Ipv6 NAT-PT Transition
NAT-PT method allows IPv6-ONLY nodes to communicate with IPv4-ONLY nodes or vice versa, a sort of gateway for IPv4/IPv6 networks, so dual stack is needed ONLY on the NAT-PT device.
This Transition method could be useful when IPv6 is be the predominant connectivity type with a need to connect to specific IPv4 nodes, in their way to die out. Although this method is deprecated, it could be an excelent introduction to understand NAT64/DNS64.
Depending on your needs you can use NAT-PT in four different ways (similar to NAT for IPv4):
- Static NAT-PT.
- Dynamic NAT-PT.
- PAT overload.
- IPv4-mapped.
Also an example of NAT-PT with ALG (Application Layer Gateway) is provided.
In this lab, IPv6 site is communicating with specific IPv4 nodes from IPv4 site (except for IPv4-mapped NAT-prefix)
Figure 1 illustratesthe Lab topology used to test each of the previously mentioned NAT-PT methods.
Figure 1 Topology:
Let’s suppose you have an internal IPv6-only network, and you want to communicate with the outside world (IPv4-ONLY). All hosts will see the outside world as IPv6; also the outside world will see your addresses as IPv4 and will have no idea about what is happening inside your network. (figure 2,3)
Both networks route their traffic to the Border router (NAT gateway) supporting dual-stack, where translation from IPv6 to IPv4 and IPv4 to IPv6 is be performed.
Figure 2: The network as seen from IPv4 side.
Figure 3: The network as seen from IPv6 side
The key concept in Translation is how the IPv6 site will see IPv4 nodes, and how IPv4 site will see IPv6 nodes (figure2 & 3)
STATIC NAT-PT
Table 1 :v6v4 Address translation
| v6v4 |
IPv6 network
IPv6
|
IPv6 nodes as seen by IPv4 network |
IPv4
|
| 2001:a:b:c::1/64 |
====> will be seen as |
192.168.40.1 |
| 2001:a:b:c::2/64 |
====> will be seen as |
192.168.40.2 |
| 2001:a:b:c::3/64 |
====> will be seen as |
192.168.40.3 |
Any traffic originated from 2001:a:b:c::
will trigger v6v4 operations. (figure4)
The prefix 2001:a:b:c:: represents IPv6 address scheme inside IPv6 site.
Table 2 :v4v6 Address translation
| v4v6 |
IPv4 node |
IPv4 nodes as seen by IPv6 network |
IPv6 network
IPv6
|
| 192.168.40.200 |
====> will be seen as |
2001::c0a8:28c8/96 |
c0a8:28c8 Is the representation of IPv4 address in Hexadecimal.
The prefix 2001::/96
is called NAT-PT prefix and represents IPv6 address prefix reserved for IPv4 nodes from the IPv4 site as seen from the IPv6 site, it could be part of the IPv6 site address scheme or a different prefix allocated from the ISP for the subject in matter.
Any IPv4 node will be represented inside IPv6 site as <NAT-PT-prefix>::<IPv4-in-hex>
So any traffic destined to an IPv6 address with <NAT-PT-prefix> will trigger v4v6 operations. (figure4)
As mentioned earlier, IPv6 site is communicating with specific IPv4 nodes from IPv4 site (except for IPv4-mapped NAT-prefix).
Figure 4: v6v4 & v4v6 operations
Static NAT-PT:
!! This is the IPv6 side interface
interface FastEthernet0/0
no ip address
ipv6 address 2001:A:B:C::4/64
!! Enable IPv6 NAT
ipv6 nat
!
!! This is the IPv4 side interface
interface FastEthernet1/0
ip address 192.168.40.199 255.255.255.0
!! Enable IPv6 NAT
ipv6 nat
!
!
!! any IPv6 packet with destination 2001::c0a8:28c8 will be translated to an IPv4 destination !!192.168.40.200
ipv6 nat v4v6 source 192.168.40.200 2001::C0A8:28C8
!! any IPv6 packet with IPv6 source address 2001:a:b:c:X with X=1,2,3 will be translated to an IPv4 source address 192.168.40.X with X=1,2,3 respectively.
ipv6 nat v6v4 source 2001:A:B:C::1 192.168.40.1
ipv6 nat v6v4 source 2001:A:B:C::2 192.168.40.2
ipv6 nat v6v4 source 2001:A:B:C::3 192.168.40.3
!! Enable IPv6 unicast routing
ipv6 unicast-routing
!
!! IPv6 prefix 2001::/96 is allocated to represent IPv4 addresses in IPv6 format and will be inspected by NAT-PT otherwise dropped
ipv6 nat prefix 2001::/96
|
connectivity check:
Routerv6_1#ping 2001::C0A8:28C8 repeat 3
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 2001::C0A8:28C8, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 72/80/88 ms
Routerv6_1#
Routerv6_2#ping 2001::C0A8:28C8 repeat 3
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 2001::C0A8:28C8, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 60/125/164 ms
Routerv6_2#
Routerv6_3#ping 2001::C0A8:28C8 repeat 3
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 2001::C0A8:28C8, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 88/134/208 ms
Routerv6_3#
|
Each traffic from each IPv6 host is translated according to the configured static NAT-PT
NAT-PT#
*Mar 1 04:18:57.446: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:18:57.502: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1)
*Mar 1 04:18:57.554: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:18:57.634: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1)
*Mar 1 04:18:57.662: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:18:57.682: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1)
NAT-PT#
|
NAT-PT(config)#
*Mar 1 04:25:50.854: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:25:50.962: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2)
*Mar 1 04:25:51.022: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:25:51.038: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2)
*Mar 1 04:25:51.086: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:25:51.178: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2)
NAT-PT(config)# |
NAT-PT(config)#
*Mar 1 04:26:13.274: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:26:13.354: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3)
*Mar 1 04:26:13.398: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:26:13.470: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3)
*Mar 1 04:26:13.494: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:26:13.570: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3)
NAT-PT(config)#
|
NAT-PT#sh ipv6 nat translations
Prot IPv4 source IPv6 source
IPv4 destination IPv6 destination
— — —
192.168.40.200 2001::C0A8:28C8
— 192.168.40.1 2001:A:B:C::1
192.168.40.200 2001::C0A8:28C8
— 192.168.40.1 2001:A:B:C::1
— —
NAT-PT#
|
DYNAMIC NAT-PT
With Dynamic translation, a specific IPv6 prefix will be translated to a pool of IPv4 addresses as the source address; and the destination is translated to the static v4v6 entry.
Table 3 :v6v4 Address translation
| v6v4 |
IPv6 network
IPv6
|
IPv6 nodes as seen by IPv4 network |
IPv4
|
| Any 2001:a:b:c::/64 node (3 nodes in our case) |
====> will be represented by |
192.168.40.1 |
| 192.168.40.2 |
| 192.168.40.3 |
Any traffic originated from 2001:a:b:c::/64
will trigger v6v4 operations.
Because there is three IPv6 nodes and three IPv4 addresses, a one-to-one translation will occur.
Table 4 :v4v6 Address translation
| v4v6 |
IPv4 node |
IPv4 nodes as seen by IPv6 network |
IPv6 network
IPv6
|
| 192.168.40.200 |
====> will be seen as |
2001::c0a8:28c8/96 |
interface FastEthernet0/0
no ip address
ipv6 address 2001:A:B:C::4/64
ipv6 nat
!
interface FastEthernet1/0
ip address 192.168.40.199 255.255.255.0
ipv6 nat
!
!! Enable IPv6 unicast routing
ipv6 unicast-routing
!
ipv6 nat v4v6 source 192.168.40.200 2001::C0A8:28C8
ipv6 nat v6v4 source list list_to-ipv4 pool ipv4_pool
ipv6 nat v6v4 pool ipv4_pool 192.168.40.1 192.168.40.3 prefix-length 24
ipv6 nat prefix 2001::/96
!
ipv6 access-list list_to-ipv4
permit ipv6 2001:A:B:C::/64 any
|
Connectivity check:
NAT-PT(config)#do sh ipv6 nat trans
Prot IPv4 source IPv6 source
IPv4 destination IPv6 destination
— — —
192.168.40.200 2001::C0A8:28C8
— 192.168.40.1 2001:A:B:C::1
192.168.40.200 2001::C0A8:28C8
— 192.168.40.1 2001:A:B:C::1
— —
— 192.168.40.2 2001:A:B:C::2
192.168.40.200 2001::C0A8:28C8
— 192.168.40.2 2001:A:B:C::2
— —
— 192.168.40.3 2001:A:B:C::3
192.168.40.200 2001::C0A8:28C8
— 192.168.40.3 2001:A:B:C::3
— —
NAT-PT(config)#
|
NAT-PT(config)#do sh ipv6 nat stat
Total active translations: 7 (-5 static, 12 dynamic; 0 extended)
NAT-PT interfaces:
FastEthernet0/0, FastEthernet1/0, NVI0
Hits: 0 Misses: 0
Expired translations: 0
NAT-PT(config)#
|
debug:
NAT-PT(config)#
*Mar 1 04:44:15.454: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:44:15.586: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1)
*Mar 1 04:44:15.650: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:44:15.730: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1)
*Mar 1 04:44:15.794: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:44:15.810: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.1) -> (2001:A:B:C::1)
NAT-PT(config)#
NAT-PT(config)#
NAT-PT(config)#
*Mar 1 04:44:29.122: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:44:29.230: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2)
*Mar 1 04:44:29.262: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:44:29.326: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2)
*Mar 1 04:44:29.386: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.2), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:44:29.410: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.2) -> (2001:A:B:C::2)
NAT-PT(config)#
NAT-PT(config)#
NAT-PT(config)#
*Mar 1 04:44:42.434: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:44:42.514: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3)
*Mar 1 04:44:42.546: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:44:42.574: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3)
*Mar 1 04:44:42.622: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.3), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:44:42.678: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.3) -> (2001:A:B:C::3)
NAT-PT(config)#
|
PAT NAT-PT
Table 5 :v6v4 Address translation
| v6v4 |
IPv6 network
IPv6
|
IPv6 nodes as seen by IPv4 network |
IPv4
|
| Any 2001:a:b:c::/64 node (3 nodes in our case) |
====> will be represented by |
192.168.40.199 |
Any traffic originated from 2001:a:b:c::/64
will trigger v6v4 operations and will be translated to the unique IPv4 outbound interface.
Table 6 :v4v6 Address translation
| v4v6 |
IPv4 node |
IPv4 nodes as seen by IPv6 network |
IPv6 network
IPv6
|
| 192.168.40.200 |
====> will be seen as |
2001::c0a8:28c8/96 |
We’re still communicating to IPv4 node 192.168.40.200 represented by 2001::c0a8:28c8/96.
By the way, IOS will not allow you to disable configured commands, if their corresponding translations are still active, so you have to clear all translation entries before making any changes in the configuration.
NAT-PT(config)#no ipv6 nat v6v4 source list list_to-ipv4 pool ipv4_pool
NAT-PT(config)#$ ipv4_pool 192.168.40.1 192.168.40.3 prefix-length 24
%Pool ipv4_pool in use, cannot destroy
NAT-PT(config)#
*Mar 1 04:56:14.094: %Dynamic mapping in use, cannot remove
NAT-PT(config)#do clear ipv6 nat trans *
NAT-PT(config)#
NAT-PT(config)#no ipv6 nat v6v4 source list list_to-ipv4 pool ipv4_pool
NAT-PT(config)#no ipv4_pool 192.168.40.1 192.168.40.3 prefix-length 24
NAT-PT(config)#
|
interface FastEthernet0/0
no ip address
ipv6 address 2001:A:B:C::4/64
ipv6 nat
!
interface FastEthernet1/0
ip address 192.168.40.199 255.255.255.0
ipv6 nat
ipv6 nat v4v6 source 192.168.40.200 2001::C0A8:28C8
ipv6 nat v6v4 source list list_to-ipv4 interface overload
ipv6 nat prefix 2001::/96
!
ipv6 access-list list_to-ipv4
permit ipv6 2001:A:B:C::/64 any
|
NAT-PT(config)#do sh ipv6 nat translation
Prot IPv4 source IPv6 source
IPv4 destination IPv6 destination
— — —
192.168.40.200 2001::C0A8:28C8
icmp 192.168.40.199,7704 2001:A:B:C::1,7704
192.168.40.200,7704 2001::C0A8:28C8,7704
icmp 192.168.40.199,7126 2001:A:B:C::2,7126
192.168.40.200,7126 2001::C0A8:28C8,7126
icmp 192.168.40.199,9979 2001:A:B:C::3,9979
192.168.40.200,9979 2001::C0A8:28C8,9979
NAT-PT(config)#
|
NAT-PT(config)#do sh ipv6 nat stat
Total active translations: 4 (-5 static, 9 dynamic; 3 extended)
NAT-PT interfaces:
FastEthernet0/0, FastEthernet1/0, NVI0
Hits: 0 Misses: 0
Expired translations: 0
NAT-PT(config)#
|
NAT-PT(config)#
*Mar 1 04:59:10.218: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:59:10.310: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)
*Mar 1 04:59:10.366: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:59:10.418: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)
*Mar 1 04:59:10.466: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:59:10.514: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)
NAT-PT(config)#
NAT-PT(config)#
*Mar 1 04:59:20.674: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:59:20.766: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::2)
*Mar 1 04:59:20.826: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:59:20.882: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::2)
*Mar 1 04:59:20.918: IPv6 NAT: icmp src (2001:A:B:C::2) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:59:20.950: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::2)
NAT-PT(config)#
NAT-PT(config)#
*Mar 1 04:59:24.266: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:59:24.354: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::3)
*Mar 1 04:59:24.402: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:59:24.450: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::3)
*Mar 1 04:59:24.482: IPv6 NAT: icmp src (2001:A:B:C::3) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 04:59:24.526: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::3)
NAT-PT(config)#
|
DNS embedded data (ALG)
Let’s keep previously configured PAT and see how NAT-PT handle application layer data like IPv6 addresses embedded in the DNS traffic.
We a need static translation to access the specific IPv4 node (DNS server).
Name lookup is enabled and DNS IPv6 address configured.
NAT-PT:
ipv6 nat v4v6 source 192.168.40.104
2001::C0A8:2858
!
ip domain lookup
ip domain name nouri.com
ip name-server 2001::C0A8:2858
|
On Clients:
ip domain lookup
ip domain name nouri.com
ip name-server 2001::C0A8:2858
|
The following shows successful connectivity with the DNS server:
Routerv6_1#ping 2001::C0A8:2858 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 2001::C0A8:2858, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 88/88/88 ms
Routerv6_1#
|
NAT-PT(config)#
*Mar 1 05:37:46.478: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:2858) -> (192.168.40.104)
*Mar 1 05:37:46.586: IPv6 NAT: src (192.168.40.104) -> (2001::C0A8:2858), dst (192.168.40.199) -> (2001:A:B:C::1)
NAT-PT(config)#
|
Routerv6_1#ping Routerv4_1.nouri.com
Translating “Routerv4_1.nouri.com”…domain server (2001::C0A8:2858) [OK]
Translating “Routerv4_1.nouri.com”…domain server (2001::C0A8:2858) [OK]
Translating “Routerv4_1.nouri.com”…domain server (2001::C0A8:2858) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::C0A8:28C8, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/111/256 ms
Routerv6_1#
|
Debug:
The NAT device:
- Receive a DNS request packet with IPv6 source (2001:A:B:C::1) and IPv6 destination (2001::C0A8:2858).
- Translate the IPv6 src (2001:A:B:C::1) -> IPv4 src (192.168.40.199)
- Translate the IPv6 dst (2001::C0A8:2858) -> IPv4 dst (192.168.40.104)
- Send DNS request AAA to IPv4 DNS server with IPv4 src (192.168.40.199) + IPv4 dst (192.168.40.104)
- Receive DNS response with IPv4 src (192.168.40.104) + IPv4 dst. (192.168.40.199) + embedded response to AAA IPv4 (192.168.40.200)
- Translate embedded response IPv4 (192.168.40.200) -> IPv6 (2001::C0A8:28C8)
- Translate back the IPv4 src (192.168.40.104)-> IPv6 src (2001::C0A8:2858)
- Translate back the IPv4 dst (192.168.40.199) -> IPv6 dst (2001:A:B:C::1)
- Send DNS response with IPv6 src (2001::C0A8:2858) + IPv6 dst. (2001:A:B:C::1) + embedded response to AAA IPv6 (2001::C0A8:28C8)
Internal IPv6 node:
send ping with IPv6 src (2001:A:B:C::1) + IPv6 dst (2001::C0A8:28C8)
The NAT device:
- Translate the IPv6 src (2001:A:B:C::1) -> IPv4 src (192.168.40.199)
- Translate the IPv6 dst (2001::C0A8:28C8) -> IPv4 dst (192.168.40.200)
- Send ping with IPv4 src (192.168.40.199) + IPv4 dst (192.168.40.200)
- Receive ping reply with IPv4 src (192.168.40.200) + IPv4 dst. (192.168.40.199)
- Translate back the IPv4 src (192.168.40.200) -> IPv6 src (2001::C0A8:28C8)
- Translate back the IPv4 dst (192.168.40.199) -> IPv6 dst (2001:A:B:C::1)
- Send ping reply with IPv6 src (2001::C0A8:28C8) + IPv6 dst. (2001:A:B:C::1)
NAT-PT(config)#
*Mar 1 05:46:33.854: IPv6 NAT: udp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:2858) -> (192.168.40.104)
*Mar 1 05:46:33.994: IPv6 NAT: udp src (192.168.40.104) -> (2001::C0A8:2858), dst (192.168.40.199) -> (2001:A:B:C::1)
*Mar 1 05:46:34.166: IPv6 NAT: udp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:2858) -> (192.168.40.104)
*Mar 1 05:46:34.230: IPv6 NAT: udp src (192.168.40.104) -> (2001::C0A8:2858), dst (192.168.40.199) -> (2001:A:B:C::1)
*Mar 1 05:46:34.246: IPv6 NAT: udp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:2858) -> (192.168.40.104)
*Mar 1 05:46:34.278: IPv6 NAT: udp src (192.168.40.104) -> (2001::C0A8:2858), dst (192.168.40.199) -> (2001:A:B:C::1)
*Mar 1 05:46:34.322: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 05:46:34.346: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)
*Mar 1 05:46:34.442: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 05:46:34.650: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)
*Mar 1 05:46:34.726: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 05:46:34.758: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)
*Mar 1 05:46:34.774: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 05:46:34.802: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)
*Mar 1 05:46:34.818: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst (2001::C0A8:28C8) -> (192.168.40.200)
*Mar 1 05:46:34.834: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst (192.168.40.199) -> (2001:A:B:C::1)
NAT-PT(config)#
|
IPv4 MAPPED
So far, we have been dealing with specific IPv4 hosts inside IPv4 network, but what if we just want to make connections to any IPv4 hosts (ex: to Internet)?
In this case the mapping of destination addresses should be automatic, that is the role of IPv4 mapped:
interface FastEthernet0/0
no ip address
ipv6 address 2001:A:B:C::4/64
ipv6 nat
!
interface FastEthernet1/0
ip address 192.168.40.199 255.255.255.0
ipv6 nat
!
! DNS still need Translation
ipv6 nat v4v6 source 192.168.40.104 2001::C0A8:2858
! PAT Translation is the appropriate configuration for this case
ipv6 nat v6v4 source list list_to-ipv4 interface FastEthernet1/0 overload
ipv6 nat prefix 2001::/96 v4-mapped WHAT_to_IPv4
!
!
!
ipv6 access-list list_to-ipv4
permit ipv6 2001:A:B:C::/64 any
!
ipv6 access-list WHAT_to_IPv4
permit ipv6 any 2001::/96
|
CONCLUSION
IPv6 NAT-PT, as with IPv4 NAT, represents a single point of failure in the network and cannot support end-to-end security.
Keep in mind that, the primary goal is to build a native IPv6 connectivity, so as transition mechanisms, it is recommended to use 6to4 tunneling.
About ajnouri
CCIE, the beginning! 
This is a GR8T!! post. I keep wondering why NAT-PT isn’t the premier transition technique. Thanks a lot for this. I will soak it in and incorporate it in my own teaching.
Hi Mukom,
Well, 6to4 tunneling and NAT-PT are in the first place temporary transition techniques, so the final goal is to deploy full IPv6 globally routed networks.
With 6to4 tunneling which means encapsulation of IPv6 into IPv4 traffic we still have a chance to preserve the original traffic inside the tunnel (routing, security, multicast…); but NAT-PT is a complete transition of protocols between IPv4 and IPv6 which inherit all the general problematic and issues related to NAT (split routing, restrictions with IPSec, difficulties with multicasting, multi-homing and high availability schemes…).
Thank you for your comment and sorry for the delay 🙂
Pingback: T.A.Z. or a Cacophony of Communication | macbroadcast.org
This is useful.but it is not working when i applied on Cisco1841.
Hi Joby,
Nothing will work or not by itself, “you” will make it work p-)
Here is a general brief description of a one-to-one translation :
—
Let’s suppose IPv4-only host1 wants to communicate with IPv6-only host2
0)- Enable unicast-routing
ipv6 unicast-routing
1)- enable NAT-PT
Enable IPv6 NAT on interface facing IPv6 network :
ipv6 nat
Enable IPv6 NAT on interface facing IPv6 network :
ipv6 nat
2)- NAT-PT configuration:
ipv6 nat v4v6 source
ipv6 nat v6v4 source
3)- A special prefix is reserved for IPv4 hosts that will be accesses from IPv6 site:
ipv6 nat prefix
4) Debugging
enable “debug ipv6 nat” (IPv6 end host) an “debug ip nat” (IPv4 end host)
observe what is happening
Good work.
First of all thank you for this excellent tutorial. It really helped me a lot.
However I too have a problem with Cisco’s 1812 series router acting as the nat device. This is my topology:
r1 r2 r3
I’m trying to ping r1 from r3. Now the translations are occuring both ways and r1 is sending echo replies back, but the packets never reach r3. They do get to r2 though.
I did everything per your instrustions and even got some outside help on the matter (and they confirmed my config as being correct), but I’m trully stumped now. Have you got any ideas?
Cheers
Urban
Hi Urban,
It looks like a routing issue, here is a couple of check :
A) Before deploying NAT-PT :
– Enable IPv6 unicast routing on IPv6 devices, even if the topology doesn’t require it.
– Verify if both R1 and R3 have a route to each other (default or static) through R2,
– Verify if you can ping both R1 and R3 from R2.
B) After configuring translation:
– Check NAT translation table.
– Enable debug & check whether translations are done correctly
If translation is done correctly and R2 routing is correctly pointing to both R1 and R3, it should be OK.
Just in case please post :
– translation commands.
– a couple of lines of debug.
– routing table on R2.
AJN
Thanks for the quick reply.
Everything you stated in point A is as it’s suppose to be and work just fine. I’m running RIPng on the IPv6 part of the network.
As for point B, the translations are done correctly as both the debug ipv6 nat & show ipv6 nat trans commands prove this.
Yesterday a ccie college of mine checked my configuration and was stunned that it didn’t work. Hopefully I’ll get another router to play with soon enough and see if there is a problem with the 18xx series when it comes to nat-pt.
But anyway:
-translation commands:
ipv6 nat v4v6 source 172.25.5.73 2000::AC19:549
ipv6 nat v6v4 source 2001:AAAA:BBBB:1::2 172.25.5.79
ipv6 nat prefix 2000::/96
-debug ipv6 nat
*Sep 3 12:29:59.947: IPv6 NAT: IPv6->IPv4: icmp src (2001:AAAA:BBBB:1::2) -> (172.25.5.79), dst (2000::AC19:549) -> (172.25.5.73)
*Sep 3 12:29:59.951: IPv6 NAT: IPv4->IPv6: src (172.25.5.73) -> (2000::AC19:549), dst (172.25.5.79) -> (2001:AAAA:BBBB:1::2)
-routing table on R2:
IPv6
C 2000::/96 [0/0]
via NVI0, directly connected
C 2001:AAAA:BBBB:1::/64 [0/0]
via FastEthernet1, directly connected
L 2001:AAAA:BBBB:1::1/128 [0/0]
via FastEthernet1, receive
L FF00::/8 [0/0]
via Null0, receive
IP
172.25.0.0/24 is subnetted, 1 subnets
C 172.25.5.0 is directly connected, FastEthernet0
S* 0.0.0.0/0 [1/0] via 172.25.5.73
Thank you for your help
Urban
Follow up. The configuration worked on another series router, so it seems there is a problem with the 18xx series.
porfin encontre lo que querie les agradesco de antemano en ningun lugar he podido encontrar esta informacion
I tried to get this working but can’t for some reason.
I’m on the static nat portion.
I’ve configured everything exactly as shown, with static routes to the nat-pt router on the other routers
I’ve turned on icmp debugging on all routers, and ipv6 nat debugging on the nat-pt router. In fact, I at one point had detailed nat pt debugging turned on, but I kept getting “IPv6 NAT: Found prefix” like once a second and didn’t know what that meant but so I turned it off, but worth noting. Let me know if it tells you anything.
Leaving the ICMP debugging on also didn’t seem to do much because when pinging 2001::C0A8:28C8 from the router with the IPv6 address of 2001:A:B:C::1, I didnt see any acknowledgement messages on the nat-pt router, which, as a I said before, is where I’ve assigned a static ipv6 route of EVERYTHING to go to. However, since I’m not getting ANY messages of any kind, its almost as if those pings aren’t getting to the nat-pt router.
HELP!!!! I’m pulling my hair out over what – on the surface – appears to be a simple issue that I just can’t overcome.
Nevermind – I stupidly failed to turn on ipv6 unicast-routing.
there is a mistake in here
168 is 1010 1000 ==> hex : a8 ; not 18 .
Corrected. Thank you Mehdi, appreciate it.
You’re Welcome , please i’am wondering how to create the static routes ? because we don’t have a next hop in ipv6 , same thing for ipv4 ? should we create them with the new v4v6/v6v4 adresses ?
my topologie is : pc1-R1-PC2
Thank you
Mehdi
The concept is the same, nevertheless, beware of some particularities :
– Enable IPv6 unicast routing first. Without it you can have back-to-back connectivity because it uses link-local addresses, but you will experience issues with non-directly configured devices.
– With PTP (Point-to-Point links) Ethernet or serial, it will be enough to mention the outgoing interface, because there is only one next-hop.
You also use the next-hop and the outgoing interface will be resolved using a recursive lookup
– With a multi-access links with multiple next-hops reachable, the better is to use a fully specified
route (next-hop + outgoing interface) because ND (Network Discovery Protocol) doesn’t perform proxy resolution as with IPv4 proxy-ARP.
thanks for the great post! I’ve reproduced this in my lab (with gns, with 1800 series and even with 2500 series) but I still have issues and I am not able to figure out why.
My configuration has same ip address and nat… Here some details:
R2#sh run | in nat
ipv6 nat
ipv6 nat
ipv6 nat v4v6 source 192.168.40.200 2001::C0A8:28C8
ipv6 nat v6v4 source 2001:A:B:C::1 192.168.40.1
ipv6 nat prefix 2001::/96
R1#sii6
FastEthernet0/0 [up/up]
FE80::1
2001:A:B:C::1
R3#sii
Interface IP-Address OK? Method Status Protocol
FastEthernet0/1 192.168.40.200 YES manual up up
R1#show ipv6 route
S 2001::/96 [1/0]
via FastEthernet0/0, directly connected
ok.. If I do a ping from R3 to R1 I can see the correct nat translation in R2:
*Mar 30 16:05:01.043: IPv6 NAT: Found prefix 2001::/96
*Mar 30 16:05:01.043: IPv6 NAT: IPv4->IPv6:
src (192.168.40.200 -> 2001::C0A8:28C8)
dst (0.0.0.0 -> ::)
ref_count = 1, usecount = 0, flags = 513,
rt_flags = 0, more_flags = 0
*Mar 30 16:05:01.043: IPv6 NAT: IPv4->IPv6:
src (0.0.0.0 -> ::)
dst (192.168.40.1 -> 2001:A:B:C::1)
ref_count = 1, usecount = 0, flags = 257,
rt_flags = 0, more_flags = 0
and I can see the traffic is sent to R1:
R2:
*Mar 30 16:05:06.047: IPV6: source FE80::2 (local)
*Mar 30 16:05:06.047: dest 2001:A:B:C::1 (FastEthernet0/0)
*Mar 30 16:05:06.047: traffic class 224, flow 0x0, len 72+0, prot 58, hops 255, originating
*Mar 30 16:05:06.047: IPv6-Fwd: Sending on FastEthernet0/0
*Mar 30 16:05:06.047: IPV6: source 2001:A:B:C::1 (FastEthernet0/0)
*Mar 30 16:05:06.047: dest FE80::2 (FastEthernet0/0)
*Mar 30 16:05:06.047: traffic class 224, flow 0x0, len 64+14, prot 58, hops 255, forward to ulp
then R1 replies:
*Mar 30 15:45:48.065: dest 2001::C0A8:28C8 (FastEthernet0/0)
*Mar 30 15:45:48.065: traffic class 0, flow 0x0, len 120+0, prot 58, hops 64, originating
*Mar 30 15:45:48.065: IPv6-Fwd: Encapsulation postponed, performing resolution
*Mar 30 15:45:48.069: IPV6: source 2001:A:B:C::1 (local)
*Mar 30 15:45:48.069: dest FF02::1:FFA8:28C8 (FastEthernet0/0)
*Mar 30 15:45:48.069: traffic class 224, flow 0x0, len 72+0, prot 58, hops 255, originating
*Mar 30 15:45:48.069: IPv6-Fwd: Sending on FastEthernet0/0
but I don’ see the traffic going back to R2..
thanks if someone can read and help on this.
Hi Oliver,
Did you enable IPv6 unicast routing “ipv6 unicast-routing” on both R1 and R2?
Hi cciethebeginning .. thanks for your reply.
I did it.. yes.. btw I’ve tried the configuration again on 3 routers on gns3 and it worked.. then I’ve tried again on 3 real routers from scratch and still the problem persists.. I’ve seen doing a ping from ipv4 to ipv6 some really strange addresses (while doing a debug ipv6 pack detail on the NAT-PT router).. I will post them here tomorrow for reference..
Weird problem.. 😦
Pingback: SLAAC Attack – 0day Windows Network Interception Configuration Vulnerability | InfoSec Resources
Erstklassige Angelegenheit. Ich fuer meinen Teil finde es absoluter Wahnsinn, was ihr alles auf die Beine stellt. Macht weiter so.
Pingback: Network Address Translation – Protocol Translation Issues/Workarounds (NAT-PT) | routersysco
Pingback: NAT-PT Network Address Translation Issues | routersysco
Pingback: The SLAAC Attack – using IPv6 as a weapon against IPv4 « wirewatcher
Good text but why!!!!!
-Can’t scale
-dnssec is broken
IPv4 is enough, lets go IPv6!!!!
I agree Pucko, the purpose of this lab is mainly pedagogical, I consider NAT-PT a perfect introduction to NAT64/DNS64. Once you understand the limitations of NAT-PT you can build upon it to appreciate the advantages of NAT64/DNS64.
As I mentioned in previous IPv6 labs, the final goal should be IPv6-only. The purpose of the blog is not to propose networking best practices, but to flex the brain muscle.
dynamic nat-pt not working i tried static nat-pt its working but dynamic not working
Pingback: SLAAC Attack – 0day Windows Network Interception Configuration Vulnerability
i’m a newbie for implementing NAt-PT as a ipv4 to ipv6 translation mechanism , i want to ask especially for the configuration and the ipv6 address given to the router, i use 2811 version of Cisco router. i really need your help , because i want to finish my final project in my college . really need your suggestion and advice
thanks a lot
// a very good explanation, thank you //
// I think the right configuration is: //
ipv6 nat v4v6 source 192.168.40.104 2001::C0A8:2868
// instead //
ipv6 nat v4v6 source 192.168.40.104 2001::C0A8:2858