Configuring an IPv6 SNAT policy

IPv4 and IPv6 central SNAT maps are displayed in the same table.

To configure an IPv6 policy with central SNAT in the GUI:
  1. Enable central SNAT:
    1. In the Global VDOM, go to System > VDOM.
    2. Select a VDOM and click Edit. The Edit Virtual Domain Settings pane opens.
    3. Enable Central SNAT.
    4. Click OK.

  2. Enter the VDOM that has central SNAT enabled (FG-traffic in this example).
  3. Go to Policy & Objects > Central SNAT and click Create New.
  4. Configure the policy settings:
    1. For Type, select IPv6.
    2. Enter the interface, address, and IP pool information.
    3. Configure the other settings as needed.
    4. Click OK.

      The matching SNAT traffic will be handled by the IPv6 central SNAT map.

To configure an IPv6 policy with central SNAT in the CLI:
  1. Enable central SNAT:
    config vdom
        edit FG-traffic
            config system settings
                set central-nat enable
            end
        next
    end
  2. Create an IPv6 central SNAT policy:
    config vdom
        edit FG-traffic
            config firewall central-snat-map
                edit 2
                    set type ipv6
                    set srcintf "wan2"
                    set dstintf "wan1"
                    set orig-addr6 "all"
                    set dst-addr6 "all"
                    set nat-ippool6 "test-ippool6-1"
                next
            end
        next
    end
  3. Verify the SNAT traffic:
    (FG-traffic) # diagnose sniffer packet any icmp6 4
    interfaces=[any]
    filters=[icmp6]
    3.602891 wan2 in 2000:10:1:100::41 -> 2000:172:16:200::55: icmp6: echo request seq 0
    3.602942 wan1 out 2000:172:16:200::199 -> 2000:172:16:200::55: icmp6: echo request seq 0
    3.603236 wan1 in 2000:172:16:200::55 -> 2000:172:16:200::199: icmp6: echo reply seq 0
    3.603249 wan2 out 2000:172:16:200::55 -> 2000:10:1:100::41: icmp6: echo reply seq 0
    4.602559 wan2 in 2000:10:1:100::41 -> 2000:172:16:200::55: icmp6: echo request seq 1
    4.602575 wan1 out 2000:172:16:200::199 -> 2000:172:16:200::55: icmp6: echo request seq 1
    4.602956 wan1 in 2000:172:16:200::55 -> 2000:172:16:200::199: icmp6: echo reply seq 1
    4.602964 wan2 out 2000:172:16:200::55 -> 2000:10:1:100::41: icmp6: echo reply seq 1
    ^C
    8 packets received by filter
    0 packets dropped by kernel
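
The check in step 3 can be automated. The following is an added example, not part of the Fortinet documentation: it parses the sniffer lines shown above and confirms that each echo request entering `wan2` leaves `wan1` with a source address from the pool, and that the reply is translated back. The pool range passed to `check_snat` is an assumption, because the page names the pool `test-ippool6-1` but does not show its addresses; `parse` and `check_snat` are hypothetical helper names.

```python
import ipaddress
import re

# Sniffer lines copied from the verification step on this page.
CAPTURE = """\
3.602891 wan2 in 2000:10:1:100::41 -> 2000:172:16:200::55: icmp6: echo request seq 0
3.602942 wan1 out 2000:172:16:200::199 -> 2000:172:16:200::55: icmp6: echo request seq 0
3.603236 wan1 in 2000:172:16:200::55 -> 2000:172:16:200::199: icmp6: echo reply seq 0
3.603249 wan2 out 2000:172:16:200::55 -> 2000:10:1:100::41: icmp6: echo reply seq 0
4.602559 wan2 in 2000:10:1:100::41 -> 2000:172:16:200::55: icmp6: echo request seq 1
4.602575 wan1 out 2000:172:16:200::199 -> 2000:172:16:200::55: icmp6: echo request seq 1
4.602956 wan1 in 2000:172:16:200::55 -> 2000:172:16:200::199: icmp6: echo reply seq 1
4.602964 wan2 out 2000:172:16:200::55 -> 2000:10:1:100::41: icmp6: echo reply seq 1
"""

LINE = re.compile(r"^\s*[\d.]+ (\S+) (in|out) (\S+) -> (\S+): "
                  r"icmp6: echo (request|reply) seq (\d+)\s*$")

def parse(capture):
    """Map seq -> {(kind, iface, direction): (src, dst)}; other lines are skipped."""
    flows = {}
    for line in capture.splitlines():
        m = LINE.match(line)
        if m:
            iface, direction, src, dst, kind, seq = m.groups()
            flows.setdefault(int(seq), {})[(kind, iface, direction)] = (
                ipaddress.ip_address(src), ipaddress.ip_address(dst))
    return flows

def check_snat(capture, inside, outside, pool):
    """Return a list of problems (empty if SNAT is correct). pool is an assumed range."""
    pool = ipaddress.ip_network(pool)
    problems = []
    for seq, legs in sorted(parse(capture).items()):
        ingress = legs.get(("request", inside, "in"))
        egress = legs.get(("request", outside, "out"))
        if not ingress or not egress:
            problems.append(f"seq {seq}: request not seen on both interfaces")
            continue
        client, nat_src = ingress[0], egress[0]
        if nat_src == client:
            problems.append(f"seq {seq}: source {client} left {outside} untranslated")
        elif nat_src not in pool:
            problems.append(f"seq {seq}: source {nat_src} is outside pool {pool}")
        back_in = legs.get(("reply", outside, "in"))
        back_out = legs.get(("reply", inside, "out"))
        if not back_in or back_in[1] != nat_src or not back_out or back_out[1] != client:
            problems.append(f"seq {seq}: reply path does not reverse the translation")
    return problems
```

Call `check_snat(CAPTURE, "wan2", "wan1", "<pool range>")` with the range configured in your IP pool; an untranslated source on the egress interface means the client's internal address is being exposed on `wan1`.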
