NAT64 is a scalable and modern replacement for NAT-PT, primarily used to enable IPv6 clients to communicate with IPv4 servers. It is commonly deployed alongside DNS64 to facilitate seamless communication through domain names. In this section, we will demonstrate an example of Cisco Stateful NAT64 configuration.
NAT64/DNS64 Fundamental
DNS64 vs. DNS ALG
First, let's compare the scalability of DNS64 (used alongside NAT64) with DNS ALG (used alongside NAT-PT).
The two operate in completely different ways: DNS ALG rewrites DNS queries and responses as they pass through a NAT-PT router, whereas DNS64 is a DNS server function that synthesizes AAAA records from A records by embedding the IPv4 address in the NAT64 prefix. The point of interest here, however, is how well each of them scales.
NAT-PT is not scalable primarily due to the DNS ALG, which operates on the router alongside NAT-PT. This tight coupling of DNS ALG with the router introduces performance bottlenecks and limits scalability.
In contrast, NAT64 uses DNS64 as a replacement for the DNS ALG. The key advantage of DNS64 is that it functions as an independent service, running separately from the router. DNS64 can be deployed on a dedicated server, making it more flexible, scalable, and reusable for other services beyond NAT64. This separation also reduces the load on the router, improving overall network performance.
NAT64 Fundamental
The translation process in NAT64 is conceptually similar to NAT-PT but is implemented in a more dynamic and efficient manner. It is highly recommended to study NAT-PT concepts before moving on to this lesson, as it provides essential foundational knowledge.
In NAT64, as with NAT-PT, we have V6V4 translation, which defines how source IPv6 addresses are translated into IPv4 addresses by the NAT64 device when traffic flows from an IPv6 network to an IPv4 network. Since a one-to-one translation between IPv6 and IPv4 addresses is not feasible due to the limited IPv4 address space, Port Address Translation (PAT) is commonly used. This allows multiple IPv6 users to share a single IPv4 address while connecting to the IPv4 network.
However, NAT64 still supports one-to-one translation for V6V4 when bidirectional communication is required—for example, when communication needs to flow both from IPv4 to IPv6 and from IPv6 to IPv4.
Similar to NAT-PT, NAT64 also includes a V4V6 translation component. In this case, each IPv4 address on the internet or within an IPv4 network has a unique IPv6 equivalent. Since IPv6 provides a large address space, this translation happens automatically and algorithmically by appending the 32-bit IPv4 address to the NAT64 prefix, so no per-address state is needed.
NAT64 Stateless versus NAT64 Stateful
When configuring a NAT64 prefix, you have two options: stateless or stateful.
Stateless NAT64: In this mode, for every IPv6 user a dedicated IPv4 address is required. Since it establishes a one-to-one mapping, there is no need to maintain a state to handle reverse traffic. However, this approach is generally impractical because of the limited IPv4 address space, making it challenging to accommodate all IPv6 clients, especially in large-scale deployments.
Stateful NAT64: This is the more commonly used option in real-world environments. In this mode, many IPv6 addresses can share a small pool of IPv4 addresses, at the cost of keeping per-session state on the translator. This removes the dependency on having one IPv4 address per IPv6 host, making it suitable for practical deployment scenarios.
In this lesson only the stateful version will be implemented.
Stateful NAT64 Configuration Example
To better understand how NAT64 works, I have prepared a topology similar to the one we previously implemented with NAT-PT. However, since NAT64 is not supported on all IOS routers, I am using CSR1000v running version 17.1.1 to demonstrate NAT64 functionality.
In this topology, the Enterprise IPv6 prefix is 2001:BEBE::/32, and the NAT64 prefix is 2001:BEBE:4:4:4:4::/96, which is a part of the enterprise IPv6 prefix.
We have a subnet 2001:BEBE:0:1::/64 in which we want to enable communication with the IPv4 addresses 1.1.1.1, 4.2.2.4, and 8.8.8.8.
Configuration Steps
1. NAT64 Activation: On both the IPv4 and IPv6 interfaces, we activate NAT64 using the nat64 enable command.
2. Stateful Prefix Configuration: We configure the NAT64 stateful prefix 2001:BEBE:4:4:4:4::/96, as designed in this topology.
3. Access Control: We configure an IPv6 access-list to define which users are allowed to communicate with the IPv4 network. This list is the only control over which IPv6 sources the translator serves, so keep it as narrow as the design allows.
4. IPv4 Pool Configuration: We create an IPv4 pool that will be used for V6V4 translation.
5. V6V4 Translation: We configure the NAT64 V6V4 translation to map the IPv6 access-list to the configured IPv4 pool. By adding the overload option at the end of the command, we enable Port Address Translation (PAT) for many-to-one translation instead of a one-to-one mapping from IPv6 to IPv4.
6. V4V6 Translation: V4V6 translation is handled automatically by appending the IPv4 address to the NAT64 IPv6 prefix. Unlike NAT-PT, there is no need to manually configure V4V6 translation in this scenario.
interface GigabitEthernet2
 nat64 enable
 ipv6 address 2001:BEBE:0:1::1/64
!
interface GigabitEthernet3
 ip address 12.12.12.1 255.255.255.0
 nat64 enable
!
nat64 prefix stateful 2001:BEBE:4:4:4:4::/96
!
ipv6 access-list Internet_Users
 sequence 10 permit ipv6 2001:BEBE:0:1::/64 any
!
nat64 v4 pool V4POOL 12.12.12.10 12.12.12.20
!
nat64 v6v4 list Internet_Users pool V4POOL
!
NAT64(config)#nat64 v6v4 list Internet_Users pool V4POOL ?
  overload    Overload address translations
  redundancy  Redundancy group
  <cr>        <cr>
Verify NAT64 Operation
To verify NAT64 operation, we ping from an IPv6-only client to the IPv6-equivalent addresses of 1.1.1.1, 4.2.2.4, and 8.8.8.8 to ensure that communication is successfully established.
IPv6_only#ping 2001:BEBE:4:4:4:4:0101:0101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:101:101, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms

IPv6_only#ping 2001:BEBE:4:4:4:4:0402:0204
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:402:204, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

IPv6_only#ping 2001:BEBE:4:4:4:4:0808:0808
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:808:808, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
We can also check the translation table using the "show nat64 translations" command.
NAT64#show nat64 translations
Proto   Original IPv4         Translated IPv4
        Translated IPv6       Original IPv6
----------------------------------------------------------------------------
illegal ---                   ---
        12.12.12.10           2001:bebe:0:1::2
icmp    8.8.8.8:2355          [2001:bebe:4:4:4:4:808:808]:2355
        12.12.12.10:2355      [2001:bebe:0:1::2]:2355
icmp    1.1.1.1:7362          [2001:bebe:4:4:4:4:101:101]:7362
        12.12.12.10:7362      [2001:bebe:0:1::2]:7362
icmp    4.2.2.4:716           [2001:bebe:4:4:4:4:402:204]:716
        12.12.12.10:716       [2001:bebe:0:1::2]:716
Total number of translations: 4
The output shows that a record is kept in the translation table for each session, so that return traffic can be matched back to the right IPv6 host. The first entry is the address binding between 2001:bebe:0:1::2 and the pool address 12.12.12.10; the three icmp entries are the per-session records.
As you can see in the output, the IPv6 address 2001:bebe:0:1::2 is translated to 12.12.12.10, which is an address from the IPv4 pool. The IPv6 equivalents of 1.1.1.1, 4.2.2.4, and 8.8.8.8 are created by appending these addresses to the NAT64 prefix 2001:bebe:4:4:4:4::/96.
For example, the IPv6 equivalent of 1.1.1.1 is 2001:bebe:4:4:4:4:101:101.
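To make the prefix arithmetic concrete, here is an added Python example; it is not part of the original page and not Cisco code. It embeds an IPv4 address into a NAT64 prefix and extracts it again following RFC 6052, which also covers the shorter prefix lengths (/32 to /64) the page does not use, and it runs a consistency check over the page's show nat64 translations output: every translated IPv6 destination must decode to the original IPv4 destination, every translated IPv4 source must come from V4POOL, and every original IPv6 source must be covered by the Internet_Users access-list. The sample table is copied from the page's output; the function names and the check itself are my own.

```python
"""Added example: RFC 6052 NAT64 address synthesis/extraction and a
consistency check over the page's `show nat64 translations` output.
Prefix, pool and access-list values are the page's topology values."""
import ipaddress

# RFC 6052 prefix lengths.  For anything shorter than /96 the byte at
# bits 64-71 ("u") stays zero and the IPv4 address is split around it.
RFC6052_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)


def synthesize(prefix: str, ipv4: str) -> str:
    """Embed ipv4 into a NAT64/DNS64 prefix; this is what DNS64 does to
    build an AAAA record from an A record."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    plen = net.prefixlen
    if plen not in RFC6052_PREFIX_LENGTHS:
        raise ValueError(f"/{plen} is not a valid RFC 6052 prefix length")
    addr = bytearray(net.network_address.packed)   # host bits already zero
    v4 = ipaddress.IPv4Address(ipv4).packed
    if plen == 96:
        addr[12:16] = v4                           # bits 96-127
    elif plen == 64:
        addr[9:13] = v4                            # bits 72-103, after "u"
    else:
        cut = plen // 8                            # first byte after prefix
        head = 8 - cut                             # IPv4 bytes before "u"
        addr[cut:8] = v4[:head]
        addr[9:9 + 4 - head] = v4[head:]           # remainder after "u"
    return str(ipaddress.IPv6Address(bytes(addr)))


def extract(prefix: str, ipv6: str) -> str:
    """Inverse of synthesize(): the IPv4 address a NAT64 device will
    forward to.  Raises if ipv6 is not inside the prefix."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    plen = net.prefixlen
    addr = ipaddress.IPv6Address(ipv6)
    if plen not in RFC6052_PREFIX_LENGTHS or addr not in net:
        raise ValueError(f"{ipv6} is not inside NAT64 prefix {prefix}")
    b = addr.packed
    if plen == 96:
        v4 = b[12:16]
    elif plen == 64:
        v4 = b[9:13]
    else:
        cut, head = plen // 8, 8 - plen // 8
        v4 = b[cut:8] + b[9:9 + 4 - head]
    return str(ipaddress.IPv4Address(v4))


# Topology values from the page.
NAT64_PREFIX = "2001:BEBE:4:4:4:4::/96"
V4_POOL = ("12.12.12.10", "12.12.12.20")
PERMITTED_V6 = "2001:BEBE:0:1::/64"

# Copied from the page's `show nat64 translations` output: one entry
# per two lines, the second line indented.
SAMPLE_TABLE = """\
Proto   Original IPv4         Translated IPv4
        Translated IPv6       Original IPv6
----------------------------------------------------------------------------
illegal ---                   ---
        12.12.12.10           2001:bebe:0:1::2
icmp    8.8.8.8:2355          [2001:bebe:4:4:4:4:808:808]:2355
        12.12.12.10:2355      [2001:bebe:0:1::2]:2355
icmp    1.1.1.1:7362          [2001:bebe:4:4:4:4:101:101]:7362
        12.12.12.10:7362      [2001:bebe:0:1::2]:7362
icmp    4.2.2.4:716           [2001:bebe:4:4:4:4:402:204]:716
        12.12.12.10:716       [2001:bebe:0:1::2]:716
Total number of translations: 4
"""


def _entries(table: str) -> list:
    """Group the output into token lists, one per translation entry."""
    entries = []
    for line in table.splitlines():
        text = line.strip()
        if not text or text.startswith(("Proto", "Translated IPv6", "----", "Total")):
            continue                               # header, rule, footer
        if line[0].isspace() and entries:
            entries[-1].extend(text.split())       # indented second line
        else:
            entries.append(text.split())
    return entries


def _host(field: str) -> str:
    """'[2001:db8::1]:2355' -> '2001:db8::1'; '8.8.8.8:2355' -> '8.8.8.8'."""
    return field.rsplit(":", 1)[0].strip("[]")


def audit_translations(table: str, prefix: str = NAT64_PREFIX,
                       pool: tuple = V4_POOL, permitted: str = PERMITTED_V6) -> list:
    """Return a list of problems; empty means every session entry is
    consistent with the configured prefix, pool and access-list."""
    lo, hi = (ipaddress.IPv4Address(a) for a in pool)
    allowed = ipaddress.IPv6Network(permitted, strict=False)
    problems = []
    for entry in _entries(table):
        if len(entry) != 5 or entry[0] not in ("icmp", "tcp", "udp"):
            continue                               # address-only binding row
        # Column order as printed: original IPv4, translated IPv6,
        # translated IPv4, original IPv6 (ports stripped).
        orig_v4, trans_v6, trans_v4, orig_v6 = (_host(f) for f in entry[1:])
        try:
            if extract(prefix, trans_v6) != orig_v4:
                problems.append(f"{trans_v6} does not embed {orig_v4}")
        except ValueError as err:
            problems.append(str(err))
        if not lo <= ipaddress.IPv4Address(trans_v4) <= hi:
            problems.append(f"{trans_v4} is outside pool {pool[0]}-{pool[1]}")
        if ipaddress.IPv6Address(orig_v6) not in allowed:
            problems.append(f"{orig_v6} is not permitted by the access-list")
    return problems


if __name__ == "__main__":
    for v4 in ("1.1.1.1", "4.2.2.4", "8.8.8.8"):
        print(v4, "->", synthesize(NAT64_PREFIX, v4))
    print("audit problems:", audit_translations(SAMPLE_TABLE) or "none")
```

Pointing audit_translations() at a pasted copy of the router's table is a quick way to confirm that the translator is using the prefix you expect and that nothing outside the access-list or the pool has been translated; a non-empty result is worth investigating.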
NAT64 static translation
When IPv6 client addresses are translated dynamically, whether one-to-one from the pool or many-to-one with PAT, only the IPv6 client can initiate communication; the IPv4 side has no address to target until a translation entry exists.
For an IPv4 node to initiate communication with an IPv6 node, a static V6V4 entry must be added. This gives the IPv6 host a fixed IPv4 address and enables bidirectional communication. Note that the static entry is configured independently of the Internet_Users access-list, so the host becomes reachable from the IPv4 side for all traffic unless an interface access-list restricts it.
As an example, let’s configure the IPv4 address 9.9.9.9 as the translation address for the IPv6 address 2001:bebe:0:1::9.
Additionally, we assign 2001:bebe:0:1::9 as a secondary address on the IPv6 client.
Finally, we verify the setup by pinging 9.9.9.9 from an IPv4 node.
NAT64(config)#nat64 v6v4 static 2001:bebe:0:1::9 9.9.9.9

IPv6_only(config)#int gigabitEthernet 3
IPv6_only(config-if)#ipv6 address 2001:bebe:0:1::9/64

IPv4_only(config)#do ping 9.9.9.9
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 9.9.9.9, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 6/6/7 ms
IPv4_only(config)#

NAT64#show nat64 translations
Proto   Original IPv4         Translated IPv4
        Translated IPv6       Original IPv6
----------------------------------------------------------------------------
illegal ---                   ---
        9.9.9.9               2001:bebe:0:1::9
Total number of translations: 1