
IPV6 NAT-PT Dynamic

[Topology diagram: R1 (IPv6-only host) -- R2 (NAT-PT translator) -- R3 (IPv4-only gateway to the home network)]

IPv6 NAT-PT is one of the methods available for migrating from IPv4 to IPv6. NAT-PT is not a normal NAT: with normal NAT you translate one address to another within the same protocol, whereas with NAT-PT the translation is between two different protocols, IPv6 to IPv4 (and vice versa).

In the scenario above I built a simple topology: R1 is a host running only IPv6, R2 is the translator between IPv6 and IPv4, and R3 is the gateway to the outside (IPv4 only). As you can see above, R3 is connected to my home network, so on R3 I configured normal IPv4 NAT between what comes in on f0/0 and goes out of f0/1 (my home net).

R1 (IPv6-only host):
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:100:100::1/64
 ipv6 address FE80::1 link-local
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
!
ipv6 route ::/0 2001:100:100::2
!

R2 (NAT-PT translator):
!
ipv6 unicast-routing
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:100:100::2/64
 ipv6 address FE80::2 link-local
 ipv6 nat
!
interface FastEthernet0/1
 ip address 100.100.0.1 255.255.255.0
 duplex auto
 speed auto
 ipv6 nat
!
ip route 0.0.0.0 0.0.0.0 100.100.0.2
!
ip http server
no ip http secure-server
!
ipv6 nat v6v4 source list NAT_TRANSLATIONS pool V4POOL
ipv6 nat v6v4 pool V4POOL 100.100.0.101 100.100.0.110 prefix-length 24
ipv6 nat prefix 2001::/96 v4-mapped NAT_TRANSLATIONS
!
ipv6 access-list NAT_TRANSLATIONS
 permit ipv6 any 2001::/96
!

R3 (IPv4-only gateway, NAT to the home network):
!
interface FastEthernet0/0
 ip address 100.100.0.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
!
access-list 100 permit ip 100.100.0.0 0.0.0.255 any
!

As you can see from the configuration above, R1 is IPv6 only and R3 is IPv4 only:

IPV6_HOST#ping 2001::808:808
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::808:808, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/142/184 ms
IPV6_HOST#
Above I ping 2001::808:808: 2001:: is the prefix I use for NAT-PT, and the last 32 bits, 0808:0808, are translated to 8.8.8.8 (Google DNS).
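The prefix mapping just described, as an added example that is not part of the original post: an IPv4 address is written into the low 32 bits of the /96 NAT-PT prefix, and the reverse lookup only succeeds for addresses inside that prefix, which is exactly what the NAT_TRANSLATIONS ACL (permit ipv6 any 2001::/96) enforces on R2. The prefix 2001::/96 is taken from the page's R2 configuration; the function names are my own.

```python
import ipaddress
from typing import Optional

# NAT-PT v4-mapped prefix from the page's R2 config: "ipv6 nat prefix 2001::/96 v4-mapped"
NATPT_PREFIX = ipaddress.IPv6Network("2001::/96")


def v4_to_natpt(v4: str, prefix: ipaddress.IPv6Network = NATPT_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of the /96 NAT-PT prefix.

    8.8.8.8 is 0x08080808, so under 2001::/96 it becomes 2001::808:808.
    """
    if prefix.prefixlen != 96:
        # A v4-mapped prefix must leave exactly 32 host bits for the IPv4 address.
        raise ValueError("NAT-PT v4-mapped prefix must be a /96")
    host_bits = int(ipaddress.IPv4Address(v4))
    return str(ipaddress.IPv6Address(int(prefix.network_address) | host_bits))


def natpt_to_v4(v6: str, prefix: ipaddress.IPv6Network = NATPT_PREFIX) -> Optional[str]:
    """Reverse mapping: return the embedded IPv4 address, or None when the IPv6
    address lies outside the prefix (the ACL 'permit ipv6 any 2001::/96' would
    not match it, so the router would not translate it at all)."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))


if __name__ == "__main__":
    for v4 in ("8.8.8.8", "10.0.0.2"):
        print(f"{v4:>10} -> {v4_to_natpt(v4)}")
    for v6 in ("2001::808:808", "2001::A00:2", "2001:100:100::1"):
        print(f"{v6:>16} -> {natpt_to_v4(v6)}")
```

The third reverse lookup (2001:100:100::1, the host's own address) returns None: it is a normal global address, not a prefix-mapped one, so there is no IPv4 address to recover from it.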

To verify the translation on the NAT-PT router:

NAT_PT_ROUTER#sh ipv nat translations
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      10.0.0.2                 2001::A00:2
icmp  100.100.0.102,3764       2001:100:100::1,3764
      8.8.8.8,3764             2001::808:808,3764
---   100.100.0.102            2001:100:100::1
      10.0.0.2                 2001::A00:2
---   100.100.0.102            2001:100:100::1
      ---                      ---
NAT_PT_ROUTER#debug ipv6 nat
IPv6 NAT-PT debugging is on
NAT_PT_ROUTER#
*Mar  1 14:12:06.104: IPv6 NAT: icmp src (2001:100:100::1) -> (100.100.0.102), dst (2001::808:808) -> (8.8.8.8)
*Mar  1 14:12:06.236: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
*Mar  1 14:12:06.256: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
*Mar  1 14:12:06.264: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
*Mar  1 14:12:06.280: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
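As an added example (my own code, not from the post), the following script audits "debug ipv6 nat" lines of the format shown above against what R2 is configured to do: in the IPv6-to-IPv4 direction the new source must come from V4POOL (100.100.0.101 to 100.100.0.110) and the IPv4 destination must equal the address embedded in the prefix-mapped IPv6 destination; in the return direction the checks are mirrored. The prefix and pool values come from the page's R2 configuration; the sample log contains two lines copied from the debug output above plus one constructed line whose translated source falls outside the pool.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Baseline taken from the page's R2 configuration (assumed to be the intended policy).
NATPT_PREFIX = ipaddress.IPv6Network("2001::/96")
POOL_FIRST = ipaddress.IPv4Address("100.100.0.101")
POOL_LAST = ipaddress.IPv4Address("100.100.0.110")

# Matches the "debug ipv6 nat" line format shown on the page.
DEBUG_RE = re.compile(
    r"IPv6 NAT: (?P<proto>\w+) src \((?P<src_in>[^)]+)\) -> \((?P<src_out>[^)]+)\), "
    r"dst \((?P<dst_in>[^)]+)\) -> \((?P<dst_out>[^)]+)\)"
)


def embedded_v4(v6: str) -> Optional[ipaddress.IPv4Address]:
    """IPv4 address carried in the low 32 bits of a prefix-mapped IPv6 address."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in NATPT_PREFIX:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF)


def in_pool(v4: str) -> bool:
    return POOL_FIRST <= ipaddress.IPv4Address(v4) <= POOL_LAST


def audit_debug_line(line: str) -> Optional[Dict[str, object]]:
    """Check one debug line against the configured prefix and pool.
    Returns None for lines that are not NAT-PT debug output."""
    m = DEBUG_RE.search(line)
    if m is None:
        return None
    f = m.groupdict()
    problems: List[str] = []
    if ":" in f["src_in"]:
        # IPv6 -> IPv4: the source is replaced by a pool address and the destination
        # is recovered from the low 32 bits of the prefix-mapped address.
        direction = "v6->v4"
        if not in_pool(f["src_out"]):
            problems.append(f"translated source {f['src_out']} is outside V4POOL")
        if embedded_v4(f["dst_in"]) != ipaddress.IPv4Address(f["dst_out"]):
            problems.append(f"destination {f['dst_out']} does not match {f['dst_in']}")
    else:
        # IPv4 -> IPv6 return traffic: the IPv4 source is re-embedded under the prefix
        # and the pool address is mapped back to the IPv6 host.
        direction = "v4->v6"
        if embedded_v4(f["src_out"]) != ipaddress.IPv4Address(f["src_in"]):
            problems.append(f"source {f['src_in']} not re-embedded as {f['src_out']}")
        if not in_pool(f["dst_in"]):
            problems.append(f"destination {f['dst_in']} is outside V4POOL")
    return {"proto": f["proto"], "direction": direction, "problems": problems}


def audit(lines: List[str]) -> List[Dict[str, object]]:
    """Audit every NAT-PT debug line in a log, skipping unrelated lines."""
    return [r for r in (audit_debug_line(ln) for ln in lines) if r is not None]


# Constructed sample: two lines from the page's debug output and one bad line.
SAMPLE_LOG = [
    "*Mar  1 14:12:06.104: IPv6 NAT: icmp src (2001:100:100::1) -> (100.100.0.102), dst (2001::808:808) -> (8.8.8.8)",
    "*Mar  1 14:12:06.236: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)",
    "*Mar  1 14:12:07.000: IPv6 NAT: tcp src (2001:100:100::1) -> (100.100.0.200), dst (2001::808:808) -> (8.8.8.8)",
]

if __name__ == "__main__":
    for result in audit(SAMPLE_LOG):
        status = "ok" if not result["problems"] else "; ".join(result["problems"])
        print(f"{result['proto']:<5} {result['direction']:<7} {status}")
```

Run against a real debug capture, any line reported as a problem points either at a mismatch between the pool/prefix you think is configured and what the router is actually using, or at traffic that should not have been translated in the first place.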
The default timeout for a translation entry to expire from the table is 60 sec; to save the router some work I would suggest increasing that timeout:
ipv6 nat translation timeout 300 (increase to 5 min)
With that said, you can increase or decrease the timeout separately for tcp, udp and icmp. I would love it if there were also an option to specifically decrease the timeout for SYN (to help prevent a SYN flood attack); currently there is an option only for the FIN or RST flags, and I suggest decreasing their timeout:
ipv6 nat translation finrst-timeout 10
however normally resources are limited and expensive, and Service provider would like to make money from his available resources. maximum routes configured under VRF provide a mean of controlling PE local resource and abuse avoidance from the CE side.I have vrf called DC_EXTRANET, you can see that I have 16 routes, I have configured 10 maximum routes under that vrf however I did not want to be aggressive so I have set the warning only option. See that immediately I get a notice that I have more routes then the maximum, however no action is taken other then alerting and sending a syslog. ! PE_ashdod_otherisp.n(config-vrf)# maximum routes 10 warning-only % The current number of routes in the routing table is equal to, or exceeds the configured warning limit PE_ashdod_otherisp.n(config-vrf)# *Nov 26 20:39:41.175: %IPRT-3-ROUTELIMITWARNING: IP routing table limit warning - DC_…