Monday, 22 May 2017

CISCO - NETWORK ADDRESS TRANSLATION - PROTOCOL TRANSLATION (NAT-PT for IPv4 <=> IPv6):

FIRST, WHAT IS NAT:

A NAT device lets a large number of hosts that use private addresses share a single "real" (public) IP address by rewriting the addresses in packets as they cross the device. The immediate benefit is that one Internet connection with one public address can be shared by a whole network.



Network Address Translation, or NAT, is a technique that translates the local (internal) IP addresses used within an organization into globally unique IP addresses that identify a resource on the Internet.

The process is also called IP masquerading or network masquerading. NAT allows multiple hosts on a LAN to reach the Internet through a single public IP address.

The idea is simple: NAT decouples internal addressing from the global addressing used on the Internet. This lets a site get by with relatively few public addresses by mapping them onto the abundant private addresses (RFC 1918 space) that it assigns internally. It is the NAT device itself, not a proxy server, that performs the mapping; hosts on either side see ordinary IP packets and do not need to know the translation is happening.

The rise of NAT was a direct result of the limited address space of IPv4, which still carries the bulk of Internet traffic. NAT became the standard way to stretch a scarce supply of globally unique addresses: the NAT device maps internal addresses to the public addresses required for communication over the Internet.


NAT OFFERS THE FOLLOWING ADVANTAGES TO THE NETWORK USERS:

NAT is a simple and effective workaround for the limited address space of IPv4. Hosts use locally assigned private addresses, and the NAT device maps them onto public addresses for communication over the Internet.

The lack of full bidirectional connectivity through NAT is sometimes welcome, because it blocks unsolicited inbound connections to hosts on the LAN. That is a side effect of stateful translation, not a security control in its own right: a NAT without a stateful firewall still forwards anything that matches an existing translation or a static mapping, and a host given a publicly reachable static address is simply a directly addressable target. NAT also carries real drawbacks:

1. NAT does not provide true end-to-end connectivity, which some real-time applications require. Such applications need a direct, low-latency path between the endpoints; an intermediary that rewrites packets adds complexity and delay, and protocols that carry addresses in their payload need an application-level gateway (ALG) on the NAT device to work at all.

2. NAT complicates tunneling protocols and anything that integrity-protects the IP header end to end (IPsec AH, for example). Traffic that depends on translation state is also more prone to disruption when that state is lost. Latency-sensitive applications such as telemedicine and teleconferencing have little tolerance for this, so for them NAT is a bottleneck that distorts end-to-end connectivity.

3. NAT is a workaround that IPv6 makes redundant. The two reasons for its adoption were the shortage of IPv4 addresses and a perceived security benefit. The IPv6 address space removes the first, and a stateful firewall provides the second without rewriting addresses. As IPv6 replaces IPv4, address translation becomes overhead that consumes router resources to provide a service no longer needed.

In this way IPv6 does away with the need for NAT as a fix for the address crunch: every host gets a globally unique address, and nothing has to be mapped.

The security argument is often used in defense of NAT. The core principle of the Internet, however, is end-to-end connectivity, and the protection people attribute to NAT actually comes from stateful filtering, which an IPv6 firewall provides directly (IPsec is also a standard part of the IPv6 protocol suite). Giving every host a globally routable static address does not by itself expose it, as long as the border firewall admits only the traffic the site intends to accept.


For more information: http://premji-schoolofcisconetworking.blogspot.com/search/label/CISCO%20-%20NAT

INTRODUCTION FOR NAT - PT:

NAT-PT stands for Network Address Translation - Protocol Translation. It is an IPv6/IPv4 translation mechanism designed to let IPv6-only devices communicate with IPv4-only devices and vice versa.

IPv6 was designed before NAT came into general use, and the working assumption has always been that NAT in IPv6 is unnecessary and undesirable. Using NAT-PT imports the IPv4 NAT problems (loss of end-to-end addressing, dependence on ALGs, translation state that can be exhausted) into the IPv6 world.

On the other hand, some argue that the lack of NAT makes the transition to IPv6 harder, because NAT is an integral part of how IPv4 networks are deployed. IPv6 differs from IPv4 both as a natural result of the longer addresses and because the IETF used the opportunity to redesign IP in ways unrelated to address length. Unless ISPs decide to hand IPv6 subscribers a single address, as they do with IPv4, the majority of consumers will have no need for NAT.

NAT-PT is intended for IPv4-to-IPv6 migration scenarios, and its purpose is to provide bidirectional connectivity between IPv4 and IPv6 domains. Cisco points out that many other transition techniques exist, and NAT-PT should not be used when a more native option is available, such as dual-stack hosts talking directly through dual-stack routers. Another case where NAT-PT is not needed is two IPv6 islands communicating over an IPv4-only backbone; that is a job for one of the many IPv6-over-IPv4 tunnel mechanisms.

NAT-PT runs on a device that sits at the boundary between the IPv4 and IPv6 networks. The translation is transparent to both sides: hosts on the IPv6 and IPv4 networks communicate without changing their configuration.
CISCO NAT-PT FOR IPv4 vs IPv6, BY: PREMAKUMAR THEVATHASAN.
NAT-PT is specified in RFC 2766, an IETF standards-track description of an IPv6/IPv4 translator. (RFC 4966 later moved NAT-PT to Historic status because of its operational and security problems, and Cisco IOS has since replaced it with NAT64; the mechanisms described here carry over, which is why NAT-PT is still worth understanding.) Each NAT-PT device holds a pool of globally routable IPv4 addresses that are assigned to IPv6 nodes dynamically as sessions are initiated across the IPv6/IPv4 boundary.

NAT-PT keeps state: the IPv4-to-IPv6 address mappings are retained for the duration of each session. NAT-PT can be extended to NAPT-PT (Network Address Port Translation - Protocol Translation), which also translates port numbers. That makes it possible to reuse one pool address and map that single IPv4 address to many IPv6 hosts.

A basic NAT-PT device may additionally contain ALGs (Application Level Gateways). ALGs are needed where IP addresses are embedded in the payload of a packet: ordinary translation rewrites only the IP header, so applications that carry addresses in the payload need an ALG that looks inside and translates those addresses too. RFC 2766 describes ALG behaviour for DNS and FTP. The DNS-ALG is essential, because it is the DNS-ALG that sets up the IPv4 address mapping for an IPv6 host when a session is initiated from the IPv4 network (it rewrites the IPv6 host's AAAA record into an A record carrying a pool address, and does the reverse for IPv6-initiated lookups). From a security standpoint an ALG is a parser of untrusted application data running on the border device, and deserves the same scrutiny as any other exposed parser.

SESSION INITIATED BY AN IPV6 HOST:

THE NAT-PT IMPLEMENTATION PROCESS FOR A SESSION INITIATED BY AN IPV6 HOST IS AS FOLLOWS:
• A packet from an IPv6 host to an IPv4 host reaches the NAT-PT device. The NAT-PT device translates the source IPv6 address of the packet into an IPv4 address according to the static or dynamic IPv6-to-IPv4 mapping.
• The NAT-PT device translates the destination IPv6 address of the packet into an IPv4 address according to the mapping configured for that IPv4 host (an ipv6 nat v4v6 source entry), if there is one. Without such a mapping, if the lowest 32 bits of the destination IPv6 address form a valid IPv4 address, that address is used as the IPv4 destination. Otherwise, the translation fails and the packet is dropped.
• After both addresses have been translated, the NAT-PT device forwards the packet to the IPv4 host and stores the IPv6-to-IPv4 address mappings it used.
• When the IPv4 host's reply arrives at the NAT-PT device, the device translates the source and destination IPv4 addresses back into IPv6 addresses using the stored mappings and forwards the packet to the IPv6 host. A packet from the IPv4 side that matches no stored or static mapping has nowhere to go and is dropped; this is the lack of bidirectional connectivity noted earlier.

SESSION INITIATED BY AN IPV4 HOST:

THE NAT-PT IMPLEMENTATION PROCESS FOR A SESSION INITIATED BY AN IPV4 HOST IS AS FOLLOWS:
* A packet from an IPv4 host to an IPv6 host reaches the NAT-PT device. The NAT-PT device translates the source IPv4 address of the packet into an IPv6 address according to the static or dynamic IPv4-to-IPv6 mapping.
* The NAT-PT device translates the destination IPv4 address of the packet into an IPv6 address according to the IPv6-to-IPv4 mapping configured for that IPv6 host (an ipv6 nat v6v4 source entry, or the mapping the DNS-ALG created when the IPv4 host resolved the IPv6 host's name).
* After both addresses have been translated, the NAT-PT device forwards the packet to the IPv6 host and stores the IPv4-to-IPv6 address mappings it used.
* When the IPv6 host's reply arrives at the NAT-PT device, the device translates the source and destination IPv6 addresses back into IPv4 addresses using the stored mappings and forwards the packet to the IPv4 host.
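The two step lists above are easier to follow as code. The following Python model is an added example written for this page, not Cisco or NAT-PT implementation code: it applies the same rules (static or dynamic source mapping, destination mapping or low-32-bit extraction, stored bindings reused for the return packets) to packets from either side. The /96 prefix, the static mappings and the pool addresses are this page's own example values; the Packet and NatPt names are this example's. It models addresses only (no ports, no protocol-header rewriting) and leaves out the access-list check that selects which sources are eligible for dynamic translation; a destination outside the prefix returns None because NAT-PT is simply not involved for such a packet.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str          # source address as text (IPv4 or IPv6)
    dst: str          # destination address as text


class NatPt:
    """Address-level NAT-PT: /96 prefix, static mappings, dynamic pools, per-session state."""

    def __init__(self, prefix: str, v6v4_static: Dict[str, str], v4v6_static: Dict[str, str],
                 v4_pool: List[str], v6_pool: List[str]) -> None:
        self.prefix = IPv6Network(prefix)
        if self.prefix.prefixlen != 96:
            raise ValueError("the NAT-PT prefix must be a /96")
        # IPv6 host -> the IPv4 address it appears as on the IPv4 side (static now, dynamic later)
        self.v6v4: Dict[IPv6Address, IPv4Address] = {
            IPv6Address(k): IPv4Address(v) for k, v in v6v4_static.items()}
        # IPv4 host -> the IPv6 address it appears as on the IPv6 side
        self.v4v6: Dict[IPv4Address, IPv6Address] = {
            IPv4Address(k): IPv6Address(v) for k, v in v4v6_static.items()}
        self.free_v4 = [IPv4Address(a) for a in v4_pool]   # dynamic pool for IPv6 hosts
        self.free_v6 = [IPv6Address(a) for a in v6_pool]   # dynamic pool for IPv4 hosts

    @staticmethod
    def _reverse(table: dict, value):
        """Key whose mapped value is `value`, or None (the 'stored mapping' lookup)."""
        return next((k for k, v in table.items() if v == value), None)

    def v6_to_v4(self, pkt: Packet) -> Optional[Packet]:
        src, dst = IPv6Address(pkt.src), IPv6Address(pkt.dst)
        if dst not in self.prefix:
            return None                                   # not NAT-PT traffic: routed natively
        dst_v4 = self._reverse(self.v4v6, dst)            # configured mapping for the IPv4 host...
        if dst_v4 is None:
            dst_v4 = IPv4Address(int(dst) & 0xFFFF_FFFF)  # ...otherwise the low 32 bits
        src_v4 = self.v6v4.get(src)                       # static map or live dynamic binding
        if src_v4 is None:                                # new session: take a pool address
            if not self.free_v4:
                return None                               # pool exhausted: translation fails
            src_v4 = self.free_v4.pop(0)
            self.v6v4[src] = src_v4                       # stored for the return packets
        return Packet(str(src_v4), str(dst_v4))

    def v4_to_v6(self, pkt: Packet) -> Optional[Packet]:
        src, dst = IPv4Address(pkt.src), IPv4Address(pkt.dst)
        dst_v6 = self._reverse(self.v6v4, dst)            # static map or live dynamic binding
        if dst_v6 is None:
            return None                                   # nothing maps there: dropped
        src_v6 = self.v4v6.get(src)
        if src_v6 is None:                                # new session from the IPv4 side
            if not self.free_v6:
                return None
            src_v6 = self.free_v6.pop(0)
            self.v4v6[src] = src_v6
        return Packet(str(src_v6), str(dst_v6))


def walkthrough() -> Dict[str, Optional[Packet]]:
    """Both session directions using the page's example addresses; returns each translation."""
    nat = NatPt(
        prefix="2001:0db8:0::/96",
        v6v4_static={"2001:0db8:bbbb:1::1": "10.21.8.10"},  # IPv6 server with a fixed IPv4 identity
        v4v6_static={"192.168.30.1": "2001:0db8:0::2"},      # IPv4 DNS server as seen from IPv6
        v4_pool=["10.21.8.1", "10.21.8.2"],                  # deliberately tiny pool
        v6_pool=["2001:0db8:0::101"],
    )
    out: Dict[str, Optional[Packet]] = {}
    # IPv6 host queries the IPv4 DNS server: its source gets the first free pool address
    out["v6_init"] = nat.v6_to_v4(Packet("2001:0db8:bbbb:1::7", "2001:0db8:0::2"))
    # the DNS reply comes back to that pool address and is mapped to the IPv6 host
    out["v6_reply"] = nat.v4_to_v6(Packet("192.168.30.1", "10.21.8.1"))
    # a second host takes the last pool address (destination via low 32 bits = 192.168.30.5)
    out["v6_second"] = nat.v6_to_v4(Packet("2001:0db8:bbbb:1::8", "2001:0db8:0::c0a8:1e05"))
    # a third host finds the pool exhausted
    out["v6_third"] = nat.v6_to_v4(Packet("2001:0db8:bbbb:1::9", "2001:0db8:0::2"))
    # IPv4 host opens a session to the statically mapped IPv6 server ...
    out["v4_init"] = nat.v4_to_v6(Packet("192.168.30.5", "10.21.8.10"))
    # ... and the reply is translated with the binding just created
    out["v4_reply"] = nat.v6_to_v4(Packet("2001:0db8:bbbb:1::1", "2001:0db8:0::101"))
    # an IPv4 host probing a pool address that is not bound gets nothing
    out["v4_probe"] = nat.v4_to_v6(Packet("192.168.30.5", "10.21.8.9"))
    return out
```

The two failure paths are the ones to watch operationally: v6_third shows a pool exhausted after two sessions, and v4_probe shows that nothing from the IPv4 side is admitted without a mapping. On a real translator the first is bounded only by the pool size, the timeouts and the max-entries cap described later on this page.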

TO USE COMBINATION 1 OR COMBINATION 3 (DEFINED UNDER DYNAMIC NAT-PT BELOW), YOU NEED TO CONFIGURE A NAT-PT ADDRESS POOL FIRST.

A NAT-PT address pool is a group of contiguous IPv4 addresses used to translate IPv6 addresses into IPv4 addresses dynamically. When an IPv6 packet is sent from the IPv6 network to the IPv4 network and combination 1 or 3 applies, the NAT-PT device selects an IPv4 address from the pool as the packet's new source IPv4 address.

CURRENTLY, CISCO NAT-PT CAN BE IMPLEMENTED IN FOUR WAYS:
  • STATIC NAT-PT
  • DYNAMIC NAT-PT
  • PORT ADDRESS TRANSLATION (PAT), A.K.A. OVERLOAD
  • IPV4-MAPPED OPERATION

1. STATIC NAT-PT OPERATION:


STATIC NAT-PT USES STATIC TRANSLATION RULES TO MAP ONE IPV6 ADDRESS TO ONE IPV4 ADDRESS. IPv6 nodes reach IPv4 nodes through an IPv6 representation of the IPv4 address configured on the NAT-PT router, and IPv4 nodes reach IPv6 nodes through the configured IPv4 representation.

If many IPv6-only and IPv4-only hosts need to communicate, that means many static mappings. Static NAT-PT is the right choice when an application or server needs a stable address on the other side, for example an IPv6 network that must reach an external IPv4 DNS server. Because a static mapping exists at all times and is not tied to a session, the mapped host is reachable from the other side at all times; pair it with a filter that limits what may reach it.

 2. DYNAMIC NAT-PT OPERATION:


DYNAMIC NAT-PT ALLOWS MULTIPLE NAT-PT MAPPINGS BY ALLOCATING ADDRESSES FROM A POOL. NAT-PT is configured with a pool of IPv6 and/or IPv4 addresses. At the start of a NAT-PT session a temporary address is allocated from the pool, and the NAT-PT device records each mapping in a dynamic state table. The number of addresses in the pool bounds the number of concurrent sessions, so the pool can be exhausted by legitimate load or by an attacker who opens many sessions from the IPv6 side; the translation timeouts and the max-entries limit described in the configuration tasks below are what keep that state bounded and recover addresses.

DYNAMIC NAT-PT REQUIRES AT LEAST ONE STATIC MAPPING FOR THE IPV4 DNS SERVER. Once an IPv6-to-IPv4 connection is established, the reply packets from the IPv4 side use the dynamic mapping created for that connection to translate back from IPv4 to IPv6. If the connection is initiated by an IPv4-only host, the explanation is reversed.

A DYNAMIC IPV6-TO-IPV4 MAPPING MEANS that if the source IPv6 address matches a specified IPv6 ACL, or the destination IPv6 address matches a specified NAT-PT prefix, the source IPv6 address is translated into an IPv4 address from a specified NAT-PT address pool or into the IPv4 address of a specified interface.

          
Combination 1: an IPv6 ACL with an address pool
If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address is translated into an IPv4 address from the spec
ified address pool.

Combination 2: an IPv6 ACL with an interface address
If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address is translated into the IPv4 address of the specified interface.

Combination 3: a NAT-PT prefix with an address pool
If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address is translated into an IPv4 address from the specified address pool.

Combination 4: a NAT-PT prefix with an interface address
If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address is translated into the IPv4 address of the specified interface.

 3. PORT ADDRESS TRANSLATION OR OVERLOAD:


PORT ADDRESS TRANSLATION (PAT), ALSO KNOWN AS OVERLOAD, ALLOWS A SINGLE IPV4 ADDRESS TO BE SHARED BY MULTIPLE SESSIONS BY MULTIPLEXING ON THE PORT NUMBER, SO THAT MANY IPV6 HOSTS ARE ASSOCIATED WITH ONE IPV4 ADDRESS. PAT can use the address of a specific interface or an address from a pool. Because the translated port is what steers a reply back to the right IPv6 host, the size of the state table, not the size of the pool, is the limit on concurrent sessions.
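What overload adds on top of the dynamic mapping described above, as an added Python model written for this page (not Cisco code): the binding is keyed by IPv6 source address and source port and maps to one shared IPv4 address plus a translated port, the reverse path demultiplexes on that port, and the table is bounded by an entry cap and an idle timeout the way ipv6 nat translation max-entries and the per-protocol timeouts bound it on the router. The shared address is the page's IPv4-side interface address; the PatPt name, the integer clock and the sample flows are this example's assumptions.

```python
from collections import deque
from ipaddress import IPv4Address, IPv6Address
from typing import Deque, Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (address as text, port)


class PatPt:
    """One shared IPv4 address for many IPv6 hosts, multiplexed on the translated port."""

    def __init__(self, shared_v4: str, max_entries: int, timeout: int,
                 ports: Tuple[int, int] = (1024, 65535)) -> None:
        self.shared_v4 = IPv4Address(shared_v4)
        self.max_entries = max_entries          # like 'ipv6 nat translation max-entries'
        self.timeout = timeout                  # like the per-protocol idle timeouts (seconds)
        # Sequential allocation keeps this example deterministic; a real translator should
        # choose translated ports unpredictably, because a guessable port lets an outside
        # host aim at a binding it never observed.
        self.free: Deque[int] = deque(range(ports[0], ports[1] + 1))
        self.fwd: Dict[Tuple[IPv6Address, int], int] = {}   # (v6 src, src port) -> translated port
        self.rev: Dict[int, Tuple[IPv6Address, int]] = {}   # translated port -> (v6 src, src port)
        self.last_seen: Dict[int, int] = {}                  # translated port -> last activity

    def expire(self, now: int) -> int:
        """Free bindings idle for longer than the timeout; returns how many were removed."""
        stale = [p for p, t in self.last_seen.items() if now - t > self.timeout]
        for p in stale:
            del self.fwd[self.rev.pop(p)]
            del self.last_seen[p]
            self.free.append(p)
        return len(stale)

    def outbound(self, src_v6: str, src_port: int, now: int) -> Optional[Endpoint]:
        """IPv6 -> IPv4: the (shared IPv4, translated port) the IPv4 side sees, or None."""
        key = (IPv6Address(src_v6), src_port)
        port = self.fwd.get(key)
        if port is None:
            self.expire(now)
            if len(self.fwd) >= self.max_entries or not self.free:
                return None                     # state table full: session is not translated
            port = self.free.popleft()
            self.fwd[key], self.rev[port] = port, key
        self.last_seen[port] = now
        return (str(self.shared_v4), port)

    def inbound(self, dst_port: int, now: int) -> Optional[Endpoint]:
        """IPv4 -> IPv6: demultiplex a packet for the shared address by its destination port."""
        key = self.rev.get(dst_port)
        if key is None:
            return None                         # no binding: unsolicited inbound, dropped
        self.last_seen[dst_port] = now
        return (str(key[0]), key[1])


def walkthrough() -> Dict[str, Optional[Endpoint]]:
    """Hosts share 192.168.30.9 (the page's IPv4-side interface); the table is capped at 2."""
    pat = PatPt(shared_v4="192.168.30.9", max_entries=2, timeout=600)
    out: Dict[str, Optional[Endpoint]] = {}
    out["a"] = pat.outbound("2001:db8:bbbb:1::7", 40000, now=0)    # first binding: port 1024
    out["b"] = pat.outbound("2001:db8:bbbb:1::8", 40000, now=1)    # same source port, other host: 1025
    out["c"] = pat.outbound("2001:db8:bbbb:1::9", 40000, now=2)    # max-entries reached: None
    out["reply_b"] = pat.inbound(1025, now=100)                     # demultiplexed back to host ::8
    out["reply_x"] = pat.inbound(1026, now=100)                     # never bound: None
    out["d"] = pat.outbound("2001:db8:bbbb:1::9", 40000, now=700)   # a's binding idle > 600 s, freed
    out["stale_a"] = pat.inbound(1024, now=700)                     # a's old port no longer maps
    out["still_b"] = pat.inbound(1025, now=700)                     # b, refreshed at 100, survives
    return out
```

Note the third outbound call: with the cap reached, the new session is refused even though the shared address has tens of thousands of ports free. That is the trade-off max-entries makes deliberately, bounding memory on the translator at the cost of refusing sessions, and it is why the timeouts that free idle bindings matter as much as the cap itself.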

 4. IPV4-MAPPED OPERATION:


Customers can also send traffic from their IPv6 network to an IPv4 network without configuring an IPv6 destination address mapping. A packet arriving on an interface is checked against the NAT-PT prefix configured with the ipv6 nat prefix v4-mapped command. If the destination matches that prefix, the source address is checked against the access list or prefix list named in the command; a packet whose source is not permitted is dropped.

If both checks pass, source address translation is performed under whatever rule is configured for the source (static mapping, pool, or overload), the last 32 bits of the IPv6 destination address are used as the IPv4 destination, and a flow entry is created.

With an IPv4-mapped configuration the DNS ALG uses the same prefix in the other direction: when it converts an IPv4 address in a DNS reply from the IPv4 network into an IPv6 address, it embeds the IPv4 address under the v4-mapped prefix, so IPv6 clients learn addresses that NAT-PT can translate without any per-destination mapping. Because any IPv4 address can be written under the prefix, the access list in the v4-mapped command is the only thing limiting which IPv6 sources may reach arbitrary IPv4 destinations through the translator; keep it as narrow as the site's policy allows.
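The v4-mapped decision and the DNS ALG's part in it, as an added Python example written for this page (not Cisco code). It uses the prefix and access list from the v4-mapped configuration example later on this page: a packet whose destination carries the v4-mapped prefix is translated only if its source passes the access list, and the IPv4 destination is the low 32 bits of the IPv6 destination; the DNS ALG does the inverse, rewriting A answers from the IPv4 DNS server into AAAA answers under the same prefix so that IPv6 clients address IPv4 servers through NAT-PT. The function names and the constructed DNS answer tuples are this example's assumptions.

```python
from ipaddress import IPv4Address, IPv6Address, IPv6Network
from typing import List, Optional, Tuple

# From the page's example: "ipv6 nat prefix 2000::/96 v4-mapped v4map_acl"
V4_MAPPED_PREFIX = IPv6Network("2000::/96")
# "permit ipv6 2001::/96 2000::/96" as (source prefix, destination prefix) pairs
V4MAP_ACL: List[Tuple[IPv6Network, IPv6Network]] = [
    (IPv6Network("2001::/96"), IPv6Network("2000::/96")),
]

DnsRecord = Tuple[str, str, str]   # (owner name, rrtype, rdata), a constructed stand-in for a parsed reply


def acl_permits(src: IPv6Address, dst: IPv6Address) -> bool:
    """True if some ACL entry permits this source/destination pair."""
    return any(src in s and dst in d for s, d in V4MAP_ACL)


def v4_mapped_destination(src: str, dst: str) -> Optional[str]:
    """IPv4 destination NAT-PT would use for an IPv6 packet, or None if it would not translate it."""
    s, d = IPv6Address(src), IPv6Address(dst)
    if d not in V4_MAPPED_PREFIX:
        return None            # not a v4-mapped destination: ordinary routing or other mappings
    if not acl_permits(s, d):
        return None            # prefix matched but the source is not permitted: dropped
    return str(IPv4Address(int(d) & 0xFFFF_FFFF))   # the last 32 bits are the IPv4 address


def dns_alg_a_to_aaaa(answers: List[DnsRecord]) -> List[DnsRecord]:
    """Rewrite A records in a reply from the IPv4 side into AAAA records under the v4-mapped prefix.

    Records of other types pass through unchanged, as a real DNS ALG leaves them.
    """
    base = int(V4_MAPPED_PREFIX.network_address)
    out: List[DnsRecord] = []
    for name, rrtype, rdata in answers:
        if rrtype == "A":
            synthesized = IPv6Address(base | int(IPv4Address(rdata)))
            out.append((name, "AAAA", str(synthesized)))
        else:
            out.append((name, rrtype, rdata))
    return out
```

A synthesized AAAA record is the translator's invention, not the zone owner's, so a DNSSEC-validating client on the IPv6 side will reject it; that interaction is one of the reasons RFC 4966 moved NAT-PT to Historic status, and it applies equally to any DNS ALG or DNS64 deployment.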

CONFIGURING BASIC IPV6 TO IPV4 CONNECTIVITY FOR NAT-PT FOR IPV6:

Perform this task to configure basic IPv6-to-IPv4 connectivity for NAT-PT: configure the NAT-PT prefix globally and enable NAT-PT on the interfaces. For NAT-PT to be operational, it must be enabled on both the incoming and the outgoing interface.

NAT-PT PREFIX:

An IPv6 prefix with a prefix length of 96 must be specified for NAT-PT to use. It can be a unique local unicast prefix, a subnet of your allocated IPv6 prefix, or an extra prefix obtained from your Internet service provider (ISP). NAT-PT matches the destination address of IPv6 packets against this prefix; on a match it applies the configured address mapping rules to translate the IPv6 packet into an IPv4 packet. The NAT-PT prefix can be configured globally or with a different prefix on individual interfaces; using different NAT-PT prefixes on several interfaces lets one NAT-PT router serve an IPv6 network with multiple exit points to IPv4 networks. Whichever prefix you choose, it is in effect the IPv6 network's window onto the IPv4 side (any IPv4 address can be expressed under a /96), so treat the routes and filters for it with the care you would give a default route toward the IPv4 network.

SUMMARY STEPS

1. enable 
2. configure terminal 
3. ipv6 nat prefix ipv6-prefix/prefix-length 
4. interface type number
5. ipv6 address ipv6-address/prefix-length | ipv6 address ipv6-address link-local
6. ipv6 nat 
7. exit 
8. interface type number
9. ip address ip-address mask [secondary]
10. ipv6 nat 

DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Router# configure terminal
  Enters global configuration mode.

Step 3: ipv6 nat prefix ipv6-prefix/prefix-length
  Example: Router(config)# ipv6 nat prefix 2001:0db8::/96
  Assigns an IPv6 prefix as the global NAT-PT prefix. IPv6 packets whose destination matches this prefix are translated by NAT-PT. The only prefix length supported is 96.

Step 4: interface type number
  Example: Router(config)# interface ethernet 3/1
  Specifies an interface type and number and enters interface configuration mode (this is the IPv6-side interface).

Step 5: ipv6 address ipv6-address/prefix-length | ipv6 address ipv6-address link-local
  Example: Router(config-if)# ipv6 address 2001:0db8:yyyy:1::9/64
  Assigns an IPv6 address to the interface and enables IPv6 processing on it (yyyy is a placeholder for your own site prefix).

Step 6: ipv6 nat
  Example: Router(config-if)# ipv6 nat
  Enables NAT-PT on the IPv6-side interface.

Step 7: exit
  Example: Router(config-if)# exit
  Exits interface configuration mode and returns to global configuration mode.

Step 8: interface type number
  Example: Router(config)# interface ethernet 3/3
  Specifies an interface type and number and enters interface configuration mode (this is the IPv4-side interface).

Step 9: ip address ip-address mask [secondary]
  Example: Router(config-if)# ip address 192.168.30.9 255.255.255.0
  Assigns an IPv4 address and mask to the interface and enables IP processing on it.

Step 10: ipv6 nat
  Example: Router(config-if)# ipv6 nat
  Enables NAT-PT on the IPv4-side interface. NAT-PT only becomes operational once it is enabled on both the incoming and the outgoing interface.

CONFIGURING IPV4-MAPPED NAT-PT :

The following task describes how to enable customers to send traffic from their IPv6 network to an IPv4 network without configuring IPv6 destination address mapping. This task shows the ipv6 nat prefix v4-mapped command configured on a specified interface, but the command could alternatively be configured globally:

SUMMARY STEPS

1. enable
2. configure terminal
3. interface type number
4. ipv6 nat prefix ipv6-prefix v4-mapped {access-list-name | ipv6-prefix}

DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Router# configure terminal
  Enters global configuration mode.

Step 3: interface type number
  Example: Router(config)# interface ethernet 3/1
  Specifies an interface type and number and enters interface configuration mode.

Step 4: ipv6 nat prefix ipv6-prefix v4-mapped {access-list-name | ipv6-prefix}
  Example: Router(config-if)# ipv6 nat prefix 2001::/96 v4-mapped v4mapacl
  Lets hosts on the IPv6 network send traffic to the IPv4 network without a configured IPv6 destination address mapping: the low 32 bits of any destination under the prefix become the IPv4 destination. The access list (or prefix list) named here is the only filter on which IPv6 sources may use this path, so define it before this step and keep it narrow.

CONFIGURING MAPPINGS FOR IPV6 HOSTS ACCESSING IPV4 HOSTS:

Perform this task to configure static or dynamic IPv6 to IPv4 address mappings. The dynamic address mappings include assigning a pool of IPv4 addresses and using an access list, prefix list, or route map to define which packets are to be translated.

SUMMARY STEPS

1. enable 
2. configure terminal 
3. ipv6 nat v6v4 source ipv6-address ipv4-address
   or
   ipv6 nat v6v4 source {list access-list-name | route-map map-name} pool name
4. ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length
5. ipv6 nat translation [max-entries number] {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout} {seconds | never}
6. ipv6 access-list access-list-name
7. permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}
8. exit
9. show ipv6 nat translations [icmp | tcp | udp] [verbose]
10. show ipv6 nat statistics 

DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Router# configure terminal
  Enters global configuration mode.

Step 3: ipv6 nat v6v4 source ipv6-address ipv4-address
        or
        ipv6 nat v6v4 source {list access-list-name | route-map map-name} pool name
  Example: Router(config)# ipv6 nat v6v4 source 2001:0db8:yyyy:1::1 10.21.8.10
        or
  Example: Router(config)# ipv6 nat v6v4 source list pt-list1 pool v4pool
  The first form creates a static IPv6-to-IPv4 mapping; the second creates a dynamic one. Use the list or route-map keyword to name the access list, prefix list, or route map that selects the packets to translate, and the pool keyword to name the IPv4 pool (created with ipv6 nat v6v4 pool) from which addresses are drawn.

Step 4: ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length
  Example: Router(config)# ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24
  Defines the pool of IPv4 addresses used for dynamic mapping. Without overload, the pool size is the number of IPv6 hosts that can be translated concurrently.

Step 5: ipv6 nat translation [max-entries number] {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout} {seconds | never}
  Example: Router(config)# ipv6 nat translation udp-timeout 600
  (Optional) Sets the idle time after which NAT-PT translations of the given type are removed, and optionally caps the number of translation entries. Keep the timeouts finite and set max-entries: the state table and the pool are shared resources that many sessions from the IPv6 side can exhaust.

Step 6: ipv6 access-list access-list-name
  Example: Router(config)# ipv6 access-list pt-list1
  (Optional) Defines an IPv6 access list and enters IPv6 access list configuration mode; the prompt changes to Router(config-ipv6-acl)#. IPv6 ACL names cannot contain a space or quotation mark or begin with a numeral.

Step 7: permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}
  Example: Router(config-ipv6-acl)# permit ipv6 2001:0db8:bbbb:1::/64 any
  (Optional) Adds a permit entry to the IPv6 ACL. The protocol argument is a protocol name (ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp) or a protocol number from 0 to 255. Source and destination prefixes are written in RFC 2373 notation (hexadecimal 16-bit values separated by colons); any is shorthand for ::/0, and host address matches a single address. Only the arguments relevant to this task are shown; see the permit command in the IPv6 for Cisco IOS Command Reference for the full syntax. Write the ACL as narrowly as the site allows: every source it permits is a host that can consume a pool address.

Step 8: exit
  Example: Router(config-ipv6-acl)# exit
  Exits access list configuration mode and returns to global configuration mode. Enter exit again to return to privileged EXEC mode.

Step 9: show ipv6 nat translations [icmp | tcp | udp] [verbose]
  Example: Router# show ipv6 nat translations verbose
  (Optional) Displays the active NAT-PT translations. The icmp, tcp, and udp keywords restrict the output to one protocol; verbose adds detail about each translation.

Step 10: show ipv6 nat statistics
  Example: Router# show ipv6 nat statistics
  (Optional) Displays NAT-PT statistics.


WHAT TO DO NEXT:

IF YOU DO NOT REQUIRE ANY IPV4 TO IPV6 MAPPINGS, PROCEED TO THE "VERIFYING NAT-PT CONFIGURATION AND OPERATION" TASK.

CONFIGURING MAPPINGS FOR IPV4 HOSTS ACCESSING IPV6 HOSTS:

Perform this optional task to configure static or dynamic IPv4 to IPv6 address mappings. The dynamic address mappings include assigning a pool of IPv6 addresses and using an access list, prefix list, or route map to define which packets are to be translated.

SUMMARY STEPS

1. enable 
2. configure terminal 
3. ipv6 nat v4v6 source ipv4-address ipv6-address
   or
   ipv6 nat v4v6 source list {access-list-number | name} pool name
4. ipv6 nat v4v6 pool name start-ipv6 end-ipv6 prefix-length prefix-length
5. access-list access-list-number {deny | permit} source [source-wildcard] [log]

DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Router# configure terminal
  Enters global configuration mode.

Step 3: ipv6 nat v4v6 source ipv4-address ipv6-address
        or
        ipv6 nat v4v6 source list {access-list-number | name} pool name
  Example: Router(config)# ipv6 nat v4v6 source 10.21.8.11 2001:0db8:yyyy::2
        or
  Example: Router(config)# ipv6 nat v4v6 source list 1 pool v6pool
  The first form creates a static IPv4-to-IPv6 mapping (IPv4 address first, then the IPv6 address it appears as); the second creates a dynamic one. Use the list keyword to name the IPv4 access list that selects the packets to translate, and the pool keyword to name the IPv6 pool (created with ipv6 nat v4v6 pool) from which addresses are drawn.

Step 4: ipv6 nat v4v6 pool name start-ipv6 end-ipv6 prefix-length prefix-length
  Example: Router(config)# ipv6 nat v4v6 pool v6pool 2001:0db8:yyyy::1 2001:0db8:yyyy::2 prefix-length 128
  Defines the pool of IPv6 addresses used for dynamic mapping. As in the examples on this page, the pool addresses should fall inside the NAT-PT prefix so that replies from IPv6 hosts are matched and routed back to the translator.

Step 5: access-list access-list-number {deny | permit} source [source-wildcard] [log]
  Example: Router(config)# access-list 1 permit 192.168.30.0 0.0.0.255
  Adds an entry to a standard IPv4 access list. This list decides which IPv4 sources may open sessions into the IPv6 network, so it is effectively the inbound policy for the IPv6 side; do not leave it as permit any.

CONFIGURING PAT FOR IPV6 TO IPV4 ADDRESS MAPPINGS:

Perform this task to configure PAT for IPv6-to-IPv4 address mappings. Multiple IPv6 addresses are mapped to a single IPv4 address or to a pool of IPv4 addresses, and an access list, prefix list, or route map defines which packets are translated.

SUMMARY STEPS

1. enable 
2. configure terminal 
3. ipv6 nat v6v4 source {list access-list-name | route-map map-name} pool name overload
   or
   ipv6 nat v6v4 source {list access-list-name | route-map map-name} interface interface-name overload
4. ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length
5. ipv6 nat translation [max-entries number] {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout} {seconds | never}
6. ipv6 access-list access-list-name
7. permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}

DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Enables privileged EXEC mode. Enter your password if prompted.

Step 2: configure terminal
  Example: Router# configure terminal
  Enters global configuration mode.

Step 3: ipv6 nat v6v4 source {list access-list-name | route-map map-name} pool name overload
        or
        ipv6 nat v6v4 source {list access-list-name | route-map map-name} interface interface-name overload
  Example: Router(config)# ipv6 nat v6v4 source list pt-list1 pool v4pool overload
        or
  Example: Router(config)# ipv6 nat v6v4 source list pt-list1 interface ethernet 3/3 overload
  The first form enables dynamic IPv6-to-IPv4 overload mapping using pool addresses; the second uses the address of the named interface (here the IPv4-side interface from the basic connectivity task). Use the list or route-map keyword to name the access list, prefix list, or route map that selects the packets to translate; the pool keyword names the IPv4 pool created with ipv6 nat v6v4 pool, and the interface keyword names the interface whose address is shared.

Step 4: ipv6 nat v6v4 pool name start-ipv4 end-ipv4 prefix-length prefix-length
  Example: Router(config)# ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24
  Defines the pool of IPv4 addresses used for dynamic mapping (only needed for the pool form of Step 3).

Step 5: ipv6 nat translation [max-entries number] {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout | icmp-timeout} {seconds | never}
  Example: Router(config)# ipv6 nat translation udp-timeout 600
  (Optional) Sets the idle time after which NAT-PT translations of the given type are removed, and optionally caps the number of translation entries. With overload the number of entries, not the number of addresses, is what limits concurrent sessions, so max-entries and the timeouts are the controls that matter here.

Step 6: ipv6 access-list access-list-name
  Example: Router(config)# ipv6 access-list pt-list1
  (Optional) Defines an IPv6 access list and enters IPv6 access list configuration mode; the prompt changes to Router(config-ipv6-acl)#. IPv6 ACL names cannot contain a space or quotation mark or begin with a numeral.

Step 7: permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address}
  Example: Router(config-ipv6-acl)# permit ipv6 2001:0db8:bbbb:1::/64 any
  (Optional) Adds a permit entry to the IPv6 ACL. The protocol argument is a protocol name (ahp, esp, icmp, ipv6, pcp, sctp, tcp, or udp) or a protocol number from 0 to 255. Source and destination prefixes are written in RFC 2373 notation (hexadecimal 16-bit values separated by colons); any is shorthand for ::/0, and host address matches a single address. Only the arguments relevant to this task are shown; see the permit command in the Cisco IOS IPv6 Command Reference for the full syntax.

WHAT TO DO NEXT:

Once the mappings you need are configured, proceed to the "Verifying NAT-PT Configuration and Operation" task.

VERIFYING NAT-PT CONFIGURATION AND OPERATION:

Perform this task to display information that verifies the configuration and operation of NAT-PT. The clear and debug commands require privileged EXEC mode, so enable comes first.

SUMMARY STEPS

1. enable
2. clear ipv6 nat translation *
3. debug ipv6 nat [detailed | port]

DETAILED STEPS

Step 1: enable
  Example: Router> enable
  Enables privileged EXEC mode. Enter your password if prompted.

Step 2: clear ipv6 nat translation *
  Example: Router# clear ipv6 nat translation *
  (Optional) Clears dynamic NAT-PT translations from the dynamic translation state table. The * keyword clears all dynamic translations. Static translation configuration is not affected. Clearing the table interrupts every dynamic session in flight, so on a production translator inspect the table with show ipv6 nat translations before you clear it.

Step 3: debug ipv6 nat [detailed | port]
  Example: Router# debug ipv6 nat detailed
  Displays debugging messages for NAT-PT translation events; detailed adds per-packet detail and port shows the port translation performed for PAT. Debug output is produced for every translated packet and can saturate the console and CPU of a busy router, so enable it for a short window only and turn it off with the no form of the command when done.

STATIC NAT-PT CONFIGURATION: EXAMPLE:

The following example configures the NAT-PT prefix globally, enables NAT-PT on two interfaces, and configures two static NAT-PT mappings. Ethernet interface 3/1 is configured as IPv6 only, and Ethernet interface 3/3 is configured as IPv4 only.
 
interface Ethernet3/1 
 ipv6 address 2001:0db8:3002::9/64 
 ipv6 enable 
 ipv6 nat 
! 
interface Ethernet3/3 
 ip address 192.168.30.9 255.255.255.0 
 ipv6 nat 
! 
ipv6 nat v4v6 source 192.168.30.1 2001:0db8:0::2 
ipv6 nat v6v4 source 2001:0db8:bbbb:1::1 10.21.8.10 
ipv6 nat prefix 2001:0db8:0::/96

ENABLING TRAFFIC TO BE SENT FROM AN IPV6 NETWORK TO AN IPV4 NETWORK WITHOUT USING IPV6 DESTINATION ADDRESS MAPPING: EXAMPLE:

In the following example, the access list permits any IPv6 source address in 2001::/96 to reach destinations in 2000::/96. The destination is then translated to the last 32 bits of its IPv6 address; for example, with source address 2001::1 and destination address 2000::192.168.1.1, the destination becomes 192.168.1.1 in the IPv4 network:
ipv6 nat prefix 2000::/96 v4-mapped v4map_acl
 
ipv6 access-list v4map_acl
 permit ipv6 2001::/96 2000::/96

DYNAMIC NAT-PT CONFIGURATION FOR IPV6 HOSTS ACCESSING IPV4 HOSTS: EXAMPLE:

The following example configures the NAT-PT prefix globally, enables NAT-PT on two interfaces, and configures one static NAT-PT mapping (used, for example, to access a DNS server). A dynamic NAT-PT mapping is also configured to map IPv6 addresses to IPv4 addresses using a pool of IPv4 addresses named v4pool. 

The packets to be translated by NAT-PT are filtered using an IPv6 access list named pt-list1. The User Datagram Protocol (UDP) translation entries are configured to time out after 10 minutes. Ethernet interface 3/1 is configured as IPv6 only, and Ethernet interface 3/3 is configured as IPv4 only.
 
interface Ethernet3/1 
 ipv6 address 2001:0db8:bbbb:1::9/64 
 ipv6 enable 
 ipv6 nat 
! 
interface Ethernet3/3 
 ip address 192.168.30.9 255.255.255.0 
 ipv6 nat 
! 
ipv6 nat v4v6 source 192.168.30.1 2001:0db8:0::2 
ipv6 nat v6v4 source list pt-list1 pool v4pool 
ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24 
ipv6 nat translation udp-timeout 600
ipv6 nat prefix 2001:0db8:0::/96
! the NAT-PT prefix must contain 2001:0db8:0::2, the IPv6 address of the statically mapped DNS server above; with a prefix of 2001:0db8:1::/96 IPv6 hosts cannot reach it
! 
ipv6 access-list pt-list1 
 permit ipv6 2001:0db8:bbbb:1::/64 any

DYNAMIC NAT-PT CONFIGURATION FOR IPV4 HOSTS ACCESSING IPV6 HOSTS EXAMPLE:

The following example configures the NAT-PT prefix globally, enables NAT-PT on two interfaces, and configures one static NAT-PT mapping (used, for example, to reach a DNS server). A dynamic NAT-PT mapping is also configured to map IPv4 addresses to IPv6 addresses using a pool of IPv6 addresses named v6pool. The packets to be translated by NAT-PT are filtered using standard IPv4 access list 72. Ethernet interface 3/1 is configured as IPv6 only, and Ethernet interface 3/3 is configured as IPv4 only.
 
interface Ethernet3/1 
 ipv6 address 2001:0db8:bbbb:1::9/64 
 ipv6 enable 
 ipv6 nat 
! 
interface Ethernet3/3 
 ip address 192.168.30.9 255.255.255.0 
 ipv6 nat 
! 
ipv6 nat v4v6 source list 72 pool v6pool 
ipv6 nat v4v6 pool v6pool 2001:0db8:0::1 2001:0db8:0::2 prefix-length 128 
ipv6 nat v6v4 source 2001:0db8:bbbb:1::1 10.21.8.0 
ipv6 nat prefix 2001:0db8:0::/96 
! 
access-list 72 permit 192.168.30.0 0.0.0.255
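A consistency check a practitioner can run over a NAT-PT configuration before committing it, as an added Python example written for this page (neither Cisco nor the blog provides it). It parses the configuration lines used in the examples above and flags the mistakes that make a NAT-PT deployment silently fail: a prefix that is not a /96, a static v4v6 mapping or v4v6 pool address that lies outside the NAT-PT prefix, swapped arguments in a static mapping, a referenced access list or pool that is never defined, and ipv6 nat missing from one side. DYNAMIC_EXAMPLE is the page's dynamic IPv6-to-IPv4 example with the interface address lines omitted and the prefix 2001:0db8:1::/96 it was originally published with, which does not cover the statically mapped DNS server 2001:0db8:0::2; BROKEN_EXAMPLE is constructed for the demonstration. Route-map selectors are accepted but not resolved.

```python
from ipaddress import AddressValueError, IPv4Address, IPv6Address, IPv6Network
from typing import List, Tuple


def check_natpt_config(config: str) -> List[str]:
    """Return consistency findings for an IOS NAT-PT config; an empty list means clean."""
    findings: List[str] = []
    prefix = None
    defined = {"v6acl": set(), "v4acl": set(), "v6v4pool": set(), "v4v6pool": set()}
    refs: List[Tuple[str, str, str]] = []               # (kind, name, line), resolved at the end
    under_prefix: List[Tuple[str, IPv6Address]] = []    # IPv6 addresses that must lie in the prefix
    nat_interfaces, section = 0, None

    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        w = line.split()
        if raw[:1].isspace():                            # indented: sub-command of the current block
            if section == "interface" and line == "ipv6 nat":
                nat_interfaces += 1
            continue
        section = "interface" if w[0] == "interface" else None
        if line.startswith("ipv6 access-list "):
            defined["v6acl"].add(w[2])
        elif line.startswith("access-list "):
            defined["v4acl"].add(w[1])
        elif line.startswith("ipv6 nat prefix "):
            prefix = IPv6Network(w[3], strict=False)
            if prefix.prefixlen != 96:
                findings.append(f"NAT-PT prefix {w[3]} is not a /96")
            if "v4-mapped" in w:                         # ipv6 nat prefix X v4-mapped ACL
                refs.append(("v6acl", w[w.index("v4-mapped") + 1], line))
        elif line.startswith("ipv6 nat v6v4 pool "):
            defined["v6v4pool"].add(w[4])
        elif line.startswith("ipv6 nat v4v6 pool "):
            defined["v4v6pool"].add(w[4])
            under_prefix += [(f"v4v6 pool {w[4]} address {a}", IPv6Address(a)) for a in w[5:7]]
        elif line.startswith("ipv6 nat v6v4 source "):
            if w[4] == "list":
                refs.append(("v6acl", w[5], line))
            if w[4] in ("list", "route-map"):
                if "pool" in w:
                    refs.append(("v6v4pool", w[w.index("pool") + 1], line))
            else:                                        # static form: <ipv6> <ipv4>
                try:
                    IPv6Address(w[4])
                    IPv4Address(w[5])
                except AddressValueError:
                    findings.append(f"static v6v4 mapping must be <ipv6> <ipv4>: {line}")
        elif line.startswith("ipv6 nat v4v6 source "):
            if w[4] == "list":
                refs.append(("v4acl", w[5], line))
                refs.append(("v4v6pool", w[w.index("pool") + 1], line))
            else:                                        # static form: <ipv4> <ipv6>
                try:
                    IPv4Address(w[4])
                    under_prefix.append((f"static v4v6 mapping to {w[5]}", IPv6Address(w[5])))
                except AddressValueError:
                    findings.append(f"static v4v6 mapping must be <ipv4> <ipv6>: {line}")

    if prefix is None:
        findings.append("no NAT-PT prefix configured")
    else:
        findings += [f"{what} lies outside NAT-PT prefix {prefix}" for what, a in under_prefix if a not in prefix]
    findings += [f"{kind} '{name}' is referenced but never defined: {line}"
                 for kind, name, line in refs if name not in defined[kind]]
    if nat_interfaces < 2:
        findings.append(f"'ipv6 nat' is enabled on {nat_interfaces} interface(s); both sides need it")
    return findings


DYNAMIC_EXAMPLE = """\
interface Ethernet3/1
 ipv6 nat
!
interface Ethernet3/3
 ipv6 nat
!
ipv6 nat v4v6 source 192.168.30.1 2001:0db8:0::2
ipv6 nat v6v4 source list pt-list1 pool v4pool
ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24
ipv6 nat translation udp-timeout 600
ipv6 nat prefix 2001:0db8:1::/96
!
ipv6 access-list pt-list1
 permit ipv6 2001:0db8:bbbb:1::/64 any
"""

# Constructed: swapped static arguments, undefined ACL and pool, a /64 prefix, one interface.
BROKEN_EXAMPLE = """\
interface Ethernet3/1
 ipv6 nat
!
ipv6 nat v6v4 source 10.21.8.10 2001:0db8:bbbb:1::1
ipv6 nat v6v4 source list pt-list1 pool v4pool
ipv6 nat prefix 2001:0db8:0::/64
"""


def corrected_dynamic_example() -> str:
    return DYNAMIC_EXAMPLE.replace("2001:0db8:1::/96", "2001:0db8:0::/96")
```

Run it over any candidate configuration before pushing it; a clean result is an empty list. The check is deliberately strict about the prefix containing every IPv6 address the IPv4 side is represented by, because that is the mistake the translator never reports: packets to an address outside the prefix are simply routed elsewhere.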
