H3C Technologies H3C SecPath F1000-E User Manual
Page 87
75
[SecPathB] aft prefix-dns64 2000:: 32
# Configure an AFT address pool.
[SecPathB] aft address-group 1 6.6.6.10 6.6.6.20
# Configure a 6to4 AFT policy so that if the prefix of the destination address of a packet is the
DNS64 prefix (2000::/32), the source address is translated into an IPv4 address in address pool
1 and the port number is also translated.
[SecPathB] aft 6to4 prefix-dns64 2000:: 32 address-group 1
# Create ACL 2000 to permit packets from network 4.4.4.0/24 where SecPath C resides (this
step is optional).
[SecPathB] acl number 2000
[SecPathB-acl-basic-2000] rule permit source 4.4.4.0 0.0.0.255
[SecPathB-acl-basic-2000] quit
# Configure a 4to6 AFT policy for source address translation so that if the resolved IPv4 address
is in network 4.4.4.0/24, the address is translated into an IPv6 address by using DNS64 prefix
2000::/32 (this step is optional).
[SecPathB] aft 4to6 acl number 2000 prefix-dns64 2000:: 32
NOTE:
It is optional to configure the 4to6 AFT policy for source address translation. If the policy is not configured,
AFT uses the first configured DNS64 prefix to translate the resolved IPv4 address into an IPv6 address.
2.
Configure SecPath A:
# Enable IPv6.
[SecPathA] ipv6
# Configure an IPv6 address for interface GigabitEthernet 0/1.
[SecPathA] interface GigabitEthernet 0/1
[SecPathA-GigabitEthernet0/1] ipv6 address 6::2/64
[SecPathA-GigabitEthernet0/1] quit
# Configure a static route to network 2000::/32 (the DNS64 prefix).
[SecPathA] ipv6 route-static 2000:: 32 6::1
# Specify the IPv6 address (2000:0:303:305::, which is translated from 3.3.3.5) of the DNS
server.
[SecPathA] dns server ipv6 2000:0:303:305::
# Enable dynamic domain name resolution.
[SecPathA] dns resolve
3.
Configure SecPath C:
# Configure the IP address of interface GigabitEthernet 0/1.
[SecPathC] interface GigabitEthernet 0/1
[SecPathC-GigabitEthernet0/1] ip address 4.4.4.2 24
[SecPathC-GigabitEthernet0/1] quit
# Configure a static route to network 6.6.6.0/24, which the AFT address pool belongs to.
[SecPathC] ip route-static 6.6.6.0 24 4.4.4.1
- H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS