NAT

  1. NAT
  2. NAT44
    1. PAT
  3. NVI
  4. NAT-PT
    1. NAT-PT static
    2. IPv4 → IPv6 dynamic NAT
    3. IPv6 → IPv4 PAT
    4. v4-mapped
  5. NAT64
    1. DNS64
    2. 464XLAT
  6. NPTv6
  7. IPv6 over IPv4 tunnels
    1. 6to4
    2. 6in4
    3. ISATAP
      1. Server
      2. Client
    4. 6rd

NAT

  • types
    1. full cone
      • IP + port → eIP + port
      • permits traffic from any external IP (e.g., PAT, non-stateful NAT)
    2. restricted cone
      • full cone + only external IPs the host has sent to may respond (NAT records the dst IP)
      • external host cannot initiate session
    3. port restricted cone
      • restricted cone + the destination port is recorded as well
    4. symmetric
      • own mapping for every connection
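The four behaviours above determine which unsolicited inbound packets reach an internal host, which is what matters when judging exposure behind a NAT. The following toy model is an added example, not part of the original notes; the NAT class, the behaviour names and all addresses and ports are constructed for illustration.

```python
# Added example (not part of the original notes): a toy model of the four
# NAT behaviours, to show which inbound packets each one admits.
# All addresses and ports below are constructed sample values.

BEHAVIOURS = ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric")


class ToyNat:
    """Single-public-IP NAT; endpoints are (ip, port) tuples."""

    def __init__(self, behaviour, external_ip, first_port=40000):
        assert behaviour in BEHAVIOURS
        self.behaviour = behaviour
        self.external_ip = external_ip
        self.next_port = first_port
        self.mappings = {}   # mapping key -> external port
        self.peers = {}      # external port -> set of (dst_ip, dst_port) sent to

    def _key(self, src, dst):
        # symmetric NAT: a new mapping per (internal endpoint, destination);
        # the three cone types reuse one mapping per internal endpoint
        return (src, dst) if self.behaviour == "symmetric" else src

    def outbound(self, src, dst):
        """Internal src sends to external dst; returns the external (ip, port)."""
        key = self._key(src, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.peers[self.next_port] = set()
            self.next_port += 1
        eport = self.mappings[key]
        self.peers[eport].add(dst)
        return (self.external_ip, eport)

    def inbound(self, eport, remote):
        """Packet from remote to our external port; returns internal endpoint or None."""
        for key, port in self.mappings.items():
            if port != eport:
                continue
            src = key[0] if self.behaviour == "symmetric" else key
            sent_to = self.peers[eport]
            if self.behaviour == "full_cone":
                return src                                  # anyone may send
            if self.behaviour == "restricted_cone":
                if any(remote[0] == ip for ip, _ in sent_to):
                    return src                              # known IP, any port
            elif remote in sent_to:                         # port-restricted / symmetric
                return src
        return None


def exposure(behaviour):
    """Which of three inbound senders reach the host after one outbound packet."""
    nat = ToyNat(behaviour, "198.51.100.1")
    host = ("10.0.0.5", 5000)
    _, eport = nat.outbound(host, ("203.0.113.10", 53))
    probes = {
        "same_peer": ("203.0.113.10", 53),
        "same_ip_other_port": ("203.0.113.10", 80),
        "other_ip": ("192.0.2.7", 53),
    }
    return {name: nat.inbound(eport, peer) is not None for name, peer in probes.items()}


if __name__ == "__main__":
    for b in BEHAVIOURS:
        print(b, exposure(b))
```

Running it prints one line per behaviour; only the full cone admits a sender the host never contacted, and the symmetric NAT additionally allocates a fresh external port for every new destination.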

NAT44

  • application level gateway (ALG):
    • TCP: recalculates checksum, because src IP is used in pseudoheader
    • ICMP: replaces addresses in payload (e.g., in Destination Unreachable)
    • DNS: changes addresses in payload, creates mapping in dynamic NAT
    • FTP: changes addresses in payload, changes TCP SEQ/ACK numbers
    • SMTP: changes addresses in payload
    • traceroute: changes address in payload, both ICMP and UDP
    • SIP, H.323
    • ESP
  • fragments
    • cached until first fragment is received, then only session info is used
    • session timeout for fragments – 60s, if exceeded – ICMP fragment reassembly time exceeded
  • ACL is verified before (ingress) and after (egress)
  • inside → outside priority:
    1. PBR
    2. routing
    3. NAT
  • outside → inside priority
    1. NAT
    2. PBR
    3. routing
; 60s default
(config)# ip nat translation dns-timeout <sec>|never

; 60s default, sessions after RST or FIN
(config)# ip nat translation finrst-timeout <sec>

; 60s default
(config)# ip nat translation icmp-timeout <sec>

; per port timeout, 60s default
(config)# ip nat translation port-timeout tcp|udp <PORT> <sec>

; 60s default
(config)# ip nat translation syn-timeout <sec>

; 24h default
(config)# ip nat translation tcp-timeout <sec>

; 24h default, dynamic NAT, 0 ≡ never
(config)# ip nat translation timeout <sec>

; ∞ default
(config)# ip nat translation max-entries <N>

; on by default, waits for all fragments before forwarding and NAT (does not reassemble!)
(config-if)# ip virtual-reassembly

(config-if)# ip virtual-reassembly in|out drop-fragments

; 32 default, fragments per reassembly
(config-if)# ip virtual-reassembly in|out max-fragments <N>

; 16 default, concurrent reassemblies
(config-if)# ip virtual-reassembly in|out max-reassemblies <N>

; 3s default
(config-if)# ip virtual-reassembly in|out timeout <sec>

PAT

  • reassembles fragments
  • incompatible with ALG

NVI

(config)# ip nat source list <ACL> interface <INTF> overload
; inside and outside
(config-if)# ip nat enable
# show ip nat nvi translation
# show ip nat nvi statistics

NAT-PT

  • not compatible with CEF, DNSSEC
  • NAPT-PT not compatible with fragmented packets
  • IPv4 ←→ IPv6
  • when IPv6 fragments are translated, DF flag in IPv4 is set
  • types: static, dynamic, PAT, IPv4-mapped
  • deprecated: dual-stack hosts are better
    • NAT-PT translated address may be chosen because of DNS ALG
    • translates DNS A record even for pure IPv4 request
(config)# no ip cef
(config)# no ipv6 cef

; /96 – the only supported length; NAT-PT is triggered when an IPv6 packet
; with dst from PREFIX is received
(config)# ipv6 nat prefix <PREFIX>/96
; enable NAT-PT on interface
(config-if)# ipv6 nat
(config-if)# ipv6 nat prefix <PREFIX>/96

NAT-PT static

; address translation for both src and dst, IPv6 → IPv4
; one address must be from PREFIX
(config)# ipv6 nat v4v6 source <IPv4> <IPv6>
(config)# ipv6 nat v6v4 source <IPv6> <IPv4>

IPv4 → IPv6 dynamic NAT

  • destination mapped
; [start, end] ∈ PREFIX for return traffic to trigger NAT-PT
(config)# ipv6 nat v4v6 pool <POOL> <IPv6_START> <IPv6_END> prefix-length <N>

(config)# ipv6 nat v4v6 source list <ACL> pool <POOL>

IPv6 → IPv4 PAT

  • destination mapped
(config)# ipv6 nat v6v4 source list <ACL> interface <INTF> overload

v4-mapped

  • uses last 32 bits as destination address
; ACL verifies IPv6 src
(config)# ipv6 nat <PREFIX>/96 v4-mapped <ACL>

NAT64

  • does not support VRF, IPv4/IPv6 options, fragmented UDP without checksum
  • better than NAT-PT: separates NAT and DNS64 function
  • 64:ff9b::/96 + IPv4 address
  • discovery of NAT64 prefix (RFC 7050)
    • host requests AAAA for ipv4only.arpa
    • well-known IPv4 address (WKA): 192.0.0.170, 192.0.0.171
    • DNS64 returns addresses of NAT64 + WKA
  • stateless
    • inserts IPv4 address into IPv6 (1:1 mapping)
    • wastes IPv4 addresses
    • IPv6 hosts must have corresponding addresses (RFC 6052)
  • stateful
    • uses 1 IPv4 address (≈ PAT)
    • creates IPv4 route to pool range via NVI
; adds route via NVI
(config)# nat64 prefix stateful <PREFIX>

; IPv6 must be from PREFIX
(config)# nat64 static <IPv6> <IPv4>

(config)# nat64 v4 pool <POOL> <START_IPv4> <END_IPv4>

(config)# nat64 v6v4 list <ACL> pool <POOL> [overload]

; stateless, process matching packets via NAT instead of routing
(config)# nat64 route <IPv4> <INTF>
(config-if)# nat64 enable
# show nat64 aliases
# show nat64 logging
# show nat64 prefix stateful
# show nat64 timeouts
# show nat64 mappings

DNS64

  • if an A record exists but no AAAA record – synthesize AAAA = NAT64 prefix + IPv4 address
  • can conflict with DNSSEC (synthesized address is not signed by the domain owner)
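The three mechanisms in the NAT64 and DNS64 sections (RFC 6052 /96 embedding, RFC 7050 prefix discovery through ipv4only.arpa and the "synthesize only when no AAAA exists" rule) are short enough to implement in a few lines. The code below is an added example, not from the original notes or from any router; the function names are assumptions and the DNS answers fed to them are constructed.

```python
# Added example (not from the original notes): RFC 6052 /96 address
# synthesis, RFC 7050 prefix discovery via ipv4only.arpa, and the DNS64
# decision rule. Sample DNS answers below are constructed.
import ipaddress

WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")
IPV4ONLY_ARPA_WKA = {ipaddress.IPv4Address("192.0.0.170"),
                     ipaddress.IPv4Address("192.0.0.171")}


def nat64_synthesize(ipv4, prefix=WELL_KNOWN_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled here")
    return ipaddress.IPv6Address(int(prefix.network_address)
                                 | int(ipaddress.IPv4Address(ipv4)))


def nat64_extract(ipv6, prefix=WELL_KNOWN_PREFIX):
    """Inverse mapping: recover the IPv4 address from a synthesized IPv6 address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def discover_nat64_prefix(aaaa_answers):
    """RFC 7050: an AAAA answer for ipv4only.arpa whose low 32 bits are a
    well-known address reveals the NAT64 prefix in its upper 96 bits."""
    for answer in aaaa_answers:
        addr = int(ipaddress.IPv6Address(answer))
        if ipaddress.IPv4Address(addr & 0xFFFFFFFF) in IPV4ONLY_ARPA_WKA:
            return ipaddress.IPv6Network(((addr >> 32) << 32, 96))
    return None   # no NAT64 in the path (or DNS64 not in use)


def dns64_answer(a_records, aaaa_records, prefix=WELL_KNOWN_PREFIX):
    """DNS64 rule from the notes: synthesize only when there is an A record
    and no AAAA record; real AAAA records are returned unchanged."""
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records]
    return [nat64_synthesize(a, prefix) for a in a_records]


if __name__ == "__main__":
    # constructed answers: a DNS64 resolver using a site-specific prefix
    print(discover_nat64_prefix(["2001:db8:64::c000:aa"]))   # 2001:db8:64::/96
    print(dns64_answer(["192.0.2.33"], []))                  # synthesized AAAA
    print(nat64_extract("64:ff9b::c000:221"))                # 192.0.2.33
```

The synthesized answer carries no DNSSEC signature, which is the conflict the notes mention: a validating stub resolver will reject it unless it performs the synthesis itself after learning the prefix from ipv4only.arpa.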

464XLAT

  • software
  • for IPv4 application over IPv6 connection (CLAT: 192.0.0.0/29)

NPTv6

  • stateless
  • RFC 6296
  • IPv6 → IPv6
  • no support for VRF, NAT64, mcast, firewall, L4 translation, syslog
(config)# nat66 prefix inside <PREFIX1> outside <PREFIX2>
(config-if)# nat66 inside|outside
# show nat66 prefix
# show nat66 statistics

IPv6 over IPv4 tunnels

6to4

  • 2002:<IPv4>::/48
  • does not support mcast ⇒ BGP as routing protocol
  • P2M
(config-if)# tunnel mode ipv6ip 6to4
(config-if)# tunnel source <INTF>

; 2002:<IPv4>::/48
(config-if)# ipv6 address <IPv6>
; address of 6to4 peer
(config)# ipv6 route <IPv6_PEER> tunnel0

6in4

  • IPv6 tunnel over IPv4 network

ISATAP

  • server IPv6 interface ID: ::5efe:<IPv4>
  • client receives address via tunnel
  • support for IGP in unicast mode
  • P2M – only server

Server

(config-if)# tunnel mode ipv6ip isatap
(config-if)# ipv6 address <PREFIX>
(config-if)# no ipv6 nd ra suppress

Client

(config-if)# tunnel mode ipv6ip
(config-if)# ipv6 address autoconfig
(config-if)# tunnel destination <IPv4>

6rd

  • rapid deployment
  • within ISP network: 6rd CPE, info via DHCP
  • 6rd prefix + IPv4 + subnet/64:
    • prefix – N bits
    • IPv4 – M bits
    • subnet – Z bits
  • IPv6 client, IPv4 core
  • common prefix and common suffix allow sending only Δ:
    • 2001:0:db8:0200::c15c:0
      • 2001:db8:: – 6rd
      • 10.1.0.0/16 – common prefix
      • 0.0.0.1/8 – common suffix
      • 02 – Δ
    • destination = 10.1.2.1
  • source = IPv4 upstream interface
  • IP protocol 41 (IPv6 in IPv4)
  • border router (BR)
    • by default source IPv4 and IPv6 must correspond to each other – verified by CPE
    • BR sends packets from native IPv6 – check must be disabled
(config)# ipv6 general-prefix <NAME> 6rd Tunnel0
(config-if)# tunnel mode ipv6ip
(config-if)# tunnel source <INTF>
(config-if)# tunnel 6rd prefix <IPv6>/<LENGTH>
(config-if)# tunnel 6rd ipv4 prefix-len <LENGTH> suffix-len <LENGTH>
(config-if)# tunnel 6rd br <IPv4_ADDR>

; towards ISP network
(config-if)# ipv6 address <NAME>::/128 anycast

; towards client
(config-if)# ipv6 address <NAME>::/64 eui-64
# show tunnel 6rd