10-23-2013 04:52 PM - edited 03-01-2019 05:42 PM
My objective is to perfect my knowledge (basic to intermediate at this point) of IPv6 by creating a 100% IPv6 LAN.
That's the Windows component - and I have a decent grasp on that.
But here's the hitch...
My ISP does not yet offer IPv6. Moreover, my test lab is at "home" so I probably could not obtain an IPv6 addr for a residential account anyway.
I have an ASA 5505 running 9.1 (just updated this week).
*
I want to create some sort of IPv6 to IPv4 NAT or PAT so my IPv6 LAN can communicate with the Internet.
*
Sure! I could just leave IPv4 on and I'd be set. But remember, I want to see if I can make everything (Active Directory, DNS, DHCP) work in an IPv6 only network.
Is there any guide or perhaps a blog on how this can be achieved? Could someone explain in a nutshell?
I've glanced at this...
http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_objects.html
But I'm not 100% sure which case applies to mine.
Some other details:
- I'll be using ULA (Unique Local Addresses) since my ISP cannot assign me a Global Unicast addr.
- My external IP would be dynamically assigned by my ISP.
- I managed to configure IPv4 NAT - so I know THAT does work.
10-24-2013 02:10 AM
Hi David,
You'll need to create an ipv6ip tunnel; the best place being between your ASA and router. This can either be a server or an inexpensive Cisco 1841 (for example) peering with a tunnel broker such as Hurricane Electric.
Run OSPF between the router and your ASA. If using a Linux server for your tunnel, then you'll need to configure something like quagga to run the OSPF process.
This will give you an IPv6 lab environment.
If some of your kit then needs to connect to IPv4 external hosts then you will need to configure NAT64. If you choose the Linux server option above, using tayga seems to be the popular option currently.
I wrote a blog post about the first step on my blog (shameless plug!):
http://config-if.blogspot.co.uk/2013/08/ipv6-tunnel.html
cheers,
Seb.
10-27-2013 01:54 PM
For nat64 you can also use the csr1000v - though the unlicensed version is limited to 2.5mbps throughput - but could be enough for experiments.
11-04-2013 05:37 PM
Seb, Andrew,
Thank you so much for your responses and please excuse my late response to them.
Seb,
I looked at your blog. I think my scenario is a little different and you touched on that in the second part of your response above.
I *only* need to connect to external IPv4 hosts. I do not need to tunnel to another IPv6 site.
The IPv6 to IPv4 is the only objective I am pursuing at this point.
Andrew,
I do not believe I have an appropriate host machine for the csr1000v. Looks like the hardware requirements are high and you have to have VMware ESXi 5.x. I only have VMware Workstation (ver 9).
http://www.networkworld.com/reviews/2013/022513-cisco-virtual-router-test-266658.html
***
Is there any way to configure NAT64 on a single ASA 5505?
11-21-2013 10:11 PM
Hello David,
I hate that I do not have an ASA to play with for this, but I will do my best to do it with just a piece of paper (I know, pretty lame).
IPv6 inside network: 2001:AAAA:1111:BBBB::/120
IPv4 outside network for the NAT: 20.20.20.0/24
We want our inside IPv6 network to be able to talk with the outside IPv4 world.
For that we will need to use NAT64 but at the same time NAT the entire IPv4 address space into an IPv6 range.
IPv6 range to match the entire IPv6 range: 2001:17::/96
Outside pool for the NAT (20.20.20.0/24)
Then create the NAT:
object network IPv6_Subnet_Internal
 subnet 2001:AAAA:1111:BBBB::/120
object network IPv4_NAT
 subnet 20.20.20.0 255.255.255.0
object network Fake_IPv6
 subnet 2001:17::/96
nat (inside,outside) source static IPv6_Subnet_Internal IPv4_NAT destination static Fake_IPv6 any
That should do it!
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
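The address arithmetic behind the rule in the post above, as an added example that is not part of the original reply or of Cisco's documentation. It assumes the IPv4 destination sits in the low 32 bits of the 2001:17::/96 prefix and that the static source mapping between the /120 and the /24 goes by host offset; the function names and the 192.0.2.10 destination are constructed for illustration.

```python
import ipaddress

# Networks taken from the post above.
INSIDE_V6 = ipaddress.ip_network("2001:AAAA:1111:BBBB::/120")
NAT_POOL_V4 = ipaddress.ip_network("20.20.20.0/24")
FAKE_V6 = ipaddress.ip_network("2001:17::/96")


def v4_to_fake_v6(v4, prefix=FAKE_V6):
    """IPv6 address an inside host must target to reach an IPv4 host."""
    if prefix.prefixlen != 96:
        raise ValueError("this sketch only handles a /96 prefix")
    v4 = ipaddress.IPv4Address(v4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def fake_v6_to_v4(v6, prefix=FAKE_V6):
    """Destination translation: strip the /96 prefix, keep the low 32 bits."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        raise ValueError(f"{v6} is outside {prefix}; the rule would not match")
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def static_source_map(v6, inside=INSIDE_V6, pool=NAT_POOL_V4):
    """Source translation: same host offset in the IPv4 pool (assumed)."""
    if inside.num_addresses != pool.num_addresses:
        raise ValueError("one-to-one mapping needs equally sized networks")
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in inside:
        raise ValueError(f"{v6} is not in the inside network {inside}")
    offset = int(v6) - int(inside.network_address)
    return ipaddress.IPv4Address(int(pool.network_address) + offset)


def translate(src_v6, dst_v6):
    """Return the (source, destination) IPv4 pair seen on the outside."""
    return static_source_map(src_v6), fake_v6_to_v4(dst_v6)


if __name__ == "__main__":
    dst = v4_to_fake_v6("192.0.2.10")  # constructed sample destination
    print("inside host connects to", dst)
    print("outside sees", translate("2001:aaaa:1111:bbbb::25", dst))
```

The /120 and the /24 both hold 256 addresses, which is why the one-to-one source mapping lines up.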
11-15-2013 02:36 PM
You do not want NAT for the job. You want a tunnelbroker, who will provide a tunnel to a pure IPv6 network.
You can get free access to the IPv6 internet using one of three popular Tunnel Brokers:
www.tunnelbroker.net
www.sixxs.net
www.go6.net
You can get a /48 prefix or /56 from them and use global addresses.
If you want to keep using ULA, you can employ NPTv6 (aka NAT66).
And take some time and demand that your ISP offer IPv6!