IPv4 to IPv6 traffic flow on ASA

tellis002
Spotlight

As some of you are probably aware, we are out of IPv4 public addresses now.  Well, I have a client that has an IPv4 block, but it is owned by the service provider.  They need to get their own IPv4 address block from ARIN, but there are none left, which leaves me to focus on IPv6.  Therefore, here is the scenario.

The LAN is all IPv4, the WAN is also currently IPv4.  I need to give back the IPv4 on the WAN to the provider and then get IPv6, as there are no IPv4 addresses from ARIN.

The concern is the edge, which is a pair of ASA 5515-Xs in Active/Standby.  I would like to think I could configure the outside interfaces with the IPv6 address and then NAT everything on the inside to outside (IPv4 to IPv6) using NAT46.  However, it appears I am finding that this is not recommended. Below is what I was hoping would work or I could go stateful if necessary.  Of course long term would be to migrate the LAN to IPv6 and avoid all IPv4, but I was hoping we could start here and move forward from there.

Any suggestions?  DNS concerns as well?  

 

ciscoasa(config)# object network inside_v4_v6
ciscoasa(config-network-object)# subnet 10.1.1.0 255.255.255.0
ciscoasa(config-network-object)# nat (inside,outside) static 2001:DB8::/96

 

Thanks for everything.
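
The address mapping implied by the posted NAT object, as an added example that is not part of the original post: it assumes the static /96 mapping places each inside IPv4 address in the low 32 bits of the prefix, and it uses that to attribute translated IPv6 sources seen on the outside back to inside hosts. The function names and the sample records are constructed for illustration.

```python
import ipaddress

# Values from the posted object: inside subnet and the /96 mapped prefix.
INSIDE = ipaddress.ip_network("10.1.1.0/24")
PREFIX = ipaddress.ip_network("2001:db8::/96")

def to_outside(v4):
    """Inside IPv4 host -> translated IPv6 source seen on the outside."""
    addr = ipaddress.IPv4Address(v4)
    if addr not in INSIDE:
        raise ValueError(f"{v4} is not covered by the NAT object")
    # Assumption: the IPv4 address occupies the low 32 bits of the /96.
    return ipaddress.IPv6Address(int(PREFIX.network_address) | int(addr))

def to_inside(v6):
    """Translated IPv6 address -> inside IPv4 host, or None if not ours."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in PREFIX:
        return None
    v4 = ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)
    # An address inside the /96 that does not decode to the inside subnet
    # was not produced by this NAT rule.
    return v4 if v4 in INSIDE else None

# Constructed outside-side records (source, destination port), not real logs.
SAMPLE = [
    ("2001:db8::a01:119", 443),
    ("2001:db8::a01:1fe", 53),
    ("2001:db8::c0a8:101", 443),   # in the /96 but not from 10.1.1.0/24
    ("2001:db8:1::5", 22),         # outside the mapped prefix
]

def attribute(records):
    """Pair each record with the inside host it maps back to (or None)."""
    return [(src, port, to_inside(src)) for src, port in records]

if __name__ == "__main__":
    print(to_outside("10.1.1.25"))
    for src, port, host in attribute(SAMPLE):
        print(f"{src} -> port {port}: inside host {host or 'unattributed'}")
```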

 

2 Replies

Seb Rupik
VIP Alumni

Hi there,

NAT64 is the preferred transition mechanism, as when you can't reach an external host via IPv6 you can NAT to IPv4.

What you are suggesting would require every external host you need to connect with being on IPv6. This is very unlikely!

Arguably you could tunnel your IPv6 traffic to another site which does have public IPv4 addresses (assuming you have IPv6 transit to get there) and perform the NAT64 there.

 

cheers,

Seb.

Ah, I see your point and that makes sense, thank you. I will have to go back to the drawing board here.  

Good call.