Administration Guide

NAT66 policy

NAT66 translates an IPv6 source or destination address to a different IPv6 source or destination address. NAT66 is not as common or as important as IPv4 NAT, because many IPv6 addresses do not need NAT66 as much as IPv4 addresses need NAT. However, NAT66 can be useful for a number of reasons. For example, you may have changed the IP addresses of some devices on your network but want traffic to still appear to come from their old addresses. You can use NAT66 to translate the source addresses of packets from those devices to their old source addresses.

In FortiOS, NAT66 options can be added to an IPv6 security policy. Configuring NAT66 is very similar to configuring NAT in an IPv4 security policy.

To configure NAT66:
  1. Go to Policy & Objects > Firewall Policy.

  2. Click Create New.

  3. Configure the required policy parameters.

  4. Enable NAT and select Use Outgoing Interface Address. The source IP address of packets that match this policy is translated to the IP address of the outgoing interface.

  5. Click OK.

NAT66 can also translate one IPv6 source address to another address that is not the same as the address of the existing interface. You can do this using IP pools.

To configure the IPv6 pool:
  1. Go to Policy & Objects > IP Pools.

  2. Click Create New.

  3. Enter the following:

    IP Pool Type        IPv6 Pool
    Name                test-ippool6-1
    External IP Range   2000:172:16:101::1-2000:172:16:101::1

  4. Click OK.

To use the IPv6 pool in the firewall policy:
  1. Go to Policy & Objects > Firewall Policy.

  2. Click Create New or edit an existing policy.

  3. Configure the required policy parameters.

  4. Enable NAT and select Use Dynamic IP Pool.

  5. Click OK.

NAT66 destination address translation

NAT66 can also be used to translate destination addresses. This is done in an IPv6 policy by using IPv6 virtual IPs. For example, the destination address 2001:db8::dd can be mapped to 2001:db8::ee.

To configure the IPv6 VIP:
  1. Go to Policy & Objects > Virtual IPs.

  2. Click Create New.

  3. Enter the following:

    VIP type                    IPv6
    Name                        example-vip6
    External IP address/range   2001:db8::dd
    Map to IPv6 address/range   2001:db8::ee

  4. Click OK.

To use the IPv6 VIP in the firewall policy:
  1. Go to Policy & Objects > Firewall Policy.

  2. Click Create New or edit an existing policy.

  3. Configure the required policy parameters.

  4. In the Destination field, select example-vip6 from the dropdown menu.

  5. Click OK.
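
The pool and VIP values from the tables above, run through a simplified model of the two translations (an added example, not Fortinet code and not FortiOS's own algorithm). The client addresses are constructed, and the offset-preserving range mapping and the `index` parameter are assumptions of the model. It shows that a one-address pool places every client behind the same source address, so attributing a flow to a host depends on the firewall's own session logs.

```python
import ipaddress

def parse_range(text):
    """Parse 'start-end' (or a single address) as typed into the range fields."""
    start, _, end = text.partition("-")
    lo = ipaddress.IPv6Address(start.strip())
    hi = ipaddress.IPv6Address(end.strip()) if end else lo
    if hi < lo:
        raise ValueError(f"range end precedes start: {text}")
    return lo, hi

def size(rng):
    return int(rng[1]) - int(rng[0]) + 1

def check_vip(external, mapped):
    """Assumption: a one-to-one VIP needs external and mapped ranges of equal size."""
    ext, mp = parse_range(external), parse_range(mapped)
    if size(ext) != size(mp):
        raise ValueError("external and mapped ranges differ in size")
    return ext, mp

def translate_dst(dst, vip):
    """Destination NAT: keep the address's offset inside the external range."""
    ext, mp = vip
    dst = ipaddress.IPv6Address(dst)
    if not ext[0] <= dst <= ext[1]:
        return dst  # not covered by the VIP, left unchanged
    return ipaddress.IPv6Address(int(mp[0]) + int(dst) - int(ext[0]))

def translate_src(pool, index=0):
    """Source NAT: pick a pool address; index stands in for the firewall's choice."""
    return ipaddress.IPv6Address(int(pool[0]) + index % size(pool))

# Values from the tables above
POOL = parse_range("2000:172:16:101::1-2000:172:16:101::1")
VIP = check_vip("2001:db8::dd", "2001:db8::ee")
# Constructed sample flows: two internal clients reaching the VIP
FLOWS = [("2001:db8:1::10", "2001:db8::dd"), ("2001:db8:1::20", "2001:db8::dd")]

def shared_source_addresses(flows, pool):
    """Map each post-NAT source address to the original sources hidden behind it."""
    seen = {}
    for i, (src, _dst) in enumerate(flows):
        seen.setdefault(str(translate_src(pool, i)), []).append(src)
    return seen

if __name__ == "__main__":
    print(shared_source_addresses(FLOWS, POOL))
    print(translate_dst("2001:db8::dd", VIP))
```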
