Configure NAT 64 on Secure Firewall Managed by FMC (2024)

    Introduction

    This document describes how to configure NAT64 on Firepower Threat Defense (FTD) managed by Firepower Management Center (FMC).

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of Secure Firewall Threat Defense and Secure Firewall Management Center.

    Components Used

    • Firepower Management Center 7.0.4.
    • Firepower Threat Defense 7.0.4.

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Configure

    Network Diagram

    Configure Network Objects

    • IPv6 Network Object to reference the internal IPv6 client subnet.

    On the FMC GUI, navigate to Objects > Object Management > select Network from the left menu > Add Network > Add Object.

    For example, Network Object Local_IPv6_subnet is created with the IPv6 subnet FC00:0:0:1::/96.

    • IPv4 Network Object to translate IPv6 clients to IPv4.

    On the FMC GUI, navigate to Objects > Object Management > select Network from the left menu > Add Network > Add Object (or Add Group when the translated pool holds several addresses).

    For example, Network Object 6_mapped_to_4 is created with the IPv4 host 192.168.0.107.

    Depending on the number of IPv6 hosts to map into IPv4, you can use a single network object, a network group with multiple IPv4 addresses, or simply NAT to the egress interface. Dynamic NAT hands each active client its own address from the translated pool, so size the pool (or use PAT to the interface) for the number of concurrent clients you expect.

    • IPv4 Network Object to reference the external IPv4 hosts on the Internet.

    On the FMC GUI, navigate to Objects > Object Management > select Network from the left menu > Add Network > Add Object.

    For example, Network Object Any_IPv4 is created with the IPv4 subnet 0.0.0.0/0.

    • IPv6 Network Object to translate external IPv4 hosts into the internal IPv6 domain.

    On the FMC GUI, navigate to Objects > Object Management > select Network from the left menu > Add Network > Add Object.

    For example, Network Object 4_mapped_to_6 is created with the IPv6 subnet FC00:0:0:F::/96.

    Configure Interfaces on FTD for IPv4/IPv6

    Navigate to Devices > Device Management > Edit FTD > Interfaces and configure Inside and Outside interfaces.

    Example:

    Interface Ethernet 1/1

    Name: Inside

    Security Zone: Inside_Zone

    If security zone is not created, you can create it in the Security Zone drop-down menu > New.

    IPv6 Address: FC00:0:0:1::1/96

    Interface Ethernet 1/2

    Name: Outside

    Security Zone: Outside_Zone

    If security zone is not created, you can create it in the Security Zone drop-down menu > New.

    IPv4 Address: 192.168.0.106/24

    Configure Default Route

    Navigate to Devices > Device Management > Edit FTD > Routing > Static Routing > Add Route.

    For example, a default static route on the Outside interface with gateway 192.168.0.254.

    Configure NAT policy

    On the FMC GUI, navigate to Devices > NAT > New Policy > Threat Defense NAT and create a NAT policy.

    For example, NAT policy FTD_NAT_Policy is created and assigned to the test FTD FTD_LAB.

    Configure NAT rules

    Outbound NAT.

    On the FMC GUI, navigate to Devices > NAT > Select the NAT policy > Add Rule and create a NAT rule to translate the internal IPv6 network to the external IPv4 pool.

    For example, Network Object Local_IPv6_subnet is dynamically translated to Network Object 6_mapped_to_4.

    NAT Rule: Auto NAT rule

    Type: Dynamic

    Source Interface Objects: Inside_Zone

    Destination Interface Objects: Outside_Zone

    Original Source: Local_IPv6_subnet

    Translated Source: 6_mapped_to_4

    Inbound NAT.

    On the FMC GUI, navigate to Devices > NAT > Select the NAT policy > Add Rule and create a NAT rule to translate external IPv4 traffic into the internal IPv6 network pool. Hosts behind the Inside interface then reach any IPv4 destination through its mapped address in that IPv6 pool.

    Additionally, enable DNS rewrite on this rule so that A (IPv4) records in replies from the external DNS server are rewritten into AAAA (IPv6) records that carry the mapped IPv6 address.

    For example, outside network Any_IPv4 is statically translated to the IPv6 subnet FC00:0:0:F::/96 defined in the object 4_mapped_to_6.

    NAT rule: Auto NAT Rule

    Type: Static

    Source Interface Objects: Outside_Zone

    Destination Interface Objects: Inside_Zone

    Original Source: Any_IPv4

    Translated Source: 4_mapped_to_6

    Translate DNS replies that match this rule: Yes (enable the checkbox)

    Proceed to deploy changes to FTD.

    Verification

    • Display interface names and IP configuration.
    > show nameif
    Interface Name Security
    Ethernet1/1 inside 0
    Ethernet1/2 Outside 0

    > show ipv6 interface brief

    inside [up/up]
    fe80::12b3:d6ff:fe20:eb48
    fc00:0:0:1::1

    > show ip
    System IP Addresses:
    Interface Name IP address Subnet mask
    Ethernet1/2 Outside 192.168.0.106 255.255.255.0

    • Confirm IPv6 connectivity from the FTD inside interface to the client.

    IPv6 internal host: fc00:0:0:1::100.

    FTD Inside interface: fc00:0:0:1::1.

    > ping fc00:0:0:1::100
    Please use 'CTRL+C' to cancel/abort...
    Sending 5, 100-byte ICMP Echos to fc00:0:0:1::100, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

    • Display NAT configuration on the FTD CLI.
    > show running-config nat
    !
    object network Local_IPv6_subnet
    nat (inside,Outside) dynamic 6_mapped_to_4
    object network any_IPv4
    nat (Outside,inside) static 4_mapped_to_6 dns

    • Capture traffic.

    For example, capture traffic from the internal IPv6 host fc00:0:0:1::100 to the DNS server fc00::f:0:0:ac10:a64 on UDP 53.

    Here, the destination DNS server is fc00::f:0:0:ac10:a64, an address inside the 4_mapped_to_6 prefix FC00:0:0:F::/96. The last 32 bits are ac10:0a64, which octet by octet (0xac, 0x10, 0x0a, 0x64) are 172.16.10.100. The firewall therefore un-translates the IPv6 DNS server address fc00::f:0:0:ac10:a64 to the equivalent IPv4 address 172.16.10.100 before the packet leaves the Outside interface.

    > capture test interface inside trace match udp host fc00:0:0:1::100 any6 eq 53

    > show capture test

    2 packets captured
    1: 00:35:13.598052 fc00:0:0:1::100.61513 > fc00::f:0:0:ac10:a64.53: udp
    2: 00:35:13.638882 fc00::f:0:0:ac10:a64.53 > fc00:0:0:1::100.61513: udp


    > show capture test packet-number 1

    [...]
    Phase: 3
    Type: UN-NAT
    Subtype: static
    Result: ALLOW
    Config:
    object network any_IPv4
    nat (Outside,inside) static 4_mapped_to_6 dns
    Additional Information:
    NAT divert to egress interface Outside(vrfid:0)
    Untranslate fc00::f:0:0:ac10:a64/53 to 172.16.10.100/53 <<<< Destination NAT

    [...]
    Phase: 6
    Type: NAT
    Subtype:
    Result: ALLOW
    Config:
    object network Local_IPv6_subnet
    nat (inside,Outside) dynamic 6_mapped_to_4
    Additional Information:
    Dynamic translate fc00:0:0:1::100/61513 to 192.168.0.107/61513 <<<<<<<< Source NAT

    > capture test2 interface Outside trace match udp any any eq 53

    > show capture test2

    2 packets captured

    1: 00:35:13.598152 192.168.0.107.61513 > 172.16.10.100.53: udp
    2: 00:35:13.638782 172.16.10.100.53 > 192.168.0.107.61513: udp
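The address arithmetic explained above, together with a check over the two captures, as an added example that is not part of Cisco's document or of the FTD/FMC software. It uses the page's values (prefix FC00:0:0:F::/96 from 4_mapped_to_6, client subnet FC00:0:0:1::/96, translated address 192.168.0.107) and the capture lines shown above, re-typed here as sample input. embed_ipv4 is the computation the DNS rewrite performs when it turns an A answer into a AAAA answer, and extract_ipv4 is the UN-NAT step seen in Phase 3 of the trace; both go beyond the /96 case on this page and implement every RFC 6052 prefix length, which matters if your NAT64 prefix is shorter than /96. check_nat64 assumes the inside and Outside captures saw the same packets in the same order, as the two captures above do. All function names are mine.

```python
"""NAT64 helpers for the lab on this page: RFC 6052 address embedding (what the
static rule 'nat (Outside,inside) static 4_mapped_to_6 dns' computes when it
un-translates fc00::f:0:0:ac10:a64 to 172.16.10.100, and what DNS rewrite uses
to turn an A answer into a AAAA answer), plus a checker for the inside/Outside
'show capture' lines. Added example, not Cisco code."""
import ipaddress
import re

# Values taken from the page: objects 4_mapped_to_6, Local_IPv6_subnet and 6_mapped_to_4.
NAT64_PREFIX = ipaddress.IPv6Network("fc00:0:0:f::/96")
LOCAL_V6 = ipaddress.IPv6Network("fc00:0:0:1::/96")
TRANSLATED_V4 = ipaddress.IPv4Address("192.168.0.107")
RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)


def embed_ipv4(prefix, v4):
    """IPv4-embedded IPv6 address (RFC 6052 section 2.2) for any allowed prefix
    length; with the /96 used on this page the IPv4 address is just the last 32 bits."""
    prefix = ipaddress.IPv6Network(prefix)
    if prefix.prefixlen not in RFC6052_LENGTHS:
        raise ValueError(f"prefix length {prefix.prefixlen} is not an RFC 6052 length")
    raw = bytearray(prefix.network_address.packed[: prefix.prefixlen // 8])
    raw += ipaddress.IPv4Address(v4).packed
    if prefix.prefixlen < 96:
        raw.insert(8, 0)  # bits 64-71 (the "u" octet) are reserved and must be zero
    raw += bytes(16 - len(raw))  # zero suffix
    return ipaddress.IPv6Address(bytes(raw))


def extract_ipv4(prefix, v6):
    """Inverse of embed_ipv4: the IPv4 address the firewall un-translates to."""
    prefix = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside {prefix}")
    raw = bytearray(addr.packed)
    if prefix.prefixlen < 96:
        del raw[8]  # drop the "u" octet so the four IPv4 bytes are contiguous
    start = prefix.prefixlen // 8
    return ipaddress.IPv4Address(bytes(raw[start:start + 4]))


# One 'show capture' packet line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <proto>"
CAPTURE_LINE = re.compile(
    r"^\s*(?P<n>\d+):\s+\S+\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<proto>\w+)"
)


def parse_capture(text):
    """(src, sport, dst, dport) per packet line; headers like '2 packets captured' are skipped."""
    flows = []
    for line in text.splitlines():
        m = CAPTURE_LINE.match(line)
        if m:
            flows.append((ipaddress.ip_address(m["src"]), int(m["sport"]),
                          ipaddress.ip_address(m["dst"]), int(m["dport"])))
    return flows


def check_nat64(inside_text, outside_text):
    """Pair the n-th inside packet with the n-th Outside packet and verify that
    NAT64_PREFIX addresses un-translate to their embedded IPv4 (static rule),
    LOCAL_V6 clients map to TRANSLATED_V4 (dynamic rule) and ports are unchanged.
    Returns a list of problems; an empty list means the captures agree with the policy."""
    inside, outside = parse_capture(inside_text), parse_capture(outside_text)
    problems = []
    if len(inside) != len(outside):
        problems.append(f"packet count differs: inside={len(inside)} Outside={len(outside)}")
    for n, ((s6, sp6, d6, dp6), (s4, sp4, d4, dp4)) in enumerate(zip(inside, outside), 1):
        for label, v6, v4 in (("src", s6, s4), ("dst", d6, d4)):
            if v6 in NAT64_PREFIX:
                expected = extract_ipv4(NAT64_PREFIX, v6)
            elif v6 in LOCAL_V6:
                expected = TRANSLATED_V4
            else:
                problems.append(f"packet {n}: {label} {v6} matches no NAT rule")
                continue
            if v4 != expected:
                problems.append(f"packet {n}: {label} {v6} should map to {expected}, saw {v4}")
        if (sp6, dp6) != (sp4, dp4):
            problems.append(f"packet {n}: ports changed {sp6}/{dp6} -> {sp4}/{dp4}")
    return problems


# Sample input: the 'capture test' (inside) and 'capture test2' (Outside) output shown on the page.
INSIDE_CAPTURE = """2 packets captured
1: 00:35:13.598052 fc00:0:0:1::100.61513 > fc00::f:0:0:ac10:a64.53: udp
2: 00:35:13.638882 fc00::f:0:0:ac10:a64.53 > fc00:0:0:1::100.61513: udp
"""
OUTSIDE_CAPTURE = """2 packets captured
1: 00:35:13.598152 192.168.0.107.61513 > 172.16.10.100.53: udp
2: 00:35:13.638782 172.16.10.100.53 > 192.168.0.107.61513: udp
"""

if __name__ == "__main__":
    print(embed_ipv4(NAT64_PREFIX, "172.16.10.100"))           # fc00::f:0:0:ac10:a64
    print(extract_ipv4(NAT64_PREFIX, "fc00::f:0:0:ac10:a64"))  # 172.16.10.100
    print(check_nat64(INSIDE_CAPTURE, OUTSIDE_CAPTURE) or "captures agree with the NAT policy")
```

Run it as a script to print the synthesized IPv6 address, the recovered IPv4 address and the result of the capture comparison; an empty problem list means every address and port in the inside capture maps to its Outside counterpart exactly as the two NAT rules prescribe. For a flow you are troubleshooting, paste the output of show capture taken on both interfaces into INSIDE_CAPTURE and OUTSIDE_CAPTURE; a report of "matches no NAT rule" points at a client outside Local_IPv6_subnet or a destination outside the 4_mapped_to_6 prefix, which is the usual reason a NAT64 flow never leaves the Outside interface.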

    Article information

    Author: Tyson Zemlak