Can we conduct NAT64 on a hairpin interface? Well, I found the answer after investing about an hour of playing around. First, let's look at the design:
ipv6-lan = 2001:470:C021:1::/64
ipv4-lan = 1.1.1.0/24
NAT4_address = 5.0.0.5
NAT6_address = 2001:179:179::1
Router = 3825 ISR
IOS code = ADVENTERPRISEK9-M Version 15.1(4)M4
Here's a graphical representation of the design:
The goal here was to do all of the NAT on a single interface. We are using a Cisco 3825 for the NAT64. It's connected to a layer 2 switch with an IPv4 host and an IPv6 host on the same layer 2 LAN segment. The single GigE interface handles both IPv6 and IPv4 traffic.
The cfg (3825 gig0/0 interface):
!
interface GigabitEthernet0/0
 description this is a single dual/stacked interface both ipv4/v6
 ip address 1.1.1.253 255.255.255.0
 ip flow ingress
 ip flow egress
 duplex auto
 speed auto
 media-type rj45
 ipv6 address 2001:470:C021:1::1/64
 ipv6 enable
 ipv6 nat
end
Okay, now let's look at the simple IPv6-to-IPv4 NAT cfg.
First, I had problems using a source-list and pool, so I reverted my cfg to a static NAT for this example. I will continue to look into the issues with regard to the source list and NAT pool. Once I figure that out, I will post an update and another post on my blog, so stay tuned.
Here are my NAT rules; I left some of the old cfg in place and commented it out for your reference and pleasure:
!
ipv6 nat translation icmp-timeout 5
ipv6 nat v4v6 source 1.1.1.2 2001:179:179::1
! the following line is one method I tried that failed, don't know why, but one packet was entering
!
! ipv6 nat v6v4 source list myv6 pool nat6 overload
!
ipv6 nat v6v4 source 2001:470:C021:1:21F:5BFF:FEEA:AFA 5.0.0.5
! the following line below didn't work either during my testing
!
! ipv6 nat v6v4 pool nat6 10.0.0.2 10.0.0.2 prefix-length 30
!
ipv6 nat prefix 2001:179:179::/96
Okay, here's what debug ipv6 nat shows:
Feb 1 01:37:30.943: IP: tableid=0, s=5.0.0.5 (FastEthernet0/0), d=1.1.1.2 (FastEthernet0/0), routed via RIB
*Feb 1 01:37:30.943: IP: s=5.0.0.5 (FastEthernet0/0), d=1.1.1.2 (FastEthernet0/0), len 36, rcvd 3
*Feb 1 01:37:30.947: ICMP type=8, code=0
*Feb 1 01:37:30.947: IP: tableid=0, s=1.1.1.2 (local), d=5.0.0.5 (FastEthernet0/0), routed via FIB
*Feb 1 01:37:30.947: IP: s=1.1.1.2 (local), d=5.0.0.5 (FastEthernet0/0), len 36, sending
*Feb 1 01:37:30.947: ICMP type=0, code=0
and our NAT translation table as seen on the single NAT hairpin interface:
router3825#sh ipv6 nat tr ver
Prot  IPv4 source                        IPv6 source
      IPv4 destination                   IPv6 destination
---   ---                                ---
      1.1.1.2                            2001:179:179::1
      create 00:20:42, use 00:00:03,

tcp   5.0.0.5,61837                      2001:470:C021:1:21F:5BFF:FEEA:AFA,61837
      1.1.1.2,22                         2001:179:179::1,22
      create 00:00:03, use 00:00:00, left 23:59:59,

---   5.0.0.5                            2001:470:C021:1:21F:5BFF:FEEA:AFA
      ---                                ---
      create 00:01:07, use 00:00:03,
and our IPv6 NAT statistics:
router3825>show ipv6 nat statistics
Total active translations: 4 (2 static, 2 dynamic; 2 extended)
NAT-PT interfaces:
GigabitEthernet0/0
Hits: 10 Misses: 0
Expired translations: 36
router3825>
And here's the Cisco 1841 device that I configured as my IPv4 host for testing:
ccie02#show ip int fas 0/0 | i add
Internet address is 1.1.1.2/24
Broadcast address is 255.255.255.255
Helper address is not set
Network address translation is disabled
ccie02#
And when we finally had things working, we could ping and ssh from my Mac OS X host (IPv6) to the Cisco (IPv4), all on a hairpinned interface.
Ken-Felixs-MacBook:~ root# ping6 2001:179:179::1
PING6(56=40+8+8 bytes) 2001:470:c021:1:21f:5bff:feea:afa --> 2001:179:179::1
Request timeout for icmp_seq=0
Request timeout for icmp_seq=1
16 bytes from 2001:179:179::1, icmp_seq=2 hlim=253 time=1.719 ms
16 bytes from 2001:179:179::1, icmp_seq=3 hlim=253 time=1.568 ms
Request timeout for icmp_seq=4
16 bytes from 2001:179:179::1, icmp_seq=5 hlim=253 time=1.579 ms
16 bytes from 2001:179:179::1, icmp_seq=6 hlim=253 time=1.617 ms
16 bytes from 2001:179:179::1, icmp_seq=7 hlim=253 time=1.599 ms
16 bytes from 2001:179:179::1, icmp_seq
ccie02#sh user
    Line       User       Host(s)              Idle       Location
*    0 con 0              idle                 00:00:00
   194 vty 0     cisco    idle                 00:00:52 5.0.0.5

  Interface    User               Mode         Idle     Peer Address
So what this means: "If you are on a LAN segment that must handle IPv4 traffic, but you don't have another interface nor want to enable a sub-VLAN interface, you can hairpin on a dual-stacked and addressed Cisco router interface."
So for example, if you have IPv6-only hosts and maybe an IPv4-only host (i.e. a printer) that you want to integrate into your existing layer 2 segment, and you want the IPv6 machines to be able to find and use that printer, NAT64 on a hairpin lets you do this easily without wasting any physical or virtual interfaces.
I hope you find this post useful for your IPv4-to-IPv6 migrations.
Ken Felix
Freelance Network & Security Engineer, Specialized with ipv6 migration designs and planning
kfelix "@" hyperfeed "dot" com