Understand how NPTv6 and NDP Proxy work together: the ND cache, NDP Proxy, NPTv6
translation, and the fact that neighbors in the ND cache aren't translated.
Where Can I Use This?
What Do I Need?
NGFW (Managed by PAN-OS or Panorama)
The following figure illustrates how NPTv6 and NDP Proxy
function together.
The ND Cache in NPTv6 Example
In the above example, multiple peers connect to the firewall through a switch, with ND
occurring between the peers and the switch, between the switch and the firewall, and
between the firewall and the devices on the trust side.
As the firewall learns of peers, it saves their addresses to its ND cache. Trusted
peers FDDA:7A3E::1, FDDA:7A3E::2, and FDDA:7A3E::3 are connected to the firewall on
the trust side. FDDA:7A3E::99 is the untranslated address of the firewall itself;
its public-facing address is 2001:DB8::99. The addresses of the peers on the untrust
side have been discovered and appear in the ND cache: 2001:DB8::1, 2001:DB8::2, and
2001:DB8::3.
The NDP Proxy in NPTv6 Example
In our scenario, we want the firewall to act as NDP Proxy for the prefixes on devices
behind the firewall. When the firewall is NDP Proxy for a specified set of
addresses/ranges/prefixes, and it sees an address from this range in an ND
solicitation or advertisement, the firewall will respond as long as a device with
that specific address doesn’t respond first, the address is not negated in the NDP
proxy configuration, and the address is not in the ND cache. The firewall does the
prefix translation (described below) and sends the packet to the trust side, where
that address might or might not be assigned to a device.
In this example, the ND Proxy table contains the network address 2001:DB8::0. When
the interface sees an ND for 2001:DB8::100, no other devices on the L2 switch claim
the packet, so the proxy range causes the firewall to claim it, and after
translation to FDD4:7A3E::100, the firewall sends it out to the trust side.
The NPTv6 Translation in NPTv6 Example
In this example, the Original Packet is configured with a Source Address of FDD4:7A3E::0
and a Destination of Any. The Translated Packet is configured with the Translated
Address of 2001:DB8::0.
Therefore, outgoing packets with a source of FDD4:7A3E::0 are translated to
2001:DB8::0. Incoming packets with a destination prefix in the network 2001:DB8::0
are translated to FDD4:7A3E::0.
Neighbors in the ND Cache Are Not Translated
In our example, there are hosts behind the firewall with host identifiers :1, :2, and
:3. Suppose the prefix of those hosts is translated to a prefix that already exists
beyond the firewall, and devices on that outside prefix also have host identifiers :1,
:2, and :3. Because the host identifier portion of the address remains unchanged, each
translated address would belong to an existing outside device, and an addressing
conflict would result. To avoid a conflict with overlapping host identifiers, NPTv6
does not translate addresses that it finds in its ND cache.
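The prefix rewrite from the translation section and the ND-cache exception described just above, as an added Python example (not code from the PAN-OS documentation). It assumes /48 prefixes (the page gives no length) and a constructed ND cache matching the figure, and it applies the RFC 6296 checksum-neutral adjustment that NPTv6 performs in practice: the translated address carries an extra nonzero word in bits 48..63 that the simplified figure above omits.

```python
import ipaddress

# Prefixes from the page's example; the /48 length is an assumption (not stated).
INTERNAL = ipaddress.IPv6Network("FDD4:7A3E::/48")
EXTERNAL = ipaddress.IPv6Network("2001:DB8::/48")

# Constructed ND cache: trust-side hosts :1-:3 and already-discovered untrust peers :1-:3.
ND_CACHE = {ipaddress.IPv6Address(a) for a in (
    "FDD4:7A3E::1", "FDD4:7A3E::2", "FDD4:7A3E::3",
    "2001:DB8::1", "2001:DB8::2", "2001:DB8::3")}

def words(addr):
    """Eight 16-bit words of an IPv6 address, high word first."""
    p = ipaddress.IPv6Address(addr).packed
    return [(p[i] << 8) | p[i + 1] for i in range(0, 16, 2)]

def ones_sum(ws):
    """One's complement sum of 16-bit words, carries folded back in."""
    s = sum(ws)
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def cksum(addr):  # checksum contribution of an address; 0xFFFF and 0 are the same value
    s = ones_sum(words(addr))
    return 0 if s == 0xFFFF else s

def nptv6(addr, src_net, dst_net):
    """RFC 6296 checksum-neutral rewrite of addr from src_net to dst_net. For a
    /48 or shorter prefix the adjustment is written into bits 48..63 (word 3)."""
    assert src_net.prefixlen == dst_net.prefixlen <= 48
    host = int(ipaddress.IPv6Address(addr)) & ((1 << (128 - src_net.prefixlen)) - 1)
    w = words(ipaddress.IPv6Address(int(dst_net.network_address) | host))
    delta = ones_sum([cksum(addr), ~ones_sum(w) & 0xFFFF])  # sum(old) - sum(new)
    adj = ones_sum([w[3], delta])
    w[3] = 0 if adj == 0xFFFF else adj  # RFC 6296: 0xFFFF is written as 0x0000
    return str(ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w)))

def translate_outbound(src):
    """Trust -> untrust: rewrite a source that matches the NPTv6 source prefix,
    except for a neighbour already in the ND cache, which is left untranslated."""
    a = ipaddress.IPv6Address(src)
    return str(a) if a in ND_CACHE or a not in INTERNAL else nptv6(a, INTERNAL, EXTERNAL)

def translate_inbound(dst):
    """Untrust -> trust: the mirror rule applied to the destination address."""
    a = ipaddress.IPv6Address(dst)
    return str(a) if a in ND_CACHE or a not in EXTERNAL else nptv6(a, EXTERNAL, INTERNAL)
```

Translating the reverse direction lands the adjustment word on 0xFFFF, which is why the 0x0000 rule matters for the round trip back to FDD4:7A3E::100.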