Thursday, February 24, 2011

Network Address Translation - Protocol Translation (NAT-PT)

Network Address Translation – Protocol Translation (NAT-PT) is often used in IPv4-to-IPv6 migration scenarios to provide bidirectional communication between IPv4 and IPv6 hosts. A dual-stack router is required to perform NAT-PT. Additionally, NAT-PT must be enabled on both the incoming and outgoing interfaces for NAT-PT to be operational.

The concept and configuration of NAT-PT are much more difficult than those of traditional IPv4 NAT. The main difference between NAT-PT and traditional IPv4 NAT is that address translations must be performed both ways (Bidirectional NAT). IPv6 packets sent towards IPv4 hosts must have their source and destination IP addresses replaced with IPv4 addresses, and vice versa.
Note: Traditional Outbound NAT is designed to handle outbound connections, in which clients of the inside local network initiate requests to outside global Internet hosts. Bidirectional NAT, 2-Way NAT, or Inbound NAT is an enhancement upon NAT to handle connections initiated from the outside network.

Cisco supports the following types of NAT-PT:
Static NAT-PT: Uses static translation rules to map 1 IPv6 address to 1 IPv4 address. Multiple static NAT-PT mappings are required when there are many IPv6-only or IPv4-only hosts that need to communicate.
Dynamic NAT-PT: Allows multiple NAT-PT mappings by allocating addresses from a pool. NAT-PT is configured with a pool of IPv6 and/or IPv4 addresses. The number of addresses available in the address pool determines the maximum number of concurrent sessions. The NAT-PT router records all address mappings in the dynamic translation table.
Port Address Translation (Overload): Allows a single IPv4 address to be associated with multiple IPv6 hosts by multiplexing the transport layer port numbers. PAT can be performed through an interface or an address pool.
IPv4-Mapped: Allows traffic from an IPv6 network to be sent to an IPv4 network without configuring IPv6 destination address mapping. A packet arriving at an interface is checked against the NAT-PT prefix configured with the ipv6 nat prefix ipv6-prefix v4-mapped {acl-name | ipv6-prefix} global configuration command or interface subcommand. If the prefix matches, an access list check is performed to determine whether the source address of the packet matches the access list or prefix list. If the prefix does not match, the packet is dropped; if the prefix matches, source address translation is performed using the configured static IPv4 address or IPv4 address pool, while destination address translation is performed using the last 32 bits of the destination IPv6 address as the destination IPv4 address, and a NAT entry is created.

Network Setup for NAT-PT

NAT-RT is configured to perform static bi-directional mappings to translate the destination addresses in IPv6 packets sent to 2345:6789::41 to 10.10.10.41; and translate the destination addresses in IPv4 packets sent to 10.10.10.61 to 2345:6789:AAAA:AAAA::61. As a result, IPv4 packets with source / destination pair (10.10.10.41 – 10.10.10.61) will be translated to IPv6 packets with address pair (2345:6789::41 – 2345:6789:AAAA:AAAA::61); while IPv6 packets with source / destination pair (2345:6789:AAAA:AAAA::61 – 2345:6789::41) will be translated to IPv4 packets with address pair (10.10.10.61 – 10.10.10.41).

The following shows the configuration on NAT-RT to perform Static NAT-PT:

!
ipv6 unicast-routing
!
interface FastEthernet0/0
 ip address 10.10.10.61 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ipv6 nat
!
interface FastEthernet1/0
 no ip address
 ipv6 address 2345:6789:AAAA:AAAA::1/64
 ipv6 nat
!
ipv6 nat v4v6 source 10.10.10.41 2345:6789::41
ipv6 nat v6v4 source 2345:6789:AAAA:AAAA::61 10.10.10.61
ipv6 nat prefix 2345:6789::/96
!

The ipv6 nat v4v6 source {ipv4-inside-local ipv6-outside-global | list {acl-num | acl-name} pool pool-name} global configuration command configures IPv4 to IPv6 NAT-PT.

The ipv6 nat v6v4 source {ipv6-inside-local ipv4-outside-global | {list acl-name | route-map map-name} pool pool-name [overload]} global configuration command configures IPv6 to IPv4 NAT-PT.

The following shows the installation of a directly connected IPv6 route to the IPv6 NAT prefix on NAT-RT:

NAT-RT#debug ipv6 routing
IPv6 routing table events debugging is on
NAT-RT#
NAT-RT#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
NAT-RT(config)#ipv6 nat prefix 2345:6789::/96
NAT-RT(config)#
00:02:34: IPv6RT0: connected, Add 2345:6789::/96 to table
00:02:34: IPv6RT0: connected, Adding next-hop :: over Null0 for 2345:6789::/96, [0/0]
NAT-RT(config)#
NAT-RT(config)#^Z
NAT-RT#
NAT-RT#sh ipv6 route connected
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
C   2345:6789::/96 [0/0]
     via ::, Null0
C   2345:6789:AAAA:AAAA::/64 [0/0]
     via ::, FastEthernet1/0
NAT-RT#

The IPv6 stack classifies packets for NAT-PT via a special IPv6 NAT prefix, which represents the whole IPv4 address space (2^32) embedded within the IPv6 super-space, and always has a length of 96 bits (128 – 32 = 96). Every IPv6 packet with a destination address matching the NAT-PT prefix will be translated by NAT-PT to an IPv4 packet using the configured mapping rules. The IPv6 NAT prefix can be configured globally for all interfaces, or with different NAT-PT prefixes on a per-interface basis, with the ipv6 nat prefix ipv6-prefix/96 global configuration command or interface subcommand (configured on an IPv6 interface). Using different NAT-PT prefixes on multiple interfaces allows a NAT-PT router to support an IPv6 network with multiple exit points to IPv4 networks.

The following shows the output of the debug ip icmp privileged command on V4-PC1 when V4-PC1 issued a ping to 10.10.10.61, the IPv4 address associated with 2345:6789:AAAA:AAAA::61:

V4-PC1#debug ip icmp
ICMP packet debugging is on
V4-PC1#
V4-PC1#ping 10.10.10.61

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.61, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 44/76/112 ms
V4-PC1#
00:03:39: ICMP: echo reply rcvd, src 10.10.10.61, dst 10.10.10.41
00:03:39: ICMP: echo reply rcvd, src 10.10.10.61, dst 10.10.10.41
00:03:39: ICMP: echo reply rcvd, src 10.10.10.61, dst 10.10.10.41
00:03:39: ICMP: echo reply rcvd, src 10.10.10.61, dst 10.10.10.41
V4-PC1#

The following shows that an IPv6 default route is required on V6-PC1 to reach 2345:6789::41. It also shows the output of the debug ipv6 icmp privileged command on V6-PC1 when V4-PC1 issued a ping to 10.10.10.61, as well as V6-PC1 accessing V4-PC1 using 2345:6789::41:

V6-PC1#sh ipv6 route 2345:6789::41
% Route not found
V6-PC1#
V6-PC1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
V6-PC1(config)#ipv6 route 0::/0 2345:6789:AAAA:AAAA::1
V6-PC1(config)#^Z
V6-PC1#
V6-PC1#sh ipv6 route 2345:6789::41
IPv6 Routing Table - 5 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [1/0]
     via 2345:6789:AAAA:AAAA::1
V6-PC1#
V6-PC1#debug ipv6 icmp
ICMP packet debugging is on
V6-PC1#
00:03:33: ICMPv6: Received ICMPv6 packet from FE80::204:4EFF:FE11:1111, type 134
00:03:42: ICMPv6: Received ICMPv6 packet from 2345:6789::41, type 128
00:03:42: ICMPv6: Received echo request from 2345:6789::41
00:03:42: ICMPv6: Sending echo reply to 2345:6789::41
00:03:42: ICMPv6: Received ICMPv6 packet from 2345:6789::41, type 128
00:03:42: ICMPv6: Received echo request from 2345:6789::41
00:03:42: ICMPv6: Sending echo reply to 2345:6789::41
00:03:43: ICMPv6: Received ICMPv6 packet from 2345:6789::41, type 128
00:03:43: ICMPv6: Received echo request from 2345:6789::41
00:03:43: ICMPv6: Sending echo reply to 2345:6789::41
00:03:43: ICMPv6: Received ICMPv6 packet from 2345:6789::41, type 128
00:03:43: ICMPv6: Received echo request from 2345:6789::41
00:03:43: ICMPv6: Sending echo reply to 2345:6789::41
V6-PC1#
V6-PC1#telnet 2345:6789::41
Trying 2345:6789::41 ... Open


User Access Verification

Password:
V4-PC1>

The following shows the output of the debug ipv6 nat privileged command on NAT-RT when V4-PC1 issued a ping to 10.10.10.61, the IPv4 address associated with 2345:6789:AAAA:AAAA::61:

NAT-RT#debug ipv6 nat
IPv6 NAT-PT debugging is on
NAT-RT#
00:03:38: IPv6 NAT: icmp src (10.10.10.41) -> (2345:6789::41), dst (10.10.10.61) -> (2345:6789:AAAA:AAAA::61)
00:03:38: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (10.10.10.61), dst (2345:6789::41) -> (10.10.10.41)
00:03:38: IPv6 NAT: icmp src (10.10.10.41) -> (2345:6789::41), dst (10.10.10.61) -> (2345:6789:AAAA:AAAA::61)
00:03:38: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (10.10.10.61), dst (2345:6789::41) -> (10.10.10.41)
00:03:38: IPv6 NAT: icmp src (10.10.10.41) -> (2345:6789::41), dst (10.10.10.61) -> (2345:6789:AAAA:AAAA::61)
00:03:38: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (10.10.10.61), dst (2345:6789::41) -> (10.10.10.41)
00:03:38: IPv6 NAT: icmp src (10.10.10.41) -> (2345:6789::41), dst (10.10.10.61) -> (2345:6789:AAAA:AAAA::61)
00:03:38: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (10.10.10.61), dst (2345:6789::41) -> (10.10.10.41)
NAT-RT#
NAT-RT#sh ipv6 nat translations
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      10.10.10.41              2345:6789::41

---   10.10.10.61              2345:6789:AAAA:AAAA::61
      10.10.10.41              2345:6789::41

---   10.10.10.61              2345:6789:AAAA:AAAA::61
      ---                      ---

NAT-RT#
NAT-RT#sh ipv6 nat statistics
Total active translations: 3 (2 static, 1 dynamic; 0 extended)
NAT-PT interfaces:
  FastEthernet0/0, FastEthernet1/0
Hits: 0  Misses: 0
Expired translations: 0
NAT-RT#
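
One way to audit captured debug ipv6 nat output against the static rules configured above: every translated address pair must correspond to a configured v4v6 or v6v4 mapping, and anything else is reported. This Python check is an added example, not part of the original post; the function names are hypothetical and the third sample line is constructed.

```python
import ipaddress
import re

# Static rules from the NAT-RT configuration above, as (IPv4 side, IPv6 side).
STATIC_RULES = {
    (ipaddress.ip_address("10.10.10.41"), ipaddress.ip_address("2345:6789::41")),
    (ipaddress.ip_address("10.10.10.61"), ipaddress.ip_address("2345:6789:AAAA:AAAA::61")),
}

# Matches the record layout printed by "debug ipv6 nat" in the output above.
LINE_RE = re.compile(
    r"IPv6 NAT: (?P<proto>\S+) "
    r"src \((?P<s_old>[^)]+)\) -> \((?P<s_new>[^)]+)\), "
    r"dst \((?P<d_old>[^)]+)\) -> \((?P<d_new>[^)]+)\)"
)


def as_rule(old, new):
    """Order an (old, new) pair as (IPv4, IPv6); None if unparsable or same family."""
    try:
        a, b = ipaddress.ip_address(old), ipaddress.ip_address(new)
    except ValueError:
        return None
    if a.version == b.version:
        return None
    return (a, b) if a.version == 4 else (b, a)


def audit(lines, rules=STATIC_RULES):
    """Return (line_number, field, old, new) for each translation not in rules."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LINE_RE.search(line)
        if not match:
            continue  # prompt or unrelated log line
        for key, field in (("s", "src"), ("d", "dst")):
            old, new = match[key + "_old"], match[key + "_new"]
            if as_rule(old, new) not in rules:
                findings.append((number, field, old, new))
    return findings


SAMPLE = [
    # The first two records are copied from the debug output above.
    "00:03:38: IPv6 NAT: icmp src (10.10.10.41) -> (2345:6789::41), "
    "dst (10.10.10.61) -> (2345:6789:AAAA:AAAA::61)",
    "00:03:38: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (10.10.10.61), "
    "dst (2345:6789::41) -> (10.10.10.41)",
    # Constructed record: a source translation that no static rule covers.
    "00:03:40: IPv6 NAT: icmp src (10.10.10.99) -> (2345:6789::99), "
    "dst (10.10.10.61) -> (2345:6789:AAAA:AAAA::61)",
    "NAT-RT#",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("unexpected translation:", finding)
```

Addresses are compared as parsed values, so upper-case and lower-case hexadecimal forms of the same IPv6 address match the same rule.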

An alternative configuration for NAT-RT is to perform NAT-PT static mapping between (10.10.10.41 – 20.20.20.61) and (2345:6789::41 – 2345:6789:AAAA:AAAA::61).
The ip address 10.10.10.61 255.255.255.0 secondary interface subcommand on NAT-RT can be removed, and an IPv4 default route must be configured on V4-PC1.

!
ipv6 unicast-routing
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ipv6 nat
!
interface FastEthernet1/0
 no ip address
 ipv6 address 2345:6789:AAAA:AAAA::1/64
 ipv6 nat
!
ipv6 nat v4v6 source 10.10.10.41 2345:6789::41
ipv6 nat v6v4 source 2345:6789:AAAA:AAAA::61 20.20.20.61
ipv6 nat prefix 2345:6789::/96
!

The following shows the output of the debug ipv6 nat privileged command when V4-PC1 issued a ping to 20.20.20.61, the IPv4 address associated with 2345:6789:AAAA:AAAA::61:

NAT-RT#debug ipv6 nat
IPv6 NAT-PT debugging is on
NAT-RT#
00:02:50: IPv6 NAT: icmp src (10.10.10.41) -> (2345:6789::41), dst (20.20.20.61) -> (2345:6789:AAAA:AAAA::61)
00:02:50: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (20.20.20.61), dst (2345:6789::41) -> (10.10.10.41)
00:02:50: IPv6 NAT: icmp src (10.10.10.41) -> (2345:6789::41), dst (20.20.20.61) -> (2345:6789:AAAA:AAAA::61)
00:02:50: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (20.20.20.61), dst (2345:6789::41) -> (10.10.10.41)
00:02:50: IPv6 NAT: icmp src (10.10.10.41) -> (2345:6789::41), dst (20.20.20.61) -> (2345:6789:AAAA:AAAA::61)
00:02:50: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (20.20.20.61), dst (2345:6789::41) -> (10.10.10.41)
00:02:50: IPv6 NAT: icmp src (10.10.10.41) -> (2345:6789::41), dst (20.20.20.61) -> (2345:6789:AAAA:AAAA::61)
00:02:50: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (20.20.20.61), dst (2345:6789::41) -> (10.10.10.41)
NAT-RT#
NAT-RT#sh ipv6 nat translations
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      10.10.10.41              2345:6789::41

---   20.20.20.61              2345:6789:AAAA:AAAA::61
      10.10.10.41              2345:6789::41

---   20.20.20.61              2345:6789:AAAA:AAAA::61
      ---                      ---

NAT-RT#

The following shows the output of debug ip icmp on V4-PC1 when it issues a ping to 20.20.20.61, the IPv4 address associated with 2345:6789:AAAA:AAAA::61:

V4-PC1#debug ip icmp
ICMP packet debugging is on
V4-PC1#
V4-PC1#ping 20.20.20.61

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.61, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 56/99/160 ms
V4-PC1#
00:02:53: ICMP: echo reply rcvd, src 20.20.20.61, dst 10.10.10.41
00:02:53: ICMP: echo reply rcvd, src 20.20.20.61, dst 10.10.10.41
00:02:53: ICMP: echo reply rcvd, src 20.20.20.61, dst 10.10.10.41
00:02:54: ICMP: echo reply rcvd, src 20.20.20.61, dst 10.10.10.41
V4-PC1#

The following shows the output of debug ipv6 icmp on V6-PC1 when V4-PC1 issues a ping to 20.20.20.61, the IPv4 address associated with 2345:6789:AAAA:AAAA::61:

V6-PC1#debug ipv6 icmp
ICMP packet debugging is on
V6-PC1#
00:02:54: ICMPv6: Received ICMPv6 packet from FE80::204:4EFF:FE11:1111, type 135
00:02:54: ICMPv6: Received ICMPv6 packet from 2345:6789::41, type 128
00:02:54: ICMPv6: Received echo request from 2345:6789::41
00:02:54: ICMPv6: Sending echo reply to 2345:6789::41
00:02:54: ICMPv6: Received ICMPv6 packet from 2345:6789:AAAA:AAAA::1, type 136
00:02:54: ICMPv6: Received ICMPv6 packet from 2345:6789::41, type 128
00:02:54: ICMPv6: Received echo request from 2345:6789::41
00:02:54: ICMPv6: Sending echo reply to 2345:6789::41
00:02:54: ICMPv6: Received ICMPv6 packet from 2345:6789::41, type 128
00:02:54: ICMPv6: Received echo request from 2345:6789::41
00:02:54: ICMPv6: Sending echo reply to 2345:6789::41
00:02:54: ICMPv6: Received ICMPv6 packet from 2345:6789::41, type 128
00:02:54: ICMPv6: Received echo request from 2345:6789::41
00:02:54: ICMPv6: Sending echo reply to 2345:6789::41
V6-PC1#

IPv4-Mapped NAT-PT Translation

RFC 4038 – Application Aspects of IPv6 Transition and RFC 4291 – IP Version 6 Addressing Architecture define a standard called the IPv4-mapped IPv6 address for addressing IPv4 packets that originate from an IPv6 network. An IPv6 host uses the IPv6 destination address ::FFFF:A.B.C.D when it wants to send a packet to an IPv4 host whose address is A.B.C.D.

The sample configuration below configures an IPv6-IPv4 address pool (20.20.20.61 – 20.20.20.69) that represents IPv6 hosts to the IPv4 network. Note that an IPv4 host is able to initiate a connection to an IPv6 host only after the NAT translation entry has been created, which happens once an IPv6 host has accessed an IPv4 host. Static mapping should be implemented instead in order to provide 2-way connectivity, where an IPv6 host is able to initiate a connection to an IPv4 host and vice versa. However, if all connections will originate from the IPv6 network, Port Address Translation (PAT) can be implemented to map all internal IPv6 addresses to a single external IPv4 address.

IPv4-Mapped NAT-PT Configuration on NAT-RT:

!
ipv6 unicast-routing
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ipv6 nat
!
interface FastEthernet1/0
 ipv6 address 2345:6789:AAAA:AAAA::1/64
 ipv6 nat
!
ipv6 nat v6v4 source list NAT_TRAFFIC pool IPv6-IPv4
ipv6 nat v6v4 pool IPv6-IPv4 20.20.20.61 20.20.20.69 prefix-length 24
ipv6 nat prefix ::FFFF:0.0.0.0/96 v4-mapped NAT_TRAFFIC
!
!
ipv6 access-list NAT_TRAFFIC
 permit ipv6 any ::FFFF:0.0.0.0/96
!
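
The IPv4-mapped decision sequence described earlier (prefix match, access-list check, source taken from the pool, destination taken from the last 32 bits), modelled in Python with the prefix, access list and pool from this configuration. This is an added illustration, not Cisco's implementation or code from the original post; the class and function names are hypothetical, and entry timeout is not modelled.

```python
import ipaddress


def embed(prefix, v4):
    """Place an IPv4 address in the low 32 bits of a /96 NAT-PT prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("a NAT-PT prefix is always 96 bits long")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def low32(v6):
    """Recover the IPv4 address carried in the last 32 bits of an IPv6 address."""
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


class V4MappedNatPt:
    """Hypothetical model of the v4-mapped rule set configured on NAT-RT."""

    def __init__(self, prefix, acl_src, acl_dst, pool_first, pool_last):
        self.prefix = ipaddress.IPv6Network(prefix)
        self.acl_src = ipaddress.IPv6Network(acl_src)
        self.acl_dst = ipaddress.IPv6Network(acl_dst)
        first = ipaddress.IPv4Address(pool_first)
        last = ipaddress.IPv4Address(pool_last)
        self.free = [first + i for i in range(int(last) - int(first) + 1)]
        self.v6_to_v4 = {}  # IPv6 host -> pool address representing it
        self.v4_to_v6 = {}  # pool address -> IPv6 host

    def from_v6(self, src, dst):
        """Translate an IPv6 packet; None means it is not translated."""
        src, dst = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
        if dst not in self.prefix:
            return None  # destination is outside the NAT-PT prefix
        if src not in self.acl_src or dst not in self.acl_dst:
            return None  # access list NAT_TRAFFIC does not permit it
        if src not in self.v6_to_v4:
            if not self.free:
                return None  # pool size caps the number of concurrent hosts
            v4 = self.free.pop(0)
            self.v6_to_v4[src], self.v4_to_v6[v4] = v4, src
        return self.v6_to_v4[src], low32(dst)

    def from_v4(self, src, dst):
        """Translate an IPv4 packet; None until a NAT entry exists for dst."""
        src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
        if dst not in self.v4_to_v6:
            return None  # no entry yet: the IPv4 side cannot initiate
        return embed(self.prefix, src), self.v4_to_v6[dst]


def page_router():
    """Router built from the configuration above ("any" source is ::/0)."""
    return V4MappedNatPt("::ffff:0.0.0.0/96", "::/0", "::ffff:0.0.0.0/96",
                         "20.20.20.61", "20.20.20.69")


if __name__ == "__main__":
    r = page_router()
    print(r.from_v4("10.10.10.41", "20.20.20.61"))  # before any IPv6 traffic
    print(r.from_v6("2345:6789:aaaa:aaaa::61", "::ffff:10.10.10.41"))
    print(r.from_v4("10.10.10.41", "20.20.20.61"))  # after the entry exists
```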

The following shows that V4-PC1 was initially unable to initiate connections to V6-PC1, because the NAT entry for 20.20.20.61 was not created until V6-PC1 initiated connections to the IPv4 network.

V4-PC1#debug ip icmp
ICMP packet debugging is on
V4-PC1#
V4-PC1#ping 20.20.20.61

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.20.20.61, timeout is 2 seconds:
.U
00:02:08: ICMP: dst (10.10.10.41) host unreachable rcv from 10.10.10.1.U
00:02:10: ICMP: dst (10.10.10.41) host unreachable rcv from 10.10.10.1.
Success rate is 0 percent (0/5)
V4-PC1#

The following shows the output of debug ipv6 icmp on V6-PC1 and debug ip icmp on V4-PC1 when V6-PC1 initiated an ICMP ping to V4-PC1.

V6-PC1#debug ipv6 icmp
ICMP packet debugging is on
V6-PC1#
V6-PC1#ping ::FFFF:A0A:A29 | ping ::FFFF:10.10.10.41

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to ::FFFF:10.10.10.41, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 24/56/116 ms
V6-PC1#
00:03:29: ICMPv6: Sending echo request to ::FFFF:10.10.10.41
00:03:29: ICMPv6: Received ICMPv6 packet from ::FFFF:10.10.10.41, type 129
00:03:29: ICMPv6: Received echo reply from ::FFFF:10.10.10.41
00:03:29: ICMPv6: Sending echo request to ::FFFF:10.10.10.41
00:03:29: ICMPv6: Received ICMPv6 packet from ::FFFF:10.10.10.41, type 129
00:03:29: ICMPv6: Received echo reply from ::FFFF:10.10.10.41
00:03:29: ICMPv6: Sending echo request to ::FFFF:10.10.10.41
00:03:29: ICMPv6: Received ICMPv6 packet from ::FFFF:10.10.10.41, type 129
00:03:29: ICMPv6: Received echo reply from ::FFFF:10.10.10.41
00:03:30: ICMPv6: Sending echo request to ::FFFF:10.10.10.41
00:03:30: ICMPv6: Received ICMPv6 packet from ::FFFF:10.10.10.41, type 129
00:03:30: ICMPv6: Received echo reply from ::FFFF:10.10.10.41
00:03:30: ICMPv6: Sending echo request to ::FFFF:10.10.10.41
00:03:30: ICMPv6: Received ICMPv6 packet from ::FFFF:10.10.10.41, type 129
00:03:30: ICMPv6: Received echo reply from ::FFFF:10.10.10.41
V6-PC1#
======================================================================
V4-PC1#
00:03:29: ICMP: echo reply sent, src 10.10.10.41, dst 20.20.20.61
00:03:29: ICMP: echo reply sent, src 10.10.10.41, dst 20.20.20.61
00:03:29: ICMP: echo reply sent, src 10.10.10.41, dst 20.20.20.61
00:03:29: ICMP: echo reply sent, src 10.10.10.41, dst 20.20.20.61
00:03:29: ICMP: echo reply sent, src 10.10.10.41, dst 20.20.20.61
V4-PC1#

The following shows the NAT-PT processing on NAT-RT when V6-PC1 initiated an ICMP ping to V4-PC1.

NAT-RT#debug ipv6 nat
IPv6 NAT-PT debugging is on
NAT-RT#
00:03:28: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (20.20.20.61), dst (::FFFF:10.10.10.41) -> (10.10.10.41)
00:03:28: IPv6 NAT: icmp src (10.10.10.41) -> (::FFFF:10.10.10.41), dst (20.20.20.61) -> (2345:6789:AAAA:AAAA::61)
00:03:28: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (20.20.20.61), dst (::FFFF:10.10.10.41) -> (10.10.10.41)
00:03:28: IPv6 NAT: icmp src (10.10.10.41) -> (::FFFF:10.10.10.41), dst (20.20.20.61) -> (2345:6789:AAAA:AAAA::61)
00:03:28: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (20.20.20.61), dst (::FFFF:10.10.10.41) -> (10.10.10.41)
00:03:28: IPv6 NAT: icmp src (10.10.10.41) -> (::FFFF:10.10.10.41), dst (20.20.20.61) -> (2345:6789:AAAA:AAAA::61)
00:03:28: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (20.20.20.61), dst (::FFFF:10.10.10.41) -> (10.10.10.41)
00:03:28: IPv6 NAT: icmp src (10.10.10.41) -> (::FFFF:10.10.10.41), dst (20.20.20.61) -> (2345:6789:AAAA:AAAA::61)
00:03:28: IPv6 NAT: icmp src (2345:6789:AAAA:AAAA::61) -> (20.20.20.61), dst (::FFFF:10.10.10.41) -> (10.10.10.41)
00:03:28: IPv6 NAT: icmp src (10.10.10.41) -> (::FFFF:10.10.10.41), dst (20.20.20.61) -> (2345:6789:AAAA:AAAA::61)
NAT-RT#
NAT-RT#
NAT-RT#sh ipv6 nat translations
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      10.10.10.41              2345:6789::A0A:A29

58    20.20.20.61,7155         2345:6789:AAAA:AAAA::61,7155
      10.10.10.41,7155         2345:6789::A0A:A29,7155

---   20.20.20.61              2345:6789:AAAA:AAAA::61
      10.10.10.41              2345:6789::A0A:A29

---   20.20.20.61              2345:6789:AAAA:AAAA::61
      ---                      ---

NAT-RT#
NAT-RT#debug ipv6 nat detailed
IPv6 NAT-PT detailed debugging is on
NAT-RT#
00:04:28: IPv6 NAT: deleted a NAT entry after timeout
NAT-RT#

5 comments:

  1. Excellent step by step with a fantastic explanation of what is happening. May I ask what IOS version you were using? I only have a Cisco 1603 router and want to make sure I use the right IOS to try this out.

  2. Hi there, I have used c3620-j1s3-mz.123-26.bin for the NAT-PT router. It is an IOS version with the ENTERPRISE BASIC feature set, just good enough to perform the task. You may use Dynamips/Dynagen to simulate this. Thanks. :)

  3. Excellent, thanks a million kind sir. Appreciate the fast reply too :)

    Keep up the great work

  4. Hi, I am following your guide to learn NAT-PT. It only has one router acting as NAT-PT; the V4-PC and V6-PC are Linux servers instead. Based on the 1st example, when I do a ping to 10.10.10.61, I can see the ipv6 nat transaction in NAT-RT as below.

    *Feb 28 06:38:58.843: IPv6 NAT: IPv4->IPv6: src (10.10.10.41) -> (2345:6789::41), dst (10.10.10.61) -> (2345:6789:AAAA:AAAA::61)
    *Feb 28 06:38:58.843: IPv6 NAT: IPv6->IPv4: icmp src (2345:6789:AAAA:AAAA::61) -> (10.10.10.61), dst (2345:6789::41) -> (10.10.10.41)

    In the V6 Linux host, I can see this

    14:18:58.034674 IP6 2345:6789::41 > 2345:6789:aaaa:aaaa::61: ICMP6, echo request, seq 5533, length 64
    14:18:58.034693 IP6 2345:6789:aaaa:aaaa::61 > 2345:6789::41: ICMP6, echo reply, seq 5533, length 64

    However, in V4 Linux host, I did not see any response.
    [root@localhost ~]# ping 10.10.10.61
    PING 10.10.10.61 (10.10.10.61) 56(84) bytes of data.


    14:19:06.294135 IP 10.10.10.41 > 10.10.10.61: ICMP echo request, id 56072, seq 5603, length 64
    14:19:07.294094 IP 10.10.10.41 > 10.10.10.61: ICMP echo request, id 56072, seq 5604, length 64


    Do you have any idea?

    1. Hi there, no idea; it seems things should be working based on the debug and the output of the V6 host. Maybe you can try out another version of IOS?
