
IMPLEMENTING NAT64 ON CHECK POINT

By Raghu K, in Check Point

Overview

  1. An IPv6 address is 128 bits long, written as eight 16-bit hexadecimal fields separated by colons, i.e. in the format x:x:x:x:x:x:x:x.
  2. Taking the sample IPv6 address 2001:0DB8:0000:0000:0000:FF00:0042:8329, the leading zeroes of any field can be dropped, so the same address can also be written as 2001:DB8:0:0:0:FF00:42:8329.
  3. One run of consecutive all-zero fields can be replaced with a double colon (::), which may appear only once in an address. The address therefore becomes 2001:DB8::FF00:42:8329.
  4. Commonly used IPv6 address formats:

     IPv6 Address Type          IPv6 Format                                IPv6 Compressed Format
     Unicast                    2001:0DB8:0000:0000:0000:FF00:0042:8329    2001:DB8::FF00:42:8329
     Multicast                  FF01:0:0:0:0:0:0:101                       FF01::101
     Solicited-Node Multicast   FF02:0000:0000:0000:0000:0001:FFxx:xxxx    FF02::1:FFxx:xxxx
     Loopback                   0:0:0:0:0:0:0:1                            ::1

     In the solicited-node multicast address, xx:xxxx is the low 24 bits of the unicast address being resolved.

  5. IPv6 has no broadcast, so there is no ARP in IPv6. The Neighbour Discovery Protocol (NDP, carried in ICMPv6) is used at the link layer instead to map Layer 3 IPv6 addresses to Layer 2 addresses such as the MAC address of an Ethernet NIC: a host sends a Neighbor Solicitation to the solicited-node multicast group of the target address, and the owner of that address replies with a Neighbor Advertisement. Consider the communication below between machine A and machine B.

At packet level, the same exchange looks like the following in Wireshark.
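The address arithmetic behind the NDP exchange above, as an added example in Python (not code from the original post): expansion and compression of the sample address from the overview, the solicited-node multicast group a Neighbor Solicitation for a given unicast address is sent to, and the Ethernet multicast MAC that group maps to. The addresses used are the ones from this page's lab tables; the function names are this example's own.

```python
"""IPv6 address helpers for the NDP discussion above (added example).

`ipaddress` from the standard library does the expansion/compression; the
solicited-node and multicast-MAC derivations follow RFC 4291 and RFC 2464.
"""
from ipaddress import IPv6Address

# ff02::1:ff00:0/104 is the solicited-node multicast prefix (RFC 4291, 2.7.1)
SOLICITED_NODE_PREFIX = int(IPv6Address("ff02::1:ff00:0"))


def expand(addr: str) -> str:
    """Full eight-field form with leading zeroes (lower-case hex)."""
    return IPv6Address(addr).exploded


def compress(addr: str) -> str:
    """Canonical short form: leading zeroes dropped, one '::' for the longest zero run."""
    return IPv6Address(addr).compressed


def solicited_node(addr: str) -> str:
    """Solicited-node multicast group that a Neighbor Solicitation for `addr`
    is sent to: the low 24 bits of the unicast address appended to ff02::1:ff00:0/104."""
    low24 = int(IPv6Address(addr)) & 0xFFFFFF
    return str(IPv6Address(SOLICITED_NODE_PREFIX | low24))


def multicast_mac(group: str) -> str:
    """Ethernet destination MAC for an IPv6 multicast group (RFC 2464):
    33:33 followed by the low 32 bits of the group address."""
    low32 = int(IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{(low32 >> shift) & 0xFF:02x}" for shift in (24, 16, 8, 0))


def ns_targets(addresses):
    """For each address a node must answer for, the solicited-node group and the
    Ethernet MAC it has to listen on. An address that is not configured on any
    interface (the NAT64 address 2001:DB8:AAAA:A::7 in this lab) needs this too,
    which is why the gateway has to be told to own it before anyone can reach it."""
    return {compress(a): (solicited_node(a), multicast_mac(solicited_node(a)))
            for a in addresses}


if __name__ == "__main__":
    print(expand("2001:DB8::FF00:42:8329"))
    print(compress("2001:0DB8:0000:0000:0000:FF00:0042:8329"))
    for unicast, (group, mac) in ns_targets(
            ["2001:DB8:AAAA:B::3", "2001:DB8:AAAA:B::4", "2001:DB8:AAAA:A::7"]).items():
        print(f"{unicast:24} NS group {group:18} dst MAC {mac}")
```

Running it shows that a solicitation for the cluster member 2001:DB8:AAAA:B::3 goes to ff02::1:ff00:3 (MAC 33:33:ff:00:00:03), not to the all-nodes group ff02::1; a filter that only permits ff02::1 will not see Neighbor Solicitations at all.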

Requirement

Demonstrate NAT64 on Check Point Cluster Setup.

LAB Setup Details

Check Point Cluster Interface Details

Interface     VIP                    C-LAB-FW1              C-LAB-FW2
eth0          10.10.10.5             10.10.10.3             10.10.10.4
eth1          10.20.20.5             10.20.20.3             10.20.20.4
              2001:DB8:AAAA:A::5     2001:DB8:AAAA:A::3     2001:DB8:AAAA:A::4
eth2 (Sync)   NA                     10.30.30.3             10.30.30.4
eth3          10.30.30.5             10.30.30.3             10.30.30.4
              2001:DB8:AAAA:B::5     2001:DB8:AAAA:B::3     2001:DB8:AAAA:B::4

Note that the table lists the same IPv4 addresses for the eth2 sync interfaces and for eth3; in a real deployment the ClusterXL sync network must be a dedicated subnet that is not shared with a traffic interface.

Client & Server Details

Web Server IPv4 Address        10.20.20.10
NAT64 Address of Web Server    2001:DB8:AAAA:A::7
IPv6 Client Address            2001:DB8:AAAA:B::6


Topology Diagram


Procedure

1. Enable IPv6 support on both cluster members (in Gaia this requires a reboot).

2. Configure IPv6 addresses on the server-side interface (eth1) and the external interface (eth3) of both cluster members.

3. Configure the IPv6 default route on both members.


4. Fetch the topology on the Cluster object in SmartConsole.

5. Define the IPv6 VIPs for the eth1 and eth3 interfaces.

6. Push the configuration to the cluster members by installing the policy.

7. Create an IPv4 Host object for the Web Server (10.20.20.10) in the server segment and do not define any NAT settings on it.

8. Create an IPv6 Host object that will be the IPv6 NAT address of the IPv4 Web Server. In our case we want to NAT the Web Server (10.20.20.10) behind the global IPv6 address 2001:DB8:AAAA:A::7.

9. Create an IPv4 Address Range object for the NAT64 source pool (only a public IPv4 address pool is supported here). In this lab it is named NAT64_IPv4_Range and covers 55.55.55.1 - 55.55.55.254.



10. Create a rule that allows IPv6 Neighbour Discovery (Neighbor Solicitation and Neighbor Advertisement messages) between the next-hop device (usually an IPv6 router) and the solicited-node multicast address of the cluster members. Here the object IPv6_Next_Hop is 2001:DB8:AAAA:B::6 and IPv6_Sol_Multicast_Add is ff02::1. Note that ff02::1 is the all-nodes multicast group; a Neighbor Solicitation is actually sent to the solicited-node group FF02::1:FFxx:xxxx derived from the low 24 bits of the target address (ff02::1:ff00:3 and ff02::1:ff00:4 for the member addresses ending in ::3 and ::4, ff02::1:ff00:7 for the NAT64 address), so confirm in the capture taken in step 17 that solicitations to those groups are accepted and not only the all-nodes traffic.

11. Create a rule that allows access to the Web Server on its IPv6 address (translated by NAT64).

12. Define the Manual NAT rule for Web Server access over the IPv6 address. Whenever an external IPv6 user accesses the Web Server's IPv6 address (2001:DB8:AAAA:A::7), the source IPv6 address is translated to one of the IP addresses in the defined IPv4 pool (NAT64_IPv4_Range) and the destination IPv6 address is translated to the real IPv4 address of the Web Server (10.20.20.10) using the NAT64 method.

13. Under Global Properties, enable the Merge manual proxy ARP configuration and Enable IP Pool NAT options.

14. Install the policy on the Cluster.


15. When any machine (here, the next-hop device) wants to reach the Web Server's IPv6 address, the IPv6 traffic arrives on the external interface of the active cluster member. Since 2001:DB8:AAAA:A::7 is not configured on any interface, nothing would answer Neighbor Solicitations for it, so the cluster members must be made to take ownership of the NAT64 IPv6 address (proxy NDP).

To achieve this, create the file local.ndp in the $FWDIR/conf/ directory on both cluster members and add an entry in the following format, one entry per line, using on each member that member's own external interface MAC address:
<NAT64 IPv6 address> <MAC-address of External Interface>

16. After this, install the policy on the Cluster to apply the changes made in local.ndp.

17. Capture IPv6 packets on the external interface (eth3) of the cluster members to verify that Neighbour Solicitations for the NAT64 address are answered with Neighbour Advertisements.

18. Now access the Web Server from the client machine using its NAT64 IPv6 address (2001:DB8:AAAA:A::7).

19. Let's look at the logs generated when the Web Server's IPv6 address was accessed.

Here, the source IPv6 address has been translated to one of the IPv4 addresses in the defined pool (55.55.55.1 - 55.55.55.254) and the destination IPv6 address has been translated to the IPv4 address of the Web Server (10.20.20.10). A consequence worth keeping in mind is that the Web Server only ever sees a pool address: to attribute a request to the real IPv6 client you need the gateway's NAT log, not the server's own access log.
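The translation performed by the Manual NAT rule of step 12, as reflected in the log of step 19, modelled as an added Python example (this is not Check Point code and does not reproduce the gateway's internals). The model keeps only what matters for reading the logs: the static IPv6-to-IPv4 destination mapping, allocation of a pool address per IPv6 source, the reverse translation applied to the server's replies, and what happens when the pool runs out. The per-source allocation, the refusal on pool exhaustion and the class and method names are assumptions of this example; the addresses are the lab values from this page.

```python
"""Model of the NAT64 Manual NAT rule from steps 12 and 19 (added example, not
Check Point code). Bindings are kept per IPv6 source address, and an exhausted
pool refuses new sources; both are simplifications chosen for this example."""
from ipaddress import IPv4Address, IPv6Address, summarize_address_range

# Lab objects from this page
NAT64_MAP = {IPv6Address("2001:DB8:AAAA:A::7"): IPv4Address("10.20.20.10")}
POOL_FIRST, POOL_LAST = IPv4Address("55.55.55.1"), IPv4Address("55.55.55.254")


class Nat64Table:
    def __init__(self, first=POOL_FIRST, last=POOL_LAST, dst_map=NAT64_MAP):
        # Expand the range object into an ordered list of free pool addresses
        self.free = [a for net in summarize_address_range(IPv4Address(first), IPv4Address(last))
                     for a in net]
        self.dst_map = dict(dst_map)                       # IPv6 NAT64 address -> real IPv4
        self.src_map = {v4: v6 for v6, v4 in self.dst_map.items()}
        self.bindings = {}                                 # IPv6 source -> pool IPv4
        self.reverse = {}                                  # pool IPv4 -> IPv6 source

    def outbound(self, src6, dst6):
        """IPv6 client -> gateway. Returns (src4, dst4) as strings, the pair that
        appears as the translated source/destination in the log, or None when the
        destination is not a NAT64 address and the rule does not match."""
        src6, dst6 = IPv6Address(src6), IPv6Address(dst6)
        dst4 = self.dst_map.get(dst6)
        if dst4 is None:
            return None
        if src6 not in self.bindings:
            if not self.free:
                raise RuntimeError("IPv4 pool exhausted: no address left for %s" % src6)
            src4 = self.free.pop(0)
            self.bindings[src6] = src4
            self.reverse[src4] = src6
        return str(self.bindings[src6]), str(dst4)

    def inbound(self, src4, dst4):
        """Server reply -> gateway. Undoes the translation and returns (src6, dst6)
        as strings, or None when no binding exists for the pool address (a reply,
        or probe, that no client asked for)."""
        src4, dst4 = IPv4Address(src4), IPv4Address(dst4)
        client6 = self.reverse.get(dst4)
        nat64_6 = self.src_map.get(src4)
        if client6 is None or nat64_6 is None:
            return None
        return str(nat64_6), str(client6)

    def release(self, src6):
        """Return a client's pool address to the free list (the real gateway does
        this on a timer; here it is explicit)."""
        src4 = self.bindings.pop(IPv6Address(src6), None)
        if src4 is not None:
            del self.reverse[src4]
            self.free.append(src4)


if __name__ == "__main__":
    t = Nat64Table()
    print("client -> server:", t.outbound("2001:DB8:AAAA:B::6", "2001:DB8:AAAA:A::7"))
    print("server -> client:", t.inbound("10.20.20.10", "55.55.55.1"))
    print("non-NAT64 destination:", t.outbound("2001:DB8:AAAA:B::6", "2001:DB8:AAAA:A::5"))
```

The first call produces exactly what the step 19 log shows: source 2001:DB8:AAAA:B::6 becomes 55.55.55.1 and destination 2001:DB8:AAAA:A::7 becomes 10.20.20.10; the reply from 10.20.20.10 to 55.55.55.1 is mapped back to the client. Sizing the pool is therefore a capacity decision: every concurrent IPv6 client consumes one IPv4 address, and this model simply refuses the next client once the pool is empty.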
