Configuring NAT66 Policy in FortiOS for Seamless IPv6 Address Translation

Understanding the Importance of NAT66 in FortiGate

NAT66, an essential feature in FortiGate devices, is utilized for translating an IPv6 source or destination address to a different IPv6 address. While NAT66 may not be as widely used as IPv4 NAT due to the abundance of IPv6 addresses, it proves invaluable in specific scenarios. For instance, if your network devices undergo IP address changes, but you want the traffic to appear from old addresses, NAT66 becomes crucial.

Configuring NAT66 in FortiOS

In FortiOS, adding NAT66 options to an IPv6 security policy is quite straightforward, resembling the configuration process of NAT in an IPv4 security policy. Here’s a detailed guide:

Step 1: Set Up NAT66 for Outgoing Interface Address Translation

1. Navigate to Policy & Objects > Firewall Policy.
2. Click Create New.
3. Configure the necessary policy parameters.
4. Enable NAT and select Use Outgoing Interface Address.
5. Click OK.

With this setup, packets matching this policy will have their source IP address translated into the IP address of the outgoing interface.

Step 2: Translate IPv6 Source Address Using IP Pools

1. Navigate to Policy & Objects > IP Pools and select the IPv6 IP Pool tab.
2. Click Create New.
3. Enter the following details:

• Name: test-ippool6-1
• External IP Range: 2000:172:16:101::1-2000:172:16:101::1

Click OK.

To utilize this IPv6 pool in a firewall policy:

1. Go to Policy & Objects > Firewall Policy.
2. Click Create New or edit an existing policy.
3. Configure the necessary policy parameters.
4. Enable NAT and select Use Dynamic IP Pool.
5. Click OK.

NAT66 Destination Address Translation

Alongside source address translation, NAT66 offers destination address translation using IPv6 virtual IPs (VIPs). This feature helps map a destination address to a different IPv6 address. Follow the steps below to configure:

1. Navigate to Policy & Objects > Virtual IPs and select the Virtual IP tab.
2. Click Create New.
3. Enter the following details:

• VIP Type: IPv6
• Name: example-vip6
• External IP Address/Range: 2001:db8::dd
• Map to IPv6 Address/Range: 2001:db8::ee

Click OK.

To utilize the IPv6 VIP in a firewall policy:

1. Go to Policy & Objects > Firewall Policy.
2. Click Create New or edit an existing policy.
3. Configure necessary policy parameters.
4. In the Destination field, select example-vip6 from the dropdown menu.
5. Click OK.

Conclusion

By following the steps outlined, users can effectively configure NAT66 on their FortiGate devices, facilitating smooth IPv6 address translation and efficient network traffic management. Be sure to leverage these configurations to ensure your network remains robust and adaptable to changes in IP addressing.