Understanding NAT64 on Palo Alto Networks Firewalls

As the world transitions to IPv6, scenarios arise where IPv6-only clients need to communicate with legacy IPv4-only servers or resources. NAT64 is a crucial transition mechanism that enables this communication by translating IP headers between IPv6 and IPv4 networks.

What is NAT64?

NAT64 is a stateful Network Address and Protocol Translation technology defined in RFC 6146. Its primary purpose is to allow clients using only IPv6 addresses to initiate connections to servers using only IPv4 addresses.

• It translates the IPv6 source address of the client to an IPv4 source address (typically belonging to the NAT64 gateway/firewall).
• It translates the IPv4 destination address of the server (embedded within a specific IPv6 format) back to its original IPv4 address.
• It usually involves Port Address Translation (PAT) as well (NAPT64), allowing multiple IPv6 clients to share one or a few IPv4 addresses for translation.
• It maintains session state to translate the return IPv4 traffic back to the original IPv6 client.

How NAT64 Works (with DNS64)

NAT64 typically works in conjunction with a DNS64 server (defined in RFC 6147).

1. An IPv6-only client wants to reach `www.example-ipv4.com`. It sends a DNS query for an AAAA (IPv6) record.
2. The DNS64 server receives the query. It first looks for an actual AAAA record.
3. If no AAAA record exists, the DNS64 server queries for an A (IPv4) record (e.g., gets 192.0.2.100 ).
4. The DNS64 server then synthesizes an AAAA record by embedding the IPv4 address within a specific, configured NAT64 Prefix . A common well-known prefix is 64:ff9b::/96 . The synthesized IPv6 address might look like 64:ff9b::192.0.2.100 (or 64:ff9b::c000:0264 in hex).
5. The DNS64 server returns this synthesized AAAA record to the IPv6 client.
6. The IPv6 client initiates a connection to the synthesized IPv6 address ( 64:ff9b::c000:0264 ).
7. Traffic is routed towards the NAT64 gateway (the Palo Alto firewall).
8. The firewall matches the traffic with a NAT64 policy rule.
9. The firewall translates:
   • The IPv6 Source Address to an IPv4 Source Address (from its pool/interface).
   • The IPv6 Destination Address ( 64:ff9b::c000:0264 ) back to the original IPv4 Destination Address ( 192.0.2.100 ) by extracting the embedded IPv4 part based on the configured NAT64 prefix.
10. The translated IPv4 packet is forwarded to the IPv4 server.
11. Return traffic follows the reverse path, with the firewall translating addresses back based on the session state.

Palo Alto Implementation Details

Configuring NAT64 involves creating a specific type of NAT rule:

• Click "Add" to create a new NAT rule.
• Go to the "General" tab and set the NAT Type to nat64 .
• Original Packet Tab:
  • Source Zone: The zone containing the IPv6 clients (e.g., `IPv6_Internal`).
  • Destination Zone: The zone where the IPv4 destination resides (often `Untrust` for internet servers).
  • Destination Address: Crucially, this should be set to the NAT64 Prefix (e.g., 64:ff9b::/96 ). This tells the rule to match traffic destined for synthesized addresses.
  • Source Address, Service: Define as needed ('any' is common for source/service initially).
• Translated Packet Tab:
  • Source Address Translation: This defines the IPv4 address the IPv6 client will use. Common options:
    • Dynamic IP and Port : Select an Interface Address (e.g., the firewall's IPv4 Untrust interface) or an Address Object representing a pool of IPv4 addresses. This performs NAPT64.
    • Other types like Dynamic IP or Static IP are less common for general client access but possible.
  • Destination Address Translation: Set this to None . The firewall automatically extracts the IPv4 address from the original destination using the prefix matched in the Original Packet tab. You do *not* manually specify the IPv4 destination here.

Traffic Flow Example

• IPv6 Client: 2001:db8:1:1::100
• DNS64/NAT64 Prefix: 64:ff9b::/96
• IPv4 Server: 198.51.100.50
• Firewall IPv4 Address for SNAT: 203.0.113.10

Forward Path:

Return Path:

Interaction with Security Policy

Like other NAT types, NAT64 requires a corresponding Security Policy rule to allow the traffic. The Security Policy evaluation happens based on the original packet details but considering the destination zone where the packet will end up after routing/translation.

Why use the prefix? Because the Security Policy lookup needs to match the destination the firewall initially sees *before* the final IPv4 translation occurs. The firewall uses the NAT64 prefix in the original destination to identify NAT64 traffic.

Example Security Rule:

• Source Zone: IPv6_Internal (Where IPv6 clients are)
• Source Address: any or specific IPv6 client range
• Destination Zone: Untrust (Where IPv4 servers are)
• Destination Address: 64:ff9b::/96 (The configured NAT64 Prefix)
• Application/Service: As needed (e.g., web-browsing , any )
• Action: Allow