ipv6 nat-pt transition « ccie, the beginning!

Ipv6 NAT-PT Transition

Filed under: IP Services,IPv6 — cciethebeginning @ 6:09 pmTags: IPv6, NAT-PT 4 Votes

NAT-PT method allow IPv6 ONLY nodes to communicate with IPv4 ONLY nodes or vice versa, a sort of gateway forIPv4/IPv6 networks, so dual stack is needed ONLY the NAT-PT device.

This Transition method can be a good solution when IPv6 will be the predominant connectivity type with a need toconnect to specific IPv4 nodes in their way to die out.

Depending on your needs you can use NAT-PT in four different ways (similar to NAT for IPv4):

- Static NAT-PT.

- Dynamic NAT-PT.

- PAT overload.

- IPv4-mapped.

Also an example of NAT-PT with ALG (Application Layer Gateway) is provided.

In this lab, IPv6 site is communicating with specific IPv4 nodes from IPv4 site (except for IPv4-mapped NAT-prefix)

Figure 1 illustrate the Lab topology used to test each of the previously mentioned NAT-PT methods.

Figure 1 Topology:

Ipv6 NAT-PT Transition « CCIE, the beginning! http://cciethebeginning.wordpress.com/2009/07/27/ipv6-nat-pt-transition/

1 of 26 12/02/2012 18:11

So if you have an internal IPv6-only network, and you want to communicate with the outside world (IPv4-ONLY), allhosts will see the outside world as IPv6; also the outside world will have no idea about what is happening inside (figure2,3).

Both networks route their traffic to the Border router (NAT gateway) supporting dual-stack, where translation from IPv6to IPv4 and IPv4 to IPv6 will be performed.

Figure 2: The network as seen from IPv4 side.

Figure 3: The network as seen from IPv6 side


2 of 26 12/02/2012 18:11

The key concept in Translation is how the IPv6 site will see IPv4 nodes, and how IPv4 site will see IPv6 nodes (figure2 &3)

STATIC NAT-PT

Table 1 :v6v4 Address translation

v6v4

IPv6 network

IPv6IPv6 nodes as seen by IPv4 network IPv4

2001:a:b:c::1/64 ====> will be seen as 192.168.40.1



So any traffic originated from 2001:a:b:c::will trigger v6v4 operations. (figure4)

The prefix 2001:a:b:c:: represent IPv6 address scheme inside IPv6 site.


v4v6IPv4 node IPv4 nodes as seen by IPv6 network

IPv6 network

IPv6

192.168.40.200 ====> will be seen as 2001::c0a8:28c8/96

c0a8:28c8 Is the representation of IPv4 address in Hexadecimal.

The prefix 2001::/96

is called NAT-PT prefix and represent IPv6 address prefix reserved for IPv4 nodes from the IPv4 site as seen from theIPv6 site, it could be part of the IPv6 site address scheme or a different prefix allocated from the ISP for the subject in


3 of 26 12/02/2012 18:11

matter.

Any IPv4 node will be represented inside IPv6 site as <NAT-PT-prefix>::<IPv4-in-hex>

So any traffic destined to an IPv6 address with <NAT-PT-prefix> will trigger v4v6 operations. (figure4)

As mentioned earlier, IPv6 site is communicating with specific IPv4 nodes from IPv4 site (except for IPv4-mappedNAT-prefix).

Figure 4: v6v4 & v4v6 operations

Static NAT-PT:

!! This is the IPv6 side interface

interface FastEthernet0/0

no ip address

ipv6 address 2001:A:B:C::4/64

!! Enable IPv6 NAT

ipv6 nat

!

!! This is the IPv4 side interface


ip address 192.168.40.199 255.255.255.0


4 of 26 12/02/2012 18:11

!! Enable IPv6 NAT

ipv6 nat

!

!

!! any IPv6 packet with destination 2001::c0a8:28c8 will be translated to anIPv4 destination !!192.168.40.200

ipv6 nat v4v6 source 192.168.40.200 2001::C0A8:28C8

!! any IPv6 packet with IPv6 source address 2001:a:b:c:X with X=1,2,3 will betranslated to an IPv4 source address 192.168.40.X with X=1,2,3 respectively.

ipv6 nat v6v4 source 2001:A:B:C::1 192.168.40.1



!! Enable IPv6 unicast routing

ipv6 unicast-routing

!!! IPv6 prefix 2001::/96 is allocated to represent IPv4 addresses in IPv6 formatand will be inspected by NAT-PT otherwise dropped

ipv6 nat prefix 2001::/96

connectivity check:

Routerv6_1#ping 2001::C0A8:28C8 repeat 3

Type escape sequence to abort.

Sending 3, 100-byte ICMP Echos to 2001::C0A8:28C8, timeout is 2 seconds:

!!!

Success rate is 100 percent (3/3), round-trip min/avg/max = 72/80/88 ms

Routerv6_1#




!!!


Routerv6_2#



5 of 26 12/02/2012 18:11



!!!


Routerv6_3#

Each traffic from each IPv6 host is translated according to the configured static NAT-PT

NAT-PT#

*Mar 1 04:18:57.446: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.1), dst(2001::C0A8:28C8) -> (192.168.40.200)

*Mar 1 04:18:57.502: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst(192.168.40.1) -> (2001:A:B:C::1)





NAT-PT#

NAT-PT(config)#







NAT-PT(config)#

NAT-PT(config)#



6 of 26 12/02/2012 18:11






NAT-PT(config)#

NAT-PT#sh ipv6 nat translations

Prot IPv4 source IPv6 source

IPv4 destination IPv6 destination

— — —

192.168.40.200 2001::C0A8:28C8

— 192.168.40.1 2001:A:B:C::1

192.168.40.200 2001::C0A8:28C8

— 192.168.40.1 2001:A:B:C::1

— —

NAT-PT#

DYNAMIC NAT-PT

With Dynamic translation a specific IPv6 prefix will be translated to a pool of IPv4 address as the source address; and thedestination is translated to the static v4v6 entry.


v6v4

IPv6 network


Any 2001:a:b:c::/64 node (3 nodes in our case) ====> will be represented by

192.168.40.1

192.168.40.2

192.168.40.3

Any traffic originated from 2001:a:b:c::/64will trigger v6v4 operations.

Because there is 3 IPv6 nodes and 3 IPv4 addresses a one-to-one translation will occur


v4v6 IPv4 node IPv4 nodes as seen by IPv6 networkIPv6 network


7 of 26 12/02/2012 18:11

IPv6



no ip address


ipv6 nat

!


ip address 192.168.40.199 255.255.255.0

ipv6 nat

!

!! Enable IPv6 unicast routing

ipv6 unicast-routing

!


ipv6 nat v6v4 source list list_to-ipv4 pool ipv4_pool

ipv6 nat v6v4 pool ipv4_pool 192.168.40.1 192.168.40.3 prefix-length 24


!

ipv6 access-list list_to-ipv4

permit ipv6 2001:A:B:C::/64 any

Connectivity check:

NAT-PT(config)#do sh ipv6 nat trans



— — —

192.168.40.200 2001::C0A8:28C8

— 192.168.40.1 2001:A:B:C::1

192.168.40.200 2001::C0A8:28C8

— 192.168.40.1 2001:A:B:C::1

— —

— 192.168.40.2 2001:A:B:C::2


8 of 26 12/02/2012 18:11

192.168.40.200 2001::C0A8:28C8

— 192.168.40.2 2001:A:B:C::2

— —

— 192.168.40.3 2001:A:B:C::3

192.168.40.200 2001::C0A8:28C8

— 192.168.40.3 2001:A:B:C::3

— —

NAT-PT(config)#

NAT-PT(config)#do sh ipv6 nat stat

Total active translations: 7 (-5 static, 12 dynamic; 0 extended)

NAT-PT interfaces:

FastEthernet0/0, FastEthernet1/0, NVI0

Hits: 0 Misses: 0

Expired translations: 0

NAT-PT(config)#

debug:

NAT-PT(config)#







NAT-PT(config)#

NAT-PT(config)#

NAT-PT(config)#


*Mar 1 04:44:29.230: IPv6 NAT: src (192.168.40.200) -> (2001::C0A8:28C8), dst


9 of 26 12/02/2012 18:11

(192.168.40.2) -> (2001:A:B:C::2)





NAT-PT(config)#

NAT-PT(config)#

NAT-PT(config)#







NAT-PT(config)#

PAT NAT-PT


v6v4

IPv6 network


Any 2001:a:b:c::/64 node (3 nodes in our case) ====> will be represented by 192.168.40.199

Any traffic originated from 2001:a:b:c::/64will trigger v6v4 operations. and will be translated to the unique IPv4 outbound interface


v4v6IPv4 node IPv4 nodes as seen by IPv6 network

IPv6 network

IPv6



10 of 26 12/02/2012 18:11

We’re still communicating to IPv4 node 192.168.40.200 represented by 2001::c0a8:28c8/96

By the way, IOS will not allow you to disable configured commands if their corresponding translations are still active, soyou have to clear all translation entries before making any changes in the configuration.

NAT-PT(config)#no ipv6 nat v6v4 source list list_to-ipv4 pool ipv4_pool

NAT-PT(config)#$ ipv4_pool 192.168.40.1 192.168.40.3 prefix-length 24

%Pool ipv4_pool in use, cannot destroy

NAT-PT(config)#

*Mar 1 04:56:14.094: %Dynamic mapping in use, cannot remove

NAT-PT(config)#do clear ipv6 nat trans *

NAT-PT(config)#

NAT-PT(config)#no ipv6 nat v6v4 source list list_to-ipv4 pool ipv4_pool

NAT-PT(config)#no ipv4_pool 192.168.40.1 192.168.40.3 prefix-length 24

NAT-PT(config)#


no ip address


ipv6 nat

!


ip address 192.168.40.199 255.255.255.0

ipv6 nat


ipv6 nat v6v4 source list list_to-ipv4 interface overload


!



NAT-PT(config)#do sh ipv6 nat translation



— — —

192.168.40.200 2001::C0A8:28C8


11 of 26 12/02/2012 18:11

icmp 192.168.40.199,7704 2001:A:B:C::1,7704

192.168.40.200,7704 2001::C0A8:28C8,7704

icmp 192.168.40.199,7126 2001:A:B:C::2,7126

192.168.40.200,7126 2001::C0A8:28C8,7126

icmp 192.168.40.199,9979 2001:A:B:C::3,9979

192.168.40.200,9979 2001::C0A8:28C8,9979

NAT-PT(config)#

NAT-PT(config)#do sh ipv6 nat stat

Total active translations: 4 (-5 static, 9 dynamic; 3 extended)

NAT-PT interfaces:

FastEthernet0/0, FastEthernet1/0, NVI0

Hits: 0 Misses: 0

Expired translations: 0

NAT-PT(config)#

NAT-PT(config)#







NAT-PT(config)#

NAT-PT(config)#






12 of 26 12/02/2012 18:11



NAT-PT(config)#

NAT-PT(config)#







NAT-PT(config)#

DNS embedded data (ALG)

Let’s keep previously configured PAT and see how NAT-PT handle application layer data like IPv6 addresses embedded inthe DNS traffic.

We a need static translation to access the specific IPv4 node (DNS server).

Name lookup is enabled and DNS IPv6 address configured.

NAT-PT:

ipv6 nat v4v6 source 192.168.40.1042001::C0A8:2858

!

ip domain lookup

ip domain name nouri.com

ip name-server 2001::C0A8:2858

On Clients:

ip domain lookup

ip domain name nouri.com

ip name-server 2001::C0A8:2858


13 of 26 12/02/2012 18:11

The following shows successful connectivity with the DNS server:

Routerv6_1#ping 2001::C0A8:2858 repeat 1


Sending 1, 100-byte ICMP Echos to 2001::C0A8:2858, timeout is 2 seconds:

!


Routerv6_1#

NAT-PT(config)#

*Mar 1 05:37:46.478: IPv6 NAT: icmp src (2001:A:B:C::1) -> (192.168.40.199), dst(2001::C0A8:2858) -> (192.168.40.104)

*Mar 1 05:37:46.586: IPv6 NAT: src (192.168.40.104) -> (2001::C0A8:2858), dst(192.168.40.199) -> (2001:A:B:C::1)

NAT-PT(config)#

Routerv6_1#ping Routerv4_1.nouri.com

Translating “Routerv4_1.nouri.com”…domain server (2001::C0A8:2858) [OK]





!!!!!


Routerv6_1#

Debug:

The NAT device:

receive a DNS request packet with IPv6 source (2001:A:B:C::1) and IPv6 destination (2001::C0A8:2858).

translate the IPv6 src (2001:A:B:C::1) -> IPv4 src (192.168.40.199)

translate the IPv6 dst (2001::C0A8:2858) -> IPv4 dst (192.168.40.104)

send DNS request AAA to IPv4 DNS server with IPv4 src (192.168.40.199) + IPv4 dst (192.168.40.104)

receive DNS response with IPv4 src (192.168.40.104) + IPv4 dst. (192.168.40.199) + embedded response to AAA IPv4(192.168.40.200)


14 of 26 12/02/2012 18:11

translate embedded response IPv4 (192.168.40.200) -> IPv6 (2001::C0A8:28C8)

translate back the IPv4 src (192.168.40.104)-> IPv6 src (2001::C0A8:2858)

translate back the IPv4 dst (192.168.40.199) -> IPv6 dst (2001:A:B:C::1)

send DNS response with IPv6 src (2001::C0A8:2858) + IPv6 dst. (2001:A:B:C::1) + embedded response to AAA IPv6(2001::C0A8:28C8)

Internal IPv6 node:

send ping with IPv6 src (2001:A:B:C::1) + IPv6 dst (2001::C0A8:28C8)

The NAT device:

translate the IPv6 src (2001:A:B:C::1) -> IPv4 src (192.168.40.199)

translate the IPv6 dst (2001::C0A8:28C8) -> IPv4 dst (192.168.40.200)

send ping with IPv4 src (192.168.40.199) + IPv4 dst (192.168.40.200)

receive ping reply with IPv4 src (192.168.40.200) + IPv4 dst. (192.168.40.199)

translate back the IPv4 src (192.168.40.200) -> IPv6 src (2001::C0A8:28C8)

translate back the IPv4 dst (192.168.40.199) -> IPv6 dst (2001:A:B:C::1)

send ping reply with IPv6 src (2001::C0A8:28C8) + IPv6 dst. (2001:A:B:C::1)

NAT-PT(config)#

*Mar 1 05:46:33.854: IPv6 NAT: udp src (2001:A:B:C::1) -> (192.168.40.199), dst(2001::C0A8:2858) -> (192.168.40.104)

*Mar 1 05:46:33.994: IPv6 NAT: udp src (192.168.40.104) -> (2001::C0A8:2858),dst (192.168.40.199) -> (2001:A:B:C::1)











15 of 26 12/02/2012 18:11






NAT-PT(config)#

IPv4 MAPPED

So far, we have been dealing with specific IPv4 hosts inside IPv4 network, but what if we just want to make connectionsto any IPv4 hosts (ex: to Internet)?

In this case the mapping of destination addresses should be automatic, that is the role of IPv4 mapped:


no ip address


ipv6 nat

!


ip address 192.168.40.199 255.255.255.0

ipv6 nat

!

! DNS still need Translation

ipv6 nat v4v6 source 192.168.40.104 2001::C0A8:2858

! PAT Translation is the appropriate configuration for this case

ipv6 nat v6v4 source list list_to-ipv4 interface FastEthernet1/0 overload

ipv6 nat prefix 2001::/96 v4-mapped WHAT_to_IPv4

!

!

!



!


16 of 26 12/02/2012 18:11

Share this:

Like this: 2 bloggers like this post.

ipv6 access-list WHAT_to_IPv4

permit ipv6 any 2001::/96

CONCLUSION

IPv6 NAT-PT as with IPv4 NAT represent a single point of failure in the network and cannot support end-to-end security.

Don’t forget that the primary goal is to build a native IPv6 connectivity, so as transition mechanisms it is recommended touse 6to4 tunneling and ONLY as a last resort NAT-PT

Comments (23)

This is a GR8T!! post. I keep wondering why NAT-PT isn’t the premier transition technique. Thanks a lot for this. Iwill soak it in and incorporate it in my own teaching.

Comment by Mukom Akong T. — March 8, 2010 @ 7:27 am | Reply

1.

Hi Mukom,Well, 6to4 tunneling and NAT-PT are in the first place temporary transition techniques, so the final goal is to deployfull IPv6 globally routed networks.With 6to4 tunneling which means encapsulation of IPv6 into IPv4 traffic we still have a chance to preserve theoriginal traffic inside the tunnel (routing, security, multicast…); but NAT-PT is a complete transition of protocolsbetween IPv4 and IPv6 which inherit all the general problematic and issues related to NAT (split routing,restrictions with IPSec, difficulties with multicasting, multi-homing and high availability schemes…).Thank you for your comment and sorry for the delay

Comment by cciethebeginning — March 12, 2010 @ 5:53 pm | Reply

2.

[...] , i´ve started my excursions, while the Internet Engeniering Task Force wants to avoid another NAT dilema inipv6 ( NAT66 ) , the SAM working group creating an “multicast overlay” and the [...]

Pingback by T.A.Z. or a Cacophony of Communication | macbroadcast.org — March 14, 2010 @ 9:23 pm | Reply

3.

This is useful.but it is not working when i applied on Cisco1841.

Comment by joby — June 30, 2010 @ 6:53 am | Reply

Hi Joby,

Nothing will work or not by itself, “you” will make it work p-)

4.


17 of 26 12/02/2012 18:11

Here is a general brief description of a one-to-one translation :—Let’s suppose IPv4-only host1 wants to communicate with IPv6-only host20)- Enable unicast-routingipv6 unicast-routing

1)- enable NAT-PTEnable IPv6 NAT on interface facing IPv6 network :ipv6 nat

Enable IPv6 NAT on interface facing IPv6 network :ipv6 nat

2)- NAT-PT configuration:ipv6 nat v4v6 sourceipv6 nat v6v4 source

3)- A special prefix is reserved for IPv4 hosts that will be accesses from IPv6 site:ipv6 nat prefix

4) Debuggingenable “debug ipv6 nat” (IPv6 end host) an “debug ip nat” (IPv4 end host)observe what is happeningGood work.

Comment by cciethebeginning — June 30, 2010 @ 5:52 pm | Reply

First of all thank you for this excellent tutorial. It really helped me a lot.However I too have a problem with Cisco’s 1812 series router acting as the nat device. This is my topology:r1 r2 r3

I’m trying to ping r1 from r3. Now the translations are occuring both ways and r1 is sending echo replies back, butthe packets never reach r3. They do get to r2 though.I did everything per your instrustions and even got some outside help on the matter (and they confirmed my configas being correct), but I’m trully stumped now. Have you got any ideas?

CheersUrban

5.


18 of 26 12/02/2012 18:11

Comment by Urban — September 2, 2010 @ 8:26 am | Reply

Hi Urban,It looks like a routing issue, here is a couple of check :

A) Before deploying NAT-PT :- Enable IPv6 unicast routing on IPv6 devices, even if the topology doesn’t require it.- Verify if both R1 and R3 have a route to each other (default or static) through R2,- Verify if you can ping both R1 and R3 from R2.

B) After configuring translation:- Check NAT translation table.- Enable debug & check whether translations are done correctly

If translation is done correctly and R2 routing is correctly pointing to both R1 and R3, it should be OK.Just in case please post :- translation commands.- a couple of lines of debug.- routing table on R2.

AJN

Comment by cciethebeginning — September 2, 2010 @ 8:15 pm | Reply

Thanks for the quick reply.

Everything you stated in point A is as it’s suppose to be and work just fine. I’m running RIPng on theIPv6 part of the network.As for point B, the translations are done correctly as both the debug ipv6 nat & show ipv6 nat transcommands prove this.Yesterday a ccie college of mine checked my configuration and was stunned that it didn’t work.Hopefully I’ll get another router to play with soon enough and see if there is a problem with the 18xxseries when it comes to nat-pt.

But anyway:-translation commands:ipv6 nat v4v6 source 172.25.5.73 2000::AC19:549ipv6 nat v6v4 source 2001:AAAA:BBBB:1::2 172.25.5.79ipv6 nat prefix 2000::/96

-debug ipv6 nat*Sep 3 12:29:59.947: IPv6 NAT: IPv6->IPv4: icmp src (2001:AAAA:BBBB:1::2) -> (172.25.5.79), dst(2000::AC19:549) -> (172.25.5.73)*Sep 3 12:29:59.951: IPv6 NAT: IPv4->IPv6: src (172.25.5.73) -> (2000::AC19:549), dst(172.25.5.79) -> (2001:AAAA:BBBB:1::2)

-routing table on R2:IPv6

C 2000::/96 [0/0]via NVI0, directly connectedC 2001:AAAA:BBBB:1::/64 [0/0]via FastEthernet1, directly connectedL 2001:AAAA:BBBB:1::1/128 [0/0]via FastEthernet1, receiveL FF00::/8 [0/0]


19 of 26 12/02/2012 18:11

via Null0, receive

IP

172.25.0.0/24 is subnetted, 1 subnetsC 172.25.5.0 is directly connected, FastEthernet0S* 0.0.0.0/0 [1/0] via 172.25.5.73

Thank you for your helpUrban

Comment by Urban — September 3, 2010 @ 12:32 pm

Follow up. The configuration worked on another series router, so it seems there is a problem with the 18xx series.

Comment by Urban — September 3, 2010 @ 1:04 pm | Reply

6.

porfin encontre lo que querie les agradesco de antemano en ningun lugar he podido encontrar esta informacion

Comment by witman — October 29, 2010 @ 4:28 am | Reply

7.

I tried to get this working but can’t for some reason.I’m on the static nat portion.I’ve configured everything exactly as shown, with static routes to the nat-pt router on the other routers

I’ve turned on icmp debugging on all routers, and ipv6 nat debugging on the nat-pt router. In fact, I at one point haddetailed nat pt debugging turned on, but I kept getting “IPv6 NAT: Found prefix” like once a second and didn’tknow what that meant but so I turned it off, but worth noting. Let me know if it tells you anything.

Leaving the ICMP debugging on also didn’t seem to do much because when pinging 2001::C0A8:28C8 from therouter with the IPv6 address of 2001:A:B:C::1, I didnt see any acknowledgement messages on the nat-pt router,which, as a I said before, is where I’ve assigned a static ipv6 route of EVERYTHING to go to. However, since I’mnot getting ANY messages of any kind, its almost as if those pings aren’t getting to the nat-pt router.

HELP!!!! I’m pulling my hair out over what – on the surface – appears to be a simple issue that I just can’tovercome.

Comment by mierdin — February 4, 2011 @ 5:13 pm | Reply

Nevermind – I stupidly failed to turn on ipv6 unicast-routing.

Comment by mierdin — February 4, 2011 @ 6:33 pm | Reply

8.

there is a mistake in here “ will be seen as 2001::c018:28c8/96″>”

168 is 1010 1000 ==> hex : a8 ; not 18 .

Comment by Mehdi — March 21, 2011 @ 11:38 am | Reply

9.


20 of 26 12/02/2012 18:11

Corrected. Thank you Mehdi, appreciate it.


You’re Welcome , please i’am wondering how to create the static routes ? because we don’t have a next hop in ipv6, same thing for ipv4 ? should we create them with the new v4v6/v6v4 adresses ?my topologie is : pc1-R1-PC2

Thank you

Mehdi

Comment by Mehdi — March 22, 2011 @ 2:01 pm | Reply

The concept is the same, nevertheless, beware of some particularities :

- Enable IPv6 unicast routing first. Without it you can have back-to-back connectivity because it useslink-local addresses, but you will experience issues with non-directly configured devices.

- With PTP (Point-to-Point links) Ethernet or serial, it will be enough to mention the outgoing interface,because there is only one next-hop.You also use the next-hop and the outgoing interface will be resolved using a recursive lookup

- With a multi-access links with multiple next-hops reachable, the better is to use a fully specifiedroute (next-hop + outgoing interface) because ND (Network Discovery Protocol) doesn’t perform proxyresolution as with IPv4 proxy-ARP.

Comment by cciethebeginning — March 25, 2011 @ 12:49 am | Reply

10.

thanks for the great post! I’ve reproduced this in my lab (with gns, with 1800 series and even with 2500 series) but Istill have issues and I am not able to figure out why.My configuration has same ip address and nat… Here some details:

R2#sh run | in natipv6 natipv6 natipv6 nat v4v6 source 192.168.40.200 2001::C0A8:28C8ipv6 nat v6v4 source 2001:A:B:C::1 192.168.40.1ipv6 nat prefix 2001::/96

R1#sii6FastEthernet0/0 [up/up]FE80::12001:A:B:C::1

R3#siiInterface IP-Address OK? Method Status ProtocolFastEthernet0/1 192.168.40.200 YES manual up up

R1#show ipv6 route

S 2001::/96 [1/0]via FastEthernet0/0, directly connected

ok.. If I do a ping from R3 to R1 I can see the correct nat translation in R2:

11.


21 of 26 12/02/2012 18:11

*Mar 30 16:05:01.043: IPv6 NAT: Found prefix 2001::/96*Mar 30 16:05:01.043: IPv6 NAT: IPv4->IPv6:src (192.168.40.200 -> 2001::C0A8:28C8)dst (0.0.0.0 -> ::)ref_count = 1, usecount = 0, flags = 513,rt_flags = 0, more_flags = 0

*Mar 30 16:05:01.043: IPv6 NAT: IPv4->IPv6:src (0.0.0.0 -> ::)dst (192.168.40.1 -> 2001:A:B:C::1)ref_count = 1, usecount = 0, flags = 257,rt_flags = 0, more_flags = 0

and I can see the traffic is sent to R1:

R2:

*Mar 30 16:05:06.047: IPV6: source FE80::2 (local)*Mar 30 16:05:06.047: dest 2001:A:B:C::1 (FastEthernet0/0)*Mar 30 16:05:06.047: traffic class 224, flow 0×0, len 72+0, prot 58, hops 255, originating*Mar 30 16:05:06.047: IPv6-Fwd: Sending on FastEthernet0/0*Mar 30 16:05:06.047: IPV6: source 2001:A:B:C::1 (FastEthernet0/0)*Mar 30 16:05:06.047: dest FE80::2 (FastEthernet0/0)*Mar 30 16:05:06.047: traffic class 224, flow 0×0, len 64+14, prot 58, hops 255, forward to ulp

then R1 replies:

*Mar 30 15:45:48.065: dest 2001::C0A8:28C8 (FastEthernet0/0)*Mar 30 15:45:48.065: traffic class 0, flow 0×0, len 120+0, prot 58, hops 64, originating*Mar 30 15:45:48.065: IPv6-Fwd: Encapsulation postponed, performing resolution*Mar 30 15:45:48.069: IPV6: source 2001:A:B:C::1 (local)*Mar 30 15:45:48.069: dest FF02::1:FFA8:28C8 (FastEthernet0/0)*Mar 30 15:45:48.069: traffic class 224, flow 0×0, len 72+0, prot 58, hops 255, originating*Mar 30 15:45:48.069: IPv6-Fwd: Sending on FastEthernet0/0

but I don’ see the traffic going back to R2..

thanks if someone can read and help on this.

Comment by Oliver — March 30, 2011 @ 3:59 pm | Reply

Hi Oliver,Did you enable IPv6 unicast routing “ipv6 unicast-routing” on both R1 and R2?


Hi cciethebeginning .. thanks for your reply.

I did it.. yes.. btw I’ve tried the configuration again on 3 routers on gns3 and it worked.. then I’ve triedagain on 3 real routers from scratch and still the problem persists.. I’ve seen doing a ping from ipv4 toipv6 some really strange addresses (while doing a debug ipv6 pack detail on the NAT-PT router).. I willpost them here tomorrow for reference..Weird problem..

Comment by Oliver — March 31, 2011 @ 9:14 pm

[...] hosts by translating IPv6 addresses into IPv4 addresses and vice versa. There’s a writeup here that shows its12.


22 of 26 12/02/2012 18:11

Notify me of follow-up comments via email.

Notify me of new posts via email.

Post Comment

intended operation. It’s NAT-PT that allows our IPv6-addressed victims to [...]

Pingback by SLAAC Attack – 0day Windows Network Interception Configuration Vulnerability | InfoSec Resources— April 4, 2011 @ 2:44 pm | Reply

Erstklassige Angelegenheit. Ich fuer meinen Teil finde es absoluter Wahnsinn, was ihr alles auf die Beine stellt.Macht weiter so.

Comment by krankenversicherung privat — September 24, 2011 @ 9:06 am | Reply

13.

[...] 1- http://cciethebeginning.wordpress.com/2009/07/27/ipv6-nat-pt-transition/ [...]

Pingback by Network Address Translation – Protocol Translation Issues/Workarounds (NAT-PT) | routersysco —December 11, 2011 @ 12:48 am | Reply

14.

[...] 1- http://cciethebeginning.wordpress.com/2009/07/27/ipv6-nat-pt-transition/ [...]

Pingback by NAT-PT Network Address Translation Issues | routersysco — December 22, 2011 @ 3:44 am | Reply

15.

RSS feed for comments on this post. TrackBack URI

Leave a Reply


23 of 26 12/02/2012 18:11

DHCPv6 fake attackStateful DHCPv6 Prefix delegation (Rapid-commit) [4/4]Stateful DHCPv6 Relay (Rapid-commit) [3/4]Stateless DHCPv6 + SLAAC [2/4]IOS DHCPv6 deployment schemes

6to4 802.1q ACL Auto-RP BGP attribute BSR CBAC CGMP DHCPv6 DMVPN eBGP EIGRP Frame Relay

GLBP GRE HSRP iBGP IGMP IPSec Load Balancing mGRE NBMA

NHRP normal-commit OSPF Path selection PIM PIM-Sparse mode Policing QoS rapid-commit

redistribution relay Rendez-vous Point RP shared path Source path Tree troubleshooting VRRP

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 74 other followers

RegisterLog inEntries RSSComments RSSWordPress.com

About

July 2009

M T W T F S S

« Feb Nov »

1 2 3 4 5


24 of 26 12/02/2012 18:11

M T W T F S S

« Feb Nov »

6 7 8 9 10 11 12

13 14 15 16 17 18 19

20 21 22 23 24 25 26

27 28 29 30 31

January 2012December 2011October 2011September 2011July 2011April 2011February 2011November 2010July 2010June 2010March 2010January 2010November 2009July 2009February 2009January 2009December 2008November 2008October 2008September 2008August 2008July 2008June 2008May 2008April 2008March 2008

13,560spam comments


25 of 26 12/02/2012 18:11

Theme: Rubric. Blog at WordPress.com.


26 of 26 12/02/2012 18:11

ipv6 nat-pt transition « ccie, the beginning!

Documents