FW的配置如下:
配置IPv4接口:
[FW] interface GE0/0/1
[FW-GigabitEthernet0/0/1] ip address 10.1.1.254
[FW] firewall zone trust
[FW-zone-trust] add interface GigabitEthernet0/0/1
配置IPv6接口:
[FW] interface GE0/0/2
[FW-GigabitEthernet0/0/2] ipv6 enable
[FW-GigabitEthernet0/0/2] ipv6 address 2001::FFFF 64
[FW] firewall zone untrust
[FW-zone-untrust] add interface GigabitEthernet0/0/2
配置NAT64的IPv6前缀:
[FW] nat64 prefix 3001:: 96
配置NAT64地址池及nat64地址转换策略:
[FW] nat64 address-group 1 20.1.1.1 20.1.1.20
[FW] nat64-policy interzone trust untrust inbound
[FW-nat64-policy-interzone-trust- untrust -inbound] policy 10
[FW-nat64-policy-interzone-trust- untrust -inbound-10] action nat64
[FW-nat64-policy-interzone-trust- untrust -inbound-10] address-group 1
配置IPv6域间包过滤规则:
[FW] policy ipv6 interzone trust untrust inbound
[FW-policy-interzone-trust-untrust-inbound] policy 10
[FW-policy-interzone-trust-untrust-inbound-10] policy source 2001:: 64
[FW-policy-interzone-trust-untrust-inbound-10] action permit
完成配置后,PC2即可访问PC1,但是问题是,PC2用什么目的地址来访问PC1?
PC2使用3001::0A01:0101这个地址来访问PC1,但是为什么是这个地址?3001::/96这个前缀是我们在配置的时候指定的NAT64地址前缀,而这个目的地址的最后32bits,也就是0A01:0101,换算成10进制就是10.1.1.1,因此当防火墙收到目的地址为3001::0A01:0101的IPv6数据包时,根据该地址的最后32bits计算得到IPv4地址, 这就是协议转换后的IPv4目的地址,而IPv4源地址则从NAT64地址池中挑一个。
display firewall ipv6 session table
Current Total IPv6 Sessions: 1
---------------------------------------------------------------------
Source Address : 2001::1
Destination Address : 3001::A01:101
Source Port : 44064
Destination Port : 2048
Protocol : ICMP6
SessType : NAT64
display nat64 session tableCurrent Total Sessions: 1
--------------------------------------------------------------------
IPv6 Source Address : 2001::1
IPv6 Destination Address : 3001::A01:101
IPv6 Source Port : 44066
IPv6 Destination Port : 2048
IPv4 Source Address : 20.1.1.2
IPv4 Destination Address : 10.1.1.1
IPv4 Source Port : 2010
IPv4 Destination Port : 2048
Protocol : ICMPv6
TTL : 00:00:20
Left Time : 00:00:18