Technical Tip: Configure NAT46 on FortiGate
Description
This article describes how to configure IPv4-to-IPv6 translation on the FortiGate. NAT46 translates IPv4 addresses to IPv6 addresses so that a client on an IPv4 network can communicate transparently with a server on an IPv6 network: the client sends traffic to an IPv4 VIP address, and the FortiGate rewrites both the destination (to the server's IPv6 address) and the source (to an IPv6 address the server can reply to).
Scope
FortiGate.
Solution
Diagram:
IPV4 Client (10.202.1.150/22)
|
| IPv4 network (10.202.0.0/22)
|
[Port7 - 10.202.1.124/22]
FortiGate
[Port6 - 2001:1:1:2::1/64]
|
|
IPv6 Server (2001:1:1:2::100/64)
Configuration CLI (only relevant parts):
Enable the IPv6 options in the GUI (the CLI accepts IPv6 settings regardless), then configure the interfaces and the IPv6 pool:
config system global
set gui-ipv6 enable
end
Interfaces:
config system interface
edit "port7"
set vdom "root"
set ip 10.202.1.124 255.255.252.0
set allowaccess ping https ssh
set type physical
set snmp-index 7
next
end
config system interface
edit "port6"
set vdom "root"
config ipv6
set ip6-allowaccess ping https ssh
set ip6-address 2001:1:1:2::1/64
end
next
end
IPv6 Pool:
config firewall ippool6
edit "client_external"
set startip 2001:1:1:2::3
set endip 2001:1:1:2::7
set nat46 enable
next
end
Configure the VIP:
config firewall vip
edit "vip46_server"
set extip 10.202.1.100
set nat44 disable
set nat46 enable
set extintf "port7"
set ipv6-mappedip 2001:1:1:2::100
next
end
Configure the firewall policy:
config firewall policy
edit 1
set name "policy46-1"
set srcintf "port7"
set dstintf "port6"
set action accept
set nat46 enable
set srcaddr "all"
set dstaddr "vip46_server"
set srcaddr6 "all"
set dstaddr6 "all"
set schedule "always"
set service "ALL"
set logtraffic all
set auto-asic-offload disable
set ippool enable
set poolname6 "client_external"
next
end
Verification:
The IPv4 host reaches the IPv6 server by pinging the VIP's external IPv4 address (10.202.1.100):
C:\Users\fortinet>ping 10.202.1.100
Pinging 10.202.1.100 with 32 bytes of data:
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127
Ping statistics for 10.202.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms
FortiGate Log:
date=2019-04-04 time=17:56:09 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=10.202.1.150 srcintf="port7" dstip=10.202.1.100 dstintf="port6" poluuid=ca338086-5100-51e9-af5a-f3d62a28968b sessionid=378097 proto=1 action=accept policyid=1 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat tranip=2001:1:1:2::100 tranport=128 transip=64:ff9b::aca:196 transport=62464 service="PING" duration=64 sentbyte=240 rcvdbyte=240 sentpkt=4 rcvdpkt=4 appcat="unscanned"
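The log entry above can be checked mechanically against the VIP and pool configured earlier. One detail is worth checking: transip=64:ff9b::aca:196 is not an address from the client_external pool (2001:1:1:2::3 to 2001:1:1:2::7); it is the client address 10.202.1.150 embedded in the RFC 6052 well-known prefix 64:ff9b::/96 (0a.ca.01.96 becomes aca:196). The script below is an added example, not Fortinet code and not part of the original article. It parses the FortiGate key=value log format, verifies the DNAT leg against the VIP, and reports whether the SNAT source came from the pool range or from the well-known-prefix embedding, so an operator can tell which translation the policy actually applied. The configuration values and the log line are copied from this page; the function names are the example's own.

```python
"""Check a FortiGate NAT46 forward-traffic log entry against the VIP and
IPv6 pool configured on this page. Added example; not Fortinet code."""
import ipaddress
import shlex

# Configuration values taken from the CLI fragments on this page.
VIP_EXTIP = "10.202.1.100"          # firewall vip "vip46_server" extip
VIP_MAPPEDIP6 = "2001:1:1:2::100"   # firewall vip "vip46_server" ipv6-mappedip
POOL6_START = "2001:1:1:2::3"       # firewall ippool6 "client_external" startip
POOL6_END = "2001:1:1:2::7"         # firewall ippool6 "client_external" endip
# RFC 6052 well-known prefix; the page's log shows the client embedded in it.
WELL_KNOWN_PREFIX = "64:ff9b::/96"

# Log line copied from the Verification section of this page (uuid/country
# fields dropped for brevity; the parser handles them the same way).
SAMPLE_LOG = (
    'date=2019-04-04 time=17:56:09 logid=0000000013 type=traffic '
    'subtype=forward level=notice vd=root srcip=10.202.1.150 srcintf="port7" '
    'dstip=10.202.1.100 dstintf="port6" sessionid=378097 proto=1 '
    'action=accept policyid=1 trandisp=snat+dnat tranip=2001:1:1:2::100 '
    'tranport=128 transip=64:ff9b::aca:196 transport=62464 service="PING"'
)


def embed_ipv4(v4, prefix=WELL_KNOWN_PREFIX):
    """RFC 6052 embedding for a /96 prefix: the IPv4 address is the low 32 bits."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("only /96 embedding is implemented here")
    v6 = ipaddress.IPv6Address(int(net.network_address) + int(ipaddress.IPv4Address(v4)))
    return str(v6)


def parse_fortigate_log(line):
    """Split a FortiGate key=value log line into a dict; quoted values are unquoted."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def same6(a, b):
    """Compare two IPv6 address strings by value, not by textual form."""
    return ipaddress.IPv6Address(a) == ipaddress.IPv6Address(b)


def in_pool(addr6, start=POOL6_START, end=POOL6_END):
    """True if addr6 lies inside the configured ippool6 range (inclusive)."""
    a = ipaddress.IPv6Address(addr6)
    return ipaddress.IPv6Address(start) <= a <= ipaddress.IPv6Address(end)


def check_nat46_translation(fields):
    """Return per-check booleans for one NAT46 forward log entry."""
    results = {
        # Both legs must have been translated for NAT46 to have happened.
        "snat_plus_dnat": fields.get("trandisp") == "snat+dnat",
        # DNAT leg: IPv4 VIP address rewritten to the mapped IPv6 server address.
        "dnat_via_vip": (
            ipaddress.IPv4Address(fields["dstip"]) == ipaddress.IPv4Address(VIP_EXTIP)
            and same6(fields["tranip"], VIP_MAPPEDIP6)
        ),
        # SNAT leg, option 1: source taken from the configured ippool6 range.
        "snat_from_pool": in_pool(fields["transip"]),
        # SNAT leg, option 2: source is the IPv4 client embedded in 64:ff9b::/96.
        "snat_rfc6052_embedded": same6(fields["transip"], embed_ipv4(fields["srcip"])),
    }
    results["snat_source_known"] = results["snat_from_pool"] or results["snat_rfc6052_embedded"]
    return results


def verify_log_line(line):
    """Parse and check a single log line; returns the check dict."""
    return check_nat46_translation(parse_fortigate_log(line))


if __name__ == "__main__":
    for name, ok in verify_log_line(SAMPLE_LOG).items():
        print(f"{name:24s} {'ok' if ok else 'FAIL'}")
```

Run against the page's own log line the script reports the DNAT leg as matching the VIP and the SNAT source as the RFC 6052 embedding rather than a pool address; if your deployment requires the server to see source addresses from the client_external range, that is the check that should come back true.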
Note:
NAT46 and NAT64 on the FortiGate translate traffic only toward destinations that are explicitly mapped in a VIP (here, one IPv6 server behind one IPv4 external address). They cannot provide general IPv4-to-IPv6 or IPv6-to-IPv4 internet access.