HP VPN Firewall Appliances VPN Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module

401

402

403

404

405

406

407

408

409

410

394

Configuration procedure

1. Configure Firewall (the AFT):

# Enable IPv6.

<Firewall> system-view

[Firewall] ipv6

# Configure IP addresses for the interfaces GigabitEthernet 0/1 and GigabitEthernet 0/2 and

enable AFT on the interfaces.

[Firewall] interface gigabitethernet 0/1

[Firewall-GigabitEthernet0/1] ipv6 address 6:0:ff06:606:100::/64

[Firewall-GigabitEthernet0/1] aft enable

[Firewall-GigabitEthernet0/1] quit

[Firewall] interface gigabitethernet 0/2

[Firewall-GigabitEthernet0/2] ip address 4.4.4.1 24

[Firewall-GigabitEthernet0/2] aft enable

[Firewall-GigabitEthernet0/2] quit

# Configure the DNS64 prefix.

[Firewall] aft prefix-dns64 2000:: 32

# Configure the IVI prefix.

[Firewall] aft prefix-ivi 6::

# Create ACL 3000 to permit IP packets destined to the IPv4 network 6.6.6.0/24, which is

embedded in the IVI address.

[Firewall] acl number 3000

[Firewall-acl-adv-3000] rule permit ip destination 6.6.6.0 0.0.0.255

[Firewall-acl-adv-3000] quit

# Configure the 4to6 AFT policy for destination address translation so that the Firewall can

translate the destination address into an IPv6 address by using the IVI prefix (6::) for packets

destined to network 6.6.6.0/24.

[Firewall] aft 4to6 acl number 3000 prefix-ivi 6::

# Create ACL 2000 to permit packets from the IPv4 network 4.4.4.0/24, on which Host B resides

(this step is optional).

[Firewall] acl number 2000

[Firewall-acl-basic-2000] rule permit source 4.4.4.0 0.0.0.255

[Firewall-acl-basic-2000] quit

# Configure the 4to6 AFT policy for source address translation so that the Firewall can translate the

source address into an IPv6 address by using the DNS prefix (2000::/32) for packets from

network 4.4.4.0/24 (this step is optional).

[Firewall] aft 4to6 acl number 2000 prefix-dns64 2000:: 32

NOTE:

Configuring the 4to6 AFT policy for source address translation is optional. If the policy is not

configured, AFT uses the first configured DNS64 prefix to translate the source IPv4 address into an

IPv6 address.

2. Configure Host A:

Perform the following configurations on Host A. (Details not shown.)

{ Configure IPv6 address 6:0:ff06:606:200::/64.