- Configuring NAT for IP Address Conservation
- Using Application-Level Gateways with NAT
- NAT Box-to-Box High-Availability Support
- Stateless Network Address Translation 64
- Stateful Network Address Translation 64
- Mapping of Address and Port Using Translation
- Mapping of Address and Port Using Encapsulation
- Integrating NAT with MPLS VPNs
- Configuring Hosted NAT Traversal for Session Border Controller
- User Defined Source Port Ranges for PAT
- FPG Endpoint Agnostic Port Allocation
- NAT Optimized SIP Media Path Without SDP
- NAT Optimized SIP Media Path with SDP
- Monitoring and Maintaining NAT
- NAT-PT for IPv6
- NAT TCP SIP ALG Support
- NAT Routemaps Outside-to-Inside Support
IP Addressing: NAT Configuration Guide, Cisco IOS Release 15M&T
- Updated:
- August 4, 2017
Chapter: NAT-PT for IPv6
- Finding Feature Information
- Prerequisites for NAT-PT for IPv6
- Restrictions for NAT-PT for IPv6
- Information for NAT-PT for IPv6
- How to Configure NAT-PT for IPv6
- Configuring Basic IPv6 to IPv4 Connectivity for NAT-PT for IPv6
- Configuring IPv4-Mapped NAT-PT
- Configuring Mappings for IPv6 Hosts Accessing IPv4 Hosts
- Configuring Mappings for IPv4 Hosts Accessing IPv6 Hosts
- Configuring PAT for IPv6 to IPv4 Address Mappings
- Verifying NAT-PT Configuration and Operation
- Configuration Examples for NAT-PT for IPv6
- Example: Static NAT-PT Configuration
- Example: Configuring IPv4-Mapped NAT-PT
- Example: Dynamic NAT-PT Configuration for IPv6 Hosts Accessing IPv4 Hosts
- Example: Dynamic NAT-PT Configuration for IPv4 Hosts Accessing IPv6 Hosts
- Example: Displaying Dynamic NAT-PT Translations
- Example: Displaying Active NAT-PT Translations
- Example: Displaying Information About NAT-PT Statistics
- Additional References
- Feature Information for NAT-PT for IPv6
NAT-PT for IPv6
NAT—PT is an IPv6-to-IPv4 translation mechanism, as defined in RFC 2765 and RFC 2766, that allows IPv6-only devices to communicate with IPv4-only devices and vice versa.
This modules describes Network Address Translation (NAT)—Protocol Translation (PT) and explains how to configure the feature.
- Finding Feature Information
- Prerequisites for NAT-PT for IPv6
- Restrictions for NAT-PT for IPv6
- Information for NAT-PT for IPv6
- How to Configure NAT-PT for IPv6
- Configuration Examples for NAT-PT for IPv6
- Additional References
- Feature Information for NAT-PT for IPv6
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Prerequisites for NAT-PT for IPv6
Before implementing the NAT-PT for IPv6 feature, you must configure IPv4 and IPv6 on device interfaces that need to communicate between IPv4-only and IPv6-only networks.
Restrictions for NAT-PT for IPv6
-
Network Address Translation (NAT)-Protocol Translation (PT) is not supported with Cisco Express Forwarding.
NAT-PT supports only Domain Naming System (DNS), File Transfer Protocol (FTP), and Internet Control Message Protocol (ICMP) application-layer gateways (ALGs).
NAT-PT does not provide end-to-end security to networks. The device on which NAT-PT is configured can be a single point of failure in the network.
Bridge-group virtual interfaces (BVIs) in IPv6 are not supported with NAT-PT and wireless interfaces Dot11Radio.
Information for NAT-PT for IPv6
NAT-PT Overview
Network Address Translation (NAT)-Port Translation (PT) for Cisco software based on RFC 2766 and RFC 2765 is a migration tool that helps customers transition their IPv4 networks to IPv6 networks. Using a protocol translator between IPv6 and IPv4 allows direct communication between hosts that use different network protocols. You can use static, dynamic, port address translation, IPv4-mapped definitions for NAT-PT operation.
The figure below shows that NAT-PT runs on a device that is configured between an IPv6 network and an IPv4 network that helps connect an IPv6-only node with an IPv4-only node.
NAT-PT allows direct communication between IPv6-only networks and IPv4-only networks. Dual-stack networks (networks that have IPv4 and IPv6) can have some IPv6-only hosts configured to take advantage of the IPv6 autoconfiguration, global addressing, and simpler management features, and these hosts can use NAT-PT to communicate with existing IPv4-only networks in the same organization.
One of the benefits of NAT-PT is that no changes are required to existing hosts if NAT-PT is configured, because all NAT-PT configurations are performed at the NAT-PT device. Stable IPv4 networks can introduce an IPv6 network and use NAT-PT to communicate between these networks without disrupting the network. For a seamless transition, you can use FTP between IPv4 and IPv6 hosts.
When you configure IPv6, packet fragmentation is enabled by default, to allow IPv4 and IPv6 networks to resolve fragmentation problems. Without the ability to resolve fragmentation, connectivity can be intermittent when fragmented packets are dropped or not interpreted correctly.
We do not recommend the use of NAT-PT to communicate between a dual-stack host and an IPv6-only or IPv4-only host. We do not recommend the use of NAT-PT in a scenario in which an IPv6-only network tries to communicate with another IPv6-only network via an IPv4 backbone or vice versa, because NAT-PT requires a double translation. You can use tunneling techniques for communication in these scenarios.
You can configure one the following operations for NAT-PT, but not all four.
Static NAT-PT Operation
Static NAT-PT uses static translation rules to map an IPv6 address to an IPv4 address. IPv6 network nodes communicate with IPv4 network nodes using an IPv6 mapping of the IPv4 address that is configured on the NAT-PT device.
The figure below shows how the IPv6-only node named A can communicate with the IPv4-only node named C using NAT-PT. The NAT-PT device is configured to map the source IPv6 address for node A of 2001:DB8:bbbb:1::1 to the IPv4 address 192.168.99.2. NAT-PT is also configured to map the source address of IPv4 node C, 192.168.30.1 to 2001:DB8::a. When packets with a source IPv6 address of node A are received at the NAT-PT device, these packets are translated to have a destination address that matches node C in the IPv4-only network. You can also configure NAT-PT to match a source IPv4 address and translate the packet to an IPv6 destination address to allow an IPv4-only host to communicate with an IPv6-only host.
If you have multiple IPv6-only or IPv4-only hosts, you may need to configure multiple static NAT-PT mappings. Static NAT-PT is useful when applications or servers require access to a stable IPv4 address, such as accessing an external IPv4 Domain Name System (DNS) server.
Dynamic NAT-PT Operation
Dynamic NAT-PT allows multiple NAT-PT mappings by allocating addresses from a pool of addresses. NAT-PT is configured with a pool of IPv6 and/or IPv4 addresses. At the start of a NAT-PT session a temporary address is dynamically allocated from this pool. The number of addresses available in the address pool determines the maximum number of concurrent sessions. The NAT-PT device records each mapping between addresses in a dynamic state table.
The figure below shows how dynamic NAT-PT operates. The IPv6-only node B can communicate with the IPv4-only node D using dynamic NAT-PT. The NAT-PT device is configured with an IPv6 access list, prefix list, or route map to determine which packets are to be translated by NAT-PT. A pool of IPv4 addresses--10.21.8.1 to 10.21.8.10 in the figure -- is also configured. When an IPv6 packet to be translated is identified, NAT-PT uses the configured mapping rules and assigns a temporary IPv4 address from the configured pool of IPv4 addresses.
Dynamic NAT-PT translation operation requires at least one static mapping for the IPv4 Domain Name System (DNS) server.
After the IPv6 to IPv4 connection is established, reply packets going from IPv4 to IPv6 uses the previously established dynamic mapping to translate back from IPv4 to IPv6 and vice versa for an IPv4-only host.
Port Address Translation
Port Address Translation (PAT), also known as overload configuration, allows a single IPv4 address to be used among multiple sessions by multiplexing on the port number to associate several IPv6 users with a single IPv4 address. PAT can be accomplished through a specific interface or through a pool of addresses. The figure below shows multiple IPv6 addresses from the IPv6 network that is linked to a single IPv4 interface into the IPv4 network.
IPv4-Mapped Operation
You can send traffic from your IPv6 network to an IPv4 network without configuring the IPv6 destination address mapping. A packet that arrives at an interface is checked to discover if it has a NAT-PT prefix that was configured with the ipv6 nat prefix v4-mapped command. If the prefix matches, then an access-list check is performed to discover if the source address matches the access list or prefix list. If the prefix does not match, the packet is dropped. If the prefix matches, the source address translation is performed.
If a rule is configured for the source address translation, the last 32 bits of the destination IPv6 address is used as the IPv4 destination and a flow entry is created.
With an IPv4-mapping configuration on a device, when the Domain Name System (DNS) application-level gateway (ALG) IPv4 address is converted to an IPv6 address, the IPv6 address is processed and ALGs of the DNS packets from IPv4 network is translated into the IPv6 network.
How to Configure NAT-PT for IPv6
Configuring Basic IPv6 to IPv4 Connectivity for NAT-PT for IPv6
Perform this task to configure basic IPv6 to IPv4 connectivity for NAT-PT, which consists of configuring the NAT-PT prefix globally, and enable NAT-PT on an interface. For NAT-PT to be operational, NAT-PT must be enabled on both the incoming and outgoing interfaces.
An IPv6 prefix with a prefix length of 96 must be specified for NAT-PT to use. The IPv6 prefix can be a unique local unicast prefix, a subnet of your allocated IPv6 prefix, or even an extra prefix obtained from your Internet service provider (ISP). The NAT-PT prefix is used to match a destination address of an IPv6 packet. If the match is successful, NAT-PT will use the configured address mapping rules to translate the IPv6 packet to an IPv4 packet. The NAT-PT prefix can be configured globally or with different IPv6 prefixes on individual interfaces. Using a different NAT-PT prefix on several interfaces allows the NAT-PT router to support an IPv6 network with multiple exit points to IPv4 networks.
1.
enable
2.
configure
terminal
3.
ipv6
nat
prefix
ipv6-prefix
/
prefix-length
4.
interface
type
number
5.
ipv6
address
ipv6-address
{/prefix-length |
link-local}
6.
ipv6
nat
7.
exit
8.
interface
type
number
9.
ip
address
ip-address
mask
[secondary]
10.
ipv6
nat
DETAILED STEPS
Configuring IPv4-Mapped NAT-PT
Perform this task to enable customers to send traffic from their IPv6 network to an IPv4 network without configuring IPv6 destination address mapping. This task shows the ipv6 nat prefix v4-mapped command configured on a specified interface, but the command could alternatively be configured globally:
1.
enable
2.
configure
terminal
3.
interface
type
number
4.
ipv6
nat
prefix
ipv6-prefix
v4-mapped
{access-list-name |
ipv6-prefix}
DETAILED STEPS
Configuring Mappings for IPv6 Hosts Accessing IPv4 Hosts
Perform this task to configure static or dynamic IPv6 to IPv4 address mappings. The dynamic address mappings include assigning a pool of IPv4 addresses and using an access list, prefix list, or route map to define which packets are to be translated.
1.
enable
2.
configure
terminal
3.
Configure one of the following commands:
4.
ipv6
nat
v6v4
pool
name
start-ipv4
end-ipv4
prefix-length
prefix-length
5.
ipv6
nat
translation
[max-entries
number] {timeout |
udp-timeout |
dns-timeout |
tcp-timeout |
finrst-timeout |
icmp-timeout} {seconds |
never}
6.
ipv6
access-list
access-list-name
7.
permit
protocol
{source-ipv6-prefix/prefix-length |
any |
host
source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length |
any |
host
destination-ipv6-address}
8.
end
9.
show
ipv6
nat
translations
[icmp |
tcp |
udp] [verbose]
10.
show
ipv6
nat
statistics
DETAILED STEPS
Configuring Mappings for IPv4 Hosts Accessing IPv6 Hosts
Perform this optional task to configure static or dynamic IPv4 to IPv6 address mappings. The dynamic address mappings include assigning a pool of IPv6 addresses and using an access list, prefix list, or route map to define which packets are to be translated.
1.
enable
2.
configure
terminal
3.
Configure one of the following commands:
4.
ipv6
nat
v4v6
pool
name
start-ipv6
end-ipv6
prefix-length
prefix-length
5.
access-list
{access-list-name |
number}{deny |
permit} [source
source-wildcard] [log]
6.
end
DETAILED STEPS
Configuring PAT for IPv6 to IPv4 Address Mappings
Perform this task to configure Port Address Translation (PAT) for IPv6 to IPv4 address mappings. Multiple IPv6 addresses are mapped to a single IPv4 address or to a pool of IPv4 addresses. Use an access list, a prefix list, or a route map to define which packets must be translated.
1.
enable
2.
configure
terminal
3.
Configure one of the following commands:
4.
ipv6
nat
v6v4
pool
name
start-ipv4
end-ipv4
prefix-length
prefix-length
5.
ipv6
nat
translation
[max-entries
number] {timeout |
udp-timeout |
dns-timeout |
tcp-timeout |
finrst-timeout |
icmp-timeout} {seconds |
never}
6.
ipv6
access-list
access-list-name
7.
permit
protocol
{source-ipv6-prefix/prefix-length |
any |
host
source-ipv6-address} [operator [port-number]] {destination-ipv6-prefix/prefix-length |
any |
host
destination-ipv6-address}
8.
end
DETAILED STEPS
Verifying NAT-PT Configuration and Operation
These commands are optional. Use these commands in any order.
1.
enable
2.
clear
ipv6
nat
translation
*
3.
debug
ipv6
nat
[detailed |
port]
DETAILED STEPS
Configuration Examples for NAT-PT for IPv6
Example: Static NAT-PT Configuration
The following example configures the NAT-PT prefix globally, enables NAT-PT on two interfaces, and configures two static NAT-PT mappings. Ethernet interface 3/1 is configured as IPv6 only, and Ethernet interface 3/3 is configured as IPv4 only.
interface Ethernet3/1 ipv6 address 2001:DB8:3002::9/64 ipv6 enable ipv6 nat ! interface Ethernet3/3 ip address 192.168.30.9 255.255.255.0 ipv6 nat ! ipv6 nat v4v6 source 192.168.30.1 2001:DB8:0::2 ipv6 nat v6v4 source 2001:DB8:bbbb:1::1 10.21.8.10 ipv6 nat prefix 2001:DB8:0::/96
Example: Configuring IPv4-Mapped NAT-PT
The following example shows an access list that permits any IPv6 source address with the prefix 2001::/96 to enter the destination with the 2000::/96 prefix. The destination is translated to the last 32 bit of its IPv6 address; for example: source address is 2001::1 and destination address is 2000::192.168.1.1. The destination is translated to 192.168.1.1 in the IPv4 network.
interface gigabitethernet 3/1/1 ipv6 nat prefix 2000::/96 v4-mapped v4map-acl ipv6 access-list v4map-acl permit ipv6 2001::/96 2000::/96
Example: Dynamic NAT-PT Configuration for IPv6 Hosts Accessing IPv4 Hosts
The following example configures the NAT-PT prefix globally, enables NAT-PT on two interfaces, and configures one static NAT-PT mapping (used, for example, to access a DNS server). A dynamic NAT-PT mapping is also configured to map IPv6 addresses to IPv4 addresses using a pool of IPv4 addresses named v4pool. The packets to be translated by NAT-PT are filtered using an IPv6 access list named pt-list1. The User Datagram Protocol (UDP) translation entries are configured to time out after 10 minutes. Ethernet interface 3/1 is configured as IPv6 only, and Ethernet interface 3/3 is configured as IPv4 only.
interface Ethernet3/1 ipv6 address 2001:DB8:bbbb:1::9/64 ipv6 enable ipv6 nat ! interface Ethernet3/3 ip address 192.168.30.9 255.255.255.0 ipv6 nat ! ipv6 nat v4v6 source 192.168.30.1 2001:DB8:0::2 ipv6 nat v6v4 source list pt-list1 pool v4pool ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24 ipv6 nat translation udp-timeout 600 ipv6 nat prefix 2001:DB8:1::/96 ! ipv6 access-list pt-list1 permit ipv6 2001:DB8:bbbb:1::/64 any
Example: Dynamic NAT-PT Configuration for IPv4 Hosts Accessing IPv6 Hosts
The following example configures the NAT-PT prefix globally, enables NAT-PT on two interfaces, and configures one static NAT-PT mapping (used, for example, to access a DNS server). A dynamic NAT-PT mapping is also configured to map IPv4 addresses to IPv6 addresses using a pool of IPv6 addresses named v6pool. The packets to be translated by NAT-PT are filtered using an access list named pt-list2. Ethernet interface 3/1 is configured as IPv6 only, and Ethernet interface 3/3 is configured as IPv4 only.
interface Ethernet3/1 ipv6 address 2001:DB8:bbbb:1::9/64 ipv6 enable ipv6 nat ! interface Ethernet3/3 ip address 192.168.30.9 255.255.255.0 ipv6 nat ! ipv6 nat v4v6 source list 72 pool v6pool ipv6 nat v4v6 pool v6pool 2001:DB8:0::1 2001:DB8:0::2 prefix-length 128 ipv6 nat v6v4 source 2001:DB8:bbbb:1::1 10.21.8.0 ipv6 nat prefix 2001:DB8:0::/96 ! access-list 72 permit 192.168.30.0 0.0.0.255
Example: Displaying Dynamic NAT-PT Translations
The following example shows how all dynamic NAT-PT translations are cleared from the dynamic translation state table using the clear ipv6 nat translation * command. After configuring the clear command, when you configure the show ipv6 nat translations command, only static translation configurations are displayed.
Device# clear ipv6 nat translation *
Device# show ipv6 nat translations
Prot IPv4 source IPv6 source
IPv4 destination IPv6 destination
--- --- ---
192.168.123.2 2001:DB8::2
--- --- ---
192.168.122.10 2001:DB8::10
--- 192.168.124.8 2001:DB8:3::8
--- ---
--- 192.168.121.4 2001:DB8:5::4
--- ---
Example: Displaying Active NAT-PT Translations
The following sample output from the show ipv6 nat translations command displays information about active Network Address Translation (NAT)-Port Translation (PT) translations:
Device# show ipv6 nat translations
Prot IPv4 source IPv6 source
IPv4 destination IPv6 destination
--- --- ---
192.168.123.2 2001:DB8::2
--- --- ---
192.168.122.10 2001:DB8::10
tcp 192.168.124.8,11047 2001:DB8:3::8,11047
192.168.123.2,23 2001:DB8::2,23
udp 192.168.124.8,52922 2001:DB8:3::8,52922
192.168.123.2,69 2001::2,69
udp 192.168.124.8,52922 2001:DB8:3::8,52922
192.168.123.2,52922 2001:DB8::2,52922
--- 192.168.124.8 2001:DB8:3::8
192.168.123.2 2001:DB8::2
--- 192.168.124.8 2001:DB8:3::8
--- --- ---
Example: Displaying Information About NAT-PT Statistics
Router# show ipv6 nat statistics Total active translations: 4 (4 static, 0 dynamic; 0 extended) NAT-PT interfaces: Ethernet3/1, Ethernet3/3 Hits: 0 Misses: 0 Expired translations: 0
Additional References
Related Documents
Related Topic |
Document Title |
|---|---|
|
IPv6 addressing and connectivity |
IPv6 Configuration Guide |
|
Cisco IOS commands |
|
|
IPv6 commands |
|
|
Cisco IOS IPv6 features |
Standards and RFCs
Standard/RFC |
Title |
|---|---|
|
RFCs for IPv6 |
IPv6 RFCs |
Technical Assistance
Description |
Link |
|---|---|
|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for NAT-PT for IPv6
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.Feature Name |
Releases |
Feature Information |
|---|---|---|
|
NAT-PT: Support for DNS ALG |
12.2(13)T |
IPv6 provides DNS ALG support. |
|
NAT-PT: Support for FTP ALG |
12.3(2)T |
IPv6 provides FTP ALG support. |
|
NAT-PT: Support for Fragmentation |
12.3(2)T |
Packet fragmentation is enabled by default when IPv6 is configured, allowing IPv6 and IPv4 networks to resolve fragmentation problems between the networks. |
|
NAT-PT: Support for Overload |
12.3(2)T |
This feature allows a single IPv4 address to be used among multiple sessions by multiplexing on the port number to associate several IPv6 users with a single IPv4 address. |
Feedback