IPv6 NAT - pointing me in the right direction

DavidMach
Level 1

My objective is to perfect my knowledge (basic to intermediate at this point) of IPv6 by creating a 100% IPv6 LAN.

That's the Windows component - and I have a decent grasp on that.

But here's the hitch...

My ISP does not yet offer IPv6. Moreover, my test lab is at "home" so I probably could not obtain an IPv6 addr for a residential account anyway.

I have an ASA 5505 running 9.1 (just updated this week).

*

I want to create some sort of IPv6 to IPv4 NAT or PAT so my IPv6 LAN can communicate with the Internet.

*

Sure! I could just leave IPv4 on and I'd be set. But remember, I want to see if I can make everything (Active Directory, DNS, DHCP) work in an IPv6 only network.

Is there any guide or perhaps a blog on how this can be achieved? Could someone explain in a nutshell?

I've glanced at this...

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_objects.html

But I'm not 100% sure which case applies to mine.

Some other details:

- I'll be using ULA (Unique Local Addresses) since my ISP cannot assign me a Global Unicast addr.

- My external IP would be dynamically assigned by my ISP.

- I managed to configure IPv4 NAT - so I know THAT does work.

5 Replies

Seb Rupik
VIP Alumni

Hi David,

You'll need to create an ipv6ip tunnel; the best place being between your ASA and router. This can either be a server or an inexpensive Cisco 1841 (for example) peering with a tunnel broker such as Hurricane Electric.

Run OSPF between the router and your ASA. If using a Linux server for your tunnel, then you'll need to configure something like quagga to run the OSPF process.

This will give you an IPv6 lab environment.

If some of your kit then needs to connect to IPv4 external hosts then you will need to configure NAT64. If you choose the Linux server option above, using tayga seems to be the popular option currently.

I wrote a blog post about the first step on my blog (shameless plug!):

http://config-if.blogspot.co.uk/2013/08/ipv6-tunnel.html

cheers,

Seb.

Andrew Yourtchenko
Cisco Employee

For NAT64 you can also use the CSR1000v, though the unlicensed version is limited to 2.5 Mbps throughput, but could be enough for experiments.

Seb, Andrew,

Thank you so much for your responses and please excuse my late response to them.

Seb,

I looked at your blog. I think my scenario is a little different and you touched on that in the second part of your response above.

I *only* need to connect to external IPv4 hosts. I do not need to tunnel to another IPv6 site.

The IPv6 to IPv4 is the only objective I am pursuing at this point.

Andrew,

I do not believe I have an appropriate host machine for the csr1000v. Looks like the hardware requirements are high and you have to have VMware ESXi 5.x. I only have VMware Workstation (ver 9).

http://www.networkworld.com/reviews/2013/022513-cisco-virtual-router-test-266658.html

***

Is there any way to configure NAT64 on a single ASA 5505?

Hello David,

I hate I do not have an ASA to play with this but I will do my best to do it just with a piece of paper (I know, pretty lame).

IPv6 inside network: 2001:AAAA:1111:BBBB::/120

IPv4 Outside Network for the NAT 20.20.20.0/24

We want our Inside IPv6 network to be able to talk with the outside IPv4 world

For that we will need to use NAT64 but at the same time NAT the Entire IPv4 address space into an IPv6 range

IPv6 range to match the entire IPv6 range: 2001:17::/96

Outside Pool for the NAT (20.20.20.0/24)

Then create the NAT

object network IPv6_Subnet_Internal

subnet 2001:AAAA:1111:BBBB::/120

object network IPv4_NAT

subnet 20.20.20.0 255.255.255.0

object network Fake_IPv6

subnet 2001:17::/96

nat (inside,outside) source static IPv6_Subnet_Internal IPv4_NAT destination static Fake_IPv6 any

That should do it!

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
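
The address arithmetic behind the mapping in the reply above, as an added example that is not part of the original posts and is not ASA code. It assumes the 2001:17::/96 prefix carries the IPv4 destination in its low 32 bits and that the static subnet-to-subnet rule preserves the host offset; the function names are hypothetical.

```python
import ipaddress

# Values taken from the reply above.
INSIDE_V6 = ipaddress.ip_network("2001:aaaa:1111:bbbb::/120")  # IPv6_Subnet_Internal
POOL_V4 = ipaddress.ip_network("20.20.20.0/24")                # IPv4_NAT
FAKE_V6 = ipaddress.ip_network("2001:17::/96")                 # Fake_IPv6


def embed_v4(dst_v4, prefix=FAKE_V6):
    """IPv6 address an inside host must target to reach the IPv4 host dst_v4."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes leave exactly 32 bits for IPv4")
    v4 = ipaddress.IPv4Address(dst_v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_v4(dst_v6, prefix=FAKE_V6):
    """IPv4 destination recovered from an address inside the /96."""
    addr = ipaddress.IPv6Address(dst_v6)
    if addr not in prefix:
        raise ValueError(f"{addr} is outside {prefix}, rule would not match")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def translate_source(src_v6, inside=INSIDE_V6, pool=POOL_V4):
    """Assumed 1:1 static mapping: the Nth inside address gets the Nth pool address."""
    if inside.num_addresses != pool.num_addresses:
        raise ValueError("static net-to-net mapping needs equal-sized ranges")
    addr = ipaddress.IPv6Address(src_v6)
    if addr not in inside:
        raise ValueError(f"{addr} is outside {inside}, rule would not match")
    offset = int(addr) - int(inside.network_address)
    return pool.network_address + offset


def translate_flow(src_v6, dst_v6):
    """(source, destination) as seen on the IPv4 side of the firewall."""
    return translate_source(src_v6), extract_v4(dst_v6)


if __name__ == "__main__":
    # Constructed sample flow: inside host ::15 reaching 192.0.2.1.
    target = embed_v4("192.0.2.1")
    print("host connects to", target)
    print("outside sees", translate_flow("2001:aaaa:1111:bbbb::15", target))
```

The same arithmetic is handy when correlating inside IPv6 log entries with the IPv4 addresses seen upstream.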

Phillip Remaker
Cisco Employee

You do not want NAT for the job. You want a tunnelbroker, who will provide a tunnel to a pure IPv6 network.

You can get free access to the IPv6 internet using one of three popular Tunnel Brokers:

www.tunnelbroker.net

www.sixxs.net

www.go6.net

You can get a /48 prefix or /56 from them and use global addresses.

If you want to keep using ULA, you can employ NPTv6 (aka NAT66).

And take some time and demand that your ISP offer IPv6!