Static NAT64 v4v6 doesn't work on my router C2911 (15.4(3)M2)

Sergey Shulgin
Level 1

Hello Community!
I have the following task: get the internal web server (IPv4 address - 192.168.1.10) to be reachable from the IPv6 Internet.
I used NAT64 technology. The part of the config is:

R1
!
interface GigabitEthernet0/2.558
encapsulation dot1Q 558
standby version 2
standby 558 ipv6 2A03::4/122
standby 558 priority 120
standby 558 preempt
nat64 enable
ipv6 address 2A03::5/122
ipv6 enable
!
interface Port-channel1.10
encapsulation dot1Q 10
ip address 192.168.1.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
nat64 enable
redundancy rii 10
redundancy group 1 ip 192.168.1.254 exclusive
!
nat64 prefix stateful 2A03::/96
!
nat64 v4 pool POOL_v4 192.168.1.100 192.168.1.111
nat64 v4v6 static 192.168.1.10 2A03::8
nat64 v6v4 list NAT_v6 pool POOL_v4 overload

All have to be Okay. But the ping to the address 2A03::8 failed.
Here is the output from the second router (my HSRP and Redundancy pair):

R2#sh ipv6 neighbors
IPv6 Address Age Link-layer Addr State Interface
2A03::1 127 0005.73a0.0007 STALE Gi0/2.558
2A03::4 43 0005.73a0.022e STALE Gi0/2.558
2A03::5 43 58ac.78c0.831a STALE Gi0/2.558
FE80::5AAC:79FF:FEC0:831A 43 58ac.78c0.831a STALE Gi0/2.558
FE80::863D:C7FF:FE04:A97F 127 843d.c604.a97f STALE Gi0/2.558
FE80::863D:B6FF:FEDA:5FFF 128 843d.c6da.5fff STALE Gi0/2.558
!
sh nat64 translations
Proto Original IPv4 Translated IPv4
Translated IPv6 Original IPv6
--------------------------------------------------------
--- 192.168.1.10 2A03::8
--- ---
Could somebody help me to troubleshoot this issue? I looked all the forums up, but no progress so far.. Why doesn't the router reply with neighbor discovery?
Thanks in advance!

1 Accepted Solution

Accepted Solutions

Hi Sergey,

You need to use a different prefix for natting than the one that is directly connected.

Here's the sample config I used and that works without any issue.

hostname nat64
ip cef
ipv6 unicast-routing
ipv6 cef
!
interface GigabitEthernet0/1
 nat64 enable
 ipv6 address 2001:DB8:12FF:1::1/64
!
interface GigabitEthernet0/2
 ip address 192.168.23.2 255.255.255.0
 nat64 enable
!
ip route 3.3.3.3 255.255.255.255 192.168.23.3
!
nat64 prefix stateful 2001:DB8:12FF::/96
nat64 v4 pool POOL_v4 192.168.100.1 192.168.100.2
nat64 v4v6 static 3.3.3.3 2001:DB8:12FF::303:303
nat64 v6v4 list NAT_v6 pool POOL_v4 overload
!
ipv6 access-list NAT_v6
 permit ipv6 any host 2001:DB8:12FF::303:303
!
end

Make sure you have the proper routing in place both on the IPv6 and on the IPv4 side.

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
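
Added example (not part of the original thread and not Cisco tooling): a Python check for the condition named in the accepted answer, that the NAT64 stateful prefix and the IPv6 side of a `nat64 v4v6 static` mapping must not fall inside a directly connected IPv6 subnet. The two inputs are excerpts of the configs posted in this thread; the function name `nat64_overlaps` is hypothetical.

```python
import ipaddress
import re

def nat64_overlaps(config):
    """List NAT64 IPv6 objects that collide with a directly connected IPv6 subnet."""
    connected, prefixes, statics = [], [], []
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ipv6 address (\S+/\d+)", line):
            # ip_interface keeps the host bits; .network is the connected subnet
            connected.append((iface, ipaddress.ip_interface(m.group(1)).network))
        elif m := re.match(r"nat64 prefix stateful (\S+)", line):
            prefixes.append(ipaddress.ip_network(m.group(1)))
        elif m := re.match(r"nat64 v4v6 static \S+ (\S+)", line):
            statics.append(ipaddress.ip_address(m.group(1)))
    findings = []
    for name, net in connected:
        for prefix in prefixes:
            if prefix.overlaps(net):
                findings.append(f"prefix {prefix} overlaps {net} on {name}")
        for addr in statics:
            if addr in net:
                findings.append(f"static {addr} is inside {net} on {name}")
    return findings

# Excerpt of the config from the question (R1)
QUESTION_CFG = """
interface GigabitEthernet0/2.558
 ipv6 address 2A03::5/122
nat64 prefix stateful 2A03::/96
nat64 v4v6 static 192.168.1.10 2A03::8
"""

# Excerpt of the sample config from the accepted answer
ANSWER_CFG = """
interface GigabitEthernet0/1
 ipv6 address 2001:DB8:12FF:1::1/64
nat64 prefix stateful 2001:DB8:12FF::/96
nat64 v4v6 static 3.3.3.3 2001:DB8:12FF::303:303
"""

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CFG), ("answer", ANSWER_CFG)):
        print(label, nat64_overlaps(cfg) or "no overlap")
```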


Harold Ritter
Spotlight

Hi Sergey,

I don't see the ACL named NAT_v6. Have you configured it? It should look something like this:

ipv6 access-list NAT_v6
 permit ipv6 any host 2a03::8

Regards,

Harold Ritter

Hello Harold!

Thanks for your reply. Actually I have the ACL:

R1#sh run | sec NAT_v6
nat64 v6v4 list NAT_v6 pool POOL_v4 overload
ipv6 access-list NAT_v6
permit ipv6 any any

PS I am sorry that I created two similar cases: this one and "IPv6 NAT64 v4v6 problem (Can't publish my Web IPv4 server) via the router (C2911/15.4(3)M2)". I found it today. It was the browser's fault I think..

Hi Sergey,

Can you try with a more restrictive ACL like the one I suggested and see if it solves the problem?

ipv6 access-list NAT_v6
 permit ipv6 any host 2a03::8

Regards,

Harold Ritter

Hi Harold,

Tried with a more specific ACL but the result is the same.

I found an interesting fact. As long as I use a different v6 subnet as the Stateful Prefix (for example 2A02:E5C0:1::/96) and a new v4v6 static - R1 starts to create the NAT64 translation. But (and I don't know why) the ping doesn't work. Somewhere packets drop -(

And once again - thank you Harold for your time!

Hello Harold!

Thanks for your help, time and enthusiasm!

Now you are absolutely right -) in this case nat64 works.

It is a bit strange to me that I should use different subnets on both sides: v4 and v6. I would recommend Cisco to add these nuances as the limitations for NAT64.

Finally, I am happy now. I have a workable solution.

Hi Sergey,

I'm glad you have solved your issues. Time to rest and enjoy the holidays now :-)

Have a great day,

Harold Ritter

Hi,

Why is there a static route for 3.3.3.3, as this IP is supposed to be here on the NAT64 router? Also, can you please paste the topology and what IP will need to be pinged to test the connectivity? I understand it's 3.3.3.3, but mine is not working.

Regards,

IG

The reason for the static route is that 3.3.3.3/32 is not directly connected to the NAT64 router, but rather connected to the ipv4 only router loopback interface. The topology is as follows:

ipv6 only router <--- (2001:db8:12ff:1::/64) ---> NAT64 router <--- (192.168.23.0/24) ---> ipv4 only router (3.3.3.3 assigned to lo0)

With this topology and the configuration provided, I can ping 2001:db8:12ff::3.3.3.3 from the ipv6 only router.

Regards,

Harold Ritter

Thanks for the reply Harold,

What about the other way around, from the IPv4 side: can you ping from an IPv4 only host to any IPv6 IP? That's what I am after actually.

Thanks,

IG

The provided config uses an IPv4 pool for the IPv6 to IPv4 translation, therefore the traffic needs to be originated from the IPv6 only router. If you wanted to ping the ipv6 only router from the ipv4 only router you would need to statically map the ipv6 address on the NAT64 router. The config would look something like this:

nat64 v6v4 static 2001:DB8:12FF:1::2 192.168.100.3

Regards,

Harold Ritter

Thanks Harold,

Could not give it much time to test thoroughly, but was a bit, with that static entry for IPv6 to IPv4, where with dynamic, that is not needed. I thought that was for the v4 to v6, but yes the other way around it's working with that one. Thanks,

Regards,

IG
