NAT-PT is part of IPv6 transition technologies that enable communication between IPv4 and IPv6 networks. While deprecated and replaced by NAT64 and DNS64, understanding NAT-PT remains important. In this lesson, I will implement a NAT-PT configuration example using static NAT-PT, with dynamic and PAT versions covered in the following lessons. We will then explore NAT64 and DNS64, which address NAT-PT’s limitations and offer more efficient solutions for IPv4-IPv6 communication.
Table of Contents
NAT-PT Fundamental
One of the key applications of IPv6 migration is enabling communication between IPv4 and IPv6 domains. This is particularly relevant for mobile operators who have already migrated to a native IPv6-only network but still need to communicate with IPv4 services over the internet. Such communication is made possible through IPv6 transition solutions.
NAT-PT with NAT-ALG is the old ipv6 transition solution and NAT64/DNS64 is the moder new one. In this section we will concentrate on static NAT-PT solution.
When a source IPv6 client wants to communicate with a destination IPv4 address, both the source and destination addresses must be IPv6. The source address is already IPv6, and the destination IPv6 address is derived from a specific NAT-PT IPv6 /96 prefix, which is configured by the administrator.
V4V6 Translation:
For every IPv4 address we wish to communicate with, a dedicated IPv6 address is reserved from the NAT-PT IPv6 /96 prefix, either manually by the administrator or through a predefined mapping process.
V6V4 Translation:
When traffic is forwarded through NAT-PT, the source IPv6 address is translated to an IPv4 address using one of the static, dynamic, or PAT methods configured by the administrator, known as V6V4. In this section static NAT will be implemented. The destination IPv6 address is then translated to the destination IPv4 address based on the mapping already configured in the V4V6 translation.
Static NAT-PT Configuration Example
To better understand how static NAT-PT works, I have prepared and configured the following topology.
We have an IPv6 subnet (similar to a native IPv6-only mobile operator) whose clients need to access the IPv4 internet.
In this example, the IPv4 destination is 4.2.2.4. The enterprise IPv6 prefix is 2001:BEBE::/32, and 2001:BEBE:0:1::/64 is a sample subnet from this prefix assigned to the local network. The enterprise IPv4 prefix is 12.12.12.0/24, with 12.12.12.1 and 12.12.12.2 assigned to the gateway’s WAN interface, which connects to the ISP.
A dedicated /96 prefix, 2001:BEBE:4:4:4:4::/96, from the enterprise IPv6 range is reserved for the NAT-PT process and it is called NAT-PT IPv6 Prefix. For every IPv4 address on the internet, we can easily assign an equivalent IPv6 address from this prefix.
To enable NAT-PT, we need to configure two types of translation:
V6V4 Translation: This specifies how IPv6 addresses from the local subnet are translated to IPv4 addresses using static NAT, dynamic NAT, or PAT—similar to traditional IPv4 NAT.
V4V6 Translation: This maps each IPv4 address on the internet to an equivalent IPv6 address within the dedicated NAT-PT /96 prefix.
!!! IPv6-Client interface Ethernet0/0 no shutdown ipv6 address 2001:BEBE:0:1::2/64 ! ipv6 route ::/0 2001:BEBE:0:1::1
!!! IPv4-Server interface Ethernet0/0 no shutdown ip address 12.12.12.2 255.255.255.0 ! interface Loopback0 ip address 4.2.2.4 255.255.255.255 ! ip route 0.0.0.0 0.0.0.0 12.12.12.1
!!! NAT-PT interface Ethernet0/0 no shutdown ipv6 address 2001:BEBE:0:1::1/64 ipv6 enable ipv6 nat ! interface Ethernet0/1 no shutdown ip address 12.12.12.1 255.255.255.0 ipv6 enable ipv6 nat ! ip route 4.2.2.4 255.255.255.255 12.12.12.2 ! ipv6 nat prefix 2001:BEBE:4:4:4:4::/96 ipv6 nat v4v6 source 4.2.2.4 2001:BEBE:4:4:4:4:402:204 ipv6 nat v6v4 source 2001:BEBE:0:1::2 12.12.12.22
This configuration ensures seamless communication between the IPv6-only subnet and the IPv4 internet.
Verify Static NAT-PT Process
To verify connectivity, we first enable IPv6 NAT debugging on the NAT-PT device using the command debug
ipv6 nat. Next, we initiate a ping from the IPv6 client to the IPv6-equivalent address of 4.2.2.4, which is 2001:BEBE:4:4:4:4::0402:0204.
As expected, the ping is successful, confirming connectivity. Below is the output of the debugging process, illustrating the translation and traffic flow.
NAT-PT#debug ipv6 nat IPv6 NAT-PT debugging is on NAT-PT#
IPv6-Client#ping 2001:bebe:4:4:4:4::0402:0204 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:BEBE:4:4:4:4:402:204, timeout is 2 seconds: .!!!! Success rate is 80 percent (4/5), round-trip min/avg/max = 4/4/4 ms IPv6-Client#
*Jan 4 11:44:20.335: IPv6 NAT: IPv6->IPv4: icmp src (2001:BEBE:0:1::2) -> (12.12.12.22), dst (2001:BEBE:4:4:4:4:402:204) -> (4.2.2.4) *Jan 4 11:44:22.346: IPv6 NAT: IPv6->IPv4: icmp src (2001:BEBE:0:1::2) -> (12.12.12.22), dst (2001:BEBE:4:4:4:4:402:204) -> (4.2.2.4) *Jan 4 11:44:22.346: IPv6 NAT: IPv4->IPv6: icmp src (4.2.2.4) -> (2001:BEBE:4:4:4:4:402:204), dst (12.12.12.22) -> (2001:BEBE:0:1::2) *Jan 4 11:44:22.351: IPv6 NAT: IPv6->IPv4: icmp src (2001:BEBE:0:1::2) -> (12.12.12.22), dst (2001:BEBE:4:4:4:4:402:204) -> (4.2.2.4) *Jan 4 11:44:22.351: IPv6 NAT: IPv4->IPv6: icmp src (4.2.2.4) -> (2001:BEBE:4:4:4:4:402:204), dst (12.12.12.22) -> (2001:BEBE:0:1::2) *Jan 4 11:44:22.356: IPv6 NAT: IPv6->IPv4: icmp src (2001:BEBE:0:1::2) -> (12.12.12.22), dst (2001:BEBE:4:4:4:4:402:204) -> (4.2.2.4) *Jan 4 11:44:22.356: IPv6 NAT: IPv4->IPv6: icmp src (4.2.2.4) -> (2001:BEBE:4:4:4:4:402:204), dst (12.12.12.22) -> (2001:BEBE:0:1::2) *Jan 4 11:44:22.361: IPv6 NAT: IPv6->IPv4: icmp src (2001:BEBE:0:1::2) -> (12.12.12.22), dst (2001:BEBE:4:4:4:4:402:204) -> (4.2.2.4) *Jan 4 11:44:22.362: IPv6 NAT: IPv4->IPv6: icmp src (4.2.2.4) -> (2001:BEBE:4:4:4:4:402:204), dst (12.12.12.22) -> (2001:BEBE:0:1::2)