NAT66 Example, Simple IPv6 Interface PAT

A simple approach for implementing NAT66 is to dynamically assign internal addresses to different ports on the outside interface IPv6 address.

When you configure an interface PAT rule for NAT66, all the global addresses that are configured on that interface are used for PAT mapping. Link-local or site-local addresses for the interface are not used for PAT.

Before you begin

Ensure that you have interface objects (security zones or interface groups) that contain the interfaces for the device. In this example, we will assume the interface objects are security zones named inside and outside. To configure interface objects, select Objects > Object Management, then select Interface.

Procedure

Step 1

Create the network object that defines the inside IPv6 network.

Choose Objects > Object Management.
Select Network from the table of contents and click Add Network > Add Object.
Define the inside IPv6 network.

Name the network object (for example, inside_v6) and enter the network address, 2001:db8:122:2091::/96.
Click Save.

Step 2

Configure the dynamic PAT rule for the inside IPv6 network.

Select Devices > NAT and create or edit the threat defense NAT policy.
Click Add Rule.
Configure the following properties:
- NAT Rule = Auto NAT Rule.
- Type = Dynamic.
On Interface Objects, configure the following:
- Source Interface Objects = inside.
- Destination Interface Objects = outside.
On Translation, configure the following:
- Original Source = inside_v6 network object.
- Translated Source = Destination Interface IP.
On Advanced, select IPv6, which indicates that the IPv6 address of the destination interface should be used.
Click OK.

With this rule, any traffic from the 2001:db8:122:2091::/96 subnet on the inside interface going to the outside interface gets a NAT66 PAT translation to one of the IPv6 global addresses configured for the outside interface.