Wednesday, January 30, 2013

NAT-64 on cisco howto get by when you have ipv4-only machines

This post will explain how to use a cisco router for ipv6-to-ipv4 NAT-PAT operation. Let's say you have the following setup


                                               ipv6-lan----------Router------------ipv4-lan


Okay so obviously that's going to cause havoc if you ever need to do anything  with ipv6 and ipv4. In my case I  had a ipv4-only printer that I wanted to use it in my all ipv6 environment ( remember my rant on ipv6,  if you have been following my blog ? and how most SOHO printers don't understand ipv6 ?)

Will the above type of IPv6----2----IPv4 issues are very common in most SOHO/SMB/ENTERPRISE networks. So in my case, I'm using a cisco router to act as some type of  protocol translator , also known as NAT-PT or the correct term of NAT64.

Router =3825ISR
IOScode= ADVENTERPRISEK9-M Version 15.1(4)M4

Okay let's look at how simple this setup could be using PAT;

IPv6 local-lan = 2001:470:C021:1::0/64
ipv4 local-lan = 192.168.0.0/24

gw = .1 in both protocol version for each lan

Okay the router for the ipv6 is setup with RA announcement for my inside hosts, so my macosx machines will receive the prefix and default gateway from this router-adv

i.e ( ifconfig en0 )

en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether 00:1f:5b:ea:0a:fa
    inet6 fe80::21f:5bff:feea:afa%en0 prefixlen 64 scopeid 0x4
    inet6 2001:470:c021:1:21f:5bff:feea:afa prefixlen 64 autoconf
    media: autoselect (1000baseT <full-duplex,flow-control>)
    status: active


and  gateway ( output shorten )

Ken-Felixs-MacBook:downloads kenfelix1$ netstat -rn -f inet6
Routing tables

Internet6:
Destination                             Gateway                         Flags         Netif Expire
default                                 fe80::21d:70ff:fe39:7f00%en0    UGSc            en0
::1                                     ::1                             UH              lo0
2001:470:c021:1::/64                    link#4                          UC              en0
2001:470:c021:1::1                      0:1d:70:39:7f:0                 UHLW            en0
2001:470:c021:1:21f:5bff:feea:afa       0:1f:5b:ea:a:fa                 UHL             lo0


On  ipv6-lan = gi0/0 , and ipv4-lan = gi0/1 interfaces;

interface GigabitEthernet0/0
 description ipv6 lan and my test bed/lab no ipv4 address space in my lab
 no ip address
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip virtual-reassembly in
 duplex auto
 speed auto
 media-type rj45
 analysis-module monitoring
 ipv6 address 2001:470:C021:1::1/64
 ipv6 enable
 ipv6 nat

!
interface GigabitEthernet0/1
 description  my printer lan and any non ipv6 device here
 ip address 192.168.0.1 255.255.255.0
 duplex auto
 speed auto
 media-type rj45
 ipv6 enable
 ipv6 nat
end



Okay so now let's look at the ipv6 nat configuration;

1st; we define a ipv6 access-list for my  ipv6-local lan, this list would list your /64 prefix or the ipv6-addresses that you want to allow. Here, I'm allowing my  full /64 prefix

!
ipv6 access-list myv6
    remark  Ken's ipv6 internal network
    permit ipv6 2001:470:C021:1::/64 any
!



Maybe in a real setup, we would  be specific and allow just the print-server and the protocol(s) and ports.

2nd;

just like in ipv4 we assigned a source list and overload  statement, using our source-list named "myv6"

ipv6 nat v4v6 source 192.168.0.2 2001:178:178::1
ipv6 nat v6v4 source list myv6 interface GigabitEthernet0/1 overload
ipv6 nat prefix 2001:178:178::/96



So in the above lines, we specify that 2001:178:178::/96 will be the  targeted ipv6 address that our nat's will take on & when the ipv4 hosts send traffic inbound. The interface is overload against gi 0/1 ipv4 address { 192.168.0.1}

Here's what the debug ipv6 nat shows;


Jan 11 06:01:02.935: %SYS-5-CONFIG_I: Configured from console by kfelix on console
*Jan 11 06:01:04.259: IPv6 NAT: IPv6->IPv4: icmp src (2001:470:C021:1:21F:5BFF:FEEA:AFA) -> (192.168.0.1), dst (2001:178:178::1) -> (192.168.0.2)
*Jan 11 06:01:06.259: IPv6 NAT: IPv6->IPv4: icmp src (2001:470:C021:1:21F:5BFF:FEEA:AFA) -> (192.168.0.1), dst (2001:178:178::1) -> (192.168.0.2)
*Jan 11 06:01:08.259: IPv6 NAT: IPv6->IPv4: icmp src (2001:470:C021:1:21F:5BFF:FEEA:AFA) -> (192.168.0.1), dst (2001:178:178::1) -> (192.168.0.2)
*Jan 11 06:01:10.259: IPv6 NAT: IPv6->IPv4: icmp src (2001:470:C021:1:21F:5BFF:FEEA:AFA) -> (192.168.0.1), dst (2001:178:178::1) -> (192.168.0.2)
*Jan 11


and here's the nat translation table using cmd "show ipv6 nat tran verbose"

 router3825#show ipv6 nat trans verbose
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      192.168.0.2              2001:178:178::1
      create 00:44:43, use 00:00:05,

icmp  192.168.0.1,2817         2001:470:C021:1:21F:5BFF:FEEA:AFA,2817
      192.168.0.2,2817         2001:178:178::1,2817
      create 00:00:43, use 00:00:15, left 00:00:44,

tcp   192.168.0.1,56312       
2001:470:C021:1:21F:5BFF:FEEA:AFA,56312
      192.168.0.2,22           2001:178:178::1,22
      create 00:00:05, use 00:00:03, left 23:59:56,

router3825#


As you can see, I have both a icmp/tcp translation from  host ; 2001:470:C021:1:21F:5BFF:FEEA:AFA to 192.168.0.2


Key points to take away;


> enable ipv6 nat on the ipv6/4 interfaces
> ipv6 cef must or I should say, should be enabled
> ipv6 unicast-routing 
> ipv4 unicast-routing
> the ipv6 nat prefix must be defined with a /96 prefix definition
> same  ipv4 based configuration that we are use to, but with ipv6 nat v6v4 and v4v6 cmds


What I 've found out with cisco, if you should run into problems, the clearing of the ipv6 nat translations,  and  the removing  and re-add the ipv6 nat statements, seems to help. NAT64 has been  picky with operations on earlier cisco codes.

You can also use the same setup and conduct static 1-2-1 mappings  v6-2-v4  and v4-to-v6. I decided on a simple PAT overload in my case and setup.

I hope this post becomes helpful for those looks at ipv6 and have ipv4 devices within their network enterprise. I 'm going to try the same setup but with a  twisted  of having a ipv4/v6 on the same interface.

So basically gi 0/0 will  be dual-stacked and with ipv4 devices NAT'd into the v6 space. Stay tuned and I will post my  success of failure :). This would be some what of a hairpin NAT.

The above NAT v6v4 is what works with DNS64, where we intercept or handle ipv6 AAAA queries, but translation the A record into  ipv6 embedded address. Than the ipv6 clients routes to the embedded ipv4 address and the NAT64 at the edge, NAT's theipv6 client into the ipv4 world. Both the NAT64 router and DNS64 dns-servers,  need access into a ipv4 address space for this to work.


Ken Felix
Feelance Network/Security Engineer + ipv6  migration specialist
kfelix   at hyperfeed  dot com







No comments:

Post a Comment