Working with NAT64 Rules

One of these:

• A host with a networking stack that implements only IPv6.

• A host with a networking stack that implements both IPv4 and IPv6 protocols, but with only IPv6 connectivity.

• A host that runs an IPv6-only client application.

One of these:

• A host with a networking stack that implements only IPv4.

• A host with a networking stack that implements both IPv4 and IPv6 protocols, but with only IPv4 connectivity.

• A host that runs an IPv4-only server application.

• Performs N:M translation:

  • N must be greater than M

  • If M=1, performs a Hide NAT behind a single IPv4 address.

  • If M>1, performs a Hide NAT behind a range of IPv4 addresses.

• Gives good IPv4 address preservation (multiplexed using ports).

• Saves connection states and binding.

• There are no requirements on the assignment of IPv6 addresses to IPv6 clients. Any mode of IPv6 address assignment is legitimate (Manual, DHCP6, SLAAC).

• It is a scalable solution.

• [IPv6 Network] --- (Internet) --- [Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources.] --- [internal IPv4 Network]

  Common use case for Content Providers. DNS64 is not needed.

• [internal IPv6 Network] --- [Security Gateway] --- (Internet) --- [IPv4 Network]

  Common use case for Carriers, ISPs, Enterprises. DNS64 is required.

• [IPv6 Network] --- [Security Gateway] --- [IPv4 Network]

  Common use case for Enterprises. DNS64 is required.

• RFC 6144 - Framework for IPv4/IPv6 Translation

• RFC 6146 - Stateful NAT64: Network Address and Protocol Translation from IPv6 Clients to IPv4 Servers

• RFC 6052 - IPv6 Addressing of IPv4/IPv6 Translators

• RFC 6145 - IP/ICMP Translation Algorithm

• RFC 2428 - FTP Extensions for IPv6 and NATs

• RFC 6384 - An FTP Application Layer Gateway (ALG) for IPv6-to-IPv4 Translation

[IPv6 Client] --- (interface) [Security Gateway] (internal) --- [IPv4 Server]

Where:

1. IPv6 Client opens an IPv6 connection to the NATed IPv6 address of the IPv4 Server:

   From the IPv6 Client's IPv6 real address 1111:1111::0100 to the IPv4 Server's NATed IPv6 address 1111:2222::0A00:0064

   Where:

   The "1111:2222::" part is the NATed IPv6 subnet

   The "0A00:0064" part is 10.0.0.100

2. Security Gateway performs these NAT translations:

   1. Translate the IPv6 Client's source address from the real IPv6 address 1111:1111::0100 to the special concatenated source IPv6 address 0064:FF9B::0101:01X

      Where:

      The "0064:FF9B::" part is a well-known prefix reserved for NAT64 (as defined by the RFC)

      The "0101:01XX" part is 1.1.1.X

   2. Translate the IPv6 Client's source address from the special concatenated source IPv6 address 0064:FF9B::0101:01XX to the source IPv4 address 1.1.1.X

   3. Translate the IPv6 Client's NATed destination address from the IPv6 address 1111:2222::0A00:0064 to the NATed destination IPv4 address 10.0.0.100

3. IPv4 Server receives this request connection as from the source IPv4 address 1.1.1.X to the destination IPv4 address 10.0.0.100

4. IPv4 Server replies to this connection from the source IPv4 address 10.0.0.100 to the destination IPv4 address 1.1.1.X

5. Security Gateway performs these NAT translations:

   1. Translate the IPv4 Server's source real IPv4 address 10.0.0.100 to the source NATed IPv6 address 1111:2222::0A00:0064

   2. Translate the IPv6 Client's NATed destination IPv4 address 1.1.1.X to the destination special concatenated IPv6 address 0064:FF9B::0101:01X

      Where:

      The "64:FF9B::" part is a well-known prefix reserved for NAT64 (as defined by the RFC)

      The "0101:01XX" part is 1.1.1.X

   3. Translate the IPv6 Client's destination special concatenated IPv6 address 0064:FF9B::0101:01XX to the destination IPv6 real address 1111:1111::0100

6. IPv6 Client receives this reply connection as from the source IPv6 address 1111:2222::0A00:0064 to the destination IPv6 address 1111:1111::0100

• Request: [IPv6 Client] ---> [Security Gateway] ---> [IPv4 Server]

  Field in packet	Original IPv6 packet	NATed IPv4 packet
  Source IP	1111:1111::0100 / 96	1.1.1.X / 24
  Destination IP	1111:2222::0A00:0064 / 96	10.0.0.100 / 24

• Reply: [IPv6 Client] <--- [Security Gateway] <--- [IPv4 Server]

  Field in packet	Original IPv4 packet	NATed IPv6 packet
  Source IP	10.0.0.100 / 24	1111:2222::0A00:0064 / 96
  Destination IP	1.1.1.X / 24	1111:1111::0100 / 96

Define NAT64 rules as Manual NAT rules in the Access Control Policy.

Make sure that you add access rules that allow this NAT traffic.

1. Define a source IPv6 Network object.

   This object represents the source IPv6 addresses, which you translate to source IPv4 addresses.

   Procedure

   1. Click Objects menu > New Network.

   2. In the Object Name field, enter the applicable name.

   3. In the Comment field, enter the applicable text.

   4. Click the General page of this object.

   5. In the IPv4 section:

      Do not enter anything.

   6. In the IPv6 section:

      1. In the Network address field, enter the IPv6 address of your IPv6 network, which you translate to source IPv4 addresses.

      2. In the Prefix field, enter the prefix of your IPv6 network.

   7. On the NAT page of this object:

      Do not configure anything.

   8. Click OK.

2. Define a translated destination IPv6 Network object with an IPv4-embedded IPv6 address, or a translated destination IPv6 Host object with a static IPv6 address.

   This object represents the translated destination IPv6 address, to which the IPv6 sources connect.

   Procedure

   1. Click Objects menu > New Network.

   2. In the Object Name field, enter the applicable name.

   3. In the Comment field, enter the applicable text.

   4. Click the General page of this object.

   5. In the IPv4 section:

      Do not enter anything.

   6. In the IPv6 section:

      1. In the Network address field, enter the destination IPv4-embedded IPv6 address (also called IPv4-mapped IPv6 address), to which the IPv6 sources connect.

         Such IPv6 address contains (from left to right) 80 "zero" bits, followed by 16 "one" bits, and then the 32 bits of the IPv4 address - 0:0:0:0:0:FFFF:X.Y.Z.W, where X.Y.Z.W are the four octets of the destination IPv4 address.

         For example, for IPv4 network 192.168.3.0, the IPv4-embedded IPv6 address is 0:0:0:0:0:FFFF:192.168.3.0, or 0:0:0:0:0:FFFF:C0A8:0300. For more information, see RFC 6052.

         These IPv4-embedded IPv6 addresses are published by an external DNS64 server.

      2. In the Prefix field, enter the applicable IPv6 prefix.

      Note - You can define IPv4-embedded IPv6 addresses only for these object types: Address Range, Network, and Host.

   7. On the NAT page of this object:

      Do not configure anything.

   8. Click OK.

3. Define a translated source IPv4 Address Range object.

   This object represents the translated source IPv4 addresses, to which you translate the original source IPv6 addresses.

   Procedure

   1. Click Objects menu > More object types > Network Object > Address Range > New Address Range.

   2. In the Object Name field, enter the applicable name.

   3. In the Comment field, enter the applicable text.

   4. Click the General page of this object.

   5. In the IPv4 section:

      1. In the First IP address field, enter the first IPv4 address of your IPv4 addresses range, to which you translate the source IPv6 addresses.

      2. In the Last IP address field, enter the last IPv4 address of your IPv4 addresses range, to which you translate the source IPv6 addresses.

      Notes: This IPv4 addresses range must not use private IPv4 addresses (see RFC 1918 and Menu > Global properties > Non Unique IP Address Range This IPv4 addresses range must not be used on the IPv4 side of the network. We recommend that you define a large IPv4 addresses range for more concurrent NAT64 connections.

   6. In the IPv6 section:

      Do not enter anything.

   7. On the NAT page of this object:

      Do not configure anything.

   8. Click OK.

4. Create a Manual NAT64 rule.

   Procedure

   1. From the left navigation panel, click Security Policies.

   2. In the top Access Control section, click NAT.

   3. Right-click on the Manual Lower Rules section title, and near the New Rule, click Above or Below.

      Configure this Manual NAT64 rule:

      Important - Some combinations of object types are not supported in the Original Source and Original Destination columns. See the summary table with the supported NAT rules at the bottom of this section.

      1. In the Original Source column, add the IPv6 object for your original source IPv6 addresses.

         In this rule column, NAT64 rules support only these types of objects:

         • *Any

         • Host with a static IPv6 address

         • Address Range with IPv6 addresses

         • Network with IPv6 address

      2. In the Original Destination column, add a translated destination IPv6 object with an IPv4-embedded IPv6 address.

         In this rule column, NAT64 rules support only these types of objects:

         • Host with a static IPv6 address

         • Address Range with IPv4-embedded IPv6 addresses

         • Network with an IPv4-embedded IPv6 address

      3. In the Original Services column, you must leave the default Any.

      4. In the Translated Source column, add the IPv4 Address Range object for your translated source IPv4 addresses range.

         In this rule column, NAT64 rules support only these types of objects:

         • Host with a static IPv4 address, only if in the Original Source column you selected a Host with a static IPv6 address

         • Address Range with IPv4 addresses

      5. In the Translated Source column, right-click the IPv4 Address Range object > click NAT Method > click Stateful NAT64:

         • The Translated Packet Destination column shows = Embedded IPv4 Address.

         • The 64 icon shows in both the Translated Source and Translated Destination columns.

         In this rule column, NAT64 rule supports only these types of objects:

         • Host with a static IPv4 address, only if in the Original Source column you selected a Host with a static IPv6 address

         • Embedded IPv4 Address

      6. In the Translated Services column, you must leave the default = Original.

   4. Install the Access Control Policy.

5. Install the Access Control Policy.

To summarize, you must configure only these Manual NAT64 rules (rule numbers are for convenience only):

You can configure the additional settings that control the NAT64 translation mechanism.

These settings are compliant with RFC 6145.

Procedure

1. Close all SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. windows connected to the Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server..

2. Connect with Database Tool (GuiDBEdit Tool) (see sk13009) to the applicable Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server. or Domain Management Server.

3. In the top left section, click Table > Global Properties > properties.

4. In the top right section, click firewall_properties.

5. In the bottom section, scroll to these Field Names:

   • nat64_add_UDP_checksum

   • nat64_avoid_PMTUD_blackhole

   • nat64_copy_type_of_service

   • nat64_error_message_on_dropped_packets

6. Right-click the applicable parameter in the Field Name column and click Edit.

7. Select the applicable Value (true, or false) and click OK.

   Field Name	Description
   nat64_add_UDP_checksum	This parameter controls whether the translator should calculate and add a valid UDP checksum value to a packet, if the packet checksum value is zero. This is important because, by default, an IPv4 UDP packet with a checksum value of zero is dropped on the IPv6 side. Default: false
   nat64_avoid_PMTUD_blackhole	This parameter controls whether to allow packet fragmentation on the IPv4 (destination) side during PMTU discovery. Enable this setting if some equipment combinations cause PMTU discovery to fail. Default: false
   nat64_copy_type_of_service	This parameter controls whether to copy the traffic Class Field to the Type Of Service field, and set the Type Of Service field in the translated packet to zero. Default: true
   nat64_error_message_on_dropped_packets	This parameter controls whether to generate an audit log after a connection is closed. For each closed connection, the log shows: Connection information (source and destination IP address, source port, and service). Translated source IP address and source port. Start time and end time. If the connection was closed because the connection expired, log shows additional information in the TCP End Reason field. If this field does not show in the log, the connection was closed with a TCP RST, or with a TCP FIN, and did not expire. Default: true

8. Save the changes (click File > Save All).

9. Close the Database Tool (GuiDBEdit Tool).

10. Connect with the SmartConsole to the applicable Security Management Server or Domain Management Server.

11. Install the Access Control Policy.