
IPv6 NAT64 - Dynamic Overload Mapping (PAT) Configuration Example

 

 

Introduction

This document shows, with an example, how to configure dynamic overload mapping in NAT64. The configuration is the same as for dynamic mapping, except that with PAT multiple IPv6 addresses are mapped to a single IPv4 address. In other words, NAT64 dynamic overload mapping provides an N:1 mapping of IPv6 addresses to an IPv4 address.

 

Requirements

 

  • Understanding of IPv6 Addressing Scheme
  • Understanding NAT64

     

Background

 

This network setup has routers R1, R2 and R3 connected via Fast Ethernet interfaces. Loopback addresses are configured on routers R1 and R3 in order to generate networks. Router R1 is an IPv4 router that communicates with the ASR using RIP. Router R3 is an IPv6 router that uses RIPv6 to communicate with the ASR. The network address translation happens on the ASR router, which maps specific translations to specific ports for a given IPv4 address.

 

Note: All configurations were tested in a lab environment on Cisco 2800 routers running Cisco IOS 15.0 and an ASR running Cisco IOS-XE version 15.1(3)S4.

 

Topology Diagram

 

dynamicnat64netdiag.jpeg

 

Summary Steps

 

NAT64 Interface Configuration

  1. ipv6 address <Specify an IPv6 address>
  2. nat64 enable
  3. exit

 

NAT64 Dynamic Overload Mapping Configuration

  1. enable
  2. configure terminal
  3. ipv6 access-list <access-list-name>
  4. permit ipv6 <ipv6-address> any
  5. exit
  6. nat64 prefix stateful <prefix>

Note: The above command enables the router to translate the source IP address to IPv6 by using the stateful NAT64 prefix.

  7. nat64 v4 pool <pool-name> <start-ip-address> <end-ip-address>
  8. nat64 v6v4 list <access-list-name> pool <pool-name> overload
  9. exit

 

Configuration

 

Please see attached files for configuration of routers R1, R2 and R3.

 

 

The three configurations below are listed in this order: IPv4 Router, ASR Router, IPv6 Router.

!
version 15.0
!
hostname IPv4_Router
!
ip cef
!
!
ip multicast-routing

!
!
interface Loopback10
ip address 15.1.1.10 255.255.255.0
!
!
interface Loopback20
ip address 25.1.1.10 255.255.255.0
!
!
interface Loopback30
ip address 35.1.1.10 255.255.255.0
!
!
interface FastEthernet0/1
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
!
router rip
version 2
network 15.0.0.0
network 20.0.0.0
network 25.0.0.0
network 35.0.0.0
!
ip route 27.1.1.0 255.255.255.0 20.20.20.1
!
!
end

!
version 15.1
!
hostname ASR_Router
!
!
ipv6 unicast-routing
!
!
interface GigabitEthernet0/0/0
ipv6 address 4001::1/96
ipv6 rip RIPv6 enable
nat64 enable
cdp enable
!
!
interface GigabitEthernet0/0/1
ip address 20.20.20.1 255.255.255.0
load-interval 30
negotiation auto
nat64 enable
cdp enable
!
!
router rip
network 20.0.0.0
!
ipv6 router rip RIPv6
!
!
!
ipv6 access-list ACLv6
permit ipv6 4001::/96 any
!
!
nat64 prefix stateful 2001::/96
nat64 v4 pool pool1 27.1.1.10 27.1.1.10
nat64 v6v4 list ACLv6 pool pool1 overload
!
end

!
version 15.0
!
hostname IPv6_Router
!
!
ipv6 unicast-routing
ipv6 cef
!
!
interface Loopback10
no ip address
ipv6 address 4001::10/128
ipv6 rip RIPv6 enable
!
!
interface Loopback20
no ip address
ipv6 address 4001::20/128
ipv6 rip RIPv6 enable
!
!
interface Loopback30
no ip address
ipv6 address 4001::30/128
ipv6 rip RIPv6 enable
!
!
interface GigabitEthernet0/1
ip address 10.10.10.2 255.255.255.0
duplex auto
speed auto
ipv6 address 4001::2/96
ipv6 rip RIPv6 enable
!
!
ipv6 route 2001::/96 4001::1
ipv6 router rip RIPv6
!
!
!

end

 

 

Verify Commands

 

The configuration above is very similar to the dynamic mapping configuration; the only difference is the keyword overload added to the NAT64 configuration statement.

In our case, the IPv6 router can reach all the IPv4 addresses (the configured loopback addresses) by using the single IPv4 address 27.1.1.10 configured in the NAT64 address pool.

Similarly, you can ping from multiple IPv6 addresses (using a loopback address as the source) to the IPv4 side. All the IPv6 addresses are mapped to the single IPv4 address. In both cases, each address is mapped to a specific port. This can be verified with the help of ping and debug commands.

 

Verifying Connectivity Using Ping Command

 

Enable debug commands on both the IPv4 and IPv6 routers and verify connectivity using the ping command.

On router R3

Ping router R1 (IPv4 Router) interface Fa0/1 and its loopback addresses from router R3 (IPv6 router), converting each IPv4 address to hexadecimal and appending it to the NAT64 stateful prefix 2001::/96.

 

IPv6_Router#ping 2001::1414:1402 (HEX format Fa0/1 IPv4 address 20.20.20.2)

 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1414:1402, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms


IPv6_Router#ping 2001::f01:10a (HEX format Lo 10 IPv4 address 15.1.1.10)

 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::F01:10A, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms


IPv6_Router#ping 2001::1901:10a (HEX format Lo 20 IPv4 address 25.1.1.10)

 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1901:10A, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms


IPv6_Router#ping 2001::2301:10a (HEX format Lo 30 IPv4 address 35.1.1.10)

 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::2301:10A, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
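
The hexadecimal targets used in the pings above can be computed rather than converted by hand. The following is an added example, not part of the original document: it embeds an IPv4 address in a NAT64 prefix and extracts it again, and it goes beyond the /96 case used in this lab to the other prefix lengths defined in RFC 6052. The function and constant names are assumptions made for this example.

```python
import ipaddress

RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)

def embed(prefix, ipv4):
    """Return the IPv6 address that represents `ipv4` under a NAT64 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in RFC6052_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    out = bytearray(net.network_address.packed)
    i = net.prefixlen // 8
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if i == 8:              # bits 64-71 are reserved and stay zero
            i += 1
        out[i] = octet
        i += 1
    return ipaddress.IPv6Address(bytes(out))

def extract(prefix, ipv6):
    """Recover the embedded IPv4 address; reject addresses outside the prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if net.prefixlen not in RFC6052_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    raw, i, v4 = addr.packed, net.prefixlen // 8, bytearray()
    while len(v4) < 4:
        if i == 8:              # skip the reserved octet when reading back
            i += 1
        v4.append(raw[i])
        i += 1
    return ipaddress.IPv4Address(bytes(v4))

# Values from this page's lab: the stateful prefix on the ASR and R1's addresses.
LAB_PREFIX = "2001::/96"
LAB_TARGETS = ["20.20.20.2", "15.1.1.10", "25.1.1.10", "35.1.1.10"]

def lab_ping_targets():
    """Map each IPv4 address of R1 to the IPv6 address R3 has to ping."""
    return {v4: str(embed(LAB_PREFIX, v4)) for v4 in LAB_TARGETS}

if __name__ == "__main__":
    for v4, v6 in lab_ping_targets().items():
        print(f"{v4:<12} -> ping {v6}")
```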

 

 

The debug ip icmp command output on the IPv4 router is shown below:

 

IPv4_Router#debug ip icmp
ICMP packet debugging is on
IPv4_Router#
*Dec 20 10:17:16.818: ICMP: echo reply sent, src 20.20.20.2, dst 27.1.1.10, topology BASE, dscp 0 topoid 0

*Dec 20 10:17:28.218: ICMP: echo reply sent, src 15.1.1.10, dst 27.1.1.10, topology BASE, dscp 0 topoid 0

*Dec 20 10:17:40.958: ICMP: echo reply sent, src 25.1.1.10, dst 27.1.1.10, topology BASE, dscp 0 topoid 0

*Dec 20 10:17:50.086: ICMP: echo reply sent, src 35.1.1.10, dst 27.1.1.10, topology BASE, dscp 0 topoid 0

<Output omitted>

 

From the above output you can see that all the ping replies are directed to the single IPv4 address 27.1.1.10 configured in the NAT64 address pool.

 

The show nat64 translation command displays the address translations in detail.

 

ASR_Router#show nat64 translation

 

Proto  Original IPv4         Translated IPv4
       Translated IPv6       Original IPv6
----------------------------------------------------------------------------

 

icmp   35.1.1.10:4           [2001::2301:10a]:6575
       27.1.1.10:4           [4001::2]:6575
icmp   20.20.20.2:1          [2001::1414:1402]:9615
       27.1.1.10:1           [4001::2]:9615
icmp   25.1.1.10:3           [2001::1901:10a]:4815
       27.1.1.10:3           [4001::2]:4815
icmp   15.1.1.10:2           [2001::f01:10a]:6797
       27.1.1.10:2           [4001::2]:6797

 

Total number of translations: 4

 

The above output shows that the different addresses are mapped to different ports and that the replies are sent to the single IPv4 address 27.1.1.10.

 

Similarly, you can ping the IPv4 side from the configured IPv6 loopback addresses by using the command ping <IPv6 address> source <Interface address> and verify the translation on the ASR router with the command show nat64 translation.

 

IPv6_Router#ping 2001::1414:1402 source lo 10

 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1414:1402, timeout is 2 seconds:
Packet sent with a source address of 4001::10
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms
IPv6_Router#ping 2001::1414:1402 source lo 20

 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1414:1402, timeout is 2 seconds:
Packet sent with a source address of 4001::20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/0 ms
IPv6_Router#ping 2001::1414:1402 source lo 30

 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1414:1402, timeout is 2 seconds:
Packet sent with a source address of 4001::30
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
IPv6_Router#ping 2001::1414:1402 source g0/1

 

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::1414:1402, timeout is 2 seconds:
Packet sent with a source address of 4001::2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

 

 

ASR_Router#show nat64 translation

 

Proto  Original IPv4         Translated IPv4
       Translated IPv6       Original IPv6
----------------------------------------------------------------------------

 

icmp   20.20.20.2:2          [2001::1414:1402]:6454
       27.1.1.10:2           [4001::20]:6454
icmp   20.20.20.2:4          [2001::1414:1402]:2719
       27.1.1.10:4           [4001::2]:2719
icmp   20.20.20.2:1          [2001::1414:1402]:2001
       27.1.1.10:1           [4001::10]:2001
icmp   20.20.20.2:3          [2001::1414:1402]:3353
       27.1.1.10:3           [4001::30]:3353

 

Total number of translations: 4

 

The above output shows that the different IPv6 loopback addresses are translated to the single IPv4 address 27.1.1.10 by mapping them to different ports.
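
Because every IPv6 host appears on the IPv4 side as 27.1.1.10, a log entry on the IPv4 side can only be attributed to a host through the pool port recorded in the translation table. The following is an added example, not part of the original document: it parses the show nat64 translation output shown above and looks up the IPv6 host behind a given pool address and port. The function names and dictionary keys are assumptions made for this example.

```python
import re

# Second "show nat64 translation" output from this page, header lines dropped.
SAMPLE = """\
icmp   20.20.20.2:2          [2001::1414:1402]:6454
       27.1.1.10:2           [4001::20]:6454
icmp   20.20.20.2:4          [2001::1414:1402]:2719
       27.1.1.10:4           [4001::2]:2719
icmp   20.20.20.2:1          [2001::1414:1402]:2001
       27.1.1.10:1           [4001::10]:2001
icmp   20.20.20.2:3          [2001::1414:1402]:3353
       27.1.1.10:3           [4001::30]:3353
"""

# One "IPv4:port   [IPv6]:port" pair, as printed on each line of an entry.
PAIR = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+\[([0-9A-Fa-f:.]+)\]:(\d+)")

def parse_translations(text):
    """Return one dict per two-line translation entry."""
    entries, pending = [], None
    for line in text.splitlines():
        m = PAIR.search(line)
        if not m:
            continue                      # header, separator, blank or total line
        v4 = (m.group(1), int(m.group(2)))
        v6 = (m.group(3), int(m.group(4)))
        token = line.split()[0]
        if not token[0].isdigit():        # protocol name starts the first line
            pending = {"proto": token, "dst_v4": v4, "dst_v6": v6}
        elif pending is not None:         # second line: pool side and IPv6 host
            entries.append({**pending, "pool": v4, "src_v6": v6})
            pending = None
    return entries

def attribute(entries, proto, pool_ip, pool_port):
    """Map what the IPv4 side sees (pool address and port) to the IPv6 host."""
    hits = [e["src_v6"][0] for e in entries
            if e["proto"] == proto and e["pool"] == (pool_ip, pool_port)]
    # No hit or several hits: the entry may have expired or the table is stale.
    return hits[0] if len(hits) == 1 else None
```

Translations expire, as the statistics output further down shows, so the table has to be captured close to the time of the event being attributed.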

 

Some useful show commands that can be used to see NAT64 translations on the ASR router:

 

Show nat64 mappings dynamic

This command displays information about the Network Address Translation 64 (NAT64) dynamic mappings.

 

ASR_Router#show nat64 mappings dynamic

Dynamic mappings configured: 1

Direction ACL
   Pool                             Flags

v6v4      ACLv6
   pool1                            0x00000001 (overload)

Show nat64 adjacency ipv6

 

This command displays the information about the Network Address Translation 64 (NAT64) managed adjacencies.

 

ASR_Router#show nat64 adjacency ipv6


Adjacency Counts

   Stateless Prefix Adjacencies: 0
   Stateless Prefix Adjacency Ref Count: 0
   v4v6 Stateless Prefix Adjacencies: 0
   v4v6 Stateless Prefix Adjacency Ref Count: 0
   v6v4 Stateless Prefix Adjacencies: 0
   v6v4 Stateless Prefix Adjacency Ref Count: 0
   Stateful Prefix Adjacencies: 1
   Stateful Prefix Adjacency Ref Count: 1
   IPv6 Well-Known Prefix Adjacencies: 1
   IPv6 Well-Known Prefix Adjacency Ref Count: 1
   IPv6 Static Mapping Adjacencies: 0
   IPv6 Static Mapping Adjacency Ref Count: 0
   IPv4 Static Mapping Adjacencies: 0
   IPv4 Static Mapping Adjacency Ref Count: 0
   IPv4 Pool Adjacencies: 1
   IPv4 Pool Adjacency Ref Count: 1
   IPv4 Route Adjacencies: 0

Adjacencies

   Stateful Prefix: ::100.0.0.1
   IPv6 Well-Known Prefix: ::100.0.0.2
   IPv6 Stateful Mask: ::100.0.0.0
   IPv4 Pool: 100.0.0.2
   IPv4 Stateful Mask: 100.0.0.0

 

Show nat64 prefix stateful

 

Using this command, you can check the information about Network Address Translation 64 (NAT64) stateful prefixes. Global prefixes, NAT64-configured interfaces and prefix static routes are displayed.

 

ASR_Router#show nat64 prefix stateful global (Displays the global prefixes)

 

Global Stateful Prefix: is valid, 2001::/96

 

IFs Using Global Prefix

 

   Gi0/0/0
   Gi0/0/1


ASR_Router#show nat64 prefix stateful interfaces (Displays the nat64 enabled interfaces)
Stateful Prefixes

Interface
   NAT64 Enabled Global Prefix

 

GigabitEthernet0/0/0
   TRUE          TRUE   2001::/96
GigabitEthernet0/0/1
   TRUE          TRUE   2001::/96


ASR_Router#show nat64 prefix stateful static-routes (Displays the static-routes)
Stateful Prefixes


NAT64 Prefix
   Static Route Ref-Count

 

2001::/96
   1

 

Show nat64 statistics

 

Use this command to display Network Address Translation 64 (NAT64) packet count statistics.

 

ASR_Router#show nat64 statistics
NAT64 Statistics

Total active translations: 1 (0 static, 1 dynamic; 1 extended)
Sessions found: 251
Sessions created: 29
Expired translations: 26
Global Stats:
   Packets translated (IPv4 -> IPv6)
      Stateless: 0
      Stateful: 135
   Packets translated (IPv6 -> IPv4)
      Stateless: 0
      Stateful: 140

Interface Statistics
   GigabitEthernet0/0/0 (IPv4 configured, IPv6 configured):
      Packets translated (IPv4 -> IPv6)
         Stateless: 0
         Stateful: 0
      Packets translated (IPv6 -> IPv4)
         Stateless: 0
         Stateful: 140
      Packets dropped: 0
   GigabitEthernet0/0/1 (IPv4 configured, IPv6 not configured):
      Packets translated (IPv4 -> IPv6)
         Stateless: 0
         Stateful: 135
      Packets translated (IPv6 -> IPv4)
         Stateless: 0
         Stateful: 0
      Packets dropped: 5
Dynamic Mapping Statistics
   v6v4
      access-list ACLv6 pool pool1 refcount 1
         pool pool1:
            start 27.1.1.10 end 27.1.1.10
            total addresses 1, allocated 1 (100%)
            address exhaustion packet count 0
Limit Statistics

Comments

Hi Sivagami,

Is there any hardware or software limitation for the router who is doing the translation job? So according to your design, the router R2 is an ASR, do we have to have specific hardware like ASR?

Please reply because I am starting to set this up in the along with the 'overload' scenario.

-Thanks,

Deepak A.

Hi Deepak,

You are right! The NAT64 feature is implemented from IOS XE 3.2S release onwards.

Hope this helps

Thanks

Sivagami.N