Cisco NAT64 Static Configuration

(Rene Molenaar) #5

It’s probably the IOS version and/or platform.

0 Likes

(kam a) #6

Hi Rene, correction:

R2(config)#interface GigabitEthernet 2

Your diagram shows FastEthernet interfaces but in the configuration you are saying GigabitEthernet.

0 Likes

(Stuart G) #7

There is very limited support for NAT64 on Cisco devices. As far as I can tell it is limited to Cisco IOS XE Release 3.5S or better.
So you certainly can’t run this on GNS3.

I think that NAT64 is not actually very useful outside of a lab. In practice you need DNS entries for both the real and mapped addresses, which is more of a pain than running dual stack.

Stuart.

0 Likes

(Lazaros Agapides) #8

Hello Aujla3

You are correct! I will let Rene know.

Thanks!

Laz

0 Likes

(Lazaros Agapides) #9

Hello Stuart

For the most part you are correct that NAT64 has a limited usage in real world applications. However, there are cases where it is necessary. Also, it is supported by Cisco IOS-XE 15.1(3)S4 as well as Cisco ASA 9.1 and later.

Running two protocols in parallel always requires more management overhead, and if it can be avoided at all, it is good to do so. Unfortunately, it’s not always possible.

I hope this has been helpful!

Laz

1 Like

(mrdecisive J) #10

“Now we can configure the actual translation rules. We will use a fake IPv4 address that R1 can use as its destination and a fake IPv6 address that R3 can use as its destination.”

Does this fake IPv4 address have to be pingable or on the same subnet? Also, I’ve configured the nat64 prefix to a custom prefix; however, the translator is only activating if I use 64:ff9b::8.8.8.8. I’m using a CSR1000v as my NAT64 translator and I’m getting translations; however, I’m not getting any return traffic. I’m using an HTTP proxy to access the Internet. All in a vCenter environment.

0 Likes

(Rene Molenaar) #11

Hi @mrdecisive,

It shouldn’t be pingable; it’s an address that is not in use and should probably be on the same subnet. You also have to use the 64:ff9b::/96 prefix.

Rene

0 Likes

(Deepak G) #12

Hi Rene,

Will I be able to ping from R1 to 2001:DB8:2323:2323::3 and from R3 to 192.168.12.1?

We have a scenario wherein, when the client is on IPv4, it needs to talk to the IPv6 server using the original IP address and not the fake IPv4 address, and vice versa.

0 Likes

(Rene Molenaar) #13

Hi Deepak,

You can make it work only by using “fake” addresses like I did here. IPv4 and IPv6 are not compatible, so an IPv4 host has no idea what an IPv6 address is and an IPv6 host doesn’t know what an IPv4 address is.

It’s like talking Chinese to an English speaker or vice versa :smile:

Rene

0 Likes

(Chris N) #14

Could you also configure this the other way around?

nat64 v6v4 static 2001:DB8:2323:2323::3 192.168.12.3

Change to:

nat64 v4v6 static 192.168.12.3 2001:DB8:2323:2323::3

0 Likes

(Lazaros Agapides) #15

Hello Chris

Yes, such a configuration would work, assuming you want to translate the other way around.

I hope this has been helpful

Laz

0 Likes

(Trust_the P) #16

Hello Laz,
But in that case, the IPv6 address will be the fake one and IPv4 will be the real one, correct?

0 Likes

(Lazaros Agapides) #17

Hello sales2161

Well, it all depends on your point of view. :stuck_out_tongue:

When we talk about NAT in IPv4, we traditionally talk about “real” and “fake”, public and private, routable and non-routable addresses because we are translating for the purpose of conserving addresses. So there is a meaning to these terms. However, NAT in a more general sense is a translation from one IP address range to another, regardless of whether the addresses are private, public, routable or not. You could translate from 10.10.10.0/24 to 172.16.0.0/24 for example. In such a case, which is fake and which is real? It depends on your point of view.

When we apply this to NAT64, what we are doing is translating between address spaces of two different protocols. Which is real or which is fake depends on the application, on which side of the NAT64 router is facing the Internet and which is not (maybe neither is facing the Internet).

So if we use the conventions of the terminology, then yes, you are correct, the IPv6 address will be fake and the IPv4 will be real. But looking at it in a broader sense, it just becomes a translation in the opposite direction.

I hope this has been helpful!

Laz

1 Like

(Regis jean T) #18

Which router model are you using to configure NAT64 on the IPv6 interface?
I used a 7200 and a 2691 in GNS3 and I am not able to get this done.

R2(config-if)#int f1/0
R2(config-if)#nat64 enable
               ^
% Invalid input detected at '^' marker.

R2(config-if)#

0 Likes

(Cecil B) #19

Hello Laz,
I was able to lab everything up and get this working. I tried a different fake IP address and I see the translation taking place.

Router#show nat64 translations
Proto   Original IPv4           Translated IPv4
        Translated IPv6         Original IPv6
--------------------------------------------------------
---     ---                     ---
        192.168.12.35           2001:DB8:2323:2323::3

Total number of translations: 1

But I am still not clear on what is allowing me to ping a fake IP address that is defined in the statement.

#nat64 v6v4 static 2001:DB8:2323:2323::3 192.168.12.35

Can you clear this up?

Thanks.

0 Likes

(Lazaros Agapides) #20

Hello Cecil

If you’re pinging 192.168.12.35 from R1, then you will get a response due to the NAT64 translation taking place, as described in the lesson itself. If you’re pinging 2001:DB8:2323:2323::3 from R1, you shouldn’t get a response since R1 has no IPv6 routing enabled. Even if it did, it wouldn’t know what to do with such a destination address since no such destination is found within its IPv6 routing table.

I hope this has been helpful!

Laz

0 Likes

(Andy C) #21

Hi Rene,

Nice and clear explanation, certainly for an IPv6 newbie like me. I ran a similar lab for practice, and I ran into some trouble which I want to check with you.

1. In the guide, you have this line:

nat64 v6v4 static 2001:DB8:2323:2323::3 192.168.12.3

The IP 192.168.12.3: is this the actual IPv4-only host IP, or is this a translation IP which you made for NAT64? In your diagram, if I have an IPv4-only PC behind R1 and an IPv6-only PC behind R3, what would that translation look like? I see you declare a stateful prefix in the configuration, but also configure a static mapping; is this kind of stateless, or?

Thank you, and I look forward to hearing from you.

Andy

0 Likes

(Andy C) #22

My configuration is like this (assume routing is all done).

For your R2:

nat64 prefix stateful 3001::/96
nat64 v6v4 static 2001:DB8:2323:2323::3 192.168.100.1

For your R1, I have a PC behind a router, running IPv4 only. The PC IP: 192.168.0.100

interface GigabitEthernet0/0/0/1
 description "IPv4 only host"
 ipv4 address 192.168.0.1 255.255.255.0

For your R3, I have a PC behind a router, running IPv6 only. The PC IP: 2407:400:3:4::1

interface GigabitEthernet0/0/0/1
 description "facing to ipv6 only host"
 ipv6 address 2407:400:3:4::/64

So in this case, if I want to ping from the IPv6-only host to IPv4, what IP should I use, and from v4 to v6? I am a bit confused about the translation IP in the static mapping part.

Thank you.

Andy

0 Likes

(Lazaros Agapides) #23

Hello Andy

The IPv4 address in this configuration is the translated IP address. In other words, from the point of view of R1 and all of the IPv4 world, the IP address 192.18.12.3 will be used to gain access to R3. This IP address exists only within R2, but from R1’s perspective, it is the IP address that corresponds to the intended destination host which is R3. R3 has no knowledge of this IPv4 address.

In your case, you are adding routing between the PC subnets on each router and the NATed subnets. Because of this, you will not be able to create a static mapping to correspond to a PC that exists in another subnet, and not in a directly connected subnet. As a result, you won’t be able to successfully communicate between the PCs because the NAT64 operation must take place between two directly connected networks. If you want to reach the PC which, from the point of view of the other PC, is behind a NAT64 router and behind a second router as well, you will be required to perform regular NAT on R1 and R3 as well. This becomes more complex and would not generally be implemented.

I hope this has been helpful!

Laz

0 Likes
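
The address rewriting discussed in posts #19 to #23, as an added example that is not part of the thread or the lesson: a small Python model of the static `v6v4` mapping and the /96 prefix. The function names and table layout are hypothetical, the addresses are the ones quoted in the thread, and it assumes the IPv4 source is embedded in the low 32 bits of the configured /96 prefix (RFC 6052); it models the rewriting only, not IOS XE behaviour.

```python
import ipaddress as ip

# Values quoted in the thread; names and structure are hypothetical.
NAT64_PREFIX = ip.IPv6Network("3001::/96")       # nat64 prefix stateful 3001::/96
STATIC_V6V4 = {                                  # nat64 v6v4 static <v6> <v4>
    ip.IPv6Address("2001:DB8:2323:2323::3"): ip.IPv4Address("192.168.12.3"),
}

def embed_v4(v4, prefix=NAT64_PREFIX):
    """RFC 6052 /96 embedding: the IPv4 address becomes the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are modelled here")
    return ip.IPv6Address(int(prefix.network_address) | int(ip.IPv4Address(v4)))

def extract_v4(v6, prefix=NAT64_PREFIX):
    """Reverse of embed_v4; rejects addresses outside the NAT64 prefix."""
    addr = ip.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside {prefix}")
    return ip.IPv4Address(int(addr) & 0xFFFFFFFF)

def v4_to_v6(src4, dst4):
    """IPv4 side to IPv6 side: (src6, dst6), or None when dst4 is not mapped."""
    reverse = {v4: v6 for v6, v4 in STATIC_V6V4.items()}
    dst6 = reverse.get(ip.IPv4Address(dst4))
    if dst6 is None:
        return None  # the "fake" address exists only as a table entry
    return embed_v4(src4), dst6

def v6_to_v4(src6, dst6):
    """IPv6 side to IPv4 side (the reply): (src4, dst4), or None."""
    src4 = STATIC_V6V4.get(ip.IPv6Address(src6))
    if src4 is None or ip.IPv6Address(dst6) not in NAT64_PREFIX:
        return None
    return src4, extract_v4(dst6)

if __name__ == "__main__":
    out = v4_to_v6("192.168.12.1", "192.168.12.3")   # R1 pings the mapped address
    print("towards R3:", out)
    print("reply     :", v6_to_v4(out[1], out[0]))
    print("unmapped  :", v4_to_v6("192.168.12.1", "192.168.12.99"))
    wkp = ip.IPv6Network("64:ff9b::/96")
    print("64:ff9b::8.8.8.8 ->", extract_v4("64:ff9b::8.8.8.8", wkp))
```

The unmapped case returns `None`: the IPv4 address in the static statement answers only because the translator holds a table entry for it, not because any host owns it.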

(Andy C) #24

Hi Laz,
Thank you for the explanation. That is really useful.

Andy

1 Like