IPv6 Nat64 configuration in ASA

Mohammed Ashraf Ali · ‎07-11-2013

Hi All,

I am planning to implement a ipv6 network , and i have an ASA 5510 with ios version 9.1, ILL is connected on the outside interface with ipv4 ip (124.125.111.2/30).

So my first task is to allow inside ipv6 network (2001:abc:abc::/64) to communicate to ipv4 internet.

Can any body, provide me a sample configuration for the same in ASA , i think it is called as IPv6 Nat64.

Regards,

Ashraf

sean_evershed · ‎07-11-2013

You will need to PAT the addresses given the large number of IPv6 hosts that you have.

See the following guide for details

http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/firewall/nat_objects.html

Don't forget to rate all posts that are helpful.

BRIAN SEKLECKI · ‎07-11-2013

The release notes concur:

http://www.cisco.com/en/US/docs/security/asa/asa90/release/notes/asarn90.html

My big question: Does the ASA/PIX DNS inspection agent automatically handle A record converstion to AAAA /96 mapping of records?

Will try to research. ~BAS

Update: apparently it does handle DNS mapping:

http://www.cisco.com/en/US/docs/security/asa/asa91/asdm71/firewall/nat_objects.html#wp1777972

James Leinweber · ‎07-17-2013

NAT64 is even worse for applications than NAT44, so that is probably a last resort. Typically it's only used by people who have no last mile v4 transit, e.g. at an LTE4 cellphone network head end. If you have a public IPv4 address for the outside of yout firewall, can you get an IPv6 allocation of a /48 or better with native routing from your ISP and go with classic dual-stack v4 + v6? If not, nag your ISP; it's 2013 and the IPv4 experiment is supposed to be ending.

I have native v6 and thus no incentive to do R&D on NAT64, so alas, I can't answer your original question.

-- Jim Leinweber, WI State Lab of Hygiene