R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101
[FirewallB-GigabitEthernet0/1] aft enable
[FirewallB-GigabitEthernet0/1] quit
[FirewallB] interface gigabitethernet 0/2
[FirewallB-GigabitEthernet0/2] ip address 4.4.4.1 24
[FirewallB-GigabitEthernet0/2] aft enable
[FirewallB-GigabitEthernet0/2] quit
# Configure the DNS64 prefix.
[FirewallB] aft prefix-dns64 2000:: 32
# Configure the IVI prefix.
[FirewallB] aft prefix-ivi 6::
# Create ACL 3000 to permit ICMP packets destined to the IPv4 network 6.6.6.0/24, which is
embedded in the IVI address.
[FirewallB] acl number 3000
[FirewallB-acl-adv-3000] rule permit icmp destination 6.6.6.0 0.0.0.255
[FirewallB-acl-adv-3000] quit
# Configure the 4to6 AFT policy for destination address translation so that Firewall B uses the IVI
prefix (6::) to translate the destination address of packets destined to network 6.6.6.0/24 into an
IPv6 address.
[FirewallB] aft 4to6 acl number 3000 prefix-ivi 6::
# Create ACL 2000 to permit packets from the IPv4 network 4.4.4.0/24, on which Firewall C
resides (this step is optional).
[FirewallB] acl number 2000
[FirewallB-acl-basic-2000] rule permit source 4.4.4.0 0.0.0.255
[FirewallB-acl-basic-2000] quit
# Configure the 4to6 AFT policy for source address translation so that Firewall B uses the DNS64
prefix (2000::/32) to translate the source address of packets from network 4.4.4.0/24 into an IPv6
address (this step is optional).
[FirewallB] aft 4to6 acl number 2000 prefix-dns64 2000:: 32
NOTE:
Configuring the 4to6 AFT policy for source address translation is optional. If the policy is not configured,
AFT uses the first configured DNS64 prefix to translate the source IPv4 address into an IPv6 address.
2. Configure Firewall A:
# Enable IPv6.
<FirewallA> system-view
[FirewallA] ipv6
# Configure an IPv6 address for interface GigabitEthernet 0/1.
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ipv6 address 6:0:ff06:606:200::/64
[FirewallA-GigabitEthernet0/1] quit
# Configure a static route to IPv6 network 2000::/32 (the DNS64 prefix).
[FirewallA] ipv6 route-static 2000:: 32 6:0:ff06:606:100::
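Firewall A's interface address and the static-route next hop above are IVI addresses that embed 6.6.6.2 and 6.6.6.1 under the IVI prefix 6::. The following Python sketch is an added example, not part of the HP guide: it assumes the IVI layout of a 32-bit prefix, the byte 0xFF, the IPv4 address and a zero suffix (which matches the addresses on this page), and its function names are illustrative.

```python
import ipaddress

# Values taken from the Firewall B configuration on this page.
IVI_PREFIX = ipaddress.IPv6Network("6::/32")          # aft prefix-ivi 6::
ACL_3000_DEST = ipaddress.IPv4Network("6.6.6.0/24")   # destination in ACL 3000

# Assumed layout: 32-bit prefix | 0xFF | 32-bit IPv4 address | 56 zero bits.
FLAG_SHIFT, V4_SHIFT = 88, 56


def ivi_embed(ipv4, prefix=IVI_PREFIX):
    """Return the IVI IPv6 address that carries the given IPv4 address."""
    if prefix.prefixlen != 32:
        raise ValueError("this layout needs a 32-bit IVI prefix")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address(
        int(prefix.network_address) | (0xFF << FLAG_SHIFT) | (v4 << V4_SHIFT))


def ivi_extract(ipv6, prefix=IVI_PREFIX):
    """Return the embedded IPv4 address, or None if ipv6 is not an IVI address."""
    addr = ipaddress.IPv6Address(ipv6)
    value = int(addr)
    if addr not in prefix or (value >> FLAG_SHIFT) & 0xFF != 0xFF:
        return None
    if value & ((1 << V4_SHIFT) - 1):      # suffix must be all zeros
        return None
    return ipaddress.IPv4Address((value >> V4_SHIFT) & 0xFFFFFFFF)


def translate_destination(ipv4):
    """Address part of the 4to6 destination policy: translate only what
    ACL 3000 permits (the ICMP protocol match is not modelled here)."""
    if ipaddress.IPv4Address(ipv4) not in ACL_3000_DEST:
        return None
    return ivi_embed(ipv4)


if __name__ == "__main__":
    # Firewall A's interface address and the static-route next hop from the page.
    for v6 in ("6:0:ff06:606:200::", "6:0:ff06:606:100::"):
        print(v6, "->", ivi_extract(v6))
    print("6.6.6.2 ->", translate_destination("6.6.6.2"))
    print("4.4.4.2 ->", translate_destination("4.4.4.2"))
```

Running the same check against planned addresses before committing the configuration shows whether each IPv6 host address falls inside the IPv4 range that ACL 3000 permits.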
3. Configure Firewall C:
# Configure an IP address for interface GigabitEthernet 0/1.
<FirewallC> system-view