This post will explain how to use a Cisco router for IPv6-to-IPv4 NAT/PAT operation. Let's say you have the following setup:
ipv6-lan----------Router------------ipv4-lan
Okay, so obviously that's going to cause havoc if you ever need to do anything between IPv6 and IPv4. In my case I had an IPv4-only printer that I wanted to use in my all-IPv6 environment (remember my rant on IPv6, if you have been following my blog, and how most SOHO printers don't understand IPv6?).
Well, the above type of IPv6-to-IPv4 issue is very common in SOHO/SMB/enterprise networks. So in my case, I'm using a Cisco router to act as a protocol translator, also known as NAT-PT, or by the more correct term NAT64.
Router = 3825 ISR
IOS code = ADVENTERPRISEK9-M Version 15.1(4)M4
Okay, let's look at how simple this setup can be using PAT:
IPv6 local-lan = 2001:470:C021:1::0/64
ipv4 local-lan = 192.168.0.0/24
gw = .1 in both protocol versions on each LAN
Okay, the router is set up with RA announcements on the IPv6 side for my inside hosts, so my Mac OS X machines receive the prefix and default gateway from the router advertisement,
i.e. (ifconfig en0):
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
ether 00:1f:5b:ea:0a:fa
inet6 fe80::21f:5bff:feea:afa%en0 prefixlen 64 scopeid 0x4
inet6 2001:470:c021:1:21f:5bff:feea:afa prefixlen 64 autoconf
media: autoselect (1000baseT <full-duplex,flow-control>)
status: active
and the gateway (output shortened):
Ken-Felixs-MacBook:downloads kenfelix1$ netstat -rn -f inet6
Routing tables
Internet6:
Destination Gateway Flags Netif Expire
default fe80::21d:70ff:fe39:7f00%en0 UGSc en0
::1 ::1 UH lo0
2001:470:c021:1::/64 link#4 UC en0
2001:470:c021:1::1 0:1d:70:39:7f:0 UHLW en0
2001:470:c021:1:21f:5bff:feea:afa 0:1f:5b:ea:a:fa UHL lo0
On the IPv6 LAN (gi0/0) and IPv4 LAN (gi0/1) interfaces:
interface GigabitEthernet0/0
description ipv6 lan and my test bed/lab no ipv4 address space in my lab
no ip address
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip virtual-reassembly in
duplex auto
speed auto
media-type rj45
analysis-module monitoring
ipv6 address 2001:470:C021:1::1/64
ipv6 enable
ipv6 nat
!
interface GigabitEthernet0/1
description my printer lan and any non ipv6 device here
ip address 192.168.0.1 255.255.255.0
duplex auto
speed auto
media-type rj45
ipv6 enable
ipv6 nat
end
Okay, so now let's look at the IPv6 NAT configuration:
1st: we define an IPv6 access-list for my local IPv6 LAN. This list holds your /64 prefix or the IPv6 addresses you want to allow. Here, I'm allowing my full /64 prefix:
!
ipv6 access-list myv6
remark Ken's ipv6 internal network
permit ipv6 2001:470:C021:1::/64 any
!
In a real setup, we would probably be more specific and allow just the print server and the needed protocol(s) and ports.
2nd:
just like in IPv4, we assign a source list and an overload statement, using our source list named "myv6":
ipv6 nat v4v6 source 192.168.0.2 2001:178:178::1
ipv6 nat v6v4 source list myv6 interface GigabitEthernet0/1 overload
ipv6 nat prefix 2001:178:178::/96
In the lines above, 2001:178:178::/96 is the IPv6 prefix that our NAT will take on: the addresses our IPv6 hosts target to reach the IPv4 side, and the addresses the IPv4 hosts appear to send from when their traffic comes inbound (the static v4v6 line maps 192.168.0.2 to 2001:178:178::1 inside that prefix). The v6v4 translation is overloaded onto the gi0/1 IPv4 address (192.168.0.1).
Here's what "debug ipv6 nat" shows:
Jan 11 06:01:02.935: %SYS-5-CONFIG_I: Configured from console by kfelix on console
*Jan 11 06:01:04.259: IPv6 NAT: IPv6->IPv4: icmp src (2001:470:C021:1:21F:5BFF:FEEA:AFA) -> (192.168.0.1), dst (2001:178:178::1) -> (192.168.0.2)
*Jan 11 06:01:06.259: IPv6 NAT: IPv6->IPv4: icmp src (2001:470:C021:1:21F:5BFF:FEEA:AFA) -> (192.168.0.1), dst (2001:178:178::1) -> (192.168.0.2)
*Jan 11 06:01:08.259: IPv6 NAT: IPv6->IPv4: icmp src (2001:470:C021:1:21F:5BFF:FEEA:AFA) -> (192.168.0.1), dst (2001:178:178::1) -> (192.168.0.2)
*Jan 11 06:01:10.259: IPv6 NAT: IPv6->IPv4: icmp src (2001:470:C021:1:21F:5BFF:FEEA:AFA) -> (192.168.0.1), dst (2001:178:178::1) -> (192.168.0.2)
*Jan 11
and here's the NAT translation table, using the command "show ipv6 nat trans verbose":
router3825#show ipv6 nat trans verbose
Prot IPv4 source IPv6 source
IPv4 destination IPv6 destination
--- --- ---
192.168.0.2 2001:178:178::1
create 00:44:43, use 00:00:05,
icmp 192.168.0.1,2817 2001:470:C021:1:21F:5BFF:FEEA:AFA,2817
192.168.0.2,2817 2001:178:178::1,2817
create 00:00:43, use 00:00:15, left 00:00:44,
tcp 192.168.0.1,56312 2001:470:C021:1:21F:5BFF:FEEA:AFA,56312
192.168.0.2,22 2001:178:178::1,22
create 00:00:05, use 00:00:03, left 23:59:56,
router3825#
As you can see, I have both an icmp and a tcp translation from host 2001:470:C021:1:21F:5BFF:FEEA:AFA to 192.168.0.2.
Key points to take away:
> enable ipv6 nat on both the IPv6 and IPv4 interfaces
> ipv6 cef must, or I should say should, be enabled
> ipv6 unicast-routing
> ipv4 unicast-routing
> the ipv6 nat prefix must be defined as a /96
> the same IPv4-based configuration we are used to, but with the ipv6 nat v6v4 and v4v6 commands
What I've found out with Cisco: if you run into problems, clearing the IPv6 NAT translations and removing and re-adding the ipv6 nat statements seems to help. NAT64 has been picky in operation on earlier Cisco code.
You can also use the same setup to build static 1-to-1 mappings, v6-to-v4 and v4-to-v6. I decided on a simple PAT overload in my case and setup.
I hope this post is helpful for those looking at IPv6 who still have IPv4 devices within their enterprise network. I'm going to try the same setup but with a twist: IPv4 and IPv6 on the same interface.
So basically gi0/0 will be dual-stacked, with the IPv4 devices NAT'd into the v6 space. Stay tuned and I will post my success or failure :). This would be somewhat of a hairpin NAT.
The above NAT v6v4 is what works with DNS64, where we intercept or handle IPv6 AAAA queries but translate the A record into an IPv6 embedded address. Then the IPv6 client routes to the embedded IPv4 address, and the NAT64 at the edge NATs the IPv6 client into the IPv4 world. Both the NAT64 router and the DNS64 DNS servers need access into an IPv4 address space for this to work.
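As an added example (my own code, not from the post or from Cisco), here is the address arithmetic behind the /96 NAT prefix and the DNS64 embedding described above, plus a check of the post's "debug ipv6 nat" lines against the configuration. The prefix, access-list and static v4v6 values are taken from the post; the embedding of the IPv4 address in the low 32 bits follows the RFC 6052 /96 layout and is assumed to be what the router does for destinations without a static mapping.

```python
# Added example: /96 NAT prefix arithmetic and a debug-line sanity check.
import ipaddress
import re

# Values taken from the post's configuration.
NAT_PREFIX = ipaddress.IPv6Network("2001:178:178::/96")   # ipv6 nat prefix
V6_LAN = ipaddress.IPv6Network("2001:470:C021:1::/64")    # access-list myv6
OVERLOAD_V4 = "192.168.0.1"                               # gi0/1 address
STATIC_V4V6 = {                                           # ipv6 nat v4v6 source
    ipaddress.IPv6Address("2001:178:178::1"): ipaddress.IPv4Address("192.168.0.2"),
}

def embed_ipv4(v4, prefix=NAT_PREFIX):
    """IPv6 address a DNS64 would synthesize for an A record: the /96
    prefix with the 32-bit IPv4 address in the low-order bits (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("NAT prefix must be a /96")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))

def resolve_v4_destination(v6_dst, prefix=NAT_PREFIX, static=STATIC_V4V6):
    """IPv4 destination the NAT picks for an IPv6 destination: a static
    v4v6 mapping wins; otherwise the address embedded in the /96 prefix."""
    v6_dst = ipaddress.IPv6Address(v6_dst)
    if v6_dst in static:
        return static[v6_dst]
    if v6_dst not in prefix:
        raise ValueError(f"{v6_dst} is not inside the NAT prefix {prefix}")
    return ipaddress.IPv4Address(int(v6_dst) & 0xFFFFFFFF)

# Shape of the router's "debug ipv6 nat" IPv6->IPv4 lines quoted in the post.
DEBUG_RE = re.compile(
    r"IPv6 NAT: IPv6->IPv4: (?P<proto>\w+) src \((?P<src6>[^)]+)\) -> \((?P<src4>[^)]+)\), "
    r"dst \((?P<dst6>[^)]+)\) -> \((?P<dst4>[^)]+)\)"
)

def check_debug_line(line):
    """Validate one debug line against the configuration. Returns a list of
    problems; an empty list means the translation is what the config predicts."""
    m = DEBUG_RE.search(line)
    if not m:
        return ["unrecognised debug line"]
    problems = []
    if ipaddress.IPv6Address(m["src6"]) not in V6_LAN:
        problems.append("source not permitted by access-list myv6")
    if m["src4"] != OVERLOAD_V4:
        problems.append("source not overloaded onto the gi0/1 address")
    try:
        expected = resolve_v4_destination(m["dst6"])
        if str(expected) != m["dst4"]:
            problems.append(f"expected dst {expected}, router used {m['dst4']}")
    except ValueError as exc:
        problems.append(str(exc))
    return problems
```

Feeding the post's own debug lines through check_debug_line() returns no problems, while a source outside the /64 or a destination outside the /96 is flagged, which is a quick way to confirm the access-list and prefix are doing what you think.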
Ken Felix
Freelance Network/Security Engineer + IPv6 migration specialist
kfelix at hyperfeed dot com