F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices VPN Configuration Guide-6PW100

ManualsBrandsHP ManualsComputer AccessoriesHP 7100/7200 IPsec dl Module

401

402

403

404

405

406

407

408

409

410

401

594BConfiguration procedure

1. Configure Firewall (the AFT):

# Enable IPv6.

<Firewall> system-view

[Firewall] ipv6

# Configure IP addresses for the interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2 and

enable AFT on the interfaces.

[Firewall] interface gigabitethernet 0/1

[Firewall-GigabitEthernet0/1] ipv6 address 6:0:ff06:606:100::/64

[Firewall-GigabitEthernet0/1] aft enable

[Firewall-GigabitEthernet0/1] quit

[Firewall] interface gigabitethernet 0/2

[Firewall-GigabitEthernet0/2] ip address 4.4.4.1 24

[Firewall-GigabitEthernet0/2] aft enable

[Firewall-GigabitEthernet0/2] quit

# Configure the DNS64 prefix.

[Firewall] aft prefix-dns64 2000:: 32

# Configure the IVI prefix.

[Firewall] aft prefix-ivi 6::

# Create ACL 3000 to permit IP packets destined to the IPv4 network 6.6.6.0/24, which is

embedded in the IVI address.

[Firewall] acl number 3000

[Firewall-acl-adv-3000] rule permit ip destination 6.6.6.0 0.0.0.255

[Firewall-acl-adv-3000] quit

# Configure the 4to6 AFT policy for destination address translation so that the Firewall can

translate the destination address into an IPv6 address by using the IVI prefix (6::) for packets

destined to network 6.6.6.0/24.

[Firewall] aft 4to6 acl number 3000 prefix-ivi 6::

# Create ACL 2000 to permit packets from the IPv4 network 4.4.4.0/24, on which Host B resides

(this step is optional).

[Firewall] acl number 2000

[Firewall-acl-basic-2000] rule permit source 4.4.4.0 0.0.0.255

[Firewall-acl-basic-2000] quit

# Configure the 4to6 AFT policy for source address translation so that the Firewall can translate the

source address into an IPv6 address by using the DNS prefix (2000::/32) for packets from

network 4.4.4.0/24 (this step is optional).

[Firewall] aft 4to6 acl number 2000 prefix-dns64 2000:: 32

NOTE:

Configuring the 4to6 AFT policy for source address translation is optional. If the policy is not confi

ured,

FT uses the first confi

ured DNS64 prefix to translate the source IPv4 address into an IPv6 address.

2. Configure Host A:

Perform the following configurations on Host A. (Details not shown.)

{ Configure IPv6 address 6:0:ff06:606:200::/64.