HP VPN Firewall Appliances VPN Configuration Guide

Figure 306 Network diagram
Configuration consideration
To meet the requirements, perform the following configurations:
• On Firewall, enable AFT, and configure a DNS64 prefix and a 6to4 AFT policy because the address of Host A is not an IVI address.
• On Host A, specify the IPv6 address 2000:0:303:305:: of the DNS server (which is translated from IPv4 address 3.3.3.5 by using the DNS64 prefix).
Configuration procedure
1. Configure Firewall (the AFT):
# Enable IPv6.
<Firewall> system-view
[Firewall] ipv6
# Configure IP addresses for the interfaces GigabitEthernet 0/1, GigabitEthernet 0/2, and GigabitEthernet 0/3 and enable AFT on the interfaces.
[Firewall] interface gigabitethernet 0/1
[Firewall-GigabitEthernet0/1] ipv6 address 6::1/64
[Firewall-GigabitEthernet0/1] aft enable
[Firewall-GigabitEthernet0/1] quit
[Firewall] interface gigabitethernet 0/2
[Firewall-GigabitEthernet0/2] ip address 4.4.4.1 24
[Firewall-GigabitEthernet0/2] aft enable
[Firewall-GigabitEthernet0/2] quit
[Firewall] interface gigabitethernet 0/3
[Firewall-GigabitEthernet0/3] ip address 3.3.3.1 24
[Firewall-GigabitEthernet0/3] aft enable
[Firewall-GigabitEthernet0/3] quit
# Configure the DNS64 prefix.
[Firewall] aft prefix-dns64 2000:: 32
# Configure an AFT address pool.
[Firewall] aft address-group 1 6.6.6.10 6.6.6.20
# Configure a 6to4 AFT policy so that if the prefix of the destination address of a packet is the DNS64 prefix (2000::/32), the source address is translated into an IPv4 address in address pool 1 and the port number is also translated.
[Firewall] aft 6to4 prefix-dns64 2000:: 32 address-group 1
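The DNS64 mapping used in this example (3.3.3.5 to 2000:0:303:305:: under prefix 2000::/32), worked through in Python as an added example that is not part of the HP guide. It assumes the firewall embeds the IPv4 address using the RFC 6052 layout, which agrees with the guide's /32 case, and it generalizes to the other RFC 6052 prefix lengths; the function names are hypothetical. The reverse mapping is useful when reviewing logs or ACLs to see which IPv4 destination an address matching the 6to4 AFT policy refers to.

```python
import ipaddress

# Prefix lengths defined by RFC 6052 (assumption: the device follows this layout).
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)


def _check(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError("unsupported prefix length /%d" % net.prefixlen)
    return net


def embed_ipv4(prefix, ipv4):
    """Build the IPv6 address that represents ipv4 under a DNS64 prefix."""
    net = _check(prefix)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:          # octet 8 (bits 64-71) is reserved and stays zero
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))


def extract_ipv4(prefix, ipv6):
    """Recover the embedded IPv4 address, or None if ipv6 is outside the prefix."""
    net = _check(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        return None           # the 6to4 policy would not match this destination
    raw = addr.packed
    pos = net.prefixlen // 8
    v4 = bytearray()
    while len(v4) < 4:
        if pos == 8:          # skip the reserved octet when reading back
            pos += 1
        v4.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(v4))


if __name__ == "__main__":
    # Values from the guide: DNS64 prefix 2000::/32 and DNS server 3.3.3.5.
    print(embed_ipv4("2000::/32", "3.3.3.5"))
    print(extract_ipv4("2000::/32", "2000:0:303:305::"))
```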