When you configure a policy for NPTv6, the Palo Alto Networks firewall performs a static, one-to-one IPv6 translation in both directions. The translation is based on the algorithm described in
In one use case, the firewall performing NPTv6 is located between an internal network and an external network (such as the internet) that uses globally routable prefixes. When datagrams are going in the outbound direction, the internal source prefix is replaced with the external prefix; this is known as source translation.
In another use case, when datagrams are going in the inbound direction, the destination prefix is replaced with the internal prefix (known as destination translation). The figure below illustrates destination translation and a characteristic of NPTv6: only the prefix portion of an IPv6 address is translated. The host portion of the address is not translated and remains the same on either side of the firewall. In the figure below, the host identifier is 111::55 on both sides of the firewall.
In an environment where you want IPv6 prefix translation, three firewall features work together: NPTv6 NAT policies, security policies, and
The NPTv6 mapping translations that the firewall performs are checksum-neutral, meaning that “... they result in IP headers that will generate the same IPv6 pseudo-header checksum when the checksum is calculated using the standard internet checksum algorithm [
RFC 6296, Section 2.6, for more information about checksum-neutral mapping.
If you are using NPTv6 to perform destination NAT, you can provide the internal IPv6 address and the external prefix/prefix length of the firewall interface in the syntax of the
CLI command. The CLI responds with the checksum-neutral, public IPv6 address to use in your NPTv6 configuration to reach that destination.
Create an NPTv6 Policy, the
option in the
tab provides a convenient way for you to have the firewall create a corresponding NAT or NPTv6 translation in the opposite direction of the translation you configured. By default,
translation is disabled.
The Palo Alto Networks implementation of NPTv6 offers the ability to filter packets to limit which packets are subject to translation. Keep in mind that NPTv6 does not perform port translation. There is no concept of Dynamic IP and Port (DIPP) translation because NPTv6 translates IPv6 prefixes only. However, you can specify that only packets for a certain service port undergo NPTv6 translation. To do so,
Create an NPTv6 Policy
that specifies a
in the Original Packet.