- NAT
  - NAT44
    - PAT
    - NVI
  - NAT-PT
    - NAT-PT static
    - IPv4 → IPv6 dynamic NAT
    - IPv6 → IPv4 PAT
    - v4-mapped
  - NAT64
    - DNS64
    - 464XLAT
  - NPTv6
- IPv6 over IPv4 tunnels
  - 6to4
  - 6in4
  - ISATAP
    - Server
    - Client
  - 6rd
NAT
- types
  - full cone
    - IP + port → eIP + port
    - permits traffic from any external IP to the mapping (e.g., PAT, non-stateful NAT)
  - restricted cone
    - full cone + only an external IP the inside host already sent to may respond (dst IP is recorded on the NAT)
    - external host cannot initiate a session
  - port restricted cone
    - restricted cone + the destination port is recorded as well
  - symmetric
    - separate mapping for every (src, dst) pair
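An added example, not from these notes: a small Python model of the four NAT types above, showing for each which inbound packets reach the inside host. The external address and port numbers are constructed.

```python
from dataclasses import dataclass, field

EXT_IP = "203.0.113.7"   # constructed public address of the NAT device


@dataclass
class Nat:
    kind: str                                       # "full", "restricted", "port_restricted" or "symmetric"
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)    # key -> external port
    peers: dict = field(default_factory=dict)       # external port -> set of (dst_ip, dst_port) contacted

    def outbound(self, src, dst):
        """Inside endpoint src=(ip, port) sends to dst=(ip, port); returns the external (ip, port)."""
        # symmetric NAT allocates a mapping per (src, dst); the cone types reuse one mapping per src
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.peers.setdefault(port, set()).add(dst)
        return (EXT_IP, port)

    def inbound(self, ext_src, ext_port):
        """External ext_src=(ip, port) sends to EXT_IP:ext_port; returns the inside (ip, port) or None."""
        if ext_port not in self.peers:
            return None                              # no mapping at all: dropped
        seen = self.peers[ext_port]
        if self.kind == "full":
            allowed = True                           # any external host may use the mapping
        elif self.kind == "restricted":
            allowed = ext_src[0] in {ip for ip, _ in seen}   # only IPs the inside host already sent to
        else:                                        # port_restricted and symmetric
            allowed = ext_src in seen                # the exact (ip, port) must have been contacted
        if not allowed:
            return None
        for key, port in self.mappings.items():      # map the external port back to the inside endpoint
            if port == ext_port:
                return key[0] if self.kind == "symmetric" else key
        return None
```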
NAT44
- application level gateway (ALG):
  - TCP: recalculates checksum, because src IP is used in the pseudoheader
  - ICMP: replaces addresses in payload (e.g., in Destination Unreachable)
  - DNS: changes addresses in payload, creates mapping in dynamic NAT
  - FTP: changes addresses in payload, changes TCP SEQ/ACK numbers
  - SMTP: changes addresses in payload
  - traceroute: changes address in payload, both ICMP and UDP
  - SIP, H.323
  - ESP
- fragments
  - non-initial fragments are cached until the first fragment (with the L4 header) is received, then only the session info is used
  - session timeout for fragments – 60s, if exceeded – ICMP Time Exceeded (fragment reassembly time exceeded)
- ACL is evaluated before translation on ingress and after translation on egress
- inside → outside priority:
  - PBR
  - routing
  - NAT
- outside → inside priority:
  - NAT
  - PBR
  - routing
; 60s default
(config)# ip nat translation dns-timeout <sec>|never
; 60s default, sessions after RST or FIN
(config)# ip nat translation finrst-timeout <sec>
; 60s default
(config)# ip nat translation icmp-timeout <sec>
; per port timeout, 60s default
(config)# ip nat translation port-timeout tcp|udp <PORT> <sec>
; 60s default
(config)# ip nat translation syn-timeout <sec>
; 24h default
(config)# ip nat translation tcp-timeout <sec>
; 24h default, dynamic NAT, 0 ≡ never
(config)# ip nat translation timeout <sec>
; ∞ default
(config)# ip nat translation max-entries <N>
; on by default, waits for all fragments before forwarding and NAT (does not reassemble!)
(config-if)# ip virtual-reassembly
(config-if)# ip virtual-reassembly in|out drop-fragments
; 32 default, fragments per reassembly
(config-if)# ip virtual-reassembly in|out max-fragments <N>
; 16 default, concurrent reassemblies
(config-if)# ip virtual-reassembly in|out max-reassemblies <N>
; 3s default
(config-if)# ip virtual-reassembly in|out timeout <sec>
PAT
- reassembles fragments
- incompatible with ALG
NVI
(config)# ip nat source list <ACL> interface <INTF> overload
; same command on both inside and outside interfaces (instead of ip nat inside/outside)
(config-if)# ip nat enable
# show ip nat nvi translation
# show ip nat nvi statistics
NAT-PT
- not compatible with CEF, DNSSEC
- NAPT-PT not compatible with fragmented packets
- IPv4 ←→ IPv6
- when IPv6 fragments are translated, DF flag in IPv4 is set
- types: static, dynamic, PAT, IPv4-mapped
- deprecated: dual-stack hosts are better
- NAT-PT translated address may be chosen because of DNS ALG
- translates DNS A record even for pure IPv4 request
(config)# no ip cef
(config)# no ipv6 cef
; /96 – the only supported length; NAT-PT is triggered when an IPv6 packet
; with dst from PREFIX is received
(config)# ipv6 nat prefix <PREFIX>/96
; enable NAT-PT on interface
(config-if)# ipv6 nat
(config-if)# ipv6 nat prefix <PREFIX>/96
NAT-PT static
; address translation for both src and dst, IPv6 → IPv4
; one address must be from PREFIX
(config)# ipv6 nat v4v6 source <IPv4> <IPv6>
(config)# ipv6 nat v6v4 source <IPv6> <IPv4>
IPv4 → IPv6 dynamic NAT
; [start, end] ∈ PREFIX, so that return traffic triggers NAT-PT
(config)# ipv6 nat v4v6 pool <POOL> <IPv6_START> <IPv6_END> prefix-length <N>
(config)# ipv6 nat v4v6 source list <ACL> pool <POOL>
IPv6 → IPv4 PAT
(config)# ipv6 nat v6v4 source list <ACL> interface <INTF> overload
v4-mapped
- uses last 32 bits as destination address
; ACL verifies IPv6 src
(config)# ipv6 nat <PREFIX>/96 v4-mapped <ACL>
NAT64
- does not support VRF, IPv4/IPv6 options, fragmented UDP with zero checksum
- better than NAT-PT: separates the NAT and DNS64 functions
- 64:ff9b::/96 + IPv4 address
- discovery of NAT64 prefix (RFC 7050)
  - host requests AAAA for ipv4only.arpa
  - well-known IPv4 addresses (WKA): 192.0.0.170, 192.0.0.171
  - DNS64 returns NAT64 prefix + WKA, host extracts the prefix
- stateless
  - inserts IPv4 address into IPv6 (1:1 mapping)
  - wastes IPv4 addresses
  - IPv6 hosts must have corresponding addresses (RFC 6052)
- stateful
  - uses 1 IPv4 address (≈ PAT)
  - creates IPv4 route to pool range via NVI
; adds route via NVI
(config)# nat64 prefix stateful <PREFIX>
; IPv6 must be from PREFIX
(config)# nat64 static <IPv6> <IPv4>
(config)# nat64 v4 pool <POOL> <START_IPv4> <END_IPv4>
(config)# nat64 v6v4 list <ACL> pool <POOL> [overload]
; stateless, process matching packets via NAT instead of routing
(config)# nat64 route <IPv4> <INTF>
(config-if)# nat64 enable
# show nat64 aliases
# show nat64 logging
# show nat64 prefix stateful
# show nat64 timeouts
# show nat64 mappings
DNS64
- if A record is found and no AAAA record is available – return NAT64 address
- can conflict with DNSSEC (synthesized address is not signed by the domain owner)
464XLAT
- software
- for IPv4-only applications over an IPv6-only connection (CLAT on the host, uses 192.0.0.0/29)
NPTv6
- stateless
- RFC 6296
- IPv6 → IPv6
- no support for VRF, NAT64, mcast, firewall, L4 translation, syslog
(config)# nat66 prefix inside <PREFIX1> outside <PREFIX2>
(config-if)# nat66 inside|outside
# show nat66 prefix
# show nat66 statistics
IPv6 over IPv4 tunnels
6to4
- 2002:<IPv4>::/48
- does not support mcast ⇒ BGP as routing protocol
- P2M
(config-if)# tunnel mode ipv6ip 6to4
(config-if)# tunnel source <INTF>
; 2002:<IPv4>::/48
(config-if)# ipv6 address <IPv6>
; address of 6to4 peer
(config)# ipv6 route <IPv6_PEER> Tunnel0
6in4
- IPv6 tunnel over IPv4 network
ISATAP
- server IPv6 interface ID: ::5efe:<IPv4>
- client receives address via tunnel
- support for IGP in unicast mode
- P2M – only server
Server
(config-if)# tunnel mode ipv6ip isatap
(config-if)# ipv6 address <PREFIX>
(config-if)# no ipv6 nd ra suppress
Client
(config-if)# tunnel mode ipv6ip
(config-if)# ipv6 address autoconfig
(config-if)# tunnel destination <IPv4>
6rd
- rapid deployment
- within ISP network: 6rd CPE, info via DHCP
- 6rd prefix + IPv4 + subnet/64:
  - prefix – N bits
  - IPv4 – M bits
  - subnet – Z bits
- IPv6 client, IPv4 core
- common IPv4 prefix and common suffix are omitted, only Δ is embedded:
  - 2001:0:db8:0200::c15c:0
  - 2001:db8:: – 6rd
  - 10.1.0.0/16 – common prefix
  - 0.0.0.1/8 – common suffix
  - 02 – Δ
  - destination = 10.1.2.1
  - source = IPv4 upstream interface
- IP protocol 41 (IPv6 encapsulated in IPv4)
- border router (BR)
  - by default source IPv4 and IPv6 must correspond to each other – verified by CPE
  - BR sends packets from native IPv6 – check must be disabled
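An added example, not from these notes, that computes the derived addresses described in the NAT64, v4-mapped, 6to4, ISATAP and 6rd sections with Python's ipaddress module. The 6rd prefix length (/32) and all sample addresses are assumptions.

```python
import ipaddress

NAT64_WKP = ipaddress.IPv6Network("64:ff9b::/96")   # well-known NAT64 prefix (RFC 6052)


def nat64_synth(v4, prefix=NAT64_WKP):
    """Embed an IPv4 address in the last 32 bits of a /96 NAT64 prefix (the AAAA that DNS64 synthesizes)."""
    assert prefix.prefixlen == 96, "only /96 prefixes are modelled here"
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))


def nat64_extract(v6, prefix=NAT64_WKP):
    """Inverse step done by the translator: IPv4 destination from the last 32 bits, None if not in prefix."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        return None                                   # routed normally, not translated
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def sixto4_prefix(v4):
    """2002:<IPv4>::/48 prefix derived from a 6to4 router's public IPv4 address."""
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(ipaddress.IPv4Address(v4)) << 80), 48))


def isatap_address(prefix64, v4):
    """ISATAP address: <prefix>::5efe:<IPv4>, i.e. interface ID 0000:5efe followed by the IPv4 address."""
    net = ipaddress.IPv6Network(prefix64)
    iid = (0x5efe << 32) | int(ipaddress.IPv4Address(v4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def sixrd_delegated_prefix(rd_prefix, v4, v4_prefix_len, v4_suffix_len):
    """6rd delegated prefix: the 6rd prefix followed only by the IPv4 bits that differ between CPEs (Δ)."""
    rd = ipaddress.IPv6Network(rd_prefix)
    delta_bits = 32 - v4_prefix_len - v4_suffix_len          # bits not shared by all CPEs
    delta = (int(ipaddress.IPv4Address(v4)) >> v4_suffix_len) & ((1 << delta_bits) - 1)
    shift = 128 - rd.prefixlen - delta_bits                  # place Δ right after the 6rd prefix
    return ipaddress.IPv6Network((int(rd.network_address) | (delta << shift), rd.prefixlen + delta_bits))
```

With the 6rd values from the example above (prefix 2001:db8::/32, common prefix 10.1.0.0/16, 8-bit suffix, CPE address 10.1.2.1) the function yields 2001:db8:200::/40, i.e. Δ = 02 placed directly after the 6rd prefix.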
(config)# ipv6 general-prefix <NAME> 6rd Tunnel0
(config-if)# tunnel mode ipv6ip
(config-if)# tunnel source <INTF>
(config-if)# tunnel 6rd prefix <IPv6>/<LENGTH>
(config-if)# tunnel 6rd ipv4 prefix-len <LENGTH> suffix-len <LENGTH>
(config-if)# tunnel 6rd br <IPv4_ADDR>
; towards ISP network
(config-if)# ipv6 address <NAME> ::/128 anycast
; towards client
(config-if)# ipv6 address <NAME> ::/64 eui-64
# show tunnel 6rd