Configure NAT 64 on Secure Firewall Managed by FMC

Available Languages

Download Options

  • PDF     (705.9 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (762.9 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (653.6 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:August 11, 2023
Document ID:220726

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure NAT64 on Firepower Threat Defense (FTD) managed by Fire Power Management Center (FMC).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge about Secure Firewall Threat Defense and Secure Firewall Management Center.

    Components Used

    • Firepower Management Center 7.0.4.
    • Firepower Threat Defense 7.0.4.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    Network Diagram

    Network Diagram

    Configure Network Objects

    •  IPv6 Network Object to reference the internal IPv6 client subnet. 

        On FMC GUI, navigate to Objects > Object Management > Select Network from left Menu > Add Network > Add Object.

       

    For example, Network Object Local_IPv6_subnet is created with the IPv6 subnet FC00:0:0:1::/96.

    Edit Network Object

    • IPv4 Network Object to translate IPv6 clients to IPv4.

       On FMC GUI, navigate to Objects > Object Management > Select Network from left Menu > Add Network > Add Group.

    For example, Network Object 6_mapped_to_4 is created with the IPv4 host 192.168.0.107.

    Depending on the amount of IPv6 hosts to map in IPv4, you can use a single object network, a network group with multiple IPv4, or just NAT to the egress interface.

    Add New Network Group

    • IPv4 Network Object to reference the external IPv4 hosts on the Internet.

        On FMC GUI, navigate to Objects > Object Management > Select Network from left Menu > Add Network > Add Object.

    For example, Network Object Any_IPv4 is created with the IPv4 subnet 0.0.0.0/0.

    IPv4 Outside Network

    • IPv6 Network Object to translate external IPv4 host into our IPv6 domain.

        On FMC GUI, navigate to Objects > Object Management > Select Network from left Menu > Add Network > Add Object.

    For example, Network Object 4_mapped_to_6 is created with the IPv6 subnet FC00:0:0:F::/96.

    IPv6 Internal Mapped

    Configure Interfaces on FTD for IPv4/IPv6

    Navigate to Devices > Device Management > Edit FTD > Interfaces and configure Inside and Outside interfaces.

    Example:

        Interface Ethernet 1/1 

        Name: Inside

        Security Zone: Inside_Zone 

        If security zone is not created, you can create it in the Security Zone drop-down menu > New.

        IPv6 Address: FC00:0:0:1::1/96

    Inside Interface

    IPv6 Interface Configuration

    IPv6 Interface Configuration 2

        Interface Ethernet 1/2 

        Name: Outside

        Security Zone: Outside_Zone 

        If security zone is not created, you can create it in the Security Zone drop-down menu > New.

        IPv4 Address: 192.168.0.106/24

    Outside Interface

    IPv4 Interface Configuration

    Configure Default Route

    Navigate to Devices > Device Management > Edit FTD > Routing > Static Routing > Add Route.

    For example, default static route on the outside interface with gateway 192.168.0.254.

    Gateway

    Default Route

    Configure NAT policy 

    On the FMC GUI, navigate to Devices > NAT > New Policy > Threat Defense NAT and create a NAT policy.

    For example, NAT policy FTD_NAT_Policy is created and assigned to the test FTD FTD_LAB.

    NAT Policy

    Configure NAT rules

    Outbound NAT. 

    On the FMC GUI, navigate to Devices > NAT > Select the NAT policy > Add Rule and create NAT rule to translate Internal IPv6 network to external IPv4 pool. 

    For example, Network Object Local_IPv6_subnet is dynamically translated to Network Object 6_mapped_to_4.

    NAT Rule: Auto NAT rule

    Type: Dynamic

    Source Interface Objects: Inside_Zone

    Destination Interface Objects: Outside_Zone

    Original Source: Local_IPv6_subnet

    Translated Source: 6_mapped_to_4

    NAT Rule Zone

    NAT Rule Networks

    Inbound NAT.

    On the FMC GUI, navigate to Devices > NAT > Select the NAT policy > Add Rule and create NAT rule to translate external IPv4 traffic to Internal IPv6 network pool. This allows internal communication with your local IPv6 subnet. 

    Additionally, enable DNS rewrite on this rule so that replies from the external DNS server can be converted from A (IPv4) to AAAA (IPv6) records.

    For example, Outside Network Any_IPv4 is statically translated to IPv6 subnet 2100:6400::/96 defined in the object 4_mapped_to_6.

    NAT rule: Auto NAT Rule

    Type: Static

    Source Interface Objects: Outside_Zone

    Destination Interface Objects: Inside_Zone

    Original Source: Any_IPv4

    Translated Source: 4_mapped_to_6

    Translate DNS replies that match this rule: Yes (Enable checkbox)

    NAT Rule 2 Zone

    NAT Rule 2 Network

    NAT Rule 2 Advanced Options

    Final NAT Policy

    Proceed to deploy changes to FTD.

    Verification

    • Display interface names and IP configuration.
    > show nameif
    Interface Name Security
    Ethernet1/1 inside 0
    Ethernet1/2 Outside 0

    > show ipv6 interface brief

    inside [up/up]
    fe80::12b3:d6ff:fe20:eb48
    fc00:0:0:1::1


    > show ip
    System IP Addresses:
    Interface    Name      IP address     Subnet mask 
    Ethernet1/2  Outside   192.168.0.106  255.255.255.0
    • Confirm IPv6 connectivity from FTD inside interface to client.

    IPv6 internal host IP fc00:0:0:1::100.

    FTD Inside interface fc00:0:0:1::1.

    > ping fc00:0:0:1::100
    Please use 'CTRL+C' to cancel/abort...
    Sending 5, 100-byte ICMP Echos to fc00:0:0:1::100, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

    • Display NAT configuration on the FTD CLI.
    > show running-config nat
    !
    object network Local_IPv6_subnet
    nat (inside,Outside) dynamic 6_mapped_to_4
    object network any_IPv4
    nat (Outside,inside) static 4_mapped_to_6 dns
    • Capture traffic.

    For example, capture traffic from internal IPv6 host fc00:0:0:1::100 to DNS server is fc00::f:0:0:ac10:a64 UDP 53.

    Here, the destination DNS server is fc00::f:0:0:ac10:a64. The last 32 bits are ac10:0a64. These bits are the octet-by-octet equivalent to 172,16,10,100. Firewall 6-to-4 translates IPv6 DNS server fc00::f:0:0:ac10:a64 to the equivalent IPv4 172.16.10.100.

    > capture test interface inside trace match udp host fc00:0:0:1::100 any6 eq 53


    > show capture test 
    2 packets captured
     1: 00:35:13.598052 fc00:0:0:1::100.61513 > fc00::f:0:0:ac10:a64.53: udp  
     2: 00:35:13.638882 fc00::f:0:0:ac10:a64.53 > fc00:0:0:1::100.61513: udp  


    > show capture test packet-number 1

    [...]
    Phase: 3
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    object network any_IPv4
    nat (Outside,inside) static 4_mapped_to_6 dns
    Additional Information:
    NAT divert to egress interface Outside(vrfid:0)
    Untranslate fc00::f:0:0:ac10:a64/53 to 172.16.10.100/53 <<<< Destination NAT

    [...]
    Phase: 6
    Type: NAT
    Subtype: 
    Result: ALLOW
    Config:
    object network Local_IPv6_subnet
    nat (inside,Outside) dynamic 6_mapped_to_4
    Additional Information:
    Dynamic translate fc00:0:0:1::100/61513 to 192.168.0.107/61513 <<<<<<<< Source NAT


    > capture test2 interface Outside trace match udp any any eq 53

    2 packets captured

     1: 00:35:13.598152 192.168.0.107.61513 > 172.16.10.100.53: udp 
     2: 00:35:13.638782 172.16.10.100.53 > 192.168.0.107.61513: udp



    Revision History

    Revision Publish Date Comments
    1.0
    11-Aug-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Benjamin Cabrera Romero
      Cisco TAC Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products