11-07-2013 05:29 AM - edited 03-01-2019 05:42 PM
Hi everybody,
I am looking for a way to configure an ASA running 9.1 to permit access from the Internet over IPv6 to an internal server on IPv4.
I have already read a lot about this topic and tried several Twice NAT configurations, but so far I have not been successful.
To summarize:
The ASA external FW is connected to the Internet using IPv6.
Internal / DMZ interfaces are IPv4 only.
The idea was to create a static translation from the IPv6 mapped address to the IPv4 real address.
Traffic is always initiated from the Internet.
All suggestions are welcome.
Pascal
11-07-2013 05:57 AM
Have you seen the example in the documentation? If you exchange the interfaces it looks like your scenario:
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_objects.html#wp1812826
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-07-2013 06:03 AM
Hi Karsten,
Thanks for following up.
The sample provided by Cisco is just the opposite of my situation.
In my situation the clients are outside and on V6. Servers are inside and on V4. Traffic is initiated from outside.
11-07-2013 06:09 AM
Yes, but in the example the client is also on v6 and the server on v4. As I said, just different interfaces. So I assume it should work with a similar config that is just slightly changed.
11-07-2013 06:47 AM
This is my problem: I can't manage to get it working.
11-21-2013 10:11 PM
Hello Pascal,
I hate that I do not have an ASA to play with for this, but I will do my best to do it with just a piece of paper (I know, pretty lame).
IPv6 inside network: 2001:AAAA:1111:BBBB::/120
IPv4 outside network for the NAT: 20.20.20.0/24
We want our inside IPv6 network to be able to talk with the outside IPv4 world.
For that we will need to use NAT64, but at the same time NAT the entire IPv4 address space into an IPv6 range.
IPv6 range to match the entire IPv6 range: 2001:17::/96
Outside pool for the NAT (20.20.20.0/24)
Then create the NAT:
object network IPv6_Subnet_Internal
 subnet 2001:AAAA:1111:BBBB::/120
object network IPv4_NAT
 subnet 20.20.20.0 255.255.255.0
object network Fake_IPv6
 subnet 2001:17::/96
nat (inside,outside) source static IPv6_Subnet_Internal IPv4_NAT destination static Fake_IPv6 any
That should do it!
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
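The address arithmetic behind the objects in the reply above, as an added example that is not part of any post in this thread. It assumes the static source rule pairs the /120 and the /24 positionally and that the /96 carries the IPv4 destination in its low 32 bits; the function names are hypothetical and the sample addresses are constructed.

```python
import ipaddress

# Object values copied from the reply above.
IPV6_SUBNET_INTERNAL = ipaddress.ip_network("2001:AAAA:1111:BBBB::/120")
IPV4_NAT = ipaddress.ip_network("20.20.20.0/24")
FAKE_IPV6 = ipaddress.ip_network("2001:17::/96")


def map_static(addr, real_net, mapped_net):
    """One-to-one mapping between equal-sized ranges (assumed behaviour):
    keep the host offset, swap the network part."""
    addr = ipaddress.ip_address(addr)
    if real_net.num_addresses != mapped_net.num_addresses:
        raise ValueError("static one-to-one mapping needs equal-sized ranges")
    if addr.version != real_net.version or addr not in real_net:
        raise ValueError(f"{addr} is not inside {real_net}")
    offset = int(addr) - int(real_net.network_address)
    return mapped_net.network_address + offset


def embed_ipv4(ipv4, prefix96=FAKE_IPV6):
    """IPv6 address an inside host must target to reach an IPv4 host."""
    if prefix96.version != 6 or prefix96.prefixlen != 96:
        raise ValueError("a /96 IPv6 prefix is required to hold 32 bits")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix96.network_address) | int(v4))


def extract_ipv4(ipv6, prefix96=FAKE_IPV6):
    """Inverse of embed_ipv4: recover the IPv4 destination."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix96:
        raise ValueError(f"{v6} is not inside {prefix96}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def translate(src6, dst6):
    """(source, destination) as they would appear on the IPv4 side."""
    return (map_static(src6, IPV6_SUBNET_INTERNAL, IPV4_NAT),
            extract_ipv4(dst6))


if __name__ == "__main__":
    # Constructed sample flow: inside host ::a to the documentation host 192.0.2.1
    dst6 = embed_ipv4("192.0.2.1")
    print(dst6, translate("2001:aaaa:1111:bbbb::a", dst6))
```

Because the /96 holds every possible IPv4 address, the destination side of the rule does not restrict which IPv4 hosts are reachable; that has to come from the access lists.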