pywong
Staff & Editor
Article Id 192911

Description

 

This article describes how to configure IPv4 to IPv6 translation (NAT46) on the FortiGate. NAT46 translates IPv4 addresses to IPv6 addresses so that a client on an IPv4 network can communicate transparently with a server on an IPv6 network.

 

Scope

 

FortiGate.

Solution


Diagram:

 

IPv4 Client (10.202.1.150/22)
|
|  IPv4 network (10.202.0.0/22)
|
[Port7 - 10.202.1.124/22]
FortiGate
[Port6 - 2001:1:1:2::1/64]
|
|
IPv6 Server (2001:1:1:2::100/64)

 


Configuration CLI (only relevant parts):

 

Enable IPv6, set the interfaces and IPv6 pool: 

 

config system global
    set gui-ipv6 enable
end

 

Interfaces:

 

config system interface
    edit "port7"
        set vdom "root"
        set ip 10.202.1.124 255.255.252.0
        set allowaccess ping https ssh
        set type physical
        set snmp-index 7
    next
end

config system interface
    edit "port6"
        set vdom "root"
        config ipv6
            set ip6-allowaccess ping https ssh
            set ip6-address 2001:1:1:2::1/64
        end
    next
end

 

IPv6 Pool:

 

config firewall ippool6
    edit "client_external"
        set startip 2001:1:1:2::3
        set endip 2001:1:1:2::7
        set nat46 enable
    next
end

 

Configure the VIP:

 

config firewall vip
    edit "vip46_server"
        set extip 10.202.1.100
        set nat44 disable
        set nat46 enable
        set extintf "port7"
        set ipv6-mappedip 2001:1:1:2::100
    next
end

 

Configure the firewall policy:


config firewall policy
    edit 1
        set name "policy46-1"
        set srcintf "port7"
        set dstintf "port6"
        set action accept
        set nat46 enable
        set srcaddr "all"
        set dstaddr "vip46_server"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set ippool enable
        set poolname6 "client_external"
    next
end


Verification:

The IPv4 host has network connectivity with the IPv6 server.

 

C:\Users\fortinet>ping 10.202.1.100

Pinging 10.202.1.100 with 32 bytes of data:
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127
Reply from 10.202.1.100: bytes=32 time=1ms TTL=127

Ping statistics for 10.202.1.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 1ms, Average = 1ms


FortiGate Log:

 

date=2019-04-04 time=17:56:09 logid=0000000013 type=traffic subtype=forward level=notice vd=root srcip=10.202.1.150 srcintf="port7" dstip=10.202.1.100 dstintf="port6" poluuid=ca338086-5100-51e9-af5a-f3d62a28968b sessionid=378097 proto=1 action=accept policyid=1 dstcountry="Reserved" srccountry="Reserved" trandisp=snat+dnat tranip=2001:1:1:2::100 tranport=128 transip=64:ff9b::aca:196 transport=62464 service="PING" duration=64 sentbyte=240 rcvdbyte=240 sentpkt=4 rcvdpkt=4 appcat="unscanned"
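
One way to cross-check the translation fields of the log line above against the configuration, as an added example that is not part of the original article. It parses the key=value record and tests whether the destination translation matches the VIP, whether transip falls in the client_external pool range, and whether transip carries the client's IPv4 address under the RFC 6052 well-known prefix 64:ff9b::/96. The function names are hypothetical.

```python
import ipaddress
import shlex

# Log line from the article's "FortiGate Log" output, trimmed to the fields used here.
SAMPLE_LOG = ('date=2019-04-04 time=17:56:09 type=traffic subtype=forward '
              'srcip=10.202.1.150 srcintf="port7" dstip=10.202.1.100 dstintf="port6" '
              'proto=1 action=accept policyid=1 trandisp=snat+dnat tranip=2001:1:1:2::100 '
              'tranport=128 transip=64:ff9b::aca:196 transport=62464 service="PING"')

WKP = ipaddress.IPv6Network("64:ff9b::/96")  # RFC 6052 well-known prefix
# Values taken from the article's VIP and ippool6 configuration.
VIP_EXTIP = ipaddress.IPv4Address("10.202.1.100")
VIP_MAPPED = ipaddress.IPv6Address("2001:1:1:2::100")
POOL_START = ipaddress.IPv6Address("2001:1:1:2::3")
POOL_END = ipaddress.IPv6Address("2001:1:1:2::7")


def parse_log(line):
    """Split a key=value log line into a dict, honouring quoted values."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def embedded_ipv4(addr6):
    """Return the IPv4 address in the low 32 bits of a 64:ff9b::/96 address, else None."""
    addr6 = ipaddress.IPv6Address(addr6)
    if addr6 not in WKP:
        return None
    return ipaddress.IPv4Address(int(addr6) & 0xFFFFFFFF)


def check_nat46(fields):
    """Compare the translated addresses in one record with the configured VIP and pool."""
    src = ipaddress.IPv4Address(fields["srcip"])
    transip = ipaddress.IPv6Address(fields["transip"])
    dnat_ok = (ipaddress.IPv4Address(fields["dstip"]) == VIP_EXTIP
               and ipaddress.IPv6Address(fields["tranip"]) == VIP_MAPPED)
    return {"dnat_matches_vip": dnat_ok,
            "snat_in_pool": POOL_START <= transip <= POOL_END,
            "snat_embeds_srcip": embedded_ipv4(transip) == src}


if __name__ == "__main__":
    print(check_nat46(parse_log(SAMPLE_LOG)))
```

For the article's log line, transip decodes to 10.202.1.150, the original client address, which lets the IPv6-side address be tied back to the IPv4 client during log review.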

 

Related document: 

NAT46 policy