(Remember, NAT is evil!)
Mapping is done under a rule-set, for example, here we happen to have a FireBrick that has a Native IP block from AAISP, and a Tunnel from TunnelBroker.net. We want to map one of the Tunneled IPs to a machine on our LAN which has been assigned one of our native IPv6 addresses from AAISP.
<rule-set name="Mapping Example"> <rule name="HE to Web server" target-ip="2001:470:1F09:B40::2" target-port="80" set-target-ip="2001:8B0:1635::D685:64FF:FEC9:E630" target-port="80" set-nat="true" log="true"/> </rule-set>
You can of course use IPv4 addresses, and map the public IP of your FireBrick to a natted RFC1918 IP on the LAN. See the manual for other elements of the <rule ...> tag.