R3721-F3210-F3171-HP High-End Firewalls VPN Configuration Guide-6PW101

[FirewallB] aft 4to6 acl number 2000 prefix-dns64 2000:: 32
NOTE:
It is optional to configure the 4to6 AFT policy for source address translation. If the policy is not configured, AFT uses the first configured DNS64 prefix to translate the resolved IPv4 address into an IPv6 address.
2. Configure Firewall A:
# Enable IPv6.
<FirewallA> system-view
[FirewallA] ipv6
# Configure an IPv6 address for interface GigabitEthernet 0/1.
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ipv6 address 6::2/64
[FirewallA-GigabitEthernet0/1] quit
# Configure a static route to network 2000::/32 (the DNS64 prefix).
[FirewallA] ipv6 route-static 2000:: 32 6::1
# Specify the IPv6 address (2000:0:303:305::, which is translated from 3.3.3.5) of the DNS
server.
[FirewallA] dns server ipv6 2000:0:303:305::
# Enable dynamic domain name resolution.
[FirewallA] dns resolve
3. Configure Firewall C:
# Configure the IP address of interface GigabitEthernet 0/1.
<FirewallC> system-view
[FirewallC] interface gigabitethernet 0/1
[FirewallC-GigabitEthernet0/1] ip address 4.4.4.2 24
[FirewallC-GigabitEthernet0/1] quit
# Configure a static route to network 6.6.6.0/24, which the AFT address pool belongs to.
[FirewallC] ip route-static 6.6.6.0 24 4.4.4.1
NOTE:
You must also configure a static route to network 6.6.6.0/24 on the DNS server. The configuration
procedure is not shown.
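
The DNS server address configured on Firewall A (2000:0:303:305::, from 3.3.3.5) and the resolved address expected in the verification (2000:0:404:402::, from 4.4.4.2) can be checked offline, and an address seen in a log or ACL can be mapped back to its IPv4 host. The following Python sketch is an added example, not part of the original guide. It assumes the RFC 6052 embedding layout, which matches both addresses in this guide for the /32 prefix; that the firewall uses the same layout for other prefix lengths is an assumption. The function names are hypothetical.

```python
import ipaddress

# Prefix lengths permitted by RFC 6052 for IPv4-embedded IPv6 addresses.
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)


def _positions(plen):
    """Byte offsets holding the four IPv4 octets; octet 8 (bits 64-71) is skipped."""
    pos, i = [], plen // 8
    while len(pos) < 4:
        if i != 8:
            pos.append(i)
        i += 1
    return pos


def _network(prefix):
    net = ipaddress.IPv6Network(prefix)  # strict: rejects host bits in the prefix
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"unsupported DNS64 prefix length /{net.prefixlen}")
    if net.network_address.packed[8] != 0:  # only a /96 prefix can violate this
        raise ValueError("bits 64-71 of the prefix must be zero")
    return net


def embed(prefix, ipv4):
    """Build the IPv6 address synthesized from an IPv4 address and a DNS64 prefix."""
    net = _network(prefix)
    out = bytearray(net.network_address.packed)
    for offset, octet in zip(_positions(net.prefixlen), ipaddress.IPv4Address(ipv4).packed):
        out[offset] = octet
    return ipaddress.IPv6Address(bytes(out))


def extract(prefix, ipv6):
    """Recover the IPv4 address embedded in a synthesized IPv6 address."""
    net = _network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    return ipaddress.IPv4Address(bytes(addr.packed[i] for i in _positions(net.prefixlen)))


if __name__ == "__main__":
    # Values taken from this configuration example.
    print(embed("2000::/32", "3.3.3.5"))            # DNS server as seen by Firewall A
    print(embed("2000::/32", "4.4.4.2"))            # Firewall C as seen by Firewall A
    print(extract("2000::/32", "2000:0:404:402::"))  # back to the IPv4 host
```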
Verifying the configuration
# Execute the ping ipv6 FirewallC.com command on Firewall A. The ping operation is successful and the
output displays that the resolved address is 2000:0:404:402::. This address is translated from the IPv4
address of Firewall C by using the DNS64 prefix.
[FirewallA] ping ipv6 FirewallC.com
Trying DNS resolve, press CTRL_C to break
Trying DNS server (2000:0:303:305::)
PING FirewallC.com (2000:0:404:402::):
56 data bytes, press CTRL_C to break
Reply from 2000:0:404:402::
bytes=56 Sequence=1 hop limit=254 time = 2 ms
Reply from 2000:0:404:402::