IPv6 NAT-PT is one of the methods available for migrating from IPv4 to IPv6. NAT-PT is not a normal NAT: with normal NAT you translate one address to another, whereas NAT-PT translates between two different protocols, IPv6 to IPv4 (and vice versa).
In the above scenario I have built a simple topology: R1 is a host running only IPv6, R2 is my translator between IPv6 and IPv4, and R3 is my outside gateway (IPv4 only). As you can see above, R3 is connected to my home network, so I have configured normal IPv4 NAT between what comes in on f0/0 and what goes out on f0/1 (my home network).
R1 | R2 | R3 |
! |
!!!ipv6 unicast-routing!! |
!!! |
As you can see from the above configuration, R1 is IPv6 only and R3 is IPv4 only.

IPV6_HOST#ping 2001::808:808
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::808:808, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/142/184 ms
IPV6_HOST#

From above you can see I ping 2001::808:808: 2001:: is the prefix I use for NAT-PT, and the last 32 bits, 0808:0808, are translated to 8.8.8.8 (Google DNS).
To verify the translation on the NAT-PT router:

NAT_PT_ROUTER#sh ipv nat translations
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      10.0.0.2                 2001::A00:2

icmp  100.100.0.102,3764       2001:100:100::1,3764
      8.8.8.8,3764             2001::808:808,3764

---   100.100.0.102            2001:100:100::1
      10.0.0.2                 2001::A00:2

---   100.100.0.102            2001:100:100::1
      ---                      ---

NAT_PT_ROUTER#debug ipv6 nat
IPv6 NAT-PT debugging is on
NAT_PT_ROUTER#
*Mar 1 14:12:06.104: IPv6 NAT: icmp src (2001:100:100::1) -> (100.100.0.102), dst (2001::808:808) -> (8.8.8.8)
*Mar 1 14:12:06.236: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
*Mar 1 14:12:06.256: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
*Mar 1 14:12:06.264: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
*Mar 1 14:12:06.280: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)

The default timeout for a translation entry to expire from the table is 60 sec. To save the router some work, I would suggest increasing that timeout:
ipv nat translation timeout 300 (increase to 5 min)
With that said, you can increase or decrease the timeout for TCP, UDP and ICMP. I would love it if there were also an option to specifically decrease the timeout for SYN (to protect against SYN flood attacks); currently there is an option only for the FIN or RST flags (and I suggest decreasing their timeout):
ipv nat translation finrst-timeout 10
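
The prefix mapping and the debug lines shown earlier can be checked mechanically. The following is an added example, not part of the original post: it embeds and extracts the IPv4 address in the last 32 bits of the NAT-PT prefix and labels each rewrite in a debug line as prefix-derived, taken from a mapping entry, or inconsistent. The 2001::/96 prefix length, the function names and the third sample line are assumptions made for the example.

```python
import ipaddress
import re

# Assumption: the NAT-PT prefix is 2001::/96 (the post says "2001:: is the prefix").
NATPT_PREFIX = ipaddress.IPv6Network("2001::/96")
PAIR = re.compile(r"(src|dst) \(([^)]+)\) -> \(([^)]+)\)")

def v4_to_natpt(v4, prefix=NATPT_PREFIX):
    """Place an IPv4 address in the last 32 bits of the /96 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("expected a /96 prefix")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))

def natpt_to_v4(v6, prefix=NATPT_PREFIX):
    """Return the embedded IPv4 address, or None if v6 is outside the prefix."""
    addr = ipaddress.IPv6Address(v6)
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF) if addr in prefix else None

def classify(line):
    """Label each src/dst rewrite in one 'debug ipv6 nat' line: 'prefix' (IPv6 side is
    prefix + IPv4 side), 'table' (outside the prefix, so from a mapping entry), 'MISMATCH'."""
    result = {}
    for role, left, right in PAIR.findall(line):
        v6, v4 = (left, right) if ":" in left else (right, left)  # IPv6 is on the right in replies
        embedded = natpt_to_v4(v6)
        if embedded is None:
            result[role] = "table"
        elif embedded == ipaddress.IPv4Address(v4):
            result[role] = "prefix"
        else:
            result[role] = "MISMATCH"
    return result

SAMPLE = [
    # The first two lines are taken from the debug output in the post.
    "IPv6 NAT: icmp src (2001:100:100::1) -> (100.100.0.102), dst (2001::808:808) -> (8.8.8.8)",
    "IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)",
    # Constructed line: the IPv4 destination differs from the address embedded in the IPv6 one.
    "IPv6 NAT: icmp src (2001:100:100::1) -> (100.100.0.102), dst (2001::808:808) -> (8.8.4.4)",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry), "<-", entry)
```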