NAT64 Stateful

Load nat64.lab1.init.cfg

#IOS-XE
config replace flash:nat64.lab1.init.cfg

#IOS-XR (XR1 only)
configure
load bootflash:nat64.lab1.init.cfg
commit replace
y

R1 is an internet subscriber and XR1 is an internet server. Configure NAT64 on R6 so that R1 (IPv6-only) can reach XR1, which is IPv4-only (192.0.2.1).

  • Use 100.1.1.1 as the translated IPv4 address on R6

  • Only allow traffic sourced from 2001::/64 to be translated for NAT64

  • Use the prefix 64:ff96::/96 for NAT64

Answer

#R6
int GigabitEthernet2.36
 nat64 enable
int GigabitEthernet2.46
 nat64 enable
int GigabitEthernet2.56
 nat64 enable
int GigabitEthernet2.619
 nat64 enable
!
ipv6 access-list NAT64_SOURCES
 permit ipv6 2001::/64 any
!
nat64 prefix stateful 64:ff96::/96
nat64 v4 pool V4POOL 100.1.1.1 100.1.1.1
nat64 v6v4 list NAT64_SOURCES pool V4POOL overload
!
ipv6 router ospf 1
 redistribute static

Explanation

NAT64 is an IPv6 transition mechanism which allows an IPv6-only host to communicate with IPv4-only hosts. This allows an IPv6-only client to reach the IPv4 internet.

A well-known prefix of 64:ff9b::/96 has been allocated for NAT64. (In this lab we are asked to use 64:ff96::/96, which was initially an oversight by me, but it tests your understanding of using a non-default prefix.) The IPv4 address is mapped to this prefix to give the IPv6-only client an IPv6 address to use for the IPv4 host. The NAT64 device maps this IPv6 address to IPv4, and then source NATs the IPv6 client to an IPv4 address. With stateful NAT, we use PAT (overload) to conserve IPv4 address space.

To begin, we enable nat64 on all interfaces that will participate in NAT64. This command goes on the IPv6 interfaces which will receive traffic destined to 64:ff96::/96, as well as the outgoing/incoming IPv4 interface.

#R6
int GigabitEthernet2.36
 nat64 enable
int GigabitEthernet2.46
 nat64 enable
int GigabitEthernet2.56
 nat64 enable
int GigabitEthernet2.619
 nat64 enable

Next we configure the NAT rules. This is quite similar to NAT44. We use an ACL to define which sources will match the NAT rule, define the NAT64 stateful prefix, define the NAT64 IPv4 NAT pool, and then define the NAT rule. Note that the IPv4 addresses used in the pool cannot exist on the router itself.

#R6
ipv6 access-list NAT64_SOURCES
 permit ipv6 2001::/64 any
!
nat64 prefix stateful 64:ff96::/96
nat64 v4 pool V4POOL 100.1.1.1 100.1.1.1
nat64 v6v4 list NAT64_SOURCES pool V4POOL overload

R6 will automatically create a NAT virtual interface (NVI). Static routes for the V4 pool (100.1.1.1/32) and the NAT64 prefix are automatically added as well, and point to the NVI:

We can now redistribute static into OSPFv3 in order to advertise 64:ff96::/96 into the IGP. This attracts the NAT64 traffic to R6.

#R6
ipv6 router ospf 1
 redistribute static

Verification

Normally a DNS64 server would be used to resolve A records to AAAA-synthesized records. But in this lab we can manually map 192.0.2.1 to the NAT64 destination address as follows:

192 = c0
0   = 00
2   = 02
1   = 01

64:ff96::c000:0201
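
The same mapping in Python, as an added example that is not part of the original lab: it embeds an IPv4 address in a NAT64 prefix and recovers it again, which is the lookup the translator performs on the destination. It goes beyond the /96 case used here by also handling the other RFC 6052 prefix lengths, where byte 8 of the IPv6 address is skipped; the function names are illustrative.

```python
import ipaddress

# RFC 6052 prefix lengths; for lengths below 96 the IPv4 octets skip byte 8.
VALID_LENGTHS = (32, 40, 48, 56, 64, 96)

def _network(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    return net

def embed(prefix, ipv4):
    """Return the IPv6 address that represents ipv4 inside the NAT64 prefix."""
    net = _network(prefix)
    out = bytearray(net.network_address.packed)
    pos = net.prefixlen // 8            # first byte after the prefix
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if pos == 8:                    # skip the reserved octet (bits 64-71)
            pos += 1
        out[pos] = octet
        pos += 1
    return ipaddress.IPv6Address(bytes(out))

def extract(prefix, ipv6):
    """Recover the IPv4 destination from an address inside the NAT64 prefix."""
    net = _network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    raw, pos, octets = addr.packed, net.prefixlen // 8, []
    while len(octets) < 4:
        if pos == 8:                    # same skip as in embed()
            pos += 1
        octets.append(raw[pos])
        pos += 1
    return ipaddress.IPv4Address(bytes(octets))

if __name__ == "__main__":
    # Values from this lab: non-default prefix 64:ff96::/96, server 192.0.2.1
    target = embed("64:ff96::/96", "192.0.2.1")
    print(target)
    print(extract("64:ff96::/96", target))
    # Constructed sample showing the byte-8 skip with a /64 prefix
    print(embed("2001:db8:122:344::/64", "192.0.2.33"))
```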

Since we are allowing all traffic that is sourced from 2001::/64, we can also ping from another host, for example R2:

We can see the stateful NAT entries on R6:
