ASA ipv6 6to4 or 6to6 nat ?

JaseJK, Level 1

I have several sites connected via L2L tunnels with both IPv4 and IPv6 active, but all traffic comes through site1.

For IPv4 I do:

object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network obj_any6
 subnet ::/0
object network serverFakeIPSite1
 host 192.168.100.1
object network serverPubIPSite1
 host 1.2.3.4
object network serverInternalIPSite2
 host 172.16.0.1
!
nat (outside,outside) source static obj_any serverFakeIPSite1 destination static serverPubIPSite1 serverInternalIPSite2 unidirectional no-proxy-arp

which works fine.

I need to add IPv6 to the equation but haven't been able to do so.

I tried the same with a source of obj_any6 and serverPubIPSite1IPV6, but no matter what I try I always get an error on the ASA.

What I'm trying to do is either a 6to4 translation or 6to6, as all sites are dual stacked, but the configuration escapes me...

I'm trying to NAT servers accessed from the internet via site1 to other sites behind the site1 L2L tunnels to said sites.


15 Replies

Harold Ritter, Level 12

Hi @JaseJK ,

If all sites are dual stack, I would suggest you let the IPv6 traffic flow to the Internet natively (no NAT required).

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México

Unfortunately, all traffic in must come through site1, so I'm left with either 64 or 66 NAT, and I'd actually prefer 64 in this particular case…

Hi @JaseJK ,

"all traffic in must come through site1"

Do you mean all IPv6 traffic in, or just all traffic in to a specific server? If the former, why not just advertise the IPv6 space only from Site1 then?

Regards,

Harold Ritter

All traffic in to a specific server.

The main challenge with this is that site2 is handled by a different ISP with a different IPv6 network, hence I can't announce it on site1.

To further complicate things, the IPv6 address of the server is hard-coded (meaning an IPv6 address is used instead of a DNS name) in about 600 PDAs/industrial PCs.

Where an IP address is used instead of a DNS name is under investigation, but it might take up to 6 months; luckily that's not my problem.

The reason I'd prefer to use 6to4 NAT on this is that the inside network in site2 is under my control, and once site2 is fully integrated into the company we intend to manage the whole network, internal and external, ourselves; but until then I need to find a workaround to the problem. 6to4 NATting means I can keep the inside network of site2 as it is once the merger is fully completed, which also takes a while, and TPTB want it working now.

Hi @JaseJK ,

Are all the sites advertising the same IPv6 prefix to the Internet? What is the size of that prefix? You could potentially advertise a more specific prefix covering the address of that server from site 1, which would relieve you from doing NAT at all for IPv6.

Regards,

Harold Ritter

All sites but site2.

Site2 is actually site6 I just called it site2 for simplicity when I started the topic.

We have an IPv6 /48 which is routed through site1 to sites 2-5.

Site6 is a new addition and is handled by a different ISP than all the other sites use, with a totally different IPv6 /64 address space.

The plan is, at a later date, to add it to our /48, giving it its own /64 from our IPv6 pool, but for now I need to find a way to NAT IPv6 traffic to it through site1.

The server in question was moved to site6 (what I called site2 in my previous posts) 2 months ago, as it serves a huge number of local clients on site6, but the problem became apparent when clients outside the internal network needed to do a software update and the software update server, which used to be in site1, was moved to site6. As the clients have the site1 IPv6 address in them, not the DNS name, they can't connect and can't update their software. Until this is resolved in about 6 months, due to the clients being scattered around the country, I need to find a way to make the clients that use the site1 IPv6 address connect to the server in site6. For IPv4 I placed a workaround that I posted in my 1st post, which works, but for IPv6 I need a similar solution and can't figure out a way to do it.

JaseJK, Level 1

Anyone with an idea how to solve this please ?

Hi @JaseJK ,

Just to confirm, the server will have an IPv4 address, it will reside on the inside of the Cisco ASA and it needs to be reachable on the outside via IPv6, is that correct? Or is it the other way around?

Regards,

Harold Ritter

Exactly, except Site1 and Site6 are connected via L2L tunnel, not MPLS.

To clarify, clients from the internet are trying to connect to aaaa:bbbb:cccc:dddd:1::40, which I need to NAT via the L2L tunnel to 172.16.0.40.

Hi @JaseJK ,

I think you'd be better off doing nat66, because I don't think nat46 will allow you to map the external IPv6 address to an internal IPv4 address. As far as I can see, it will only allow mapped IPv4 addresses (i.e. aaaa:bbbb:cccc:dddd:1::172.16.0.40, for instance).

Regards,

Harold Ritter

I tried doing that but the config I tried didn't work. How would I go about doing that ?

Site6 ipv6 address space is reachable by the same L2L tunnel from site1 to site6.

Hi @JaseJK ,

The static nat66 would look something like this:

nat (Inside,Outside) source static Inside_server Outside_server
!
object network Inside_server
 host 1111:2222:3333:4444::50:40
object network Outside_server
 host aaaa:bbbb:cccc:dddd:1::40

Wouldn't it be easier to move aaaa:bbbb:cccc:dddd:1::40 to the server at site 6 and avoid nat altogether?

Regards,

Harold Ritter

Thank you Harold,

as usual I was overthinking things with the nat

I ended up with

nat (outside,outside) source static Inside_server Outside_server

As the traffic has to flow through the L2L tunnel, as with IPv4 it needed to be outside,outside, not inside,outside, at least in my case.

Could you please clarify (as I'm feeling quite stupid for overthinking things :)) what do you mean moving the Outside_server to site6 ?

site6 has a 1111:2222:3333:4444::/64 prefix; if I moved aaaa:bbbb:cccc:dddd:1::40 there, it wouldn't be able to communicate over IPv6 with anyone?

aaaa:bbbb:cccc:dddd:1::/64 is used in site1 with lots of hosts as is 1111:2222:3333:4444::/64 in site6.

Maybe I'm overthinking this one also ...

But many thanks, was not seeing the forest for the trees...
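As an added example, not from the thread and not Cisco's own documentation: the complete site1 ASA configuration that Harold's static nat66 and JaseJK's (outside,outside) correction add up to, with the verification commands a practitioner would run afterwards. The addresses are the thread's placeholders; the ::40 host part inside site6's 1111:2222:3333:4444::/64, the object descriptions and the client source address in the packet-tracer line are assumptions.

```cisco
! Added example: site1 ASA, static NAT66 hairpin built from the accepted answer
! and JaseJK's (outside,outside) correction. Addresses are the thread's
! placeholders; the ::40 host part in site6's /64 and the client address are assumed.
!
! Inbound Internet traffic arrives on "outside" and leaves on "outside" again
! (into the site1-site6 L2L tunnel), so intra-interface forwarding must be allowed.
same-security-traffic permit intra-interface
!
! The public IPv6 address still hard-coded in the ~600 clients, advertised from site1.
object network Outside_server
 description mapped (public) address in site1 prefix aaaa:bbbb:cccc:dddd:1::/64
 host aaaa:bbbb:cccc:dddd:1::40
!
! The server's real address inside site6's prefix (host part assumed).
object network Inside_server
 description real address behind the site1-site6 L2L tunnel
 host 1111:2222:3333:4444::40
!
! Static twice NAT: packets addressed to Outside_server are forwarded to
! Inside_server and replies are translated back. Same interface pair as the
! working IPv4 rule in the first post.
nat (outside,outside) source static Inside_server Outside_server
!
! Verification (read-only): confirm the rule is installed and exercise it with a
! simulated client connection from an assumed Internet source address.
show nat detail
show xlate
packet-tracer input outside tcp 2001:db8::1234 40000 aaaa:bbbb:cccc:dddd:1::40 443
```

Two checks are worth doing before declaring it working. First, the hairpin fails silently without `same-security-traffic permit intra-interface`, because a packet entering and leaving the same interface is otherwise dropped. Second, the ASA applies NAT before it matches the crypto map ACL for the site1-site6 tunnel, so the interesting-traffic ACL on both ends must cover the translated address in site6's /64 (Inside_server), not the public aaaa:bbbb:cccc:dddd:1::40; the packet-tracer output shows which rule and which crypto map the flow matched, which is the quickest way to see which of the two is missing.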
