# Understanding NPTv6 on Palo Alto Networks Firewalls

NPTv6 (Network Prefix Translation for IPv6), defined in RFC 6296, is a stateless, transport-agnostic IPv6-to-IPv6 translation mechanism. Unlike traditional stateful NAT (such as NAT44 PAT or NAT64), NPTv6 translates only the IPv6 **network prefix**, preserving the host identifier portion of the address and maintaining a 1:1 mapping between internal and external addresses within the translated prefixes.
## What is NPTv6?

NPTv6 allows an organization to use stable internal IPv6 addresses (often Unique Local Addresses, ULAs, from `fd00::/8`, or a stable Global Unicast Address, GUA) while using different, potentially changing, public GUA prefixes provided by ISPs for external communication.

- **Stateless (Mostly):** It translates prefixes algorithmically, so it does not need to keep per-connection state tables the way traditional NAT does. This simplifies processing and can improve performance. (Note: the firewall still tracks sessions for security policy.)
- **1:1 Address Mapping:** For every internal address within the source prefix there is a corresponding unique external address within the translated prefix, and vice versa.
- **Prefix Translation Only:** Only the network portion (typically the first /48 or /64) of the IPv6 address is changed. The Interface Identifier (host portion) remains the same.
- **Checksum Neutral:** The algorithm is designed so that the IP header checksum remains valid after translation, minimizing processing overhead.
- **No Port Translation:** NPTv6 does *not* modify TCP/UDP port numbers.
## Key Differences from NAT44/NAT64

- **NAT44 (PAT):** IPv4-to-IPv4, typically many-to-one (overloading), stateful; translates IP addresses and ports. Hides internal topology and breaks the end-to-end principle at the IP layer.
- **NAT64:** IPv6-to-IPv4 (and vice versa), stateful; translates IP addresses and often ports (NAPT64). A transition mechanism.
- **NPTv6:** IPv6-to-IPv6, one-to-one prefix translation, stateless (at the NAT level); translates *only* the IPv6 prefix. Aims to preserve address-mapping transparency.
## Primary Use Cases

- **ISP Multi-homing:** Use stable internal addresses while holding prefixes from multiple ISPs. NPTv6 translates internal addresses to the appropriate ISP prefix for outbound traffic.
- **Network Renumbering:** Change ISP or public prefix without re-addressing all internal hosts; only the NPTv6 translation rules need updating.
- **Provider Independence:** Use provider-independent internal addressing (such as ULAs) while still interacting with the global IPv6 Internet using provider-assigned prefixes.
## Palo Alto Implementation Details

NAT policies are configured under **Policies > NAT**. Configuring NPTv6 involves creating a specific type of NAT rule:

- Click **Add** to create a new NAT rule.
- On the **General** tab, set **NAT Type** to `nptv6`.
- **Original Packet** tab:
  - **Source Zone/Destination Zone:** Define the zones involved in the traffic flow (e.g., Internal_IPv6 to External_IPv6).
  - **Source Address:** The **Internal IPv6 Prefix** (e.g., `fd00:aaaa:bbbb::/48`) that needs translation when going outbound.
  - **Destination Address:** Typically `any`, unless you only want to translate for specific destinations.
- **Translated Packet** tab:
  - **Source Address Translation:** Select **Static IP** and enter the **External IPv6 Prefix** (e.g., `2001:db8:100::/48`) that the internal source prefix should be translated *to*. The firewall automatically preserves the host bits.
  - **Destination Address Translation:** To handle return traffic correctly (translating the external destination back to internal), select **Static IP** and enter the **Internal IPv6 Prefix** (e.g., `fd00:aaaa:bbbb::/48`). The firewall will translate incoming packets destined for the External Prefix back to the Internal Prefix.

**Bi-directional Configuration:** Unlike simple SNAT, NPTv6 usually requires defining *both* the Source and Destination Address Translation within the *same rule* to handle traffic in both directions correctly. The "Original Packet" section defines the traffic match, and the "Translated Packet" section defines how the source *and* destination prefixes are swapped.
## Traffic Flow Example

- **Internal Prefix:** `fd00:aaaa:bbbb::/48`
- **External (ISP) Prefix:** `2001:db8:100::/48`
- **Internal Client:** `fd00:aaaa:bbbb::1234`
- **External Server:** `2001:db8:ffff::5678`

**Forward Path (Internal Client -> External Server):**

```
# Original Packet
Source IP:      fd00:aaaa:bbbb::1234
Destination IP: 2001:db8:ffff::5678

# Packet After NPTv6 (Firewall -> External Server)
Source IP:      2001:db8:100::1234    <-- Source Prefix Translated
Destination IP: 2001:db8:ffff::5678   <-- Destination Unchanged by *this* translation direction
```

**Return Path (External Server -> Internal Client):**

```
# Original Packet (External Server -> Firewall External Prefix Host)
Source IP:      2001:db8:ffff::5678
Destination IP: 2001:db8:100::1234

# Packet After Reverse NPTv6 (Firewall -> Internal Client)
Source IP:      2001:db8:ffff::5678   <-- Source Unchanged by *this* translation direction
Destination IP: fd00:aaaa:bbbb::1234  <-- Destination Prefix Translated
```

(Note: The "Destination Address Translation" part of the NPTv6 rule handles the return-path destination translation.)
## Interaction with Security Policy

Because NPTv6 translates prefixes algorithmically and aims to be stateless at the NAT level, the translation happens relatively late in the packet-processing flow, similar to Source NAT.

**Key Point:** Security Policy rules for traffic subject to NPTv6 should generally match the **original (pre-translation) source and destination zones** and the **original (pre-translation) source and destination addresses/prefixes**.

Example Security Rule (allowing the internal ULA prefix out):

- **Source Zone:** Internal_IPv6
- **Source Address:** `fd00:aaaa:bbbb::/48` (Internal Prefix)
- **Destination Zone:** External_IPv6
- **Destination Address:** `any` (or specific external destinations)
- **Application/Service:** As needed
- **Action:** Allow

The Security policy allows the original flow based on internal addresses, and the NPTv6 rule then translates the prefix just before the packet leaves the firewall (or translates the destination prefix as it arrives on the return path).
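The forward and return paths in the traffic flow example, and the pre-NAT policy match described in this section, as an added example that is not from the original page or from Palo Alto Networks: a Python model of the RFC 6296 translation (prefix replacement plus the checksum-neutral one's complement adjustment of the 16-bit subnet word for prefixes of /48 or shorter, or of an IID word for /49 to /64), followed by a toy first-match security-policy lookup that evaluates the pre-translation source address. The class name `NPTv6Translator`, the rule names and the rulebase are all constructed for this illustration. One caveat the simplified flow above glosses over: what RFC 6296 keeps neutral is the transport-layer checksum (TCP, UDP and ICMPv6 cover the IPv6 addresses through the pseudo-header; IPv6 itself has no header checksum), and it does so by adjusting the subnet field, so the page's prefixes actually put `2001:db8:100:34ae::1234` on the wire rather than `2001:db8:100::1234`. The host identifier `::1234` is still preserved and the reverse translation restores the original address exactly, which is why the security rule below still has to be written against `fd00:aaaa:bbbb::/48`.

```python
import ipaddress
from dataclasses import dataclass


def _words(addr: ipaddress.IPv6Address) -> list[int]:
    """Split a 128-bit address into its eight 16-bit words."""
    b = addr.packed
    return [int.from_bytes(b[i:i + 2], "big") for i in range(0, 16, 2)]


def _from_words(words: list[int]) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(b"".join(w.to_bytes(2, "big") for w in words))


def _oc_add(a: int, b: int) -> int:
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def _oc_sum(words: list[int]) -> int:
    total = 0
    for w in words:
        total = _oc_add(total, w)
    return total


class NPTv6Translator:
    """Hypothetical RFC 6296 translator mapping an internal prefix to an external one."""

    def __init__(self, internal: str, external: str) -> None:
        self.internal = ipaddress.IPv6Network(internal)
        self.external = ipaddress.IPv6Network(external)
        self.plen = self.internal.prefixlen
        if self.plen != self.external.prefixlen or self.plen > 64:
            raise ValueError("NPTv6 needs equal-length prefixes of /64 or shorter")
        # Adjustment = internal minus external (one's complement) over the first
        # four words; it is a constant for the lifetime of the rule.
        int_sum = _oc_sum(_words(self.internal.network_address)[:4])
        ext_sum = _oc_sum(_words(self.external.network_address)[:4])
        self.adjust = _oc_add(int_sum, (~ext_sum) & 0xFFFF)

    def _translate(self, addr, src_net, dst_net, adjust):
        if addr not in src_net:
            raise ValueError(f"{addr} is not inside {src_net}")
        host_mask = (1 << (128 - self.plen)) - 1          # bits after the prefix
        words = _words(ipaddress.IPv6Address(
            int(dst_net.network_address) | (int(addr) & host_mask)))
        if self.plen <= 48:
            idx = 3                                         # subnet field, bits 48..63
        else:
            # /49 to /64: the adjustment goes into the first IID word that is not 0xFFFF
            idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
            if idx is None:
                raise ValueError("IID is all 0xFFFF; RFC 6296 says drop the packet")
        words[idx] = _oc_add(words[idx], adjust)
        if words[idx] == 0xFFFF:                            # negative zero is written as +0
            words[idx] = 0x0000
        return _from_words(words)

    def outbound(self, addr: str) -> ipaddress.IPv6Address:
        """Internal -> external: source address of an outbound packet."""
        return self._translate(ipaddress.IPv6Address(addr), self.internal,
                               self.external, self.adjust)

    def inbound(self, addr: str) -> ipaddress.IPv6Address:
        """External -> internal: destination address of a returning packet."""
        return self._translate(ipaddress.IPv6Address(addr), self.external,
                               self.internal, (~self.adjust) & 0xFFFF)


def is_checksum_neutral(a: str, b: str) -> bool:
    """True if both addresses contribute the same one's complement sum to a
    transport checksum; 0xFFFF and 0x0000 are the same value in that arithmetic."""
    sa = _oc_sum(_words(ipaddress.IPv6Address(a))) % 0xFFFF
    sb = _oc_sum(_words(ipaddress.IPv6Address(b))) % 0xFFFF
    return sa == sb


@dataclass
class SecurityRule:
    name: str
    src_zone: str
    dst_zone: str
    src: ipaddress.IPv6Network
    action: str


def security_lookup(rules, src_zone, dst_zone, src_ip):
    """First-match lookup on the pre-NAT address; no match is the implicit interzone deny."""
    ip = ipaddress.IPv6Address(src_ip)
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone and ip in r.src:
            return r.name, r.action
    return None, "deny"


# Constructed rulebase: the first rule is written against the translated prefix
# (a common mistake) and never sees a pre-NAT packet; the second uses the internal prefix.
RULES = [
    SecurityRule("wrong-post-nat", "Internal_IPv6", "External_IPv6",
                 ipaddress.IPv6Network("2001:db8:100::/48"), "allow"),
    SecurityRule("allow-ula-out", "Internal_IPv6", "External_IPv6",
                 ipaddress.IPv6Network("fd00:aaaa:bbbb::/48"), "allow"),
]
NAT = NPTv6Translator("fd00:aaaa:bbbb::/48", "2001:db8:100::/48")

if __name__ == "__main__":
    client = "fd00:aaaa:bbbb::1234"
    print(security_lookup(RULES, "Internal_IPv6", "External_IPv6", client))
    print(NAT.outbound(client), NAT.inbound(str(NAT.outbound(client))))
```

Running the script prints the matching rule (`allow-ula-out`, found on the pre-NAT address while `wrong-post-nat` never matches), then the on-the-wire source `2001:db8:100:34ae::1234` and its reverse translation back to `fd00:aaaa:bbbb::1234`. The second `NPTv6Translator` in the test below reproduces the worked example from Appendix B of RFC 6296.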