NAT64 and NAT46 in cisco ASA firewall

amit5-singh
Level 1

I have a Cisco FPR3100 firewall configured in ASA mode. The outside interface IP is 202.100.100.1/28 and 2607:f8b0:4006:809::2003/122. The inside interface IP is 10.0.10.3/26. The server connected to the internal interface has IP 10.0.10.4. Currently the server is communicating with the internet using IPv4 natting. I need to configure NAT64 and NAT46 for the server to communicate with the internet on IPv6, but I cannot give IPv6 to the server. I have searched the internet and the Cisco community for solutions but didn't get any suitable solution.

Could anyone suggest a suitable solution for this problem?

12 Replies

Enes Simnica
Spotlight

Hello G. I will use bullet points because I want to add some important configs that are usually used for ur scenario. Alright man, for ur FPR3100 in ASA mode, u can implement NAT64/NAT46 without assigning IPv6 to the server using static NAT mappings, and the configs for this are:

First configure NAT46 (IPv4 to IPv6 translation for outbound traffic):

object network SERVER_IPV4
 host 10.0.10.4
 nat (inside,outside) static 2607:f8b0:4006:809::2004

after that u need to configure NAT64 (IPv6 to IPv4 translation for inbound traffic):

object network SERVER_IPV6
 host 2607:f8b0:4006:809::2004
 nat (outside,inside) static 10.0.10.4

AND FOR SURE HERE U HAVE THE ACLs that U NEED 1000000%%%%% BUT FEEL FREE TO ADJUST THEM AS PER U NEEDS...!

access-list OUTSIDE-IN extended permit tcp any host 2607:f8b0:4006:809::2004
access-list INSIDE-OUT extended permit tcp host 10.0.10.4 any
access-group OUTSIDE-IN in interface outside
access-group INSIDE-OUT in interface inside

AND for the end u have this reference link: https://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/217208-understanding-nat64-and-its-configuratio.html

Hope it wasn't that long and have fun!

-Enes

more Cisco?!
more Gym?!

If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!

I first created both the objects with their respective IP addresses. Then I ran the command

object network SERVER_IPV4
 host 10.0.10.4
 nat (inside,outside) static SERVER_IPv6

as the nat command doesn't accept an IP address, only an object name. But I got the error "ERROR: Mapped IPv6 prefix length must be less than or equal to 96".

This solution isn't working.

Ah, I see the issue! The error occurs because NAT64 requires specific IPv6 prefix handling. Let's fix that G:

For NAT46, both for IPv4 and 6:

object network SERVER_IPV4
 host 10.0.10.4
 nat (inside,outside) static 2607:f8b0:4006:809::2004

For NAT64, again for both v4 and 6:

object network NAT64_POOL
 range 2607:f8b0:4006:809::2000 2607:f8b0:4006:809::200F

object network SERVER_IPV4
 host 10.0.10.4
 nat (inside,outside) static NAT64_POOL

Let me know if this works. Also, WOULD LOVE TO HAVE remote control on ur device ahahahha, would be easier...

-Enes

object network SERVER_IPV4
 host 10.0.10.4
 nat (inside,outside) static NAT64_POOL

is giving the error "ERROR: IPv6 range object should only be used for NAT66 commands".

ERROR: Mapped IPv6 prefix length must be less than or equal to 96 <<- Can I see the object network ipv6 you use that gets this error?

MHM

still waiting 

MHM

Outside is dual stack 

Use IPv4 of outside for NAT.

Why not?

MHM

IPv4 natting is working, but we also need outside access on IPv6 due to an ISP network requirement, whereas on the inside the server application doesn't support IPv6. Due to this predicament we are looking for a solution on the firewall. Can you help?

Hi @amit5-singh ,

Can you please explain what it is precisely that you need to do?

There are some restrictions explained by RFC 6144. One of them is the IPv4 network to IPv6 Internet scenario (RFC 6144, section 2.4), which was possible in the past via NAT-PT. NAT-PT was deprecated in 2007 via RFC 4966, as it was a very cumbersome solution.

On the other hand, if you only want to make your server reachable on the IPv6 Internet, the ASA will definitely do the job.

https://www.rfc-editor.org/rfc/rfc6144.txt

https://www.rfc-editor.org/rfc/rfc4966.txt

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

amit5-singh
Level 1

Hi @Harold Ritter, the requirement is shown in this image. Can you help in suggesting the correct config for the ASA firewall?

NAT64 NAT46 Requirement.png

hostname(config)# object network Server
hostname(config-network-object)# host <IPv4>
hostname(config-network-object)# nat (outside,inside) static 2607:f8b0:4006:809::2004/128 net-to-net dns <<- 

I hope @Harold Ritter can check whether 2607:f8b0:4006:809::2004/128 is correct or not.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa918/configuration/firewall/asa-918-firewall-config/nat-reference.html <<- ASA 9.18
The /96 limitation is only for dynamic NAT, I think.
Also @Harold Ritter can check the doc I shared.

thanks to all

MHM

Hi @amit5-singh ,

Thanks for the additional information.

If the requirement is to allow the IPv6 Internet to reach your server, then it is completely feasible.

I am not an ASA expert though, and I am not sure you can statically configure a 1 to 1 mapping of 2607:f8b0:4006:809::2004 to 10.0.10.4. But you can certainly achieve NAT64 from the IPv6 Internet to your IPv4-only server in the following way:

object network ipv4-pool
 range 10.0.11.1 10.0.11.254
object network subnet6
 subnet 2607:f8b0:4006:809::/96

nat (Outside,Inside) source dynamic any pat-pool ipv4-pool destination static subnet6 any

(ipv4-pool is the pool that will be used to translate the source IPv6 addresses to IPv4. You can use other ranges.)

In this scenario, external users would use 2607:f8b0:4006:809::10.0.10.4 (or 2607:f8b0:4006:809::0a00:0a04) to reach your server.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
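To make the IPv4-embedded addressing behind Harold's /96 rule concrete (and to show why a bare ::2004 host address cannot stand in for 10.0.10.4 under that method, which is the /96 restriction MHM and the ASA error refer to), here is an added Python model that is not part of any post on this page and not Cisco code. It assumes only the prefix and pool values quoted in the thread; the Nat64Model class and its function names are my own, and real PAT also allocates ports, which this toy omits.

```python
import ipaddress

# Constructed from values in the thread (not a live config): Harold's /96 NAT64
# prefix ("object network subnet6") and his IPv4 PAT pool ("object network ipv4-pool").
NAT64_PREFIX = "2607:f8b0:4006:809::/96"
POOL_FIRST, POOL_LAST = "10.0.11.1", "10.0.11.254"


def mapped_prefix_accepted(mapped: str) -> bool:
    """Mirror the ASA check behind 'Mapped IPv6 prefix length must be less than or equal to 96'."""
    return ipaddress.IPv6Network(mapped, strict=False).prefixlen <= 96


def embed_ipv4(prefix: str, v4: str) -> str:
    """IPv4-embedded form for a /96 prefix: the IPv4 address becomes the low 32 bits."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 96:
        raise ValueError("this helper models only the /96 case")
    return str(ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(v4))))


def extract_ipv4(prefix: str, v6: str) -> str:
    """Recover the real IPv4 destination; addresses outside the prefix are not translated."""
    net, addr = ipaddress.IPv6Network(prefix, strict=False), ipaddress.IPv6Address(v6)
    if net.prefixlen != 96 or addr not in net:
        raise ValueError(f"{v6} is not an IPv4-embedded address under {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


class Nat64Model:
    """Toy model (assumption, not ASA code) of the rule
    nat (Outside,Inside) source dynamic any pat-pool ipv4-pool destination static subnet6 any
    Each IPv6 source is bound to an IPv4 pool address (real PAT also allocates ports,
    omitted here); the destination is un-embedded from the /96 prefix."""

    def __init__(self, prefix: str, pool_first: str, pool_last: str):
        self.prefix = prefix
        first, last = int(ipaddress.IPv4Address(pool_first)), int(ipaddress.IPv4Address(pool_last))
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.bindings = {}  # IPv6 source -> IPv4 pool address

    def translate_inbound(self, src6: str, dst6: str) -> tuple:
        """Return (translated source, translated destination) for a packet arriving on Outside."""
        dst4 = extract_ipv4(self.prefix, dst6)
        src = str(ipaddress.IPv6Address(src6))  # normalise so 2001:DB8::1 and 2001:db8::1 share a binding
        if src not in self.bindings:
            self.bindings[src] = self.pool[len(self.bindings) % len(self.pool)]
        return self.bindings[src], dst4
```

Running extract_ipv4 on 2607:f8b0:4006:809::2004 yields 0.0.32.4, not 10.0.10.4, which is why a host-style mapped address is not what the /96 embedded method expects.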