Cisco Support Community

An example configuration for nat64 on ASR1k

At the FOSDEM conference in 2014 we used an IPv6-only network for the main wireless access.

The upstream link was configured as follows:

interface GigabitEthernet0/0/0
  description ---------- Uplink to COLT ----------------
  ip address 213.246.232.54 255.255.255.252
  ...
  ipv6 address 2001:920:0:1::5F/127
  nat64 enable

The IPv6-only network used:

interface GigabitEthernet0/0/3.1400
  description ----------- WiFi Internet client traffic  ----------------
  ipv6 address 2001:67C:1810:F051::1/64
  ipv6 enable
  nat64 enable

While the legacy dualstack network had:

interface GigabitEthernet0/0/3.1402
  description ----------- WiFi FOSDEM-dualstack Internet client traffic  ----------------
  ip address 151.216.63.254 255.255.240.0
  ipv6 address 2001:67C:1810:F055::1/64
  ipv6 enable
  nat64 enable

To allow traffic to IPv4-only devices we use stateful NAT64 with:

ipv6 access-list nat64-acl
  sequence 20 permit ipv6 any 2001:67C:1810:F050::/96

nat64 prefix stateful 2001:67C:1810:F050::/96
nat64 v4 pool nat-pool 151.216.42.1 151.216.42.254
nat64 v6v4 list nat64-acl pool nat-pool overload

This will NAT the IPv6 clients behind the 151.216.42.0/24 network range. The DNS server will lie to you and return an artificial IPv6 address for hosts that only have an IPv4 address.

So a normal DNS server like Google's 8.8.8.8 will give only the IPv4 address:

$ host ipv4.imset.org 2001:67c:1810:f050::808:808
Using domain server:
Name: 2001:67c:1810:f050::808:808
Address: 2001:67c:1810:f050::808:808#53
Aliases:

ipv4.imset.org has address 94.23.24.89

Our resolver lies and also returns the NAT64 IPv6 address:

$ host ipv4.imset.org 2001:67c:1810:f056::2
Using domain server:
Name: 2001:67c:1810:f056::2
Address: 2001:67c:1810:f056::2#53
Aliases:

ipv4.imset.org has address 94.23.24.89
ipv4.imset.org has IPv6 address 2001:67c:1810:f050::5e17:1859

Notice that to reach the IPv4 address 8.8.8.8 we had to lie and use 2001:67c:1810:f050::808:808, and that 94.23.24.89 (5E 17 18 59 in hex) became 2001:67c:1810:f050::5e17:1859: the IPv4 address is placed in the last 32 bits, after the /96 NAT64 prefix.

Alternatively, we could have written 2001:67c:1810:f050::8.8.8.8, depending on whether the OS supports this notation.
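The mapping described above can be computed in both directions, which is handy when IPv6 flow logs or translation tables need to be read back as real IPv4 destinations. The following is an added example, not part of the original post or the router configuration; the function names are hypothetical and it assumes the /96 prefix configured on this page.

```python
import ipaddress

# NAT64 prefix taken from the page's "nat64 prefix stateful" line.
NAT64_PREFIX = ipaddress.IPv6Network("2001:67c:1810:f050::/96")


def _require_96(prefix):
    # Only the /96 layout used on this page is handled here.
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are supported")


def embed(ipv4, prefix=NAT64_PREFIX):
    """IPv6 address an IPv6-only client uses to reach `ipv4` through NAT64."""
    _require_96(prefix)
    v4 = ipaddress.IPv4Address(ipv4)
    # With a /96 prefix the IPv4 address is the low 32 bits.
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6, prefix=NAT64_PREFIX):
    """Real IPv4 destination behind a NAT64 address, or None when the
    address lies outside the prefix (native IPv6, not translated)."""
    _require_96(prefix)
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def annotate(addresses, prefix=NAT64_PREFIX):
    """Map IPv6 addresses (e.g. from flow logs) to their IPv4 target."""
    return {a: extract(a, prefix) for a in addresses}


if __name__ == "__main__":
    for v4 in ("8.8.8.8", "94.23.24.89"):
        print(f"{v4:>15} -> {embed(v4)}")
    # Sample list constructed from addresses that appear on this page.
    sample = [
        "2001:67c:1810:f050::ad24:c48",            # NAT64 destination
        "2001:67c:1810:f050::8.8.8.8",             # dotted-quad notation
        "2001:67c:1810:f051:e984:cbe2:d169:8ded",  # WiFi client, native
    ]
    for v6, v4 in annotate(sample).items():
        print(f"{v6} -> {v4 if v4 is not None else 'not a NAT64 address'}")
```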

We can check that it works with:

asr1k#show nat64 mappings dynamic
Dynamic mappings configured: 1

Direction ID      ACL
   Pool                             Flags
   RG ID Mapping ID

v6v4      3       nat64-acl
   nat-pool                         0x00000001 (overload)
   0     0

asr1k#show nat64 pools
Pools configured: 1

Protocol HSL ID     Name
   Is Single Range
   Ranges

IPv4     3          nat-pool
   TRUE            (151.216.42.1 - 151.216.42.254)
   151.216.42.1 - 151.216.42.254

asr1k#show nat64 prefix stateful global
Global Stateful Prefix: is valid, 2001:67C:1810:F050::/96
IFs Using Global Prefix
   Gi0/0/0
   Gi0/0/3.1400
   Gi0/0/3.1402
   Gi0/0/3.1401

asr1k#show nat64 statistics mapping dynamic
NAT64 Statistics

Dynamic Mapping Statistics
   v6v4
      access-list nat64-acl pool nat-pool refcount 4196
         pool nat-pool:
            start 151.216.42.1 end 151.216.42.254
            total addresses 254, allocated 1 (0%)
            address exhaustion packet count 0

asr1k#show nat64 statistics global
NAT64 Statistics

Total active translations: 4062 (0 static, 4062 dynamic; 4062 extended)
Sessions found: 2632830
Sessions created: 10314
Expired translations: 6251
Global Stats:
   Packets translated (IPv4 -> IPv6)
      Stateless: 0
      Stateful: 1971206
      MAP-T: 0
   Packets translated (IPv6 -> IPv4)
      Stateless: 0
      Stateful: 671944
      MAP-T: 0

asr1k#show nat64 translations port 80 total
Total number of translations: 2008

To check the connections of a specific IPv6 address, use:

asr1k#show nat64 translations v6 original 2001:67c:1810:f051:e984:cbe2:d169:8ded verbose

Proto  Original IPv4         Translated IPv4
       Translated IPv6       Original IPv6
----------------------------------------------------------------------------
tcp    173.36.12.72:443      [2001:67c:1810:f050::ad24:c48]:443
       151.216.42.1:4801     [2001:67c:1810:f051:e984:cbe2:d169:8ded]:49407
         created: 01 Feb 2014 09:06:30, last-used:   01 Feb 2014 09:07:38,
           inactivity-time:     00:03:38
         flags: syn-in
         entry-id: 0x83a976e0, use-count: 1
...

Attached is a censored 'show run' of the router. Please note that we have ACLs on all interfaces, mainly to count traffic.


Version history
Revision #: 1 of 1
Last update: 02-01-2014 12:50 AM