IPv6 NPTv6 (Network Prefix Translation)

Lesson Contents

NPTv6 stands for Network Prefix Translation and like NAT it allows the translation of IPv6. The difference, however, is that NPTv6 only translates prefixes. It doesn’t translate the host address, there is no “overload” like NAT where you can have multiple source addresses behind a single address. It’s a simple 1:1 translation for prefixes.

There are plenty of global IPv6 addresses so why would you want to use NPTv6? Here are two reasons:

  • Address independence: you don’t have to change your IPv6 prefixes on your local network when your global IPv6 prefix changes. On the other hand, IPv6 renumbering is not so bad compared to IPv4.
  • ULAs (Unique Local Addresses): NPTv6 translates the prefix in your ULAs to a global prefix that is routable on the Internet.
  • Access-lists: Your host has two IPv6 addresses and only one of them is permitted through some firewall. Your host won’t know which source address is permitted through the firewall so by using NPTv6, you can translate the address to a prefix that is permitted through the firewall.


Let’s see how we configure NPTv6. I’ll use this topology:

Ipv6 Nptv6 Three Devices Topology

What do we have?

  • H1 is a host on our internal network.
  • NPTv6 is the router where we configure NPTv6.
  • H3 is some host on the Internet.

The 2001:DB8:0:2::/64 prefix on the loopback 0 interface of NPTv6 is the global prefix that we want to translate to.

I pre-configured my devices with IPv6 addresses and static routes so that we have reachability between H1 and H3.


Want to take a look for yourself? Here you will find the startup configuration of each device.


hostname H1
ipv6 unicast-routing
ipv6 cef
interface GigabitEthernet0/1
 ipv6 address 2001:DB8:0:12::1/64
ipv6 route ::/0 2001:DB8:0:12::2


hostname H3
ipv6 unicast-routing
ipv6 cef
interface GigabitEthernet0/1
 ipv6 address 2001:DB8:0:23::3/64
ipv6 route ::/0 2001:DB8:0:23::2


hostname NPTV6
ipv6 unicast-routing
interface Loopback0
 ipv6 address 2001:DB8:0:2::2/64
interface GigabitEthernet2
 ipv6 address 2001:DB8:0:12::2/64
interface GigabitEthernet3
 ipv6 address 2001:DB8:0:23::2/64

Let’s get started. We first need to define the inside and outside interfaces:

NPTV6(config)#interface GigabitEthernet 2
NPTV6(config-if)#nat66 inside

NPTV6(config)#interface GigabitEthernet 3
NPTV6(config-if)#nat66 outside

The second (and last) thing to do is to tell the router what the inside and outside prefixes are:

NPTV6(config)#nat66 prefix inside 2001:DB8:0:12::/64 outside 2001:DB8:0:2::/64

The inside prefix is the link that we use between H1 and NPTv6, the outside prefix is the one on the loopback 0 interface. That’s all we have to configure.


There are only two show commands. Here’s the first one:

NPTV6#show nat66 prefix 

Prefixes configured: 1

NAT66 Prefixes

Id: 1          Inside 2001:DB8:0:12::/64 Outside 2001:DB8:0:2::/64

This shows us the prefixes that we configured. Let’s try a quick ping from H1:

H1#ping 2001:DB8:0:23::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:DB8:0:23::3, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 3/6/12 ms

The ping works but it doesn’t tell me if the prefix is translated. There’s another command for that:

We're Sorry, Full Content Access is for Members Only...

If you like to keep on reading, Become a Member Now! Here is why:

  • Learn any CCNA, CCNP and CCIE R&S Topic. Explained As Simple As Possible.
  • Try for Just $1. The Best Dollar You’ve Ever Spent on Your Cisco Career!
  • Full Access to our 739 Lessons. More Lessons Added Every Week!
  • Content created by Rene Molenaar (CCIE #41726)

542 Sign Ups in the last 30 days

100% Satisfaction Guaranteed!
You may cancel your monthly membership at any time.
No Questions Asked!


Forum Replies

  1. Why did I use a loopback with a prefix instead of prefix 2001:DB8:0:23::/64 (the link between NPTv6 and H3)? I tried this the first time but it doesn’t work because H3 will do a neighbor solicitation for 2001:DB8:0:23::1/64 (the translated address). Since nobody responds to that address, the ping fails.

    I guess the question is - what if you changed the IP of H1 to 2001:DB8:0:12::2/64 (and swapped G2 to ::1)

    Then the translated address for H1 would be 2001:DB8:0:23::2/64 - so NPTV6 should respond to the neighbour solicitation :wink:

  2. Hello Fabrice

    IPv4 and IPv6 are similar in that they separate their respective addresses into two sections. The terminology used is somewhat different however. Where an IPv4 address is separated into the network portion and the host portion using a subnet mask, an IPv6 address is separated into a prefix and a host identifier using the prefix length.

    So for an IP address of 2001:DB8:0:12::1/64 as in the lesson, the prefix is 2001:DB8:0:12, the host identifier is ::1 and the prefix length is 64. 64 indicates what part of the address is the prefix, that is, the

    ... Continue reading in our forum

  3. Hello Boris

    Limitations to any technology can be a subjective matter. For one person, one aspect may be limiting while another may not. Compared to NAT, the fact that NPTv6 can only provide a one-to-one translation may be a limitation for someone that wants this functionality, however, NPTv6 was not developed for this purpose. For others, the fact that you can’t have mismatched prefix allocation sizes is a limit.

    NPTv6 was developed in order to provide a very simple functionality: rewrite the IPv6 prefix. That’s it. Now for some this is a limitation, for o

    ... Continue reading in our forum

  4. Hey Laz and Rene,

    Why there isn’t any show command like show nat66 translations?

    I know that the conversion is 1:1 but sometimes you want to see which ip address was translated and which wasn’t , and you can’t verify this with the other show commands.
    (For example - port forwarding in NPTv6 for servers environment with public services)

    Another question that I wanna ask: if there is any method like NAT ALG in the NPTv6 version?

    Thanks you very much

  5. Hello Nitay

    As far as I can see there is no way to see the actual translations of the specific IP addresses. But there is a reason for this. NAT66 does not keep track of each individual translation like NAT for IPv4 does. It simply translates the prefixes. In this sense, it is stateless as far as the specific addresses are concerned, that’s why you can’t see a record of the translations. The only way to see and verify specific translations is to do a wireshark capture and see what addresses appear in the IPv6 header.

    ... Continue reading in our forum

4 more replies! Ask a question or join the discussion by visiting our Community Forum