Create an NPTv6 Policy
Focus
Focus

Create an NPTv6 Policy

Table of Contents

Create an NPTv6 Policy

Perform this task when you want to configure a NAT NPTv6 policy to translate one IPv6 prefix to another IPv6 prefix. The prerequisites for this task are:
  • Enable IPv6. Select
    Device
    Setup
    Session
    . Click
    Edit
    and select
    IPv6 Firewalling
    .
  • Configure a Layer 3 Ethernet interface with a valid IPv6 address and with IPv6 enabled. Select
    Network
    Interfaces
    Ethernet
    , select an interface, and on the
    IPv6
    tab, select
    Enable IPv6 on the interface
    .
  • Create network security policies, because NPTv6 does not provide security.
  • Decide whether you want source translation, destination translation, or both.
  • Identify the zones to which you want to apply the NPTv6 policy.
  • Identify your original and translated IPv6 prefixes.
  1. Create a new NPTv6 policy.
    1. Select
      Policies
      NAT
      and click
      Add
      .
    2. On the
      General
      tab, enter a descriptive
      Name
      for the NPTv6 policy rule.
    3. (
      Optional
      ) Enter a
      Description
      and
      Tag
      .
    4. For
      NAT Type
      , select
      NPTv6
      .
  2. Specify the match criteria for incoming packets; packets that match all of the criteria are subject to the NPTv6 translation.
    Zones are required for both types of translation.
    1. On the
      Original Packet
      tab, for
      Source Zone
      , leave
      Any
      or
      Add
      the source zone to which the policy applies.
    2. Enter the
      Destination Zone
      to which the policy applies.
    3. (
      Optional
      ) Select a
      Destination Interface
      .
    4. (
      Optional
      ) Select a
      Service
      to restrict what type of packets are translated.
    5. If you are doing source translation, enter a
      Source Address
      or select
      Any
      . The address could be an address object. The following constraints apply to
      Source Address
      and
      Destination Address
      :
      • Prefixes of
        Source Address
        and
        Destination Address
        for the
        Original Packet
        and
        Translated Packet
        must be in the format xxxx:xxxx::/yy, although leading zeros in the prefix can be dropped.
      • The IPv6 address cannot have an interface identifier (host) portion defined.
      • The range of supported prefix lengths is /32 to /64.
      • The
        Source Address
        and
        Destination Address
        cannot both be set to
        Any
        .
    6. If you are doing source translation, you can optionally enter a
      Destination Address
      . If you are doing destination translation, the
      Destination Address
      is required. The destination address (an address object is allowed) must be a netmask, not just an IPv6 address and not a range. The prefix length must be a value from /32 to /64, inclusive. For example, 2001:db8::/32.
  3. Specify the translated packet.
    1. On the
      Translated Packet
      tab, if you want to do source translation, in the Source Address Translation section, for
      Translation Type
      , select
      Static IP
      . If you do not want to do source translation, select
      None
      .
    2. If you chose
      Static IP
      , the
      Translated Address
      field appears. Enter the translated IPv6 prefix or address object. See the constraints listed in the prior step.
      It is a best practice to configure your
      Translated Address
      to be the prefix of the untrust interface address of your firewall. For example, if your untrust interface has the address 2001:1a:1b:1::99/64, make your
      Translated Address
      2001:1a:1b:1::0/64.
    3. (
      Optional
      ) Select
      Bi-directional
      if you want the firewall to create a corresponding NPTv6 translation in the opposite direction of the translation you configure.
      If you enable
      Bi-directional
      translation, it is very important to make sure you have Security policy rules in place to control the traffic in both directions. Without such policy rules,
      Bi-directional
      translation allows packets to be automatically translated in both directions, which you might not want.
    4. If you want to do destination translation, select
      Destination Address Translation
      . In the
      Translated Address
      field, choose an address object or enter your internal destination address.
    5. Click
      OK
      .
  4. Configure NDP Proxy.
    When you configure the firewall to act as an NDP Proxy for addresses, it allows the firewall to send Neighbor Discovery (ND) advertisements and respond to ND solicitations from peers that are asking for MAC addresses of IPv6 prefixes assigned to devices behind the firewall.
    1. Select
      Network
      Interfaces
      Ethernet
      and select an interface.
    2. On the
      Advanced
      NDP Proxy
      tab, select
      Enable NDP Proxy
      and click
      Add
      .
    3. Enter the
      IP Address(es)
      for which NDP Proxy is enabled. It can be an address, a range of addresses, or a prefix and prefix length. The order of IP addresses does not matter. These addresses are ideally the same as the Translated Addresses that you configured in an NPTv6 policy.
      If the address is a subnet, the NDP Proxy will respond to all addresses in the subnet, so you should list the neighbors in that subnet with
      Negate
      selected, as described in the next step.
    4. (
      Optional
      ) Enter one or more addresses for which you do not want NDP Proxy enabled, and select
      Negate
      . For example, from an IP address range or prefix range configured in the prior step, you could negate a smaller subset of addresses. It is recommended that you negate the addresses of the neighbors of the firewall.
  5. Commit the configuration.
    Click
    OK
    and
    Commit
    .

Recommended For You