© 2006 Cisco Systems, Inc. All rights reserved. IP6FD v2.06-1 IPv6 Transition Mechanisms: Describing NAT-PT.

Transcript:

IPv6 Transition Mechanisms: Describing NAT-PT

NAT-PT Applicability
NAT-PT enables communication between IPv6-only and IPv4-only nodes.
IPv6 and IPv4 nodes are single-protocol nodes, and have no special software or configuration.
[Diagram: IPv6-only node, IPv6 network, NAT-PT, IPv4 network, IPv4-only node; packets shown as IPv6 header + data and IPv4 header + data]

Basic NAT-PT Operation
NAT-PT is a dual-stack router (IPv6 and IPv4).
A 96-bit IPv6 prefix is configured in NAT-PT:
– This prefix must be internally routed to the NAT-PT device.
– Datagrams matching that prefix will be translated.
– IPv4 addresses are translated into IPv6 addresses using that prefix.
[Diagram: IPv6 network with site prefix 2001:db8:ffff::/48 on the NAT-PT IPv6 interface; IPv4 network on the NAT-PT IPv4 interface; NAT-PT prefix 2001:db8:ffff:ffff::/96, internally routed to the NAT-PT inside interface]

NAT-PT Operation Modes
NAT-PT defines different types of operation:
Static NAT-PT
Dynamic NAT-PT:
– DNS ALG
NAPT-PT

Static NAT-PT Operation
Static NAT-PT configuration using a one-to-one mapping:
IPv6 node A is mapped to
IPv4 node D is mapped to 2001:db8:ffff:ffff::a
[Diagram: static NAT-PT configuration table; IPv6-only node A (2001:db8:ffff:1::1) on the IPv6 network, NAT-PT with the NAT-PT prefix, node D on the IPv4 network]

Static NAT-PT Operation (Cont.)
Static address mapping between node A and D:
Node A can reach node D using destination IPv6 address 2001:db8:ffff:ffff::a.
Node D can reach node A using destination IPv4 address
[Diagram: NAT-PT translation of a packet from node A, with IPv6 source address 2001:db8:ffff:1::1 and destination address 2001:db8:ffff:ffff::a, into IPv4 source and destination addresses toward node D]

Dynamic NAT-PT for Outbound Connections Example
Dynamic NAT-PT using a pool of IPv4 addresses:
Internal IPv6 nodes are dynamically assigned an IPv4 address on outbound connections.
NAT-PT IPv4 address pool: –
[Diagram: IPv6-only node A (2001:db8:ffff:1::1) on the IPv6 network, NAT-PT, node D on the IPv4 network]

DNS-ALG for Outbound Connections
NAT-PT DNS ALG is used for outbound connections.
NAT-PT prefix: 2001:db8:ffff:ffff::/96
[Diagram: node A on the IPv6 network sends a DNS query (Type=AAAA, Query=D); NAT-PT translates it into a Type=A query for D toward the DNS on the IPv4 side; the Type=A reply is translated into a Type=AAAA reply, R=2001:db8:ffff:ffff::c0a8:1e01; the mapping is held in the NAT-PT dynamic state table]

Dynamic NAT-PT for Outbound Connections
IPv6 node A is allocated IPv4 address
[Diagram: NAT-PT translation of a packet from node A, with IPv6 source address 2001:db8:ffff:1::1 and destination address 2001:db8:ffff:ffff::c0a8:1e01, into IPv4 source and destination addresses toward node D; NAT-PT configuration table]
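
The address arithmetic behind the /96 NAT-PT prefix and the DNS ALG reply shown on these slides, as an added example (not part of the Cisco material and not Cisco IOS code). The function names are hypothetical, and the IPv4 address in the static entry is a constructed stand-in because the slide's own value did not survive in the transcript.

```python
import ipaddress

NAT_PT_PREFIX = "2001:db8:ffff:ffff::/96"   # NAT-PT prefix used on the slides

def _prefix(prefix):
    """Parse the NAT-PT prefix and enforce the /96 requirement."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 96:
        raise ValueError("NAT-PT prefix must be a /96, got /%d" % net.prefixlen)
    return net

def embed_ipv4(ipv4, prefix=NAT_PT_PREFIX):
    """IPv4 address -> IPv6 address inside the NAT-PT prefix (the AAAA answer the DNS ALG builds)."""
    net = _prefix(prefix)
    return ipaddress.IPv6Address(int(net.network_address) | int(ipaddress.IPv4Address(ipv4)))

def translate_destination(ipv6_dst, static_map, prefix=NAT_PT_PREFIX):
    """IPv6 destination -> IPv4 destination, or None when the datagram is not translated."""
    net = _prefix(prefix)
    dst = ipaddress.IPv6Address(ipv6_dst)
    if dst not in net:
        return None                       # does not match the NAT-PT prefix
    if dst in static_map:
        return static_map[dst]            # static one-to-one mapping
    return ipaddress.IPv4Address(int(dst) & 0xFFFFFFFF)   # low 32 bits carry the IPv4 address

# Constructed static entry for node D: 192.0.2.10 is a documentation address, not the slide's value.
STATIC = {ipaddress.IPv6Address("2001:db8:ffff:ffff::a"): ipaddress.IPv4Address("192.0.2.10")}

if __name__ == "__main__":
    for dst in ("2001:db8:ffff:ffff::a",          # static alias of node D
                "2001:db8:ffff:ffff::c0a8:1e01",  # DNS ALG answer from the slides
                "2001:db8:ffff:ffff::C685:DB19",  # destination seen in the debug output
                "2001:db8:ffff:1::1"):            # node A itself, outside the prefix
        print(dst, "->", translate_destination(dst, STATIC))
    print(embed_ipv4("192.168.30.1"))
```

The static alias ::a shows why the low 32 bits alone are not enough: a static entry is an arbitrary label inside the prefix, so the mapping table has to be consulted before the embedded address is read.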

DNS-ALG for Inbound Connections
NAT-PT DNS ALG is used for inbound connections.
NAT-PT prefix: 3ffe:b00:ffff:ffff::/96
[Diagram: node D on the IPv4 side sends a DNS query (Type=A, Query=A); NAT-PT translates it into a Type=AAAA query for A toward DNS A on the IPv6 network; the Type=AAAA reply, R=3ffe:b00:ffff:1::1, is translated into a Type=A reply; the mapping for 3ffe:b00:ffff:1::1 is held in the NAT-PT dynamic state table]

NAT-PT Limitations
NAT-PT and IPv4 share many of the same limitations, such as:
Single point of failure
ALG required for protocols not "NAT-friendly"
No end-to-end security
No DNSSEC

NAT-PT Summary
Static mapping offers a stable, one-to-one mapping between IPv6 and IPv4 nodes.
Dynamic mapping allows more efficient use of IPv4 addresses:
– An IPv4 address is temporarily assigned when needed.
NAPT-PT offers the most efficient use of IPv4 addresses, with limitations.
Combined with dynamic address mapping, DNS-ALG offers the following:
– It allows inbound IPv4 connections to IPv6 nodes.
– IPv4 to IPv6 address mapping is used by internal IPv6 nodes.

Cisco IOS NAT-PT Support
The current Cisco IOS NAT-PT implementation supports the following:
– IP header and address translation
– Support for ICMP and DNS embedded translation
– Auto-aliasing of NAT-PT IPv4 pool addresses (proxy-arp)
– Fragmentation
– FTP ALG
– DNS ALG
Available now:
– See Feature Navigator at

Cisco IOS NAT-PT Commands
router(config-if)# [no] ipv6 nat
Enables NAT-PT on an interface.
router(config)# [no] ipv6 nat prefix ::/96
Configures global or per-interface NAT-PT prefix.
Prefix must be a /96 prefix.

Cisco IOS NAT-PT Static Mapping Commands
router(config)#
[no] ipv6 nat v6v4 source
[no] ipv6 nat v4v6 source
Configures static address mappings.

Cisco IOS NAT-PT Dynamic Mapping
Configuring dynamic address mapping:
Identify the IPv6/IPv4 address to be translated.
Specify the IPv4/IPv6 address pool.
Define the dynamic mapping.

Cisco IOS NAT-PT Commands: Specifying IPv4 Address Pool
Configuring IPv6-to-IPv4 dynamic address mapping:
Identify the IPv6 address to be translated.
– Use access list, prefix list, or route map.
Specify the IPv4 address pool.
router(config)# [no] ipv6 nat v6v4 pool prefix-length

Cisco IOS NAT-PT Commands: Configuring Address Mapping
Configuring IPv6-to-IPv4 dynamic address mapping:
Define the dynamic mapping.
router(config)# [no] ipv6 nat v6v4 source {list | route-map} pool

Cisco IOS NAT-PT Commands: Specifying IPv6 Address Pool
Configuring IPv4-to-IPv6 dynamic address mappings:
Identify the IPv4 address to be translated.
– Use standard or extended access list.
Specify the IPv6 address pool.
router(config)# [no] ipv6 nat v4v6 pool prefix-length

Cisco IOS NAT-PT Commands: Configuring Dynamic Address Mapping
Configuring IPv4-to-IPv6 dynamic address mapping:
Define the dynamic mapping.
router(config)# [no] ipv6 nat v4v6 source list pool

Cisco IOS NAT-PT Tuning Commands
router(config)#
ipv6 nat translation max-entries
By default, there is no limit on the number of translation entries.
router(config)#
ipv6 nat translation timeout
ipv6 nat translation tcp-timeout
ipv6 nat translation finrst-timeout
Default dynamic translation timeout is 24 hours.

Cisco IOS NAT-PT Tuning Commands (Cont.)
router(config)#
ipv6 nat translation udp-timeout
ipv6 nat translation icmp-timeout
Default UDP translation timeout is 5 minutes.
router(config)#
ipv6 nat translation dns-timeout
Default DNS translation timeout is 1 minute.
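
Why the timeout and max-entries settings matter for a dynamic pool, as an added example (a simplified model written for this page, not Cisco's implementation). The class, the idle-timer behaviour and the two-address pool are assumptions; only the 24-hour default and the "no limit" default come from the slides.

```python
DEFAULT_TIMEOUT = 24 * 3600   # slides: default dynamic translation timeout is 24 hours

class DynamicTable:
    """Simplified dynamic v6v4 translation table: one pool address per inside IPv6 host."""

    def __init__(self, pool, timeout=DEFAULT_TIMEOUT, max_entries=None):
        self.free = list(pool)            # unused IPv4 pool addresses
        self.timeout = timeout            # seconds an idle entry is kept
        self.max_entries = max_entries    # None = no limit (the default per the slides)
        self.entries = {}                 # IPv6 source -> (IPv4 address, last-used time)

    def expire(self, now):
        """Drop idle entries and return their addresses to the pool."""
        for src, (v4, last) in list(self.entries.items()):
            if now - last >= self.timeout:
                del self.entries[src]
                self.free.append(v4)

    def translate(self, src, now):
        """Return the IPv4 address used for src, or None if no translation can be created."""
        self.expire(now)
        if src in self.entries:
            v4 = self.entries[src][0]
        else:
            if self.max_entries is not None and len(self.entries) >= self.max_entries:
                return None               # table is full
            if not self.free:
                return None               # pool is exhausted
            v4 = self.free.pop(0)
        self.entries[src] = (v4, now)     # refresh the idle timer
        return v4

def wait_for_third_host(timeout, probes=(0, 60, 3600, 86400)):
    """Two hosts take a two-address pool at t=0 and go idle; when does a third host get through?"""
    table = DynamicTable(["192.0.2.1", "192.0.2.2"], timeout=timeout)   # constructed pool
    table.translate("2001:db8:ffff:1::1", 0)
    table.translate("2001:db8:ffff:1::2", 0)
    for t in probes:
        if table.translate("2001:db8:ffff:1::3", t) is not None:
            return t
    return None

if __name__ == "__main__":
    print("default 24 h timeout:", wait_for_third_host(DEFAULT_TIMEOUT), "s")
    print("timeout 3600:        ", wait_for_third_host(3600), "s")
```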

Cisco IOS NAT-PT show and debug Commands
router(config)#
show ipv6 nat translations
Displays the NAT-PT translation table.
clear ipv6 nat translation
Clears the NAT-PT translation table.
show ipv6 nat statistics
Displays NAT-PT statistics.
debug ipv6 nat [detailed]
Enables debug messages.

Cisco IOS NAT-PT Configuration with Static Mapping
IPv6 site prefix is 2001:db8:ffff::/48
NAT-PT prefix is 2001:db8:ffff:ffff::/96
Tasks:
– Configure IPv6-to-IPv4 static mapping of node A
– Configure IPv4-to-IPv6 static mapping of node D
[Diagram: static NAT-PT configuration table; node A (2001:db8:ffff:1::1) on the IPv6 network, NAT-PT, node D on the IPv4 network]

Cisco IOS NAT-PT Static Mapping Configuration Example
nat-pt#
ipv6 unicast-routing
interface Ethernet1
 ip address
 ipv6 nat
interface Ethernet0
 ipv6 address 2001:db8:ffff:1::/64 eui-64
 no ip address
 ipv6 nat
ipv6 nat prefix 2001:db8:ffff:ffff::/96
ipv6 nat v4v6 source :db8:ffff:ffff::a
ipv6 nat v6v4 source 2001:db8:ffff:1::
[Diagram: static NAT-PT configuration table; node A on the IPv6 network, NAT-PT, node D on the IPv4 network; address labels 2001:db8:ffff:1::1, 2001:db8:ffff:ffff::a and 3ffe:b00:ffff:1::1]

Cisco IOS NAT-PT Configuration with Dynamic Mapping
IPv6 site prefix is 2001:db8:ffff::/48
NAT-PT prefix is 2001:db8:ffff:ffff::/96
Tasks:
– Configure outbound dynamic mapping for all internal IPv6 nodes
– Configure an IPv4 to IPv6 static mapping for DNS D
– Adjust default timeout for entries to 1 hour
[Diagram: NAT-PT configuration table; node A (2001:db8:ffff:1::1) on the IPv6 network, NAT-PT with interfaces E0 and E1, IPv4 network]

Cisco IOS NAT-PT Dynamic Mapping Configuration Example
ipv6 unicast-routing
interface Ethernet1
 ip address
 ipv6 nat
interface Ethernet0
 ipv6 address 2001:db8:ffff:1::/64 eui-64
 no ip address
 ipv6 nat
ipv6 nat prefix 2001:db8:ffff:ffff::/96
ipv6 nat translation timeout 3600
ipv6 prefix-list v6-list permit 2001:db8:ffff::/48
ipv6 nat v6v4 pool v4-pool prefix-length 24
ipv6 nat v6v4 source list v6-list pool v4-pool
ipv6 nat v4v6 source :db8:ffff:ffff::53
[Diagram: NAT-PT configuration table; node A (2001:db8:ffff:1::1) on the IPv6 network, NAT-PT with interfaces E0 and E1, DNS D on the IPv4 network]

Cisco IOS NAT-PT Dynamic Mapping Configuration Example (Cont.)
nat-pt# debug ipv6 nat
udp src (3FFE:B00:FFFF:1::1) -> ( ), dst (3FFE:B00:FFFF:FFFF::53) -> ( )
udp src ( ) -> (3FFE:B00:FFFF:FFFF::53), dst ( ) -> (3FFE:B00:FFFF:1::1)
icmp src (3FFE:B00:FFFF:1::1) -> ( ), dst (3FFE:B00:FFFF:FFFF::C685:DB19) -> ( )
icmp src ( ) -> (3FFE:B00:FFFF:FFFF::C685:DB19), dst ( ) -> (3FFE:B00:FFFF:1::1)
[Diagram: ping from node A (3ffe:b00:ffff:1::1) on the IPv6 network through NAT-PT (interfaces E0 and E1) to the IPv4 network]

Cisco IOS NAT-PT show Command
nat-pt# show ipv6 nat translations
Prot IPv4 source IPv6 source IPv4 destination IPv6 destination
:db8:FFFF:FFFF:: :db8:FFFF:FFFF::C685:DB19 udp , :db8:FFFF:1::1, , :db8:FFFF:FFFF::53, :db8:FFFF:1:: :db8:FFFF:FFFF:: :db8:FFFF:1:: :db8:FFFF:FFFF::C685:DB :db8:FFFF:1::

Lab 6: Configuring NAT-PT

Summary
Static address mapping is useful in networks in which one internal (IPv6-only) node requires a stable IPv4 address.
Dynamic address mapping allows flexible use of the available IPv4 addresses where a pool of IPv4 addresses is made available to translate sessions.
NAPT-PT mode allows many IPv6 nodes to be multiplexed on a single IPv4 address.
DNS-ALG is combined with dynamic address mapping to allow IPv6 and IPv4 nodes to discover the translated address of the destination node.
Cisco routers can be configured to provide NAT-PT services. The configuration commands follow the standard IOS format.
