Tag Archives: NAT66 fortigate

NAT66

Leave a reply

NAT66

NAT66 is used for translating an IPv6 source or destination address to a different IPv6 source or destination address. NAT66 is not as common or as important as IPv4 NAT, as many IPv6 addresses do not need NAT66 as much as IPv4 NAT. However, NAT66 can be useful for a number of reasons. For example, you may have changed the IP addresses of some devices on your network but want traffic to still appear to be coming from their old addresses. You can use NAT66 to translate the source addresses of packets from the devices to their old source addresses.

In FortiOS, NAT66 options can be added to an IPv6 security policy from the CLI. Configuring NAT66 is very similar to configuring NAT in an IPv4 security policy. For example, use the following command to add an IPv6 security policy that translates the source address of IPv6 packets to the address of the destination interface (similar to IPv4 source NAT:

 

config firewall policy6 edit 0

set srcintf internal set dstintf wan1

set srcaddr internal_net set dstaddr all

set action accept set schedule always set service ANY

set nat enable end

 

Its also can be useful to translate one IPv6 source address to another address that is not the same as the address of the exiting interface. You can do this using IP pools. For example, enter the following command to add an IPv6 IP pool containing one IPv6 IP address:

 

config firewall ippool6 edit example_6_pool

set startip 2001:db8::

set endip 2001:db8::

end

 

Enter the following command to add an IPv6 firewall address that contains a single IPv6 IP address.

config firewall address6 edit device_address

set ip6 2001:db8::132/128 end

 

Enter the following command to add an IPv6 security policy that accepts packets from a device with IP address 2001:db8::132 and translates the source address to 2001:db8::.

 

config firewall policy6 edit 0

set srcintf internal set dstintf wan1

set srcaddr device_address set dstaddr all

set action accept set schedule always set service ANY

set nat enable

set ippool enable

set poolname example_6_pool end

 

NAT66 destination address translation

NAT66 can also be used to translate destination addresses. This is done in an IPv6 policy by using IPv6 virtual IPs. For example, enter the following command to add an IPv6 virtual IP that maps the destination address 2001:db8::dd to 2001:db8::ee.

config firewall vip6 edit example-vip6

set extip 2001:db8::dd

set mappedip 2001:db8::ee end

 

Enter the following command to add an IPv6 security policy that accepts packets with a destination address 2001:db8::dd and translates that destination address to 2001:db8::ee.

 

config firewall policy6 edit 0

set srcintf internal set dstintf wan1

set srcaddr all

set dstaddr example-vip6 set action accept

set schedule always set service ANY

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!