How to set up IPv6 NPTv6 source NAT
Created On 11/27/23 05:16 AM - Last Modified 10/29/25 20:56 PM
Objective
An internal IPv6 network with prefix fd00::/48 needs to reach the internet through a Palo Alto Networks firewall, with the following information provided by the IPv6 ISP (Internet Service Provider):
- Public IPv6 network prefix assigned: 2001:db8:1001::/48
- IPv6 default gateway: 2001:db8:1001::1
- Layer 3 IPv6 address 2001:db8:1001::2/48 on untrust interface (ethernet1/3)
- Layer 3 IPv6 address fd00::1/48 on trust interface (ethernet1/6), which is the default gateway of client hosts
- Static route next hop IPv6 address 2001:db8:1001::1 for the default gateway on the default virtual router
- Security policy rule to allow traffic from trust zone to untrust zone
Environment
- PAN-OS
- NGFW
- IPv6
- NPTv6
- NDP Proxy
Procedure
1. Create a NAT policy rule (Policies > NAT) with the following settings:
   - NAT Type: nptv6
   - Source Zone: trust
   - Destination Zone: untrust
   - Source Address Translation > Translation Type: Static IP
   - Source Address Translation > Translation Address: 2001:db8:1001::/48
2. Enable NDP Proxy on the untrust interface (Network > Interfaces > ethernet1/3 > Advanced > NDP Proxy):
   - Enable NDP Proxy: checked
   - Add > Address: 2001:db8:1001::/48
3. Initiate some internet traffic from a client and verify the source NAT translation and return traffic on the firewall (Monitor > Logs > Traffic).
Additional Information
With the NAT policy rule configured in Step 1, the source IPv6 address of each client host is translated to a public IPv6 address, for example:
- Source IP fd00::32 => NAT Source IP 2001:db8:1001:bf46::32
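
The `bf46` in the translated address comes from the checksum-neutral mapping defined in RFC 6296, which moves the difference between the two /48 prefixes into the 16-bit subnet word. The Python below is an added illustration, not Palo Alto Networks code: it assumes the RFC 6296 /48 algorithm, uses function names of its own, and reproduces the translation above together with the reverse lookup needed to trace a public address in the traffic log back to a client.

```python
import ipaddress

def ones_add(a, b):
    """16-bit one's-complement addition (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    n = int(addr)
    return [(n >> (112 - 16 * i)) & 0xFFFF for i in range(8)]

def prefix_sum(net):
    """One's-complement sum of the three words of a /48 prefix."""
    total = 0
    for w in words(net.network_address)[:3]:
        total = ones_add(total, w)
    return total

def nptv6_translate(addr, from_prefix, to_prefix):
    """Map addr from from_prefix to to_prefix (both /48), checksum-neutral."""
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != 48 or dst.prefixlen != 48:
        raise ValueError("this example handles /48 prefixes only")
    ip = ipaddress.IPv6Address(addr)
    if ip not in src:
        raise ValueError(f"{ip} is not inside {src}")
    w = words(ip)
    # Adjustment = sum(old prefix) - sum(new prefix) in one's complement.
    adj = ones_add(prefix_sum(src), ~prefix_sum(dst) & 0xFFFF)
    w[:3] = words(dst.network_address)[:3]
    w[3] = ones_add(w[3], adj)   # for a /48 the subnet word absorbs the change
    if w[3] == 0xFFFF:           # RFC 6296: a result of 0xffff is written as 0x0000
        w[3] = 0
    n = 0
    for x in w:
        n = (n << 16) | x
    return str(ipaddress.IPv6Address(n))

if __name__ == "__main__":
    inside, outside = "fd00::/48", "2001:db8:1001::/48"   # prefixes from this page
    public = nptv6_translate("fd00::32", inside, outside)
    print("outbound:  ", public)
    print("log lookup:", nptv6_translate(public, outside, inside))
```

The interface identifier (`::32`) is unchanged, and the translated address falls inside the 2001:db8:1001::/48 range entered for NDP Proxy in Step 2.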