An example configuration for nat64 on ASR1k


At the FOSDEM conference in 2014 we used an IPv6-only network for the main wireless access.

For the upstream link we used:

interface GigabitEthernet0/0/0
  description ---------- Uplink to COLT ----------------
  ip address
  ipv6 address 2001:920:0:1::5F/127
  nat64 enable

And the IPv6-only network used:

interface GigabitEthernet0/0/3.1400
  description ----------- WiFi Internet client traffic  ----------------
  ipv6 address 2001:67C:1810:F051::1/64
  ipv6 enable
  nat64 enable

While the legacy dualstack network had:

interface GigabitEthernet0/0/3.1402
  description ----------- WiFi FOSDEM-dualstack Internet client traffic  ----------------
  ip address
  ipv6 address 2001:67C:1810:F055::1/64
  ipv6 enable
  nat64 enable

To allow traffic to IPv4-only devices we use stateful NAT64 with:

ipv6 access-list nat64-acl
  sequence 20 permit ipv6 any 2001:67C:1810:F050::/96
nat64 prefix stateful 2001:67C:1810:F050::/96
nat64 v4 pool nat-pool
nat64 v6v4 list nat64-acl pool nat-pool overload

This will NAT the IPv6 clients behind the network range. The DNS server will lie to you and give an artificial IP.

So while a normal DNS server like Google's returns only the IPv4 address:

$ host 2001:67c:1810:f050::808:808
Using domain server:
Name: 2001:67c:1810:f050::808:808
Address: 2001:67c:1810:f050::808:808#53
Aliases: has address

Our resolver lies and also returns the NAT64 IPv6 address:

host 2001:67c:1810:f056::2
Using domain server:
Name: 2001:67c:1810:f056::2
Address: 2001:67c:1810:f056::2#53
Aliases: has address has IPv6 address 2001:67c:1810:f050::5e17:1859

Notice that to reach the IPv4 we had to lie and use 2001:67c:1810:f050::808:808, and  in hex 5E 17 18 59 became 2001:67c:1810:f050::5e17:1859.

Alternatively we could also have used 2001:67c:1810:f050:: (depending on the support in the OS for this notation).

We can check that it works with:

asr1k#show nat64 mappings dynamic
Dynamic mappings configured: 1
Direction ID      ACL
   Pool                             Flags
   RG ID Mapping ID
v6v4      3       nat64-acl
   nat-pool                         0x00000001 (overload)
   0     0

asr1k#show nat64 pools
Pools configured: 1
Protocol HSL ID     Name
   Is Single Range
IPv4     3          nat-pool
   TRUE            ( - -

asr1k#show nat64 prefix stateful global
Global Stateful Prefix: is valid, 2001:67C:1810:F050::/96
IFs Using Global Prefix

asr1k#show nat64 statistics mapping dynamic
NAT64 Statistics
Dynamic Mapping Statistics
      access-list nat64-acl pool nat-pool refcount 4196
         pool nat-pool:
            start end
            total addresses 254, allocated 1 (0%)
            address exhaustion packet count 0

asr1k#show nat64 statistics global
NAT64 Statistics
Total active translations: 4062 (0 static, 4062 dynamic; 4062 extended)
Sessions found: 2632830
Sessions created: 10314
Expired translations: 6251
Global Stats:
   Packets translated (IPv4 -> IPv6)
      Stateless: 0
      Stateful: 1971206
      MAP-T: 0
   Packets translated (IPv6 -> IPv4)
      Stateless: 0
      Stateful: 671944
      MAP-T: 0

asr1k#show nat64 translations port 80 total
Total number of translations: 2008

To check the connections for a particular IPv6 address use:

asr1k#show nat64 translations v6 original 2001:67c:1810:f051:e984:cbe2:d169:8ded verbose
Proto  Original IPv4         Translated IPv4
       Translated IPv6       Original IPv6
tcp      [2001:67c:1810:f050::ad24:c48]:443     [2001:67c:1810:f051:e984:cbe2:d169:8ded]:49407
         created: 01 Feb 2014 09:06:30, last-used:   01 Feb 2014 09:07:38,
           inactivity-time:     00:03:38
         flags: syn-in
         entry-id: 0x83a976e0, use-count: 1
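
As an added example (not part of the original post), the Python code below applies the /96 mapping described earlier: the IPv4 address sits in the low 32 bits of 2001:67c:1810:f050::/96, so the synthesized side of a translation entry can be decoded back to the real IPv4 host when reviewing NAT64 sessions. The function names and the 192.0.2.33 sample address are assumptions; the prefix and the entry line are taken from this page.

```python
import ipaddress
import re

# Stateful NAT64 prefix taken from the configuration on this page.
NAT64_PREFIX = ipaddress.IPv6Network("2001:67c:1810:f050::/96")
# "[ipv6]:port" endpoints as printed by "show nat64 translations".
ENDPOINT = re.compile(r"\[([0-9A-Fa-f:]+)\]:(\d+)")

def synthesize(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled in this example")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))

def extract(ipv6, prefix=NAT64_PREFIX):
    """Recover the real IPv4 destination from a synthesized address."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled in this example")
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

def decode_translation(line, prefix=NAT64_PREFIX):
    """Map one translation entry to its client and real IPv4 destination."""
    fields = line.split()
    result = {"proto": fields[0] if fields else None}
    for host, port in ENDPOINT.findall(line):
        addr = ipaddress.IPv6Address(host)
        if addr in prefix:   # synthesized side: decode to IPv4
            result["dst_v4"] = str(extract(host, prefix))
            result["dst_port"] = int(port)
        else:                # native IPv6 client behind the router
            result["client_v6"] = str(addr)
            result["client_port"] = int(port)
    if "dst_v4" not in result or "client_v6" not in result:
        raise ValueError("line has no NAT64 client/destination pair")
    return result

if __name__ == "__main__":
    # Entry line copied from the translations output on this page.
    entry = ("tcp  [2001:67c:1810:f050::ad24:c48]:443  "
             "[2001:67c:1810:f051:e984:cbe2:d169:8ded]:49407")
    print(decode_translation(entry))
    print(synthesize("192.0.2.33"))  # constructed documentation address
```
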


Attached is a censored 'show run' of the router. Please note that we have ACLs on all interfaces, mainly to count traffic.