
IPv4 to IPv6 NAT Hide/Dynamic

ataylor
Level 1

Has anybody configured dynamic/hide IPv4 to IPv6?

 

I have a requirement for IPv4-only hosts to connect to IPv6 Internet sites; I originally tried to lab NAT-PT with DNS ALG.

 <IPv4 only host> --- <Cisco Router with NAT-PT> ---- IPv6 Internet

  • NAT-PT
  • DNS ALG is configured
  • IPv6 NAT service for DNS

IPv4 NAT works fine

IPv6 from the router works fine

 

From an IPv4 Linux host, the IPv4 NAT isn't working.

Lab config:

Inside interface:

interface GigabitEthernet0/1
  ip address 10.0.0.5 255.255.255.252
  ip nat inside
  ip nat enable
  ip virtual-reassembly in
  duplex full
  speed auto
  media-type rj45
  ipv6 nat
!

Outside Interface:

interface GigabitEthernet0/2
  ip address dhcp
  ip nat outside
  ip nat enable
  ip virtual-reassembly in
  duplex full
  speed auto
  media-type rj45
  ipv6 address <IPv6 address>/64
  ipv6 enable
  ipv6 nat
!

ipv6 route ::/0 <IPv6 G/W>
ipv6 nat v4v6 source list 75 pool v6pool
ipv6 nat v4v6 pool v6pool <IPv6 start address> <IPv6 end address> prefix-length 64
ipv6 nat v6v4 source <IPv6 address> <External IPv4 address>
ipv6 nat prefix <IPv6 address>/96


This is a stop gap for an immediate requirement until we can get a proper Dual-Stack design and implementation in place.

Any advice would be greatly appreciated.


4 Replies

Harold Ritter
Cisco Employee

Given that NAT-PT has been deprecated by the IETF (RFC4966) and that there are very few IPv6-only sites, what are the requirements to run NAT-PT? Given the performance and all the issues of NAT-PT, I would strongly recommend against it.

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Harold,

 

Fully agree with you, it's for an unusual telco regulatory requirement in the Middle East, and to be fair more of a 'tick in the box exercise'.

 

I was only looking at this as a very tactical option to provide more time to plan out a dual-stack deployment, however, everything is pointing to scrapping this and going dual-stack day 1.

 

I then became curious as to why the config wasn't working, more for my own curiosity but guess some things aren't worth spending too much time on.

 

Many thanks and all the best,

 

Andy

Understood. Just warning you about how bad NAT-PT is.

 

Anyhow, you need to configure a V4 pool and a dynamic v6v4 translation for the NAT-PT to modify the DNS response going back to the V4 station.

 

ipv6 nat v6v4 source list <access-list> pool v4pool
ipv6 nat v6v4 pool v4pool <begin address> <end address> prefix-length <prefix-length>

 

Additionally, do not forget to disable ip cef and ipv6 cef, as NAT-PT does not even work in CEF.

 

Regards,

Harold Ritter
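Editor's added example (not part of the thread and not Cisco code): a simplified Python model of why the DNS ALG needs the v4 pool described in the reply above. It hands the IPv4 host an IPv4 stand-in address for the IPv6 server, then maps traffic to that stand-in back to the real server. The class and method names are hypothetical, and all addresses are constructed values from documentation ranges.

```python
import ipaddress

class NatPtModel:
    """Simplified model of NAT-PT state for IPv4-initiated sessions (not IOS code)."""

    def __init__(self, v4_pool, v6_pool):
        self.v4_free = [ipaddress.IPv4Address(a) for a in v4_pool]  # role of the v6v4 pool
        self.v6_free = [ipaddress.IPv6Address(a) for a in v6_pool]  # role of the v4v6 pool
        self.server_map = {}  # real IPv6 server -> IPv4 stand-in given to the host
        self.host_map = {}    # IPv4 host -> IPv6 stand-in used on the IPv6 side

    def dns_alg(self, aaaa_answer):
        """Rewrite a AAAA answer into an A answer for the IPv4 host.
        Returns None when there is no v4 pool address to hand out."""
        v6 = ipaddress.IPv6Address(aaaa_answer)
        if v6 not in self.server_map:
            if not self.v4_free:
                return None  # nothing to put in the A record: lookup fails
            self.server_map[v6] = self.v4_free.pop(0)
        return str(self.server_map[v6])

    def translate_v4_packet(self, src_v4, dst_v4):
        """Translate an IPv4 (src, dst) pair to the IPv6 pair; None means dropped."""
        dst = ipaddress.IPv4Address(dst_v4)
        real = [v6 for v6, v4 in self.server_map.items() if v4 == dst]
        if not real:
            return None  # destination is not a known stand-in address
        src = ipaddress.IPv4Address(src_v4)
        if src not in self.host_map:
            if not self.v6_free:
                return None  # v6 pool exhausted
            self.host_map[src] = self.v6_free.pop(0)
        return str(self.host_map[src]), str(real[0])

# Constructed sample values (documentation ranges, not from the thread)
SERVER = "2001:db8:feed::80"
without_pool = NatPtModel(v4_pool=[], v6_pool=["2001:db8:0:1::10"])
with_pool = NatPtModel(v4_pool=["192.0.2.10", "192.0.2.11"],
                       v6_pool=["2001:db8:0:1::10"])

if __name__ == "__main__":
    print("no v4 pool  :", without_pool.dns_alg(SERVER))
    a_record = with_pool.dns_alg(SERVER)
    print("with v4 pool:", a_record, "->",
          with_pool.translate_v4_packet("10.0.0.6", a_record))
```
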

Harold,

 

Many thanks again, it's safe to say we won't be using NAT-PT.

 

Really appreciate the input.


Many thanks,

 

Andy