R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

Figure 63 Network diagram
Configuration procedure
1. Configure Firewall B (the AFT):
# Enable IPv6.
<FirewallB> system-view
[FirewallB] ipv6
# Configure IP addresses for the interfaces and enable AFT on the interfaces.
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] ipv6 address 6::1/64
[FirewallB-GigabitEthernet0/1] aft enable
[FirewallB-GigabitEthernet0/1] quit
[FirewallB] interface gigabitethernet 0/2
[FirewallB-GigabitEthernet0/2] ip address 4.4.4.1 24
[FirewallB-GigabitEthernet0/2] aft enable
[FirewallB-GigabitEthernet0/2] quit
[FirewallB] interface gigabitethernet 0/3
[FirewallB-GigabitEthernet0/3] ip address 3.3.3.1 24
[FirewallB-GigabitEthernet0/3] aft enable
[FirewallB-GigabitEthernet0/3] quit
# Configure the DNS64 prefix.
[FirewallB] aft prefix-dns64 2000:: 32
# Configure an AFT address pool.
[FirewallB] aft address-group 1 6.6.6.10 6.6.6.20
# Configure a 6to4 AFT policy so that if the prefix of the destination address of a packet is the DNS64 prefix (2000::/32), the source address is translated into an IPv4 address in address pool 1 and the port number is also translated.
[FirewallB] aft 6to4 prefix-dns64 2000:: 32 address-group 1
# Create ACL 2000 to permit packets from network 4.4.4.0/24 where Firewall C resides (this step is optional).
[FirewallB] acl number 2000
[FirewallB-acl-basic-2000] rule permit source 4.4.4.0 0.0.0.255
[FirewallB-acl-basic-2000] quit
# Configure a 4to6 AFT policy for source address translation so that if the resolved IPv4 address is in network 4.4.4.0/24, the address is translated into an IPv6 address by using DNS64 prefix 2000::/32 (this step is optional).
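The two policies above, modelled as an added Python example (not HP code and not the firewall's implementation): a 6to4 NAPT that only fires when the destination carries the DNS64 prefix, and a 4to6 check that only synthesises an IPv6 address for resolved addresses matched by ACL 2000. It assumes the RFC 6052 embedding of the IPv4 address in bits 32-63 for a /32 prefix, round-robin use of address group 1 and sequential port allocation; the device's real allocation algorithm is not described on this page.

```python
import ipaddress
import itertools

# Values taken from the Firewall B configuration on this page.
DNS64_PREFIX = ipaddress.IPv6Network("2000::/32")         # aft prefix-dns64 2000:: 32
ADDRESS_GROUP_1 = [ipaddress.IPv4Address("6.6.6.10") + i   # aft address-group 1 6.6.6.10 6.6.6.20
                   for i in range(11)]
ACL_2000 = ipaddress.IPv4Network("4.4.4.0/24")             # rule permit source 4.4.4.0 0.0.0.255

# Assumption: RFC 6052 layout for a /32 prefix, IPv4 in bits 32-63
# (e.g. 4.4.4.2 becomes 2000:0:404:402::).
def embed_ipv4(v4):
    return ipaddress.IPv6Address(int(DNS64_PREFIX.network_address) | (int(v4) << 64))

def extract_ipv4(v6):
    return ipaddress.IPv4Address((int(v6) >> 64) & 0xFFFFFFFF)

class Aft6to4:
    """Source NAPT for IPv6 flows whose destination carries the DNS64 prefix."""
    def __init__(self, pool, first_port=1024):
        self._pool = itertools.cycle(pool)   # assumption: round-robin pool use
        self._next_port = first_port         # assumption: sequential port allocation
        self.sessions = {}                   # (v6src, sport, v4dst, dport) -> (v4src, tport)

    def translate(self, v6src, sport, v6dst, dport):
        v6src, v6dst = ipaddress.IPv6Address(v6src), ipaddress.IPv6Address(v6dst)
        if v6dst not in DNS64_PREFIX:
            return None                      # policy does not match: packet is left untouched
        v4dst = extract_ipv4(v6dst)          # real IPv4 destination hidden in the prefix
        key = (v6src, sport, v4dst, dport)
        if key not in self.sessions:         # allocate a pool address and port once per flow
            self.sessions[key] = (next(self._pool), self._next_port)
            self._next_port += 1
        v4src, tport = self.sessions[key]
        return (str(v4src), tport, str(v4dst), dport)

def synthesize_aaaa(resolved_v4):
    """4to6 policy: only addresses permitted by ACL 2000 get a DNS64-synthesised AAAA."""
    v4 = ipaddress.IPv4Address(resolved_v4)
    return str(embed_ipv4(v4)) if v4 in ACL_2000 else None
```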
Figure 63 (labels recovered from the network diagram):
Firewall A, GE0/1 6::2/64, on the IPv6 network.
Firewall B (the AFT), GE0/1 6::1/64 facing the IPv6 network, GE0/2 4.4.4.1/24 facing the IPv4 network, GE0/3 3.3.3.1/24 on the DNS server segment.
Firewall C, GE0/1 4.4.4.2/24, on the IPv4 network.
DNS server, 3.3.3.5/24, on the 3.3.3.0/24 segment of GE0/3.