Friday, April 4, 2014

NAT66 in a crunch on a fortigate

Sometimes in the IPv6 world we have to provide outbound access for internal clients quickly. NAT66 is a means of source-NATing (SNAT) internal IPv6 addresses to the address of your outside interface.


This gives you a quick way to deliver IPv6 access to IPv6-enabled hosts. Review this topology:




Here we have an IPv6 prefix that is not routed from the outside, 2001:d8::/64, and we will apply NAT66 policies for the inside hosts located within that space.

A simple policy can be crafted to give the internal clients access to the IPv6 internet;


Example policy:




NOTE: pre-5.x FortiOS code does not have the "set nat enable" option available in IPv6 policies.
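As an added example, and not the original post's policy (whose screenshot is not reproduced above), here is a FortiOS 5.x CLI configuration that implements the setup described: hosts in the inside prefix 2001:d8::/64 are source-NATed to the outside interface address when they leave. The interface names internal and wan1, the outside address 2001:db8:1::2/64 and the upstream gateway 2001:db8:1::1 are assumed values chosen for illustration.

```fortios
# Added example, not the original post's configuration.
# Interface names, the outside address and the gateway are assumed.

# Outside interface gets a routable global address. NAT66 will use this
# address as the translated source for the inside hosts.
config system interface
    edit "wan1"
        config ipv6
            set ip6-address 2001:db8:1::2/64
        end
    next
end

# Inside interface carries the prefix that is NOT routed from outside.
config system interface
    edit "internal"
        config ipv6
            set ip6-address 2001:d8::1/64
        end
    next
end

# Default IPv6 route via the upstream gateway (assumed address).
config router static6
    edit 1
        set gateway 2001:db8:1::1
        set device "wan1"
    next
end

# Address object for the inside prefix, so the policy does not
# NAT everything that happens to arrive on the internal interface.
config firewall address6
    edit "inside-v6"
        set ip6 2001:d8::/64
    next
end

# IPv6 policy internal -> wan1 with SNAT to the wan1 address.
# "set nat enable" is what turns on NAT66; it is absent before FortiOS 5.x.
config firewall policy6
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "inside-v6"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Once this is in place, an outbound session from an inside host should appear in the IPv6 session table (diagnose sys session6 list) with its source rewritten to the wan1 address. Note that NAT66 itself is not the security control here: the policy6 entry is what restricts which inside prefix and which direction of traffic is allowed, and scoping srcaddr to the inside prefix rather than "all" keeps the translation from silently covering traffic you did not intend to NAT.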


NAT66 helps in a crunch, when you are limited in or do not have enough IPv6 prefixes. It is not ideal, but it works in the same fashion as IPv4 SNAT and provides an alternative means of giving local clients access.


YMMV, but with the size and availability of IPv6 prefixes you should have NO requirement for SNAT, imho.


NOTE: Firewalls from Cisco and Juniper also allow for NAT66, and Linux iptables (ip6tables) allows for NAT66 as well.


Ken Felix
Freelance Network / Security Engineer Consultant
 " An IPv6 migration expert :) "
kfelix  ----a@t---socpuppets ---<dot>----com

         ^         ^
=(   <@> <@>   )=
              o
           /     \

