During my lab time last night, I did a bunch of IPv6 transitional labs that I will be showcasing on my blog in the coming days. The first of these will be IPv6 NAT-PT. NAT-PT allows bi-directional connectivity between IPv4 and IPv6 domains during an IPv4-to-IPv6 transition. Our topology below shows two new IPv6 subnets on our corporate network, FD04:400::/64 and FD04:453::/64. These subnets still need access to a web server on the 10.1.45.0/24 network. The diagram we will be using for this lab is below.
There are several NAT-PT variants you can use:
- Dynamic NAT-PT
- Static NAT-PT
- IPv4 Mapped
- PAT Overload
This blog post will look at Static and Dynamic NAT-PT.
Static NAT-PT
This is a one-to-one relationship between the IPv6 and IPv4 addresses. What we need to accomplish is to allow FD04:453::23 to talk to 10.1.45.11. All the configuration is going to be done on NY_Core_1. For NAT-PT to work, you need a device that sits in both the IPv6 and IPv4 networks to do the translation. The first thing we will do is enable IPv6 NAT on both interfaces on NY_Core_1.
Configuration
NY_Core_1(config)#interface fastethernet0/0
NY_Core_1(config-if)#ipv6 nat
NY_Core_1(config-if)#exit
NY_Core_1(config)#interface Serial0/3/0
NY_Core_1(config-if)#ipv6 nat
*Mar 29 04:21:02.679: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
Now, we need to specify the static translation from IPv6 to IPv4:
NY_Core_1(config)#ipv6 nat v6v4 source FD04:453::23 172.16.34.5
NY_Core_1(config)#ipv6 nat v4v6 source 10.1.45.11 FD04:678::23
NY_Core_1(config)#ipv6 nat prefix FD04:678::/96
Verification
Now, to verify, on NY-Team-WKS1 we are going to browse to FD04:678::23, and we should see a connection on the HTTP server for 172.16.34.5.
HTTP server current connections:
local-ipaddress:port remote-ipaddress:port in-bytes out-bytes
10.1.45.11:80 172.16.34.5:43047 0 0
To see how the translation breaks down, we will look at the output of the debug ipv6 nat command.
IPv6 NAT: tcp src (FD04:453::23) > (172.16.34.5), dst (FD04:678::23) > (10.1.45.11)
IPv6 NAT: tcp src (10.1.45.11) > (FD04:678::23), dst (172.16.34.5) > (FD04:453::23)
Looking at the above debug, we see that when we initiate our HTTP session to FD04:678::23, the NAT-PT process finds a mapping for our destination (FD04:678::23 to 10.1.45.11) and for our source (FD04:453::23 to 172.16.34.5). So when the packet reaches NY_Core_1 with an IPv6 source of FD04:453::23 and an IPv6 destination of FD04:678::23, it is translated to an IPv4 source of 172.16.34.5 and an IPv4 destination of 10.1.45.11. The second debug line shows the return traffic being translated in the opposite direction.
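As an added example (not part of the original post or of any Cisco tooling), the Python sketch below checks debug ipv6 nat lines against the static mappings configured above and confirms that the IPv6 alias of the web server falls inside the NAT-PT prefix. The function names are hypothetical, and the third sample line is constructed to show a translation with no configured mapping.

```python
import ipaddress
import re

# Values from the post's static NAT-PT configuration on NY_Core_1.
NAT_PREFIX = ipaddress.ip_network("FD04:678::/96")   # ipv6 nat prefix
V6V4 = {"FD04:453::23": "172.16.34.5"}               # ipv6 nat v6v4 source
V4V6 = {"10.1.45.11": "FD04:678::23"}                # ipv6 nat v4v6 source
# Line format of "debug ipv6 nat" as shown in the post.
DEBUG_RE = re.compile(
    r"IPv6 NAT: (\w+) src \((\S+)\) > \((\S+)\), dst \((\S+)\) > \((\S+)\)")
# First two lines are the post's debug output; the third is constructed and
# uses a source address that has no configured mapping.
SAMPLE = [
    "IPv6 NAT: tcp src (FD04:453::23) > (172.16.34.5), dst (FD04:678::23) > (10.1.45.11)",
    "IPv6 NAT: tcp src (10.1.45.11) > (FD04:678::23), dst (172.16.34.5) > (FD04:453::23)",
    "IPv6 NAT: tcp src (FD04:453::99) > (172.16.34.5), dst (FD04:678::23) > (10.1.45.11)",
]

def norm(addr):
    """Canonical text form, so FD04:453::23 and fd04:453::23 compare equal."""
    return str(ipaddress.ip_address(addr))

def build_table(v6v4, v4v6):
    """Static NAT-PT is 1:1, so each mapping is valid in both directions."""
    table = {}
    for a, b in list(v6v4.items()) + list(v4v6.items()):
        table[norm(a)] = norm(b)
        table[norm(b)] = norm(a)
    return table

def outside_prefix(v4v6, prefix):
    """IPv6 aliases of IPv4 hosts that the NAT-PT prefix would not match."""
    return [v6 for v6 in v4v6.values() if ipaddress.ip_address(v6) not in prefix]

def audit(lines, table):
    """Return (line, before, after) for every translation not in the table."""
    findings = []
    for line in lines:
        m = DEBUG_RE.search(line)
        if not m:
            continue
        _proto, src, src_x, dst, dst_x = m.groups()
        for before, after in ((src, src_x), (dst, dst_x)):
            if table.get(norm(before)) != norm(after):
                findings.append((line, before, after))
    return findings

if __name__ == "__main__":
    print(outside_prefix(V4V6, NAT_PREFIX), audit(SAMPLE, build_table(V6V4, V4V6)))
```
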
Dynamic NAT-PT
We will look at what is needed to have IPv6 hosts communicate with IPv4 hosts only.
NY_Core_1(config)#ipv6 access-list NAT-PT-ACL
NY_Core_1(config-ipv6-acl)#permit ipv6 FD04:453::/64 any
NY_Core_1(config-ipv6-acl)#exit
NY_Core_1(config)#ipv6 nat v4v6 source 10.1.45.11 FD04:678::23
NY_Core_1(config)#ipv6 nat v6v4 pool NATV4_POOL 172.16.34.10 172.16.34.20 prefix-length 24
NY_Core_1(config)#ipv6 nat v6v4 source list NAT-PT-ACL pool NATV4_POOL
NY_Core_1(config)#ipv6 nat prefix FD04:678::/96
The dynamic NAT-PT configuration is similar to how you would set up IPv4 dynamic NAT, except for adding the IPv6 NAT prefix (as we do with static). The prefix command puts a static route to the prefix into the routing table, which we would then redistribute into the IPv6 routing domain.