NAT-PT and TCP problem

I have 2 IPv4 subnets which are connected to each other via an IPv6 network. For several reasons I don't want to go into here, it's better for me to use NAT-PT at the two v4/v6 boundaries instead of creating a v4 tunnel over the v6 network.

The result is that I can ping from one v4 host to another v4 host across the v6 network. I can also run UDP/IPv4 traffic across the v6 network, but not with TCP. Does anyone have any suggestion?

Thank you

4 Replies

Hello Joseph,

Can you post the configuration of the router where you have NAT-PT configured?

Regards,

GP

Hi GP,

The router config I currently have is just for a simple test. I use static mapping for only two v4/v6 pairs. The v4 addresses are the actual addresses of the v4 hosts, while the v6 addresses are bogus and used only to get packets from one side to the other side of the v6 network.

Router 1:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxx
!
boot-start-marker
boot system flash:c3725-ik9s-mz.123-5.bin
boot-end-marker
!
enable password xxxx
!
no aaa new-model
!
resource policy
!
clock timezone EST -5
ip subnet-zero
interface FastEthernet0/0
 ip address 10.10.16.100 255.255.255.0
 duplex auto
 speed auto
 ipv6 address 2001:411:1:3:1::/64
 ipv6 enable
 ipv6 nat
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:411:1:2:2::/64
 ipv6 enable
 ipv6 nat
!
ip classless
!
ipv6 route 2001:411:1:4::/64 2001:411:1:3:2::
ipv6 route 2001:411::/32 2001:411:1:2:1::
ipv6 nat translation timeout never
ipv6 nat v4v6 source 10.10.16.101 2001:411:1:2:2:1:0:1
ipv6 nat v4v6 source 10.10.26.101 2001:411:2:2:2:1:0:1
ipv6 nat v6v4 source 2001:411:1:2:2:1:0:1 10.10.16.101
ipv6 nat v6v4 source 2001:411:2:2:2:1:0:1 10.10.26.101
ipv6 nat prefix 2001:411:1:2:2:1::/96
!
control-plane
!
line con 0
 transport output all
 stopbits 1
line aux 0
 transport output all
 stopbits 1
line vty 0 4
 password xxxxxx
 login
 transport input all
 transport output all
!
end

Router 2

version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xxxxxxx
!
boot-start-marker
boot-end-marker
!
enable password xxxxx
!
no aaa new-model
!
resource policy
!
memory-size iomem 15
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
no ip ips deny-action ips-interface
!
ipv6 unicast-routing
interface FastEthernet0/0
 ip address 10.10.26.100 255.255.255.0
 duplex auto
 speed auto
 ipv6 address 2001:411:2:3:1::/64
 ipv6 nat
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:411:2:2:2::/64
 ipv6 nat
!
ip classless
!
!
no ip http server
no ip http secure-server
!
ipv6 route 2001:411:2:4::/64 2001:411:2:3:2::
ipv6 route 2001:411::/32 2001:411:2:2:1::
ipv6 nat translation timeout never
ipv6 nat v4v6 source 10.10.16.101 2001:411:1:2:2:1:0:1
ipv6 nat v4v6 source 10.10.26.101 2001:411:2:2:2:1:0:1
ipv6 nat v6v4 source 2001:411:1:2:2:1:0:1 10.10.16.101
ipv6 nat v6v4 source 2001:411:2:2:2:1:0:1 10.10.26.101
ipv6 nat prefix 2001:411:2:2:2:1::/96
!
control-plane
!
line con 0
 transport output all
line aux 0
 transport output all
line vty 0 4
 password xxxxxx
 login
 transport input all
 transport output all
!
!
end

Hello Joseph,

When you do a 'show ipv6 nat translations', do you see any TCP translations at all?

Looking at your configs, I did not see the 'ipv6 unicast-routing' command on your Router 1. I assume that command has been configured?

Regards,

GP

Hi GP,

Yes I have ipv6 unicast routing on router 1. I must have deleted it by mistake when posting the config file here.

I saw IP translation, yes. The packets went through initially but very soon they stopped. One curious thing: I got the TCP connection, albeit very slow, when sending TCP traffic from Router 1 to Router 2, but when I sent traffic from Router 2 to Router 1, the TCP connections didn't go through. The configs on both routers are identical. The only difference I can detect is the memory size in Router 2 is much smaller than in Router 1. I know it's unlikely that this is the problem but I'm just searching for my way in the dark. What do you think?

Thanks,

Joe