NAT66
NAT66 translates an IPv6 source or destination address to a different IPv6 source or destination address. NAT66 is not as common or as important as IPv4 NAT, because IPv6 networks generally do not need address translation as much as IPv4 networks do. However, NAT66 can be useful for a number of reasons. For example, you may have changed the IP addresses of some devices on your network but want traffic to still appear to be coming from their old addresses. You can use NAT66 to translate the source addresses of packets from the devices to their old source addresses.
In FortiOS, NAT66 options can be added to an IPv6 security policy from the CLI. Configuring NAT66 is very similar to configuring NAT in an IPv4 security policy. For example, use the following command to add an IPv6 security policy that translates the source address of IPv6 packets to the address of the destination interface (similar to IPv4 source NAT):
config firewall policy6
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr internal_net
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set nat enable
end
It can also be useful to translate one IPv6 source address to another address that is not the same as the address of the exiting interface. You can do this using IP pools. For example, enter the following command to add an IPv6 IP pool containing one IPv6 IP address:
config firewall ippool6
    edit example_6_pool
        set startip 2001:db8::
        set endip 2001:db8::
end
Enter the following command to add an IPv6 firewall address that contains a single IPv6 IP address.
config firewall address6
    edit device_address
        set ip6 2001:db8::132/128
end
Enter the following command to add an IPv6 security policy that accepts packets from a device with IP address 2001:db8::132 and translates the source address to 2001:db8::.
config firewall policy6
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr device_address
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set nat enable
        set ippool enable
        set poolname example_6_pool
end
NAT66 destination address translation
NAT66 can also be used to translate destination addresses. This is done in an IPv6 policy by using IPv6 virtual IPs. For example, enter the following command to add an IPv6 virtual IP that maps the destination address 2001:db8::dd to 2001:db8::ee.
config firewall vip6
    edit example-vip6
        set extip 2001:db8::dd
        set mappedip 2001:db8::ee
end
Enter the following command to add an IPv6 security policy that accepts packets with a destination address 2001:db8::dd and translates that destination address to 2001:db8::ee.
config firewall policy6
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set dstaddr example-vip6
        set action accept
        set schedule always
        set service ANY
end
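The following Python script is an added example, not part of the original page or of FortiOS. It parses configuration text in the CLI format shown above and reports, for each IPv6 policy, which source or destination translation applies, which is useful when reviewing NAT66 rules. The names parse, nat66_summary and SAMPLE, and the policy IDs 1 to 3, are assumptions made for the example.

```python
SAMPLE = """\
config firewall ippool6
    edit example_6_pool
        set startip 2001:db8::
        set endip 2001:db8::
end
config firewall vip6
    edit example-vip6
        set extip 2001:db8::dd
        set mappedip 2001:db8::ee
end
config firewall policy6
    edit 1
        set srcaddr internal_net
        set nat enable
    next
    edit 2
        set srcaddr device_address
        set nat enable
        set ippool enable
        set poolname example_6_pool
    next
    edit 3
        set srcaddr all
        set dstaddr example-vip6
end
"""  # constructed: the page's objects, policy IDs 1-3 assumed, NAT settings only

def parse(text):  # FortiOS config text -> {section: {entry: {setting: value}}}
    cfg = {}
    for w in filter(None, map(str.split, text.splitlines())):
        if w[0] == "config":
            section = cfg.setdefault(" ".join(w[1:]), {})
        elif w[0] == "edit":
            entry = section.setdefault(w[1], {})
        elif w[0] == "set":
            entry[w[1]] = " ".join(w[2:])
    return cfg  # "next" and "end" carry no settings and are skipped

def nat66_summary(cfg):  # policy ID -> list of translations that policy applies
    pools, vips, out = cfg.get("firewall ippool6", {}), cfg.get("firewall vip6", {}), {}
    for pid, p in cfg.get("firewall policy6", {}).items():
        notes = []
        if p.get("nat") == "enable":  # source NAT: pool start if enabled, else exit interface
            pool = pools.get(p.get("poolname"), {}) if p.get("ippool") == "enable" else {}
            notes.append(f"SNAT {p.get('srcaddr')} -> {pool.get('startip', 'dstintf address')}")
        if vip := vips.get(p.get("dstaddr")):  # destination NAT: IPv6 virtual IP
            notes.append(f"DNAT {vip['extip']} -> {vip['mappedip']}")
        out[pid] = notes
    return out
```

Calling nat66_summary(parse(SAMPLE)) returns one entry per policy; an empty list means the policy performs no translation.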