IPV6 NAT-PT Dynamic

 

IPv6 NAT-PT is one of the methods out there for migration between V4 to V6, the NAT-PT is not a normal NAT as with normal NAT you would translate one address to another, in our case NAT-PT we do a translation between 2 different protocols ipv6 to ipv4 (and vice versa).

In the above scenario I have done a simple topology R1 is a host running only IPv6, R2 is my translator between IPv6 to IPv4 and R3 is my gateway out side (Only IPv4), on R3 as you can see from above I have connected it to my home network so I have done Normal IPv4 NAT between the what is coming in from f0/0 and going out f0/1 (my home net)

R1	R2	R3
! interface FastEthernet0/0 no ip address duplex auto speed auto ipv6 address 2001:100:100::1/64 ipv6 address FE80::1 link-local ! interface FastEthernet0/1 no ip address shutdown duplex auto speed auto ! ! ! ip http server no ip http secure-server ! ipv6 route ::/0 2001:100:100::2 ! !	! ! ! ipv6 unicast-routing ! ! interface FastEthernet0/0 no ip address duplex auto speed auto ipv6 address 2001:100:100::2/64 ipv6 address FE80::2 link-local ipv6 nat ! interface FastEthernet0/1 ip address 100.100.0.1 255.255.255.0 duplex auto speed auto ipv6 nat ! ip route 0.0.0.0 0.0.0.0 100.100.0.2 ! ! ip http server no ip http secure-server ! ipv6 nat v6v4 source list NAT_TRANSLATIONS pool V4POOL ipv6 nat v6v4 pool V4POOL 100.100.0.101 100.100.0.110 prefix-length 24 ipv6 nat prefix 2001::/96 v4-mapped NAT_TRANSLATIONS ! ! ! ! ipv6 access-list NAT_TRANSLATIONS permit ipv6 any 2001::/96 !	! ! ! interface FastEthernet0/0 ip address 100.100.0.2 255.255.255.0 ip nat inside ip virtual-reassembly duplex auto speed auto ! interface FastEthernet0/1 ip address dhcp ip nat outside ip virtual-reassembly duplex auto speed auto ! ! ! ip http server no ip http secure-server ip nat inside source list 100 interface FastEthernet0/1 overload ! access-list 100 permit ip 100.100.0.0 0.0.0.255 any !

 

As you can see from above configuration R1 in IPv6 only, and R3 is IPv4 only

IPV6_HOST#ping 2001::808:808
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001::808:808, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 128/142/184 ms
IPV6_HOST#
From above you can see I ping 2001::808:808, the 2001:: is the prefix I use
for the NAT-PT and the 32 last bits 0808:0808 is translated to 8.8.8.8 (Google DNS)

to verify the translation on the NAT-PT router:

NAT_PT_ROUTER#sh ipv nat translations
Prot  IPv4 source              IPv6 source
      IPv4 destination         IPv6 destination
---   ---                      ---
      10.0.0.2                 2001::A00:2
icmp  100.100.0.102,3764       2001:100:100::1,3764
      8.8.8.8,3764             2001::808:808,3764
---   100.100.0.102            2001:100:100::1
      10.0.0.2                 2001::A00:2
---   100.100.0.102            2001:100:100::1
      ---                      ---
NAT_PT_ROUTER#debug ipv6 nat
IPv6 NAT-PT debugging is on
NAT_PT_ROUTER#
*Mar  1 14:12:06.104: IPv6 NAT: icmp src (2001:100:100::1) -> (100.100.0.102), dst (2001::808:808) -> (8.8.8.8)
*Mar  1 14:12:06.236: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
*Mar  1 14:12:06.256: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
*Mar  1 14:12:06.264: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
*Mar  1 14:12:06.280: IPv6 NAT: icmp src (8.8.8.8) -> (2001::808:808), dst (100.100.0.102) -> (2001:100:100::1)
default timeout for the translation rule to expire from the table is 60 sec, to save some
work from the router i would suggest to increase that timeout
ipv nat translation timeout 300 (increase to 5 min)
now with that said you can increase or decrease timeout for tcp , udp , icmp , I would love if there would be also the
option to specifically decrease the timeout for SYN (prevent from SYN flood attack) currently there is an option only 
for FIN or RST flags (and I suggest to decrease their time out.
ipv nat translation finrst-timeout 10