Solved: NAT64 Stateful Configuration Not Working

JustinCase00639 · ‎05-26-2020

I cannot seem to get a basic NAT64 configuration working on a Cisco 4321. The config has been reset; and only the following changes:

ipv6 unicast-routing
!
interface Loopback0
 ip address 8.8.8.8 255.255.255.255
!
interface GigabitEthernet0/0/0
 description IPv6
 ipv6 address AB:CD:EF:CAFE::1/64
 ipv6 enable
 nat64 enable
!
interface GigabitEthernet0/0/1
 description IPv4
 ip address X.Y.Z.128 255.255.255.254
 nat64 enable
!
ipv6 access-list ENABLED_NAT64
 permit ipv6 any any
!
nat64 prefix stateful AB:CD:EF:64::/96
nat64 v4 pool POOL X.Y.Z.130 X.Y.Z.191
nat64 v6v4 list ENABLED_NAT64 pool POOL
!

Based on the documentation the above should be all that's needed. So we do a simple ping test to validate NAT64 translations:

Router#ping AB:CD:EF:64::8.8.8.8
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to AB:CD:EF:64::808:808, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Router#

No observed translations. We conclude that the NAT64 process either did not [1] see the packets or [2] translate them.

Router#show nat64 translations

Proto  Original IPv4         Translated IPv4
       Translated IPv6       Original IPv6
----------------------------------------------------------------------------

Total number of translations: 0

Router#

The NAT64 prefix is setup..

Router#show nat64 prefix stateful global

Global Stateful Prefix: is valid, AA:BB:CC:64::/96

IFs Using Global Prefix

   Gi0/0/0
   Gi0/0/1

Router#

The next hop is the NAT Virtual Interface. So this appears to be a NAT64 issue, not a routing issue.

Router#show ipv6 cef AA:BB:CC:64::8.8.8.8
AA:BB:CC:64::/96
  nexthop ::100.0.0.1 NVI0
Router#

Not sure what's going on. Turned on some debugging to get a pointer in the right direction.

Router#debug ip icmp
ICMP packet debugging is on
Router#debug ipv6 icmp
  ICMPv6 Packet debugging is on
Router#debug nat64 all
NAT64 debugging is on
Router#
Router#ping AA:BB:CC:64::8.8.8.8 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to AA:BB:CC:64::808:808, timeout is 2 seconds:

*May 27 04:17:35.873: ICMPv6: Sent echo request, src=AA:BB:CC:CAFE::1, Dst=AA:BB:CC:64::808:808.
*May 27 04:17:37.872: ICMPv6: Sent echo request, src=AA:BB:CC:CAFE::1, Dst=AA:BB:CC:64::808:808.
Success rate is 0 percent (0/2)
Router#

I'm at a loss. The router appears to be routing packets to the NVI, however, it's like the NVI does not see them (or at very least never attempts to translate).

Also, I had NAT64 working a while back during testing. I'm revisiting it now and I can't seem to get to that same point. Something simple must be missing, but I can't identify it.

This is done with a Cisco 4321 running 15.5(3)S6.

Harold Ritter · ‎05-27-2020

Your configuration looks good. The issue is that the ping won't work if you are pinging from the router itself. For NAT to work the traffic needs to ingress the nat64 interfaces. You could attach a device to the Gi0/0/0 and ping from it.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

View solution in original post

Harold Ritter · ‎05-27-2020

Your configuration looks good. The issue is that the ping won't work if you are pinging from the router itself. For NAT to work the traffic needs to ingress the nat64 interfaces. You could attach a device to the Gi0/0/0 and ping from it.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México