akileshc (Staff)
Article Id 337459
Description: This article describes the steps to configure NAT66 on a FortiGate, including the required IPv6 VIP and firewall policy, and the CLI commands used to troubleshoot it.
Scope: FortiGate.
Solution

NAT66 (Network Address Translation for IPv6) translates one IPv6 address to another, in the same way NAT44 translates IPv4 addresses, and on FortiGate it is configured with a Virtual IP (VIP). It is useful when internal IPv6 addresses must be presented as different external IPv6 addresses, for example for security reasons, for load balancing, or to meet routing requirements.

Prerequisites:

  • A FortiGate device running a supported version of FortiOS.
  • Configured IPv6 interfaces (both WAN and LAN) with valid addressing.
  • Administrative access to the FortiGate CLI and GUI.

Step 1: Create the IPv6 VIP:

  • Navigate to 'Policy & Objects -> Virtual IPs'.
  • Select the 'Virtual IP' tab.
  • Select 'Create New'.
  • Configure the following settings:
    • VIP type 'IPv6'
    • Name 'example-vip6'
    • External IP address/range '2a02:xx::xx'
    • Map to IPv6 address/range '2001:xx::xx'
    • Select 'OK' to save the IPv6 VIP.

GUI:

[Screenshot: NAT66_VIP.PNG]

CLI:

config firewall vip6
    edit "example-vip6"
        set extip 2a02:xx::xx
        set mappedip 2001:xx::xx
        set nat66 enable
    next
end

Step 2: Apply the IPv6 VIP in a Firewall Policy:

  • Navigate to 'Policy & Objects -> Firewall Policy'.
  • Select 'Create New' or edit an existing policy.
  • Configure the required policy parameters such as source, destination, and services.
  • In the 'Destination' field, select 'example-vip6' from the drop-down menu.
  • Enable NAT and choose the 'Use Outgoing Interface Address' option. This translates the source IP address of packets matching this policy to the IP address of the outgoing interface.
  • Select 'OK' to apply the policy.

GUI:

[Screenshot: NAT66_Policy.PNG]

CLI:

config firewall policy
    edit <policy-ID>    # use 0 to create a new policy with the next free ID
        set name "NAT66"
        set srcintf "Internet_WAN"
        set dstintf "DMZ"
        set action accept
        set srcaddr6 "srcaddr6"
        set dstaddr6 "example-vip6"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

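To check a NAT66 VIP and its policy before pasting them into the CLI, the following added Python example (not from the article or from Fortinet) validates the external and mapped addresses, refuses range sizes that differ (a VIP range maps 1:1, and the FortiGate also refuses such a mismatch), warns when the policy is open to any source on any service, and renders the same vip6 and policy blocks shown above. The function names, the 2001:db8:: documentation addresses, and the interface and address-object names are constructed for this example.

```python
import ipaddress

def _parse_range(spec):
    """Accept one IPv6 address or a FortiOS 'start-end' range; return (first, last)."""
    first, _, last = spec.partition("-")
    lo = ipaddress.IPv6Address(first.strip())  # raises AddressValueError on bad input
    hi = ipaddress.IPv6Address(last.strip()) if last else lo
    return lo, hi

def validate_vip6(extip, mappedip):
    """Return a list of problems with the VIP addresses (empty when acceptable)."""
    ext_lo, ext_hi = _parse_range(extip)
    map_lo, map_hi = _parse_range(mappedip)
    # A VIP range maps addresses 1:1, so both ranges must hold the same number of addresses.
    if int(ext_hi) - int(ext_lo) != int(map_hi) - int(map_lo):
        return ["external and mapped ranges differ in size"]
    return []

def build_nat66_config(name, extip, mappedip, srcintf, dstintf, srcaddr6, service="ALL"):
    """Return (cli_text, warnings) for the vip6 object and the policy that references it."""
    problems = validate_vip6(extip, mappedip)
    if problems:
        raise ValueError("; ".join(problems))
    warnings = []
    if srcaddr6 == "all" and service == "ALL":
        warnings.append("policy admits any IPv6 source on any service; narrow srcaddr6 or service")
    cli = "\n".join([
        "config firewall vip6",
        f'    edit "{name}"',
        f"        set extip {extip}",
        f"        set mappedip {mappedip}",
        "        set nat66 enable",
        "    next",
        "end",
        "config firewall policy",
        "    edit 0",  # 0 makes FortiOS allocate the next free policy ID
        f'        set name "NAT66-{name}"',
        f'        set srcintf "{srcintf}"',
        f'        set dstintf "{dstintf}"',
        "        set action accept",
        f'        set srcaddr6 "{srcaddr6}"',
        f'        set dstaddr6 "{name}"',
        '        set schedule "always"',
        f'        set service "{service}"',
        "        set nat enable",
        "    next",
        "end",
    ])
    return cli, warnings
```

Ranges are given in the FortiOS 'start-end' form; a single address maps to a single address.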
Troubleshooting commands:

Routing and neighbor cache commands:

get sys status
get router info6 routing-table connected
get router info6 routing-table static
diagnose ipv6 neighbor-cache list
diagnose ipv6 addr list
get router info6 kernel

IPv6 traffic debug commands:

di de reset
di de flow filter6 clear
di de flow filter6 addr xxxx::xx # Replace xxxx::xx with the user's source IPv6 address
di de flow show function-name enable
di de flow trace start6 1000
di de enable

To stop the debug:

di de flow trace stop
di de dis
di de reset

IPv6 session list:

di sys session6 filter clear
di sys session6 filter src xxxx::xx # Replace xxxx::xx with the user's source IPv6 address
di sys session6 list

Sniffer commands:

di sniffer packet any "host xxxx::xx" 6 0 l # Replace xxxx::xx with the user's source IPv6 address; verbose level 6, unlimited packet count, local timestamps

