IPv6 NAT-PT facilitates communication between IPv6 and IPv4 networks. In contrast to static NAT-PT, which requires a dedicated IPv4 address for each internal IPv6 address, dynamic NAT-PT and PAT offer a more efficient approach. These methods enable multiple IPv6 addresses to share a single or smaller pool of IPv4 addresses to access to the IPv4 internet.

Table of Contents

Static vs. Dynamic NAT and PAT in IPv6 NAT-PT

In the previous lesson, we discussed and demonstrated static IPv6 NAT-PT translation, highlighting how, in V6V4 translation, each internal IPv6 address requires a dedicated IPv4 address to communicate with the IPv4 internet. This approach is challenging due to the limited availability of IPv4 addresses compared to the vast IPv6 address space.

For V4V6 translation, this limitation does not apply, as a single /96 NAT-PT prefix is sufficient to assign a unique IPv6 address to each IPv4 address on the internet.

In this lesson, we will explore dynamic NAT and PAT in V6V4 translation, where multiple IPv6 addresses share a smaller pool of IPv4 addresses or even a single IPv4 address to access the IPv4 internet.

V6V4 Translation Options in IPv6 NAT-PT
V6V4 Translation Options in IPv6 NAT-PT

Dynamic NAT and PAT Configuration with IPv6 NAT-PT

This is the same topology we used in the previous lesson to demonstrate static IPv6 NAT-PT. In this lesson, I will use it to explain and demonstrate how dynamic and PAT versions of IPv6 NAT-PT work.

IPv6 NAt-PT Configuration Example
IPv6 NAt-PT Configuration Example

Dynamic NAT with IPv6 NAT-PT

For dynamic NAT-PAT, I aim to provide a specific group of IPv6 users within the subnet 2001:BEBE:0:1:100::/80 access to the IPv4 internet using only two public IPv4 addresses: 12.12.12.5 and 12.12.12.6.

Note that in this method, only a limited number of IPv6 users, equal to the number of IPv4 addresses in the pool, can simultaneously access the IPv4 internet.

I have defined this group of users within the 2001:BEBE:0:1:100::/80 subnet using an IPv6 access list named Internet_Users. Additionally, I created an IPv4 pool called POOL1, which includes the two public IPv4 addresses. Finally, V6V4 translation has been configured to translate the IPv6 addresses in the Internet_Users access list to the IPv4 addresses in POOL1. 

!!! NAT-PT
interface Ethernet0/0
 no shutdown
 ipv6 address 2001:BEBE:0:1::1/64
 ipv6 enable
 ipv6 nat
!
interface Ethernet0/1
 no shutdown
 ip address 12.12.12.1 255.255.255.0
 ipv6 enable
 ipv6 nat
!
ip route 4.2.2.4 255.255.255.255 12.12.12.2
!
!!! NAT-PT continue
ipv6 nat prefix 2001:BEBE:4:4:4:4::/96
ipv6 nat v4v6 source 4.2.2.4 2001:BEBE:4:4:4:4:402:204

########## Static NAT ##########
ipv6 nat v6v4 source 2001:BEBE:0:1::2 12.12.12.22

########## dynamic NAT ##########
ipv6 nat v6v4 pool POOL1 12.12.12.5 12.12.12.6 prefix-length 24
!
ipv6 access-list Internet_Users
 permit ipv6 2001:BEBE:0:1:100::/80 any
!
ipv6 nat v6v4 source list Internet_Users pool POOL1

To verify connectivity between the IPv6 network and an IPv4 address, I configured four new IPv6 addresses on the IPv6 client: 2001:BEBE:0:1:100::2, 2001:BEBE:0:1:100::3, 2001:BEBE:0:1:100::4, and 2001:BEBE:0:1:100::5/64. Then, I attempted to ping the IPv6 equivalent of 4.2.2.4 (configured in V4V6 translation) using all four IPv6 addresses. As expected, only the first two pings succeeded since the pool contains only two IPv4 addresses. The other two IPv6 addresses must wait until the first two addresses stop communicating with the IPv4 internet for a specific timeout period.

IPv6-Client(config-if)#do sh runn int eth0/0
Building configuration...

Current configuration : 230 bytes
!
interface Ethernet0/0
 no ip address
 ipv6 address 2001:BEBE:0:1::2/64
 ipv6 address 2001:BEBE:0:1:100::2/64
 ipv6 address 2001:BEBE:0:1:100::3/64
 ipv6 address 2001:BEBE:0:1:100::4/64
 ipv6 address 2001:BEBE:0:1:100::5/64
end

IPv6-Client#ping 2001:bebe:4:4:4:4::0402:0204 source 2001:BEBE:0:1:100::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:402:204, timeout is 2 seconds:
Packet sent with a source address of 2001:BEBE:0:1:100::2
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/6/18 ms

IPv6-Client#ping 2001:bebe:4:4:4:4::0402:0204 source 2001:BEBE:0:1:100::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:402:204, timeout is 2 seconds:
Packet sent with a source address of 2001:BEBE:0:1:100::3
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 4/6/14 ms

IPv6-Client#ping 2001:bebe:4:4:4:4::0402:0204 source 2001:BEBE:0:1:100::4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:402:204, timeout is 2 seconds:
Packet sent with a source address of 2001:BEBE:0:1:100::4
.....
Success rate is 0 percent (0/5)

IPv6-Client#ping 2001:bebe:4:4:4:4::0402:0204 source 2001:BEBE:0:1:100::5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:402:204, timeout is 2 seconds:
Packet sent with a source address of 2001:BEBE:0:1:100::5
.....
Success rate is 0 percent (0/5)

You can also verify the translation using the show ipv6 nat translation command on the NAT-PT router. The output shows that IPv6 addresses 2001:BEBE:0:1:100::2 and 2001:BEBE:0:1:100::3 are translated one-to-one to the IPv4 addresses 12.12.12.5 and 12.12.12.6, respectively.

Session-specific translations are also displayed in the output. In this case, the only session shown is for ICMP, which corresponds to the ping connectivity test.

NAT-PT#show ipv6 nat translations
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      4.2.2.4                  2001:BEBE:4:4:4:4:402:204

---   12.12.12.22              2001:BEBE:0:1::2
      ---                      ---

icmp  12.12.12.5,8274          2001:BEBE:0:1:100::2,8274
      4.2.2.4,8274             2001:BEBE:4:4:4:4:402:204,8274

---   12.12.12.5               2001:BEBE:0:1:100::2
      ---                      ---

icmp  12.12.12.6,7766          2001:BEBE:0:1:100::3,7766
      4.2.2.4,7766             2001:BEBE:4:4:4:4:402:204,7766

---   12.12.12.6               2001:BEBE:0:1:100::3
      ---                      ---

PAT Configuration with IPv6 NAT-PT

For the next demonstration, we will translate multiple local IPv6 addresses to a single public IPv4 address, allowing all IPv6 users to simultaneously access the IPv4 internet.

We will configure a new group of IPv6 users within the subnet 2001:BEBE:0:1:200::/80 and define an IPv6 access list named Internet_Users_2 for this group. Then, using V6V4 translation, we will map all IPv6 addresses in this subnet to the public IPv4 address configured on the outside interface of the NAT-PT device.

!!! NAT-PT
interface Ethernet0/0
 no shutdown
 ipv6 address 2001:BEBE:0:1::1/64
 ipv6 enable
 ipv6 nat
!
interface Ethernet0/1
 no shutdown
 ip address 12.12.12.1 255.255.255.0
 ipv6 enable
 ipv6 nat
!
ip route 4.2.2.4 255.255.255.255 12.12.12.2
!
!!! NAT-PT continue
ipv6 nat prefix 2001:BEBE:4:4:4:4::/96
ipv6 nat v4v6 source 4.2.2.4 2001:BEBE:4:4:4:4:402:204

########## Static NAT ##########
ipv6 nat v6v4 source 2001:BEBE:0:1::2 12.12.12.22

########## dynamic NAT ##########
ipv6 nat v6v4 pool POOL1 12.12.12.5 12.12.12.6 prefix-length 24
!
ipv6 access-list Internet_Users
 permit ipv6 2001:BEBE:0:1:100::/80 any
!
ipv6 nat v6v4 source list Internet_Users pool POOL1

########## PAT ##########
ipv6 access-list Internet_Users_2
 permit ipv6 2001:BEBE:0:1:200::/80 any
!
ipv6 nat v6v4 source list Internet_Users_2 interface eth0/1 overload

With this solution, all IPv6 users in the group will have simultaneous access to the IPv4 internet. To verify this, I configured four new IPv6 addresses on the IPv6 client: 2001:BEBE:0:1:200::2, 2001:BEBE:0:1:200::3, 2001:BEBE:0:1:200::4, and 2001:BEBE:0:1:200::5/64.
I then tested connectivity by pinging the IPv6 equivalent of 4.2.2.4 (configured in V4V6 translation) from all four clients. As expected, the ping was successful for all four IPv6 users. 

interface Ethernet0/0
 no ip address
 ipv6 address 2001:BEBE:0:1::2/64
 ipv6 address 2001:BEBE:0:1:100::2/64
 ipv6 address 2001:BEBE:0:1:100::3/64
 ipv6 address 2001:BEBE:0:1:100::4/64
 ipv6 address 2001:BEBE:0:1:100::5/64
 ipv6 address 2001:BEBE:0:1:200::2/64
 ipv6 address 2001:BEBE:0:1:200::3/64
 ipv6 address 2001:BEBE:0:1:200::4/64
 ipv6 address 2001:BEBE:0:1:200::5/64

IPv6-Client#ping 2001:bebe:4:4:4:4::0402:0204 source 2001:BEBE:0:1:200::2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:402:204, timeout is 2 seconds:
Packet sent with a source address of 2001:BEBE:0:1:200::2
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/6/17 ms

IPv6-Client#ping 2001:bebe:4:4:4:4::0402:0204 source 2001:BEBE:0:1:200::3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:402:204, timeout is 2 seconds:
Packet sent with a source address of 2001:BEBE:0:1:200::3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/9 ms

IPv6-Client#ping 2001:bebe:4:4:4:4::0402:0204 source 2001:BEBE:0:1:200::4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:402:204, timeout is 2 seconds:
Packet sent with a source address of 2001:BEBE:0:1:200::4
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/5/17 ms

IPv6-Client#ping 2001:bebe:4:4:4:4::0402:0204 source 2001:BEBE:0:1:200::5
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:402:204, timeout is 2 seconds:
Packet sent with a source address of 2001:BEBE:0:1:200::5
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/9 ms

Using the show ipv6 nat translation command on the NAT-PT device, we can observe the results. Unlike dynamic NAT, PAT does not use a one-to-one translation. Instead, translation occurs on a per-session basis, which enables all IPv6 users to access the IPv4 internet simultaneously.

In the output, you will see four translations corresponding to ICMP sessions, representing the ping traffic from the four different IPv6 addresses.

NAT-PT#show ipv6 nat translations
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      4.2.2.4                  2001:BEBE:4:4:4:4:402:204

---   12.12.12.22              2001:BEBE:0:1::2
      ---                      ---

---   12.12.12.5               2001:BEBE:0:1:100::2
      ---                      ---

---   12.12.12.6               2001:BEBE:0:1:100::3
      ---                      ---

icmp  12.12.12.1,4351          2001:BEBE:0:1:200::2,4351
      4.2.2.4,4351             2001:BEBE:4:4:4:4:402:204,4351

icmp  12.12.12.1,78            2001:BEBE:0:1:200::3,78
      4.2.2.4,78               2001:BEBE:4:4:4:4:402:204,78

icmp  12.12.12.1,1441          2001:BEBE:0:1:200::4,1441
      4.2.2.4,1441             2001:BEBE:4:4:4:4:402:204,1441

icmp  12.12.12.1,8368          2001:BEBE:0:1:200::5,8368
      4.2.2.4,8368             2001:BEBE:4:4:4:4:402:204,8368
Back to: IPv6 (in progress) > IPv6 Translation Technologies

Leave a Reply

Your email address will not be published. Required fields are marked *


Post comment