How to set up Destination-NAT for IPv6.

Created On 05/16/21 10:19 AM - Last Modified 06/29/23 03:50 AM


Objective


This article provides the configuration steps for Destination-NAT on IPv6 so that traffic arriving on the Untrust interface is forwarded to the Trust server 2401:efXX:X000::10.

Environment


Packet flow:

Untrust---->PA ---->Trust server 2401:efXX:X000::10.

Untrust interface IPv6 address: 2402:efXX:X000:0000::2/64.


Procedure


To configure Destination-NAT for IPv6, first determine the checksum-neutral public IPv6 address. If you are using NPTv6 to perform destination NAT, you can provide the internal IPv6 address and the external prefix/prefix length of the firewall interface in the following CLI command:
test nptv6 cks-neutral source-ip <internal IPv6 address> dest-network <external IPv6 prefix>

The CLI responds with the checksum-neutral public IPv6 address to use in your NPTv6 configuration to reach that destination. Below is the checksum-neutral public IPv6 address for the above topology:

> test nptv6 cks-neutral source-ip 2401:efXX:X000::10 dest-network 2402:efXX:X000:0::/64
The checksum neutral address of 2401:efXX:X000::10 is 2402:efXX:X000:0:XXfd::10 in 2402:efXX:X000:0::/64 subnet
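To see where the extra word in the mapped address comes from, the following added example (not Palo Alto Networks code) implements the RFC 6296 NPTv6 mapping for equal-length prefixes between /49 and /64. The helper names, the explicit internal-prefix argument and the 2001:db8::/32 sample addresses are assumptions made for illustration; on the firewall, use the address the CLI command returns.

```python
import ipaddress

def _fold(total):
    """Fold carries back in: 16-bit one's-complement addition."""
    while total > 0xFFFF:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def _words(addr):
    """Split an IPv6 address into its eight 16-bit words."""
    raw = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 16, 2)]

def checksum(addr):
    """One's-complement sum of the address's eight 16-bit words."""
    return _fold(sum(_words(addr)))

def cks_neutral(internal_ip, internal_net, external_net):
    """Hypothetical helper: RFC 6296 mapping for equal-length /49 to /64 prefixes."""
    ip = ipaddress.IPv6Address(internal_ip)
    inside = ipaddress.IPv6Network(internal_net)
    outside = ipaddress.IPv6Network(external_net)
    if inside.prefixlen != outside.prefixlen or not 48 < inside.prefixlen <= 64:
        raise ValueError("needs equal-length prefixes between /49 and /64")
    if ip not in inside:
        raise ValueError("internal_ip is not within internal_net")
    # adjustment = sum(internal prefix) - sum(external prefix), one's complement
    adjustment = _fold(checksum(inside.network_address)
                       + (~checksum(outside.network_address) & 0xFFFF))
    # Swap the prefix bits and keep the host bits unchanged.
    mapped = _words(int(outside.network_address) | (int(ip) & int(inside.hostmask)))
    # Apply the adjustment to the first interface-ID word that is not 0xFFFF.
    for i in range(4, 8):
        if mapped[i] != 0xFFFF:
            word = _fold(mapped[i] + adjustment)
            mapped[i] = 0 if word == 0xFFFF else word  # 0xFFFF is written as 0
            break
    else:
        raise ValueError("an interface ID of all ones cannot be mapped")
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in mapped))

if __name__ == "__main__":
    # Constructed sample values from the 2001:db8::/32 documentation range.
    inner = "2001:db8:a::10"
    outer = cks_neutral(inner, "2001:db8:a::/64", "2001:db8:b::/64")
    print(outer, hex(checksum(inner)), hex(checksum(outer)))
```

Because the one's-complement sum of the mapped address equals that of the internal address, TCP and UDP checksums stay valid without being recomputed after translation.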

The relevant NAT policy looks like the following:
[Screenshots: NAT policy rule]


The Untrust interface also needs an entry for 2402:efXX:X000:0:XXfd::10 under Advanced > NDP Proxy.
[Screenshot: NDP Proxy entry on the Untrust interface]


Additional Information


https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nptv6.html
