1. IPv6 NAT64 example connecting IPv6 only network to IPv4 Internet example
In this lecture, we’ll talk about net 64, and we’ll take our first example from net 64. You have an IPV6-only network that wishes to communicate with the firewall and the Internet. It’s all IPV four at that point. So we’re going to take a scenario where you don’t have IPV6 network connectivity to the Internet. You only have IPV-4 network connectivity to the Internet and want to use IPV-6 on your internal network without using any IPV-4. In this case, your hosts are IPV6-only hosts, and they connect to the outside network by using DNS six to four. DNS 6 to 4 is a mechanism by which IPV6 hosts resolve IPV4 DNS to the Internet, and the DNS server translates a resource to AAA resources. AA resources are the IPV-6 equivalent of a resource in DNS. When a host on the IPV6 network tries to resolve, for example, www.google.com, it reaches the DNS 64 server. Let’s say the DNS 64 server responds that the address of Google.com is one.
The server would respond with a synthesised font, specifying an IPV6 prefix, and the RFC The IPV6 Prefix is defined by the RFC as 64 FF 9-96, and the reason for the 96 is unknown. The IPV4 address is 32 bits long. The 32 bit is translated into hex and provided to the IPV6 host so that they can try to reach that IPV6 address. And the IPV-6 address will be translated by the firewall to an IPV-4 address. This is getting too busy. Let’s do it here one more time. So I have IPV-6 hosts here. IPV 4 is the firewall. The IPV6 host is configured as a DNS server. The IPV6 host tries to resolve an address. It’s going to talk to the DNS64 server, requesting the AAA record. The DNS 64 server will do recursive Lookup gets the A record, and then the DNS server would synthesise that response into an AAA record and then send it to the IPV6 host. The first step is IPV6 hostrequest quad, which requires a DNS 64 record.
DNS 64 sends a recursive lookup, gets a response, synthesises that response, and sends it back to the client as the IPV-6 prefix 64 FF 9B and the IPV-4 address in Hex format 96. Now the IPV6 host has the IPV6 address equivalent of the IPV4 address for the Internet host that it’s trying to reach. The next step is that the IPV6 host would send that request to the firewall, and that request would be the IPV6 address source. Let’s say the source is FD 510 64.This is the source address. The destination address is going to be the 64-synthesized response from the DNS server address 96. Now the firewall gets the request. The firewall is set up to convert a destination of 64 FF 9 bytes to IPV 4 bytes. It’s configured to translate the destination address to an IPV4 address. So now the source will be the source of the firewall. IP of the firewall. We’re going to do a dynamic net on this.
The destination address would be the IPV-4 address. Essentially the same address as returned by the recursive lockup. This is equivalent, and then the outsiders would respond, and it’s going to do the reverse translation and send the response to the IPV-6 host firewall as I PV-6 here and I PV-4 here. And the firewall would translate destination 64 FF 9B IPV 496 to the IPV 4 address. This is the source, the destination, that the firewall will translate to a dynamic IPV4 address. If I tell the firewall, “hey, anything in IBV 6” will be translated to the dynamic IP address 182-1680 165. This is the example I have in the lab. The source address would be dynamically translated to the 165 using dynamic Nat. Now the destination address will be translated to the IPV-4 address that’s embedded in the IPV-6 address. The destination address will be the IPV address, and then the return traffic will be translated back to where it was.
So, in this scenario, you can connect an IPV6 network to an IP4 network. And this comes handy in situations where you want to just use IPV6 on your internal network or you have only IPV6-capable devices. They do not support IPV-4. We’re going to see other scenarios later. However, we will base this scenario on a firewall connecting the IPV-6 network to the IPV-4 network. A main component of this is a DNS 64 server. I installed a DNS 64 server on Ubuntu, and I did the configuration. I want to show you guys the configuration of Ubuntu. Typical installation of an Ubuntu server with bind Just install it, let Ubuntu install it, and then update it to the latest bind release. Then you navigate to etc. findname.com options and enter the DNS six to four. The IPV six address prefix is going to be used to translate and map. You’re going to map any IPV-4 addresses to this IPV-6 prefix. You’re going to exclude any IPV-6 address.
So I want IPV four. If my DNS requests, for example, are for Google.com and Google.com has an IPV6 response, I want to translate that as well to synthesise this to my own prefix that I will send the devices. You have to specify “brick DNS SEC” because some of the DNS SEC responses would require that they be broken for you. If you have an IPV-6-only network that connects to an IPV-4-only network, because I want to show you this in the configuration, then I want to be able to access any website using IPV-6, and I want to replace the IPV-6 prefix with a synthesised IPV-4 address. I want to send those quad A records to the IP Sixhost so that they can try to access them, and they will try to access them, and the request is going to go through. The IP Four network gets translated using net 64 on the firewall, and the return traffic will be translated back to the IPV Six address. In this manner, an IP-6-only network communicates with an IP-4-only network. In my case, I put the DNS server here and gave it an IP Six address of FD 525.
So this FD 525 and the Windows host are configured for only IPV six.So I removed the IPV 4 address from the stack and replaced it with the IPV 6 address. It includes the DNS server, the DNS 64 server that I have here, and the lotto firewall. We’re going to configure the Net 64 translation. I’m sending the traffic to the outside using Ethernet 1, 2, and 3. And I don’t have an IPV 6-network; I only have an IPV 4-network. So I’m going to show you what needs to be done in that case. This is Ethernet 1, 3, and 4. I need to enable IPV6 just to create an IPV6 route that allows the default route to exit this interface. And then under the virtual router, I’m going to create a virtual router, and I’m not going to put it next to the top because I don’t have an IPV6 network on that interface. So we’ll be here, and we’ll create a default IPV-6 default to exit out Ethernet 1, 3, and no next hop because I don’t have IPV-6 next to the top, and then click okay. And then under Policies, I’m going to create a net64 translation. This is going to translate IPV-6 from six to four. I’m going to give it that name here; it’s Nat 64. The source zone is trust.
Destination is untrustworthy, and my destination prefix is 96. So this is the destination. Any IPV 6 traffic from trust to untrust attempting to reach the destination at 64 FF 9 will be translated to a dynamic IP address prior to address. So this is my IP before, because on the outside, I’m just talking IP before. I’m going to translate it to an interface IP address, the interface IP address of 65. So this is an overload translation because I have my DNS server on the inside. I want that DNS server to allow it to go outside. This is the only DNS 64 host that’s on the inside that is talking at DV 4. I need to add it as well, so it can resolve the A records. So DNS server net sources, destination trust, and trust. The source is that host’s address, 1100VIP-4, which is translated to do dynamic IP import as well as interface address and Ethernet 1, 3, and 3165. So that when my DNS server tries to resolve DNS entries using its IPV4 entries, it can get there. We created the IPV6 address on the interface. We created the nap policies, and now we’re going to test them out.
So here I am on the Windows host. So I’ll do a quick nest, look up, and see what happens. And let’s look up at www.google.com. So see here, it’s sending a synthesised IPV-6 address, which, if you translate 172, is going to be AC. 217 is going to be G 944-1328, four hex. And now if I try to access the IPV4 Internet using IPV6 as the only host, I’m able to do IPV four Internet using IPV six only host.If I do NetSat here on my host, I should see here that I’m connecting to only the IPV6 host. If you see here, this is my IPV6 address, and this is the connection to the synthesised IPV6 response from the DNS 64 server. If I look at the sessions I see here, let’s take this example. Take any of those here, DNS, or let’s do web browsing session ID eight four three. And we see here that my source, the client server, is my internal IPV6 address. The destination address is an IPV-6 address that has been synthesized.
And if you see here, the server-to-client relationship is the reverse, which is translated to the IPV Four.So here, my source was translated to source port 80. This is the source port response from the web server on the Internet. And the destination is 182-6165, which is my netted IPV4 address. For the IPV 64 address, we are looking at the web browsing application, so it’s able to identify the application. The outbound rule is 64, and the net rule is 64. And the ingress interface is the inside, and the egress interface is the outside. So let’s see if it actually protects against threats. So I’m going to use my IPS signature here. Hello comdestest. This is my signature. And here in the session, we should see this card session and this card session. And this is because it was reset by the IPS session. Dropping the ID 963 and medication threat databases So this is a threat that was identified as a threat. As a result, it protects the IPV-6 host when it attempts to connect to the IPV-4 Internet and accessory resources.
2. IPv6 NAT64 example connecting IPv4 only network to IPv6 only network
In this lecture, we will talk about using Net 64 to provide connectivity from IPV 4 to IPV 6. Assume you have an IPVSix network that serves public services, such as a Web server, and you only use IPV6. And you want to allow the users that are coming in from an IPV-4 server to connect to your IPV-6 server. So, net 64 is used for that purpose.
What Net 64 allows you to do is monitor the traffic that is coming in. So this is a PV-4 source address, let’s say, and you’re going to net on a PV-6 host, let’s say FD-525 on port 80. So you want to offer the public service that’s running on IPV 6 to the IPV 4 Internet. So you would intercept net traffic coming in from the outside with a bad destination address, a public address. For example, in our case, it’s 192. An IPV-4 user is attempting to connect to an IPV-6 host. We’re going to net the public IP address to an IPV6 address. So we’re going to do destination networking. We’ll do a destination net for service port 80 and then net it out.
If a public IP is trying to connect to a public IP on the Internet, trying to connect to your public IP address (IPV 4 on port 80), we’re going to add the destination to go to the IPV 6 host port 80. However, the IPV-6 host does not understand IPV-4. So at the same time we’re doing destination networking, we’re going to do source networking to the net 64 64 FF 9296. When the source IP address, IPV 4, is trying to connect to the public IP address, IPV 4, you are adding port 80 to the IPV 6 address and then, at the same time, source-netting the traffic from an IPV 4 perspective to the net 6 to 4 address. From a server perspective, the server would see a connection from 64 FF 91101. Well, 10 196 is the source, and the destination would be FD 525. The server will get a connection. Since it’s an IPV6 server, it’s going to get a connection from an IPV6 address. So there is no issue. We’re talking about that. The firewall will do the translation. We’ll do destination translation for an IPV-4 address to an IPV-6 address, which is Ft. 525. And it’s going to also identify the source of the traffic using the NAT 64 address.
This enables the Nipv-4 network to communicate with an IPV-6 network without the IPV-6 network being dual-stacked, that is, running both IPV-6 and IPV-4. This could also be done in your business. So, say you have an IPV6 network in your enterprise, you transition to IPV6, and part of your network is IPV4, you will be able to allow the IPV4 network to talk directly to the IPV6 network and do the translation using net six four. Traffic from the net six four address (64, FF, 9, 2, translated 4 octets) will be seen by the IPV-6 network. So, from an IP-6 standpoint, it will see that address on a regular basis. And since you’re doing destination net, you can offer the hosts that are providing IPV6 hosts that are providing IP4 network services. You can assign them to IPV-4 addresses, and the IPV-6 host will see traffic from the net-6 address. So in our case here, I enabled the web server on the host that I currently use for DNS.
So I use it for dual purposes. And I’m going to net the traffic coming in from the outside to port 80. On port 80, IP address 182-6016-5, port 80 I’m going to add it to the IPV-6 address of that server, which is FD-525, and I’m going to add the source of the traffic to the 64 address. And this will allow the IPV Four host to connect to ports 108, 21680, and 165 on port 80 and get connected to the IPV Six host. And it will allow the IPV-6 host to respond back to the IPV-4 host because it’s going to be using the 64-bit added address. So let’s create here; we’re going to create an ad. We’ll call this network’s Web server the public Web server. The original packet would be from Untrust, and the destination is Untrust because that’s coming from Untrust to Untrust. We’re currently working on destination net. The destination address is 182-16-8165, and the source is 182-16-8165. The IPV-4 address that we’re going to hide the IPV-6 host behind, we’re going to limit it to a service, which is port 80, service HTTP.
So that’s the traffic coming in from the outside. And then, on translation, we’re going to do destination translation. And now we’re going to put the IPV6 host address, and then we’re going to also do static IP, and then we’re going to do the 64, FF, 92, 96. This way, my IP address for the host will be embedded in the IPV-6 address. It’s not bidirectional; it’s just one way now. So we’ll go ahead and click, okay, so we’re doing sourcenet and source-netting traffic to our PV-6 net 64 address. Oh, we forgot to specify net 64. It has to be; you have to select NET 64. So we’re going from public Web server untrust to public Web server untrust. If it’s trying to reach 182.16.0.165 on port 80, it’s going to be destination translated to FD 525, and then the source translation is going to be the net 64 address. I’ll go ahead and commit LMPTU. As a result, we can see that it is listening on TCP port 6, IPV6 port 6, and TCP port 80. It’s listening. It’s an Apache server. And once we connect from the outside, we’re going to see that connection to the host.
Now we’re going to connect to 192-168-0165. And we see here that we have a connection. Let’s look at the host. Here we see the local address. The foreign address is the IPV4 address translated into hacks, which is in my case 192-6308, eight FZ-50, and the source port, which is 7147. We can see that session if we look at the firewall. As we can see at Session 365. So we’re going to see here that my source IP is four. That’s my source IP. It’s going to the iPad address, the net address that I specified, and the destination net, which is 1926-806-5408. And it’s going this way: client to server, server to client. This is the reverse, which comes in from FD 525 to the 64-bit added address. And we see that it’s using the netpublic web server, and it’s identifying the application. It’s doing the layers of processing, which is the content ID. So this is a good example of how to get your IPV-4 host to talk to your IPV-6 host. In the previous lecture, we saw how an IPV6 network can talk to an IPV4 network by relying on DNS 6 to 4 to translate the A record to a quad A record. In this case, we’re doing a translation of the IPV-4 destination to the IPVSix address and source-netting the IPV-4 address to the six-four IP address.
3. IPv6 issues related to Windows and policy based on IPv6 addresses, example
In this lecture, we will talk about using Net 64 to provide connectivity from IPV 4 to IPV 6. Assume you have an IPVSix network that serves public services, such as a Web server, and you only use IPV6. And you want to allow the users that are coming in from an IPV-4 server to connect to your IPV-6 server. So, net 64 is used for that purpose. What Net 64 allows you to do is monitor the traffic that is coming in. So this is a PV-4 source address, let’s say, and you’re going to net on a PV-6 host, let’s say FD-525 on port 80. So you want to offer the public service that’s running on IPV 6 to the IPV 4 Internet. So you would intercept net traffic coming in from the outside with a bad destination address, a public address. For example, in our case, it’s 192. An IPV-4 user is attempting to connect to an IPV-6 host. We’re going to net the public IP address to an IPV6 address.
So we’re going to do destination networking. We’ll do a destination net for service port 80 and then net it out. If a public IP is trying to connect to a public IP on the Internet, trying to connect to your public IP address (IPV 4 on port 80), we’re going to add the destination to go to the IPV 6 host port 80. However, the IPV-6 host does not understand IPV-4. So at the same time we’re doing destination networking, we’re going to do source networking to the net 64 64 FF 9296. When the source IP address, IPV 4, is trying to connect to the public IP address, IPV 4, you are adding port 80 to the IPV 6 address and then, at the same time, source-netting the traffic from an IPV 4 perspective to the net 6 to 4 address.
From a server perspective, the server would see a connection from 64 FF 91101. Well, 10 196 is the source, and the destination would be FD 525. The server will get a connection. Since it’s an IPV6 server, it’s going to get a connection from an IPV6 address. So there is no issue. We’re talking about that. The firewall will do the translation. We’ll do destination translation for an IPV-4 address to an IPV-6 address, which is Ft. 525. And it’s going to also identify the source of the traffic using the NAT 64 address. This enables the Nipv-4 network to communicate with an IPV-6 network without the IPV-6 network being dual-stacked, that is, running both IPV-6 and IPV-4. This could also be done in your business.
So, say you have an IPV6 network in your enterprise, you transition to IPV6, and part of your network is IPV4, you will be able to allow the IPV4 network to talk directly to the IPV6 network and do the translation using net six four. Traffic from the net six four address (64, FF, 9, 2, translated 4 octets) will be seen by the IPV-6 network. So, from an IP-6 standpoint, it will see that address on a regular basis. And since you’re doing destination net, you can offer the hosts that are providing IPV6 hosts that are providing IP4 network services. You can assign them to IPV-4 addresses, and the IPV-6 host will see traffic from the net-6 address. So in our case here, I enabled the web server on the host that I currently use for DNS. So I use it for dual purposes. And I’m going to net the traffic coming in from the outside to port 80. On port 80, IP address 182-6016-5, port 80 I’m going to add it to the IPV-6 address of that server, which is FD-525, and I’m going to add the source of the traffic to the 64 address. And this will allow the IPV Four host to connect to ports 108, 21680, and 165 on port 80 and get connected to the IPV Six host.
And it will allow the IPV-6 host to respond back to the IPV-4 host because it’s going to be using the 64-bit added address. So let’s create here; we’re going to create an ad. We’ll call this network’s Web server the public Web server. The original packet would be from Untrust, and the destination is Untrust because that’s coming from Untrust to Untrust. We’re currently working on destination net. The destination address is 182-16-8165, and the source is 182-16-8165. The IPV-4 address that we’re going to hide the IPV-6 host behind, we’re going to limit it to a service, which is port 80, service HTTP. So that’s the traffic coming in from the outside. And then, on translation, we’re going to do destination translation. And now we’re going to put the IPV6 host address, and then we’re going to also do static IP, and then we’re going to do the 64, FF, 92, 96. This way, my IP address for the host will be embedded in the IPV-6 address. It’s not bidirectional; it’s just one way now. So we’ll go ahead and click, okay, so we’re doing sourcenet and source-netting traffic to our PV-6 net 64 address. Oh, we forgot to specify net 64. It has to be; you have to select NET 64. So we’re going from public Web server untrust to public Web server untrust.
If it’s trying to reach 182.16.0.165 on port 80, it’s going to be destination translated to FD 525, and then the source translation is going to be the net 64 address. I’ll go ahead and commit LMPTU. As a result, we can see that it is listening on TCP port 6, IPV6 port 6, and TCP port 80. It’s listening. It’s an Apache server. And once we connect from the outside, we’re going to see that connection to the host. Now we’re going to connect to 192-168-0165. And we see here that we have a connection. Let’s look at the host. Here we see the local address. The foreign address is the IPV4 address translated into hacks, which is in my case 192-6308, eight FZ-50, and the source port, which is 7147. We can see that session if we look at the firewall. As we can see at Session 365. So we’re going to see here that my source IP is four.
That’s my source IP. It’s going to the iPad address, the net address that I specified, and the destination net, which is 1926-806-5408. And it’s going this way: client to server, server to client. This is the reverse, which comes in from FD 525 to the 64-bit added address. And we see that it’s using the netpublic web server, and it’s identifying the application. It’s doing the layers of processing, which is the content ID. So this is a good example of how to get your IPV-4 host to talk to your IPV-6 host. In the previous lecture, we saw how an IPV6 network can talk to an IPV4 network by relying on DNS 6 to 4 to translate the A record to a quad A record. In this case, we’re doing a translation of the IPV-4 destination to the IPVSix address and source-netting the IPV-4 address to the six-four IP address.
4. IPv6 dhcpv6 relay on PaloAlto firewall example
In this lecture, we will talk about the DHCP relay for IPV Six. You’re probably familiar with DHCP relay. Just a quick overview DHCP relay is a feature that allows hosts on one segment to receive GSP servers from another segment the host. When it comes up, it sends a DSP request, which is relayed to the server, and the response comes back to the router, which is then handed back to the host. And this way, you don’t have to have a GCP server sitting on every segment of your network.
That’s the purpose of GCP relay in our lab here. I shut down the interface connecting to the FD-5 network, and I’m going to create a new interface here, EthernetOne 4, and make it FD Six. So I’m going to proceed in Ethernet. I’m going to include it so that it has a layer three interface with Putin’s security brochure, an auto default zone, and trust IPV4. I’m going to assign it an IPv4 address, even though we’re not using IPV4, but we don’t have one due to firewall complaints. Enable IPV on six interfaces. I’m going to assign the number 6164 to this interface. I’m going to set that to send router advertisements. Enable the duplicate address section, which is good to have, and enable the other advertisement.
I’m going to tell the host to use the Manage configuration under management. I’m going to specify the management interface inside the interface. The next step is to go to DHCP, click on the DHCP relay tab, then click Add, and we’ll basically relay. In the same zone, the firewall has two interfaces, but one is Ethernet and the other is Internet Protocol version 2. The DHCP server is FD 525. It’s sitting on this interface. So the request will arrive on Ethernet One Four and will be routed three times to Ethernet One Two. So that’s what we need to put in our firewall settings. So the interface is going to be Ethernet. That’s the request that’s going to become an Ethernet connection to the GCP server. That is the server IPV Six server address, and then which interface on its Ethernet is reachable, and then click okay, so now I’m at the firewall when you get a request for Dspv Six on Ethernet, forwarded out Ethernet. And on the GCP server, I created a new subnet, FD 664.
I use the same host identifier because the host identifier doesn’t change any interface that connects to the host. If you use the same host identifier, you’re going to have to give the host a different name. I just defined it with “Netfd Six” to indicate that this is the FD Six network and gave it the fixed address FD 612. And now we look at the network settings. This is the new network interface. Click on detail, and we have FD 612. So let’s look at the request from a packet capture perspective and see what we have. So I’m going to capture the interface of DCP Server, and I’m going to capture the interface of DCP Server and show you the DCPrelay request on the Windows host. I’m going to disable the interface, restart, and watch the capture here. I’m going to watch for ICMPV.6 or DHCPV. Six. So I’m looking at the host name for the interface I’m capturing on the DNS server. So, if I look here and see “DSPV-6 request,” I know I’m looking at a relay message. The DHCP Version 6 client identifier is the same as the one used in the other interface.
Temporary address, fully qualified domain It’s basically putting the information of the client, including specifying what vendor it is (vendor ID), and then the server would respond, responding here with the DCPV-6 message, which should provide the IPV-6 address. It’s given here. DNS server address, sulphate and domain search list, FDNtest.com, and then client identifier. We should see the IPV6 address here. So if I look here at my machine now, I have FD 612, the address, and if I try to access the Internet from this host, I’m able to access the Internet. Let’s see what my session looks like. Session. ID. Then there was one. So I see here that FT 612 is the client-server flow. It’s still doing the 64 translation, and then the reverse traffic is from the IPV-4 destination to the IPV-4 source, which is the interface IP, and it’s matching the rule outbound. So that shows you how to do the DSPV60 lay function on the Palo Alto firewall. Just to summarise here, we still have to renew the DCP delay. We had to specify the interface, the DHCP relay, where we specify the interface, where it’s coming from, where it’s going, and the IPV6 server address in the router advertisement.