set static route 1.1.1.0/24 nexthop gateway logical eth3 on

Save the configuration:

save config

Make sure that the number of IPv6 CoreXL Performance-enhancing technology for Security Gateways on multi-core processing platforms. Multiple Check Point Firewall instances are running in parallel on multiple CPU cores. Firewall instances is equal to the number of IPv4 CoreXL Firewall instances.

Connect to the command line on the Security Gateway.
Log in to Gaia Clish, or Expert mode.

Show the number of IPv6 CoreXL Firewall instances:

fw6 ctl multik stat

Show the number of IPv4 CoreXL Firewall instances. Run:

fw ctl multik stat

If the number of IPv6 CoreXL Firewall instances is less than the number of IPv4 CoreXL Firewall instances, then do these steps:

Run:

cpconfig

Select Check Point CoreXL
Select Change the number of IPv6 firewall instances
Configure the number of IPv6 CoreXL Firewall instances to be the same as the number of IPv4 CoreXL Firewall instances
Select Exit
Reboot the Security Gateway

Connect to the command line on the Security Gateway.
Log in to Gaia Clish, or Expert mode.

Show the number of IPv6 CoreXL Firewall instances. Run:

fw6 ctl multik stat

Show the number of IPv4 CoreXL Firewall instances. Run:

fw ctl multik stat

Example output:

[Expert@GW:0]# fw6 ctl multik stat
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 3      |           0 |        0
 1 | Yes     | 2      |           0 |        4
 2 | Yes     | 1      |           0 |        2
[Expert@GW:0]#
[Expert@GW:0]# fw ctl multik stat
ID | Active  | CPU    | Connections | Peak
----------------------------------------------
 0 | Yes     | 3      |          10 |       14
 1 | Yes     | 2      |           6 |       15
 2 | Yes     | 1      |           7 |       15
[Expert@GW:0]#

Step 2 - Configure NAT46 Rules

Configure NAT46 rules as Manual NAT rules in the Access Control Policy.

Make sure that you add Access Control rules that allow this NAT traffic.

Configure an applicable source IPv4 object (IPv4 Host, IPv4 Address Range, or IPv4 Network).
To configure a source IPv4 Host object
1. Click Objects menu > New Host.
2. In the Object Name field, enter the applicable name.
3. In the Comment field, enter the applicable text.
4. Click the General page of this object.
5. In the IPv4 address field, enter the source IPv4 address.
6. In the IPv6 section:
  
  Do not enter anything
7. On the NAT page of this object:
  
  Do not configure anything.
8. Configure the applicable settings on other pages of this object.
9. Click OK.
To configure a source IPv4 Network object
1. Click Objects menu > New Network.
2. In the Object Name field, enter the applicable name.
3. In the Comment field, enter the applicable text.
4. Click the General page of this object.
5. In the IPv4 section:
  1. In the Network address field, enter the IPv4 address of your source IPv4 network.
  2. In the Net mask field, enter the net mask of your source IPv4 network.
6. In the IPv6 section:
  
  Do not enter anything.
7. On the NAT page of this object:
  
  Do not configure anything.
8. Click OK.
To configure a source IPv4 Address Range object
1. Click Objects menu > More object types > Network Object > Address Range > New Address Range.
2. In the Object Name field, enter the applicable name.
3. In the Comment field, enter the applicable text.
4. Click the General page of this object.
5. In the IPv4 section:
  1. In the First IP address field, enter the first IPv4 address of your IPv4 addresses range.
  2. In the Last IP address field, enter the last IPv4 address of your IPv4 addresses range.
6. In the IPv6 section:
  
  Do not enter anything.
7. On the NAT page of this object:
  
  Do not configure anything.
8. Click OK.
Configure a destination IPv4 Host object.

This object represents the destination IPv4 address, to which the IPv4 sources connect.
To configure a translated destination IPv4 Host object
1. Click Objects menu > New Network.
2. In the Object Name field, enter the applicable name.
3. In the Comment field, enter the applicable text.
4. Click the General page of this object.
5. In the IPv4 section:
  1. In the Network address field, enter the IPv4 address of your destination IPv4 network.
  2. In the Net mask field, enter the net mask of your destination IPv4 network.
6. In the IPv6 section:
  
  Do not enter anything.
7. On the NAT page of this object:
  
  Do not configure anything.
8. Click OK.
Configure a translated source IPv6 Network object with an IPv6 address defined with the 96-bit prefix.

This object represents the translated source IPv6 addresses, to which you translate the source IPv4 addresses.
To configure a translated source IPv6 Network object with an IPv6 address defined with the 96-bit prefix
1. Click Objects menu > New Network.
2. In the Object Name field, enter the applicable name.
3. In the Comment field, enter the applicable text.
4. Click the General page of this object.
5. In the IPv4 section:
  
  Do not enter anything.
6. In the IPv6 section:
  1. In the Network address field, enter the translated source IPv6 address.
  2. In the Prefix field, enter the number 96.
7. On the NAT page of this object:
  
  Do not configure anything.
8. Click OK.
Configure a translated destination IPv6 Host object.

This object represents the translated destination IPv6 address, to which the translated IPv4 sources connect.
To configure a translated destination IPv6 Host object
1. Click Objects menu > New Host.
2. In the Object Name field, enter the applicable name.
3. In the Comment field, enter the applicable text.
4. Click the General page of this object.
5. In the IPv4 section:
  
  Do not enter anything.
6. In the IPv6 section:
  
  In the Network address field, enter the destination static IPv6 address.
7. On the NAT page of this object:
  
  Do not configure anything.
8. Configure the applicable settings on other pages of this object.
9. Click OK.

Create a Manual NAT46 rule.

Procedure

From the left Navigation Toolbar, click Security Policies.
In the top Access Control section, click NAT.

Right-click on the Manual Lower Rules section title, and near the New Rule, click Above or Below.

Configure this NAT46 rule:

Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services
*Any or Source IPv4 Host object or Source IPv4 Address Range object or Source IPv4 Network object	IPv4 Host object	*Any	IPv6 Network object with an IPv6 address defined with the 96-bit prefix	IPv6 Host object	= Original

Original
Source

Original
Destination

Original
Services

Translated
Source

Translated
Destination

Translated
Services

*Any

Source
IPv4
Host
object

Source
IPv4
Address Range
object

Source
IPv4
Network
object

IPv4
Host
object

*Any

IPv6
Network
object
with an
IPv6 address
defined with
the 96-bit
prefix

IPv6
Host
object

= Original

Do these steps:

In the Original Source column, add the applicable IPv4 object.

In this rule column, NAT46 rules support only these types of objects:
- *Any
- Host with a static IPv4 address
- Address Range with IPv4 addresses
- Network with IPv4 address
In the Original Destination column, add the IPv4 Host object that represents the destination IPv4 address, to which the IPv4 sources connect.

In this rule column, NAT46 rules support only IPv4 Host objects.
In the Original Services column, you must leave the default Any.
In the Translated Source column, add the IPv6 Network object with an IPv6 address defined with the 96-bit prefix.

In this rule column, NAT64 rules support only IPv6 Network objects with an IPv6 address defined with the 96-bit prefix.
In the Translated Source column, right-click the IPv6 Network object with the 96-bit prefix > click NAT Method > click Stateless NAT46.

The 46 icon shows in the Translated Source column.
In the Translated Destination column, add the IPv6 Host object represents the translated destination IPv6 address, to which the translated IPv4 sources connect.

In this rule column, NAT46 rule supports only an IPv6 Host objects.
In the Translated Services column, you must leave the default = Original.

To summarize, you must configure only these NAT46 rules (rule numbers are for convenience only):

#	Original Source	Original Destination	Original Services	Translated Source	Translated Destination	Translated Services
1	`*Any`	IPv4 Host object	`*Any`	IPv6 Network object with an IPv6 address defined with the 96-bit prefix	IPv6 Host object	`= Original`
2	IPv4 Host object with a static IPv4 address	IPv4 Host object	`*Any`	IPv6 Network object with an IPv6 address defined with the 96-bit prefix	IPv6 Host object	`= Original`
3	IPv4 Address Range object	IPv4 Host object	`*Any`	IPv6 Network object with an IPv6 address defined with the 96-bit prefix	IPv6 Host object	`= Original`
4	IPv4 Network object	IPv4 Host object	`*Any`	IPv6 Network object with an IPv6 address defined with the 96-bit prefix	IPv6 Host object	`= Original`

Install the Access Control Policy.

Logging of NAT46 Traffic

Explanation

In the Security Gateway log for NAT64 connection, the source and destination IPv6 addresses show in their original IPv6 format.

To identify a NAT46 entry, look in the More section of the Log Details window.

Field in Log	Description
Xlate (NAT) Source IP	Shows the translated source IPv6 address, to which the Security Gateway translated the original source IPv4 address
Xlate (NAT ) Destination IP	Shows the translated destination IPv6 address, to which the Security Gateway translated the original destination IPv4 address
More	Identifies the entry as NAT46 traffic (`Nat46 enabled`)