on 02-09-2012 12:31 PM - edited on 03-25-2019 02:26 PM by ciscomoderator
I have heard a few customers complain that the NAT64 document http://www.cisco.com/en/US/docs/ios/ios_xe/ipaddr/configuration/guide/iad_stateless_nat64_xe.html is difficult to understand, especially its lack of a network diagram showing the corresponding interfaces and the whereabouts of the IPv4 and IPv6 addresses.
This posting is intended to provide a working example along with a detailed illustration of the network diagram.
Network Diagram
The goal is for IPv4 router R1 to communicate with the IPv6 subnet host by R2's F0/1 interface. Since R1 is an IPv4-only device, it does not understand IPv6 addresses; it needs an IPv4 address to communicate with. In this case, the IPv4 subnet we choose is 192.1.1.0/24. The nat64 prefix defines the stateless NAT64 prefix to be added to the IPv4 hosts to translate the IPv4 address into an IPv6 address. Please refer to this link for the IPv4-Translatable IPv6 address format: http://www.cisco.com/en/US/docs/ios/ios_xe/ipaddr/configuration/guide/iad_stateless_nat64_xe.html#wp1070936
Address Translation Between IPv4 and IPv6:
Destination Translation:
Upon receiving an IPv4 packet destined to 192.1.1.1, NAT64 translates the destination IPv4 address into the IPv6 address 2001:DB9:0:1::C001:101. Here, C0010101 is the hexadecimal format of 192.1.1.1. 2001:DB9:0:1::/96 is the pre-defined NAT64 prefix from the "nat64 prefix stateless" command.
Source Translation:
NAT64 also translates the source IPv4 address 192.168.5.2 into the IPv6 address 2001:DB9:0:1::C0A8:502. Again, C0A80502 is the hexadecimal format of 192.168.5.2.
IPv6 to IPv4 Translation:
Upon receiving return IPv6 traffic, NAT64 translates the source IPv6 address 2001:DB9:0:1::C001:101 back into IPv4 address 192.1.1.1 and the destination IPv6 address 2001:DB9:0:1::C0A8:501 back into IPv4 address 192.168.5.2.
Connectivity Test:
R1#ping 192.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
R2#debug ipv6 icmp
ICMP packet debugging is on
R2#
*Feb 17 22:25:49.842: ICMPv6: Received echo request from 2001:DB9:0:1::C0A8:502
*Feb 17 22:25:49.842: ICMPv6: Sending echo reply to 2001:DB9:0:1::C0A8:502
*Feb 17 22:25:49.842: ICMPv6: Received echo request from 2001:DB9:0:1::C0A8:502
*Feb 17 22:25:49.842: ICMPv6: Sending echo reply to 2001:DB9:0:1::C0A8:502
*Feb 17 22:25:49.842: ICMPv6: Received echo request from 2001:DB9:0:1::C0A8:502
*Feb 17 22:25:49.846: ICMPv6: Sending echo reply to 2001:DB9:0:1::C0A8:502
Other Relevant Output:
ASR1k#sh ipv6 route
IPv6 Routing Table - default - 5 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
ND - Neighbor Discovery
O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2001:FF::/96 [0/0]
via GigabitEthernet0/0/1, directly connected
L 2001:FF::1/128 [0/0]
via GigabitEthernet0/0/1, receive
S 2001:DB9:0:1::/96 [1/0]
via ::42, NVI0
O 2001:DB9:0:1::C001:100/120 [110/2]
via FE80::20F:35FF:FE2C:9AD9, GigabitEthernet0/0/1
L FF00::/8 [0/0]
via Null0, receive
R2#sh ipv6 route
IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C 2001:FF::/96 [0/0]
via ::, FastEthernet0/0
L 2001:FF::2/128 [0/0]
via ::, FastEthernet0/0
C 2001:DB9:0:1::C001:100/120 [0/0]
via ::, FastEthernet0/1
L 2001:DB9:0:1::C001:101/128 [0/0]
via ::, FastEthernet0/1
S 2001:DB9:0:1::C0A8:502/128 [1/0]
via 2001:FF::1
L FE80::/10 [0/0]
via ::, Null0
L FF00::/8 [0/0]
via ::, Null0
Still, I wonder how you do a NAT64 overload with stateless NAT64 (btw, stateful NAT64 is working flawlessly). I configured the following:
NAT64 router: IOS-XR
(Cisco IOS Software, IOS-XE Software (PPC_LINUX_IOSD-IPBASEK9-M), Version 15.2(4)S, RELEASE SOFTWARE (fc4)
ipv6 unicast-routing
interface GigabitEthernet0/0/0
description IPV6 network side
no ip address
negotiation auto
nat64 enable
ipv6 address 2001:888:1F31:2271::90/64
ipv6 enable
ipv6 ospf 1 area 0
!
interface GigabitEthernet0/0/1
description IPV4 network side
ip address 192.168.71.90 255.255.255.0
negotiation auto
nat64 enable
router ospf 1
router-id 192.168.71.255
redistribute static subnets
network 192.168.71.0 0.0.0.255 area 0
!
ipv6 router ospf 1
redistribute static
!
nat64 prefix stateless 2001:888:1F31:FFFF::/96
nat64 route 192.168.72.0/24 GigabitEthernet0/0/0
IPV4-router#sh ip route ospf
O E2 192.168.72.0/24 [110/20] via 192.168.71.90, 01:06:53, Vlan2
IPV6-router#sh ipv6 route ospf
OE2 2001:888:1F31:FFFF::/96 [110/20]
via FE80::215:62FF:FE7E:E619, Vlan70
NAT64-router# sh ip route
S 192.168.72.0/24 [1/0] via 0.0.0.3, NVI0
NAT64-router# sh ipv6 route
S 2001:888:1F31:FFFF::/96 [1/0] via ::42, NVI0
O 2001:888:1F31:2272::1/128 [110/2]
via FE80::215:62FF:FE7E:E618, GigabitEthernet0/0/0
NVI0 is up, line protocol is up
Hardware is NVI
MTU 9216 bytes, BW 56 Kbit/sec, DLY 5000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation UNKNOWN, loopback not set
Keepalive not set
Last input never, output never, output hang never
Last clearing of "show interface" counters 00:00:10
Input queue: 0/375/0/0 (size/max/drops/flushes); Total output drops: 0
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
8 packets input, 1054 bytes, 0 no buffer
Received 0 broadcasts (0 IP multicasts)
0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 unknown protocol drops
0 output buffer failures, 0 output buffers swapped out
NAT64#sh run int nvi0
Building configuration...
Current configuration : 5 bytes
end
Ping from IPv6 to Internet:
Sending 5, 100-byte ICMP Echos to 2001:888:1F31:FFFF::C0A8:4800, timeout is 2 seconds:
Packet sent with a source address of 2001:888:1F31:2272::1
@@@@@
NAT64#sh nat translations
Proto Original IPv4 Translated IPv4
Translated IPv6 Original IPv6
----------------------------------------------------------------------------
Total number of translations: 0
NAT64#sh nat st
NAT64#sh nat statistics
NAT64 Statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Sessions found: 0
Sessions created: 0
Expired translations: 0
Global Stats:
Packets translated (IPv4 -> IPv6)
Stateless: 0
Stateful: 0
Packets translated (IPv6 -> IPv4)
Stateless: 0
Stateful: 0
Interface Statistics
GigabitEthernet0/0/0 (IPv4 not configured, IPv6 configured):
Packets translated (IPv4 -> IPv6)
Stateless: 0
Stateful: 0
Packets translated (IPv6 -> IPv4)
Stateless: 0
Stateful: 0
Packets dropped: 9
GigabitEthernet0/0/1 (IPv4 configured, IPv6 not configured):
Packets translated (IPv4 -> IPv6)
Stateless: 0
Stateful: 0
Packets translated (IPv6 -> IPv4)
Stateless: 0
Stateful: 0
Packets dropped: 0
Dynamic Mapping Statistics
v6v4
Limit Statistics
So I can see the dropped packets from IPv6 towards an Internet-based IP address or local-based IP address?
Thanks in advance,
Michel
You mean to aggregate many IPv6 users into a single IPv4 address? If so, stateful NAT64 is required.
Hi Yi Wu,
"You mean to aggregate many IPv6 users into a single IPv4 address?" That's correct, and it is working with stateful NAT64, but is it also supported with stateless NAT64?
xie xie ni,
Kind regards,
Michel
Hi Michel,
See this white paper, http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6553/white_paper_c11-676277.html
It's not possible to aggregate many IPv6 addresses into a single IPv4 address with stateless NAT64. As stateless NAT64 requires an algorithmic binding between the IPv6 address and the IPv4 address, it's a one-to-one mapping.
Thanks,
William Wu
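The algorithmic mapping walked through in the original post (the IPv4 address placed in the low 32 bits of the /96 stateless prefix) and the one-to-one property described in the reply above can be checked with a short script. This is an added example, not part of the original thread or Cisco's implementation; the function names are illustrative and only the /96 layout used on this page is handled.

```python
import ipaddress
import re

# Stateless prefix from the post ("nat64 prefix stateless 2001:DB9:0:1::/96").
PREFIX = ipaddress.IPv6Network("2001:DB9:0:1::/96")

def v4_to_v6(v4, prefix=PREFIX):
    """Embed the 32-bit IPv4 address in the low 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 layout used on this page is handled")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))

def v6_to_v4(v6, prefix=PREFIX):
    """Reverse mapping; None when the address is outside the NAT64 prefix."""
    v6 = ipaddress.IPv6Address(v6)
    if prefix.prefixlen != 96 or v6 not in prefix:
        return None  # no algorithmic IPv4 counterpart exists
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)

def ipv4_peers(log_lines, prefix=PREFIX):
    """Recover the IPv4 hosts behind translated addresses in ICMPv6 debug lines."""
    peers = []
    for line in log_lines:
        m = re.search(r"(?:from|to) ([0-9A-Fa-f:]+)\s*$", line)
        if m:
            v4 = v6_to_v4(m.group(1), prefix)
            if v4 is not None and v4 not in peers:
                peers.append(v4)
    return peers

# Two lines copied from the R2 debug output in the post.
SAMPLE_LOG = [
    "*Feb 17 22:25:49.842: ICMPv6: Received echo request from 2001:DB9:0:1::C0A8:502",
    "*Feb 17 22:25:49.842: ICMPv6: Sending echo reply to 2001:DB9:0:1::C0A8:502",
]

if __name__ == "__main__":
    print(v4_to_v6("192.1.1.1"))      # destination translation
    print(v4_to_v6("192.168.5.2"))    # source translation
    print(ipv4_peers(SAMPLE_LOG))     # IPv4 host recovered from the IPv6 log
    # A native IPv6 address outside the prefix has no IPv4 counterpart.
    print(v6_to_v4("2001:888:1F31:2272::1"))
```

Because the mapping is a pure function of the address bits, every distinct IPv4 address yields a distinct IPv6 address and no state is kept, which is why many IPv6 hosts cannot share one IPv4 address without stateful NAT64.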
Hello from seven years later.....
This is the best article, even clearer than the official NAT pages, whose last edit is Oct 2018.
I was totally confused by the link I attached, but your example does a good job of conveying the important fact:
the nat64 prefix will translate both sides, inside local to inside global (classic Cisco NAT terminology),
but I am still not sure of any difference between stateful "NAT64" and "ipv6 nat" ...