IPv6 transition lab with NAT64

NAT64: Stateful NAT64, defined in RFC 6146, is a stateful translation mechanism for translating IPv6 addresses to IPv4 addresses, and IPv4 addresses to IPv6 addresses. It is called stateful because it creates or modifies bindings or session state while performing translation. It supports both IPv6-initiated and IPv4-initiated communications using static or manual mappings.

DNS64: DNS64 is used together with NAT64 and works as an addition to the standard DNS server. When DNS64 is asked for an AAAA record (IPv6 address for a hostname) but finds (or receives from an upstream DNS) only an A record, it synthesizes the AAAA record from the A record. The first part of the synthesized AAAA record is a well-known or service provider assigned IPv6 prefix, which is also used with NAT64. The second part of the AAAA record is an IPv4 address of the IPv4 host that is found in the A record.

Lab topology for IPv6 NAT64

In this lab scenario we are simulating a mixed IPv6 transition approach using stateful and static NAT64.

The service provider network is a dual-stack network capable of supporting IPv4-only, IPv6-only and dual-stack customers. The service provider is connected to both the IPv4 and IPv6 Internet backbones.

The customer network is IPv6-only except for the CE-to-PE link. The customer owns a normal /48 public IPv6 prefix, which is used throughout the enterprise, and a small /24 IPv4 subnet, which is kept at the edge device for reaching the legacy IPv4 Internet using NAT64.

Customer endpoints are IPv6-only (not dual stack), so they reach the IPv6 Internet normally. To reach the IPv4 Internet, the customer's endpoints obtain the synthesized IPv6-equivalent address of IPv4 hosts from DNS64.

DNS64 is not simulated in this scenario, but we assume that the DNS64 server behaves as follows:

Hostname       IPv4 Address      IPv6 equivalent Address
example.com    192.168.10.100    64:ff9b::192.168.10.100
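
The synthesis DNS64 performs, and the reverse step the NAT64 device applies to the destination address, as an added example that is not part of the original lab. It goes beyond the lab's /96 prefix to cover every prefix length RFC 6052 allows; the function names are this example's own.

```python
import ipaddress

# Added illustration; function names are this example's own, not a library API.
WKP = ipaddress.IPv6Network("64:ff9b::/96")   # RFC 6052 well-known prefix
# RFC 6052 section 2.2: prefix length -> IPv4 octets placed before the
# reserved "u" octet (address byte 8), which always stays zero.
OCTETS_BEFORE_U = {32: 4, 40: 3, 48: 2, 56: 1, 64: 0}

def _check(prefix):
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96 and net.prefixlen not in OCTETS_BEFORE_U:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    return net

def synthesize(prefix, ipv4):
    """Build the IPv6 address DNS64 would return in a synthesized AAAA."""
    net, v4 = _check(prefix), ipaddress.IPv4Address(ipv4).packed
    out = bytearray(net.network_address.packed)
    if net.prefixlen == 96:
        out[12:16] = v4                       # IPv4 is the last 32 bits
    else:
        start, n = net.prefixlen // 8, OCTETS_BEFORE_U[net.prefixlen]
        out[start:start + n] = v4[:n]         # octets before the u octet
        out[9:13 - n] = v4[n:]                # remaining octets after it
    return ipaddress.IPv6Address(bytes(out))

def extract(prefix, ipv6):
    """Recover the IPv4 destination the NAT64 device derives from the DA."""
    net, addr = _check(prefix), ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is outside {net}; not a NAT64 destination")
    raw = addr.packed
    if net.prefixlen == 96:
        return ipaddress.IPv4Address(raw[12:16])
    start, n = net.prefixlen // 8, OCTETS_BEFORE_U[net.prefixlen]
    return ipaddress.IPv4Address(raw[start:start + n] + raw[9:13 - n])

def wkp_with_non_global(prefix, ipv4):
    """True when the well-known prefix carries a non-global IPv4 address
    (private, loopback, ...), which RFC 6052 section 3.1 says must not be done."""
    return (ipaddress.IPv6Network(prefix) == WKP
            and not ipaddress.IPv4Address(ipv4).is_global)

if __name__ == "__main__":
    aaaa = synthesize("64:ff9b::/96", "192.168.10.100")
    print(aaaa, extract("64:ff9b::/96", aaaa))   # the lab's example.com mapping
    print(wkp_with_non_global("64:ff9b::/96", "192.168.10.100"))
```

The lab pairs 64:ff9b::/96 with a private 192.168.10.100 target, which `wkp_with_non_global` flags; a production deployment that has to reach non-global IPv4 space would use a network-specific prefix instead.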

The packet sequence for reaching an IPv4 host from an IPv6 client is as follows:

PC-3 (2001:db8:bbbb:20:2050:79ff:fe66:6800/64) sends a query to the local DNS64 server for example.com, which is an IPv4-only host.

DNS64 sends (proxies) the query to an upstream IPv4 DNS server and gets the IPv4 address (192.168.10.100).

DNS64 synthesizes the IPv6 equivalent address (64:ff9b::192.168.10.100) and sends it back to the client PC.

The client creates the IPv6 packet as shown below and sends it out:

IPv6 SA: 2001:db8:bbbb:20:2050:79ff:fe66:6800
IPv6 DA: 64:ff9b::192.168.10.100

The packet reaches the CE router, where it needs to be translated to an IPv4 packet. This is more than a source or destination translation: the IPv4 packet is generated based on the IPv6 packet.

The source IPv4 address for the new packet is picked from a NAT pool, and the destination is derived from the IPv6 destination address (DNS64 has already embedded the IPv4 address in the IPv6 address).

IPv4 SA: 192.168.20.11
IPv4 DA: 192.168.10.100

The packet then travels to its destination in the IPv4 Internet.

This is a dynamic stateful NAT/PAT operation, which means it needs to be initiated from the inside network. For inside IPv6 hosts to be reachable from the outside IPv4 Internet, static NAT64 needs to be configured.
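
The difference between the dynamic binding and the static mapping, as an added Python model that is not part of the original lab and is not how IOS implements NAT64. It reuses the addresses from the CE-2 configuration below; the class name, the port-preserving allocation and the absence of timers are assumptions of the model.

```python
import ipaddress as ip

# Added model; values mirror the CE-2 configuration, the logic is simplified.
PREFIX = ip.IPv6Network("64:ff9b::/96")        # prefix the lab uses
ACL = ip.IPv6Network("2001:db8:bbbb::/48")     # ACL6-PUBLIC-1
POOL = [ip.IPv4Address("192.168.20.10") + i for i in range(91)]  # .10-.100
STATIC = {ip.IPv4Address("192.168.20.3"):      # nat64 v6v4 static
          ip.IPv6Address("2001:db8:bbbb:20:2050:79ff:fe66:6801")}

class Nat64Model:
    """One binding per (IPv6 source, port); static-host egress not modelled."""
    def __init__(self):
        self.out = {}    # (v6 src, port) -> (pool v4, port)
        self.back = {}   # (pool v4, port) -> (v6 src, port)

    def v6_to_v4(self, src, sport, dst, dport):
        src, dst = ip.IPv6Address(src), ip.IPv6Address(dst)
        if dst not in PREFIX or src not in ACL:
            return None                        # not translated by this rule
        v4dst = ip.IPv4Address(int(dst) & 0xFFFFFFFF)   # embedded by DNS64
        if (src, sport) not in self.out:
            # overload (PAT): keep the port if free, else try the next address
            v4src = next(a for a in POOL if (a, sport) not in self.back)
            self.out[(src, sport)] = (v4src, sport)
            self.back[(v4src, sport)] = (src, sport)
        v4src, mport = self.out[(src, sport)]
        return (str(v4src), mport, str(v4dst), dport)

    def v4_to_v6(self, src, sport, dst, dport):
        src, dst = ip.IPv4Address(src), ip.IPv4Address(dst)
        v6src = ip.IPv6Address(int(PREFIX.network_address) | int(src))
        if dst in STATIC:                      # static: reachable from outside
            return (str(v6src), sport, str(STATIC[dst]), dport)
        hit = self.back.get((dst, dport))
        if hit is None:
            return None                        # no binding: packet is dropped
        return (str(v6src), sport, str(hit[0]), hit[1])

if __name__ == "__main__":
    nat = Nat64Model()
    pc3 = "2001:db8:bbbb:20:2050:79ff:fe66:6800"
    print(nat.v6_to_v4(pc3, 15270, "64:ff9b::192.168.10.100", 15270))
    print(nat.v4_to_v6("192.168.10.100", 15270, "192.168.20.10", 15270))
    print(nat.v4_to_v6("192.168.10.100", 40000, "192.168.20.10", 443))  # None
    print(nat.v4_to_v6("192.168.10.100", 40000, "192.168.20.3", 443))
```

The static entry translates every inbound port to the inside host, so whatever filtering that host needs has to be applied separately from NAT64.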

Configuration:

CE-2:

hostname CE-2
!
ipv6 unicast-routing
!
interface Ethernet0/0
 ip address 10.0.21.2 255.255.255.0
 nat64 enable
 ipv6 address 2001:DB8:AAAA:21::2/64
!
interface Ethernet0/1
 no ip address
 nat64 enable
 ipv6 address 2001:DB8:BBBB:20::2/64
!
ip route 0.0.0.0 0.0.0.0 10.0.21.1
ip route 192.168.20.0 255.255.255.0 Null0
!
nat64 v4 pool NPOOL-PUBLIC-1 192.168.20.10 192.168.20.100
nat64 v6v4 static 2001:DB8:BBBB:20:2050:79FF:FE66:6801 192.168.20.3
nat64 v6v4 list ACL6-PUBLIC-1 pool NPOOL-PUBLIC-1 overload
!
ipv6 route ::/0 2001:DB8:AAAA:21::1
!
ipv6 access-list ACL6-PUBLIC-1
 permit ipv6 2001:DB8:BBBB::/48 any
!

PE-1:

hostname PE-1
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
 ipv6 address 2001:DB8:AAAA::1/128
!
interface Ethernet0/0
 ip address 10.0.21.1 255.255.255.0
 ipv6 address 2001:DB8:AAAA:21::1/64
!
interface Ethernet0/1
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 no ip address
 ipv6 address 2001:DB8:CCCC:30::1/64
!
ip route 192.168.20.0 255.255.255.0 10.0.21.2
!
ipv6 route 2001:DB8:BBBB::/48 2001:DB8:AAAA:21::2
!

Verification:

PC-3

PC-3> ping 64:FF9B::192.168.10.100

64:FF9B::192.168.10.100 icmp6_seq=1 ttl=62 time=18.357 ms
64:FF9B::192.168.10.100 icmp6_seq=2 ttl=62 time=0.000 ms
64:FF9B::192.168.10.100 icmp6_seq=3 ttl=62 time=0.000 ms
64:FF9B::192.168.10.100 icmp6_seq=4 ttl=62 time=0.000 ms
64:FF9B::192.168.10.100 icmp6_seq=5 ttl=62 time=0.000 ms

CE-2

CE-2#show nat64 translations
Proto   Original IPv4           Translated IPv4
        Translated IPv6         Original IPv6
--------------------------------------------------------
icmp    192.168.10.100:15270            [64:FF9B::C0A8:A64]:15270
        192.168.20.10:15270             [2001:DB8:BBBB:20:2050:79FF:FE66:6800]:15270
---     ---                     ---
        192.168.20.3            2001:DB8:BBBB:20:2050:79FF:FE66:6801

Total number of translations: 2

Reference:

https://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/enterprise-ipv6-solution/white_paper_c11-676278.html
