HP VPN Firewall Appliances VPN Configuration Guide

# Create ACL 2000 to permit packets from network 4.4.4.0/24 where Host B resides (this step is
optional).
[Firewall] acl number 2000
[Firewall-acl-basic-2000] rule permit source 4.4.4.0 0.0.0.255
[Firewall-acl-basic-2000] quit
# Configure a 4to6 AFT policy for source address translation so that if the resolved IPv4 address
is in network 4.4.4.0/24, the address is translated into an IPv6 address by using DNS64 prefix
2000::/32 (this step is optional).
[Firewall] aft 4to6 acl number 2000 prefix-dns64 2000:: 32
NOTE:
It is optional to configure the 4to6 AFT policy for source address translation. If the policy is not
configured, AFT uses the first configured DNS64 prefix to translate the resolved IPv4 address into an
IPv6 address.
2. Configure Host A:
Perform the following configurations on Host A. (Details not shown.)
   - Configure IPv6 address 6::2/64.
   - Configure a static route to network 2000::/32 (the DNS64 prefix) and the next hop address
     6::1.
   - Specify the IPv6 address (2000:0:303:305::, which is translated from 3.3.3.5) of the DNS
     server.
3. Configure Host B:
Perform the following configurations on Host B. (Details not shown.)
   - Configure IPv4 address 4.4.4.2/24.
   - Configure a static route to network 6.6.6.0/24, which the AFT address pool belongs to, and the
     next hop address 4.4.4.1.
NOTE:
Configure a static route to network 6.6.6.0/24 on the DNS server. The configuration procedure is
not shown.
Verifying the configuration
# Use the ping ipv6 hostc.com command on Host A. The ping operation is successful and the output
shows that the resolved address is 2000:0:404:402::. This address is translated from the IPv4 address
of Host B by using the DNS64 prefix.
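The synthesized addresses in this example (2000:0:303:305:: and 2000:0:404:402::) are consistent with the RFC 6052 address layout. The following sketch is an added example, not part of the HP guide or the appliance's own code: it reproduces that mapping, generalizes it to the other RFC 6052 prefix lengths, and recovers the IPv4 address from a synthesized one, which helps when reading session-table entries. The function names are hypothetical, and it is an assumption that AFT follows RFC 6052 for prefix lengths other than the /32 shown on this page.

```python
import ipaddress

# RFC 6052 section 2.2: for each prefix length, the number of IPv4 octets
# placed before the reserved "u" octet (bits 64-71, always zero).
OCTETS_BEFORE_U = {32: 4, 40: 3, 48: 2, 56: 1, 64: 0}

def _layout(prefix):
    """Return (network, [byte offsets that carry the IPv4 address])."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen == 96:
        return net, [12, 13, 14, 15]
    if net.prefixlen not in OCTETS_BEFORE_U:
        raise ValueError("RFC 6052 allows /32, /40, /48, /56, /64, /96 only")
    k, start = OCTETS_BEFORE_U[net.prefixlen], net.prefixlen // 8
    return net, list(range(start, start + k)) + list(range(9, 13 - k))

def embed(prefix, ipv4):
    """Synthesize the IPv6 address for ipv4 under a DNS64 prefix."""
    net, offsets = _layout(prefix)
    raw = bytearray(net.network_address.packed)
    for off, octet in zip(offsets, ipaddress.IPv4Address(ipv4).packed):
        raw[off] = octet
    return str(ipaddress.IPv6Address(bytes(raw)))

def extract(prefix, ipv6):
    """Recover the IPv4 address from a synthesized IPv6 address."""
    net, offsets = _layout(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{ipv6} is not inside {prefix}")
    return str(ipaddress.IPv4Address(bytes(addr.packed[o] for o in offsets)))

def acl_match(ipv4, base, wildcard):
    """Basic ACL source match: wildcard bits set to 1 are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (ipv4, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

if __name__ == "__main__":
    # Values taken from the configuration example on this page.
    print(embed("2000::/32", "3.3.3.5"))                # DNS server
    print(embed("2000::/32", "4.4.4.2"))                # Host B
    print(extract("2000::/32", "2000:0:0303:0305::"))   # session-table entry
    print(acl_match("4.4.4.2", "4.4.4.0", "0.0.0.255")) # ACL 2000 rule
```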
# Use the display session table verbose command on Firewall to display the established sessions.
[Firewall] display session table verbose
Initiator:
Source IP/Port : 0006::0002/2628
Dest IP/Port : 2000:0:0303:0305::/53
VPN-Instance/VLAN ID/VLL ID:
Responder:
Source IP/Port : 3.3.3.5/53
Dest IP/Port : 6.6.6.10/12298
VPN-Instance/VLAN ID/VLL ID: