
ASA NAT64 (IPV6 to IPV4)

pdervaux
Level 1

Hi everybody,

I am looking for a way to configure an ASA on 9.1 to permit access from the Internet in IPv6 to an internal server in IPv4.

I have already read a lot about this topic and tried several Twice NAT configurations, but so far I have not been successful.

To summarize:

The ASA external FW is connected to the Internet using IPv6.

Internal / DMZ interfaces are in IPv4 only.

The idea was to create a static translation from the IPv6 mapped address to the IPv4 real address.

Traffic is always initiated from the Internet.

All suggestions are welcome.

Pascal

5 Replies

Have you seen the example in the documentation? If you exchange the interfaces it looks like your scenario:

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_objects.html#wp1812826

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Hi Karsten,

Thanks for following up.

The sample provided by Cisco is just the opposite of my situation.

In my situation the clients are outside and in V6. Servers are inside and in V4. Traffic is initiated from outside.

Yes, but in the example the client is also on v6 and the server on v4. As I said, just different interfaces. So I assume it should work with a similar config that is just slightly changed.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

This is my problem: I can't manage to get it working.

Hello Pascal,

I hate that I do not have an ASA to play with for this, but I will do my best to do it with just a piece of paper (I know, pretty lame).

IPv6 inside network: 2001:AAAA:1111:BBBB::/120

IPv4 outside network for the NAT: 20.20.20.0/24

We want our inside IPv6 network to be able to talk with the outside IPv4 world.

For that we will need to use NAT64, but at the same time NAT the entire IPv4 address space into an IPv6 range.

IPv6 range to match the entire IPv6 range: 2001:17::/96

Outside pool for the NAT (20.20.20.0/24)

Then create the NAT:

! Real inside IPv6 subnet
object network IPv6_Subnet_Internal
 subnet 2001:AAAA:1111:BBBB::/120
! IPv4 subnet the inside hosts are translated to
object network IPv4_NAT
 subnet 20.20.20.0 255.255.255.0
! IPv6 /96 that stands in for the IPv4 address space
object network Fake_IPv6
 subnet 2001:17::/96
! Twice NAT: translate the source and the destination in one rule
nat (inside,outside) source static IPv6_Subnet_Internal IPv4_NAT destination static Fake_IPv6 any

That should do it!

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
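
An added example, not part of any post in this thread: a small Python model of the address arithmetic behind the twice NAT rule in the reply above, useful for working out which translated addresses to expect when writing access rules or reading captures. It assumes a /96 mapping carries the IPv4 address in the low 32 bits and that a static mapping between equal-sized subnets preserves the host offset; the function names are hypothetical and 192.0.2.10 is a constructed sample destination.

```python
import ipaddress as ip

# Prefixes taken from the reply above
INSIDE_V6 = ip.ip_network("2001:AAAA:1111:BBBB::/120")  # real inside hosts
NAT_V4 = ip.ip_network("20.20.20.0/24")                 # their IPv4 mapping
FAKE_V6 = ip.ip_network("2001:17::/96")                 # IPv4 space seen from v6


def embed_v4(v4, prefix=FAKE_V6):
    """IPv6 address an inside host must target to reach the IPv4 address v4."""
    if prefix.prefixlen != 96:
        raise ValueError("this model only covers /96 prefixes")
    return ip.IPv6Address(int(prefix.network_address) | int(ip.IPv4Address(v4)))


def extract_v4(v6, prefix=FAKE_V6):
    """Destination translation: recover the IPv4 address from the low 32 bits."""
    v6 = ip.IPv6Address(v6)
    if v6 not in prefix:
        raise ValueError(f"{v6} is outside {prefix}")
    return ip.IPv4Address(int(v6) & 0xFFFFFFFF)


def net_to_net(addr, real, mapped):
    """Source translation: static subnet-to-subnet mapping, same host offset."""
    addr = ip.ip_address(addr)
    if real.num_addresses != mapped.num_addresses:
        raise ValueError("real and mapped subnets must be the same size")
    if addr not in real:
        raise ValueError(f"{addr} is outside {real}")
    return mapped[int(addr) - int(real.network_address)]


def translate(src6, dst6):
    """Return (src4, dst4) as strings, or None when the rule would not match."""
    try:
        src4 = net_to_net(src6, INSIDE_V6, NAT_V4)
        dst4 = extract_v4(dst6)
    except ValueError:
        return None
    return str(src4), str(dst4)


if __name__ == "__main__":
    target = embed_v4("192.0.2.10")
    print("inside host connects to:", target)
    print("after NAT:", translate("2001:aaaa:1111:bbbb::5", str(target)))
```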