- Configuring NAT for IP Address Conservation
- Using Application-Level Gateways with NAT
- MSRPC ALG Support for Firewall and NAT
- Configuring NAT for High Availability
- Integrating NAT with MPLS VPNs
- Monitoring and Maintaining NAT
- Configuring Stateful Interchassis Redundancy
- Stateless Network Address Translation 64
- Stateful Network Address Translation 64
- Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
- IP Multicast Dynamic NAT
- Match-in-VRF Support for NAT
- Finding Feature Information
- Restrictions for Stateless Network Address Translation 64
- Information About Stateless Network Address Translation 64
- How to Configure Stateless Network Address Translation 64
- Configuration Examples for Stateless Network Address Translation 64
- Additional References
- Feature Information for Stateless Network Address Translation 64
- Glossary
Stateless Network Address Translation 64
The Stateless Network Address Translation 64 (NAT64) feature provides a translation mechanism that translates an IPv6 packet into an IPv4 packet and vice versa. The translation involves parsing the entire IPv6 header, including the extension headers, and extracting the relevant information and translating it into an IPv4 header. Similarly, the IPv4 header is parsed in its entirety, including the IPv4 options, to construct an IPv6 header. This processing happens on a per-packet basis on the interfaces that are configured for Stateless NAT64 translation.
The Stateless NAT64 translator enables native IPv6 or IPv4 communication and facilitates coexistence of IPv4 and IPv6 networks.
The Stateless NAT64 translator does not maintain any state information in the datapath. This translator is based on the IETF working group Behavior Engineering for Hindrance Avoidance (BEHAVE) drafts about the framework for IPv4/IPv6 translation. This draft describes the mechanism to translate an IPv6 packet to an IPv4 packet and vice versa, including the transport layer headers and Internet Control Message Protocol (ICMP).
- Finding Feature Information
- Restrictions for Stateless Network Address Translation 64
- Information About Stateless Network Address Translation 64
- How to Configure Stateless Network Address Translation 64
- Configuration Examples for Stateless Network Address Translation 64
- Additional References
- Feature Information for Stateless Network Address Translation 64
- Glossary
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Stateless Network Address Translation 64
The following restrictions apply to the Stateless NAT64 feature:
- Only valid IPv4-translatable addresses can be used for stateless translation.
- Multicast is not supported.
- Applications without a corresponding application layer gateway (ALG) may not work properly with the Stateless NAT64 translator.
- The translation of IPv4 options, IPv6 routing headers, hop-by-hop extension headers, destination option headers, and source routing headers are not supported.
- Fragmented IPv4 UDP packets that do not contain a UDP checksum are not translated.
- IPv6 packets with zero UDP checksum are not translated.
Information About Stateless Network Address Translation 64
- Fragmentation of IP Datagrams in IPv6 and IPv4 Networks
- Translation of ICMP for Stateless NAT64 Translation
- IPv4-Translatable IPv6 Address
- Supported Stateless NAT64 Scenarios
- Multiple Prefixes Support for Stateless NAT64 Translation
Fragmentation of IP Datagrams in IPv6 and IPv4 Networks
In IPv4 networks, any intermediate router can do the fragmentation of an IP datagram. However, in IPv6 networks, fragmentation can be done only by the originating IPv6 host. Because fragmentation in IPv6 networks is done by the IPv6 hosts, the path maximum transmission unit (PMTU) discovery should also be done by the IPv6 hosts. However, a PMTU discovery is not possible across an IPv4 network where the routers are allowed to fragment the packets. In IPv4 networks, a Stateless NAT64 translator is used to fragment the IPv6 datagram and set the Don't Fragment (DF) bits in the IPv4 header. Similarly, the translator can add the fragment header to the IPv6 packet if an IPv4 fragment is received.
Translation of ICMP for Stateless NAT64 Translation
The IETF draft on the IP/ICMP translation algorithm describes the ICMP types or codes that should be translated between IPv4 and IPv6. ICMP errors embed the actual IP header and the transport header. Because the ICMP errors are embedded in the IP header, the IP header is not translated properly. For ICMP error packets, Stateless NAT64 translation should be applied twice: once for the outer header, and once again for the embedded header.
IPv4-Translatable IPv6 Address
IPv4-translatable IPv6 addresses are IPv6 addresses assigned to the IPv6 nodes for use with stateless translation. IPv4-translatable addresses consist of a variable-length prefix, an embedded IPv4 address, fixed universal bits (u-bits), and in some cases a suffix. IPv4-embedded IPv6 addresses are IPv6 addresses in which 32 bits contain an IPv4 address. This format is the same for both IPv4-converted and IPv4-translatable IPv6 addresses.
The figure below shows an IPv4-translatable IPv6 address format with several different prefixes and embedded IPv4 address positions.
Figure 1 | IPv4-Translatable IPv6 Address Format |
Prefixes Format
A set of bits at the start of an IPv6 address is called the format prefix. Prefix length is a decimal value that specifies how many of the leftmost contiguous bits of an address comprise the prefix.
An embedded IPv4 address is used to construct IPv4 addresses from the IPv6 packet. The Stateless NAT64 translator has to derive the IPv4 addresses that are embedded in the IPv6-translatable address by using the prefix length. The translator has to construct an IPv6-translatable address based on the prefix and prefix length and embed the IPv4 address based on the algorithm.
According to the IETF address format BEHAVE draft, a u-bit (bit 70) defined in the IPv6 architecture should be set to zero. For more information on the u-bit usage, see RFC 2464. The reserved octet, also called u-octet, is reserved for compatibility with the host identifier format defined in the IPv6 addressing architecture. When constructing an IPv6 packet, the translator has to make sure that the u-bits are not tampered with and are set to the value suggested by RFC 2373. The suffix will be set to all zeros by the translator. IETF recommends that the 8 bits of the u-octet (bit range 64-71) should be set to zero.
The prefix lengths of 32, 40, 48, 56, 64, or 96 are supported for Stateless NAT64 translation. The Well Known Prefix (WKP) is not supported. When traffic flows from the IPv4-to-IPv6 direction, either a WKP or a configured prefix can be added only in stateful translation.
Supported Stateless NAT64 Scenarios
The IETF framework draft for IPv4/IPv6 translation describes eight different network communication scenarios for Stateless NAT64 translation. The following scenarios are supported by the Cisco IOS Stateless NAT64 feature and are described in this section:
- Scenario 1--an IPv6 network to the IPv4 Internet
- Scenario 2--the IPv4 Internet to an IPv6 network
- Scenario 5--an IPv6 network to an IPv4 network
- Scenario 6--an IPv4 network to an IPv6 network
The figure below shows stateless translation for scenarios 1 and 2. An IPv6-only network communicates with the IPv4 Internet.
Figure 2 | Stateless Translation for Scenarios 1 and 2 |
Scenario 1 is an IPv6 initiated connection and scenario 2 is an IPv4 initiated connection. Stateless NAT64 translates these two scenarios only if the IPv6 addresses are IPv4 translatable. In these two scenarios, the Stateless NAT64 feature does not help with IPv4 address depletion, because each IPv6 host that communicates with the IPv4 Internet is a globally routable IPv4 address. This consumption is similar to the IPv4 consumption rate as a dual-stack. The savings, however, is that the internal network is 100 percent IPv6, which eases management (Access Control Lists, routing tables), and IPv4 exists only at the edge where the Stateless translators live.
The figure below shows stateless translation for scenarios 5 and 6. The IPv4 network and IPv6 network are within the same organization.
Figure 3 | Stateless Translation for Scenarios 5 and 6 |
The IPv4 addresses used are either public IPv4 addresses or RFC 1918 addresses. The IPv6 addresses used are either public IPv6 addresses or Unique Local Addresses (ULAs).
Both these scenarios consist of an IPv6 network that communicates with an IPv4 network. Scenario 5 is an IPv6 initiated connection and scenario 6 is an IPv4 initiated connection. The IPv4 and IPv6 addresses may not be public addresses. These scenarios are similar to the scenarios 1 and 2. The Stateless NAT64 feature supports these scenarios if the IPv6 addresses are IPv4 translatable.
Multiple Prefixes Support for Stateless NAT64 Translation
Network topologies that use the same IPv6 prefix for source and destination addresses may not handle routing correctly and may be difficult to troubleshoot. The Stateless NAT64 feature addresses these challenges in Cisco IOS XE Release 3.3S and later releases through the support of multiple prefixes for stateless translation. The entire IPv4 Internet is represented as using a different prefix from the one used for the IPv6 network.
How to Configure Stateless Network Address Translation 64
- Configuring a Routing Network for Stateless NAT64 Communication
- Configuring Multiple Prefixes for Stateless NAT64 Translation
- Monitoring and Maintaining the Stateless NAT64 Routing Network
Configuring a Routing Network for Stateless NAT64 Communication
Perform this task to configure and verify a routing network for Stateless NAT64 communication.
- An IPv6 address assigned to any host in the network should have a valid IPv4-translatable address and vice versa.
- You should enable the ipv6 unicast-routing command for this configuration to work.
DETAILED STEPS
Configuring Multiple Prefixes for Stateless NAT64 Translation
Perform this task to configure multiple prefixes for Stateless NAT64 translation.
DETAILED STEPS
Monitoring and Maintaining the Stateless NAT64 Routing Network
Perform this task to verify and monitor the Stateless NAT64 routing network. In the privileged EXEC mode, you can enter the commands in any order.
DETAILED STEPS
Configuration Examples for Stateless Network Address Translation 64
- Example Configuring a Routing Network for Stateless NAT64 Translation
- Example: Configuring Multiple Prefixes for Stateless NAT64 Translation
Example Configuring a Routing Network for Stateless NAT64 Translation
The following example shows how to configure a routing network for Stateless NAT64 translation:
ipv6 unicast-routing ! interface gigabitethernet 0/0/0 description interface facing ipv6 ipv6 enable ipv6 address 2001:DB8::1/128 nat64 enable ! interface gigabitethernet 1/2/0 description interface facing ipv4 ip address 198.51.100.1 255.255.255.0 nat64 enable ! nat64 prefix stateless 2001:0db8:0:1::/96 nat64 route 203.0.113.0/24 gigabitethernet 0/0/0 ipv6 route 2001:DB8:0:1::CB00:7100/120 gigabitethernet 0/0/0
Example: Configuring Multiple Prefixes for Stateless NAT64 Translation
ipv6 unicast-routing ! interface gigabitethernet 0/0/0 ipv6 address 2001:DB8::1/128 ipv6 enable nat64 enable nat64 prefix stateless v6v4 2001:0db8:0:1::/96 ! interface gigabitethernet 1/2/0 ip address 198.51.100.1 255.255.255.0 negotiation auto nat64 enable ! nat64 prefix stateless v4v6 2001:DB8:2::1/96 ipv6 route 2001:DB8:0:1::CB00:7100/120 gigabitethernet 0/0/0
Additional References
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
NAT commands |
|
NAT concepts, configuration tasks, and examples |
Standards
Standard |
Title |
---|---|
Framework for IPv4/IPv6 translation |
Framework for IPv4/IPv6 Translation draft-ietf-behave-v6v4-framework-03 |
IETF address format-10 BEHAVE draft |
IPv6 Addressing of IPv4/IPv6 Translators draft-ietf-behave-address-format-10 |
IP/ICMP translation algorithm |
IP/ICMP Translation Algorithm draft-ietf-behave-v6v4-xlate-05 |
IPv6 addressing of IPv4/IPv6 translators |
IPv6 Addressing of IPv4/IPv6 Translators draft-ietf-behave-address-format-02 |
MIBs
MIB |
MIBs Link |
---|---|
None |
To locate and download MIBs for selected platforms, Cisco software releases, and feature sets, use Cisco MIB Locator found at the following URL: |
RFCs
RFC |
Title |
---|---|
RFC 1191 |
Path MTU discovery |
RFC 1918 |
Address Allocation for Private Internets |
RFC 2373 |
IP Version 6 Addressing Architecture |
RFC 2464 |
Transmission of IPv6 Packets over Ethernet Networks |
RFC 2765 |
Stateless IP/ICMP Translation Algorithm (SIIT) |
RFC 2766 |
Network Address Translation - Protocol Translation (NAT-PT) |
RFC 4787 |
Network Address Translation (NAT) Behavioral Requirements for Unicast UDP |
RFC 4966 |
Reasons to Move the Network Address Translator - Protocol Translator (NAT-PT) to Historic Status |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Stateless Network Address Translation 64
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1 | Feature Information for Stateless Network Address Translation 64 |
Feature Name |
Releases |
Feature Information |
---|---|---|
Stateless Network Address Translation 64 |
Cisco IOS XE Release 3.2S |
The Stateless Network Address Translation 64 feature provides a translation mechanism that translates an IPv6 packet into an IPv4 packet and vice versa. The translation involves parsing the entire IPv6 header, including the extension headers, and extracting the relevant information and translating it into an IPv4 header. Similarly, the IPv4 header is parsed in its entirety, including the IPv4 options, to construct an IPv6 header. This processing happens on a per-packet basis on the interfaces that are configured for Stateless NAT64 translation. The following commands were introduced or modified: clear nat64 ha statistics, clear nat64 statistics, debug nat64, nat64 enable, nat64 prefix, nat64 route, show nat64 adjacency, show nat64 ha status, show nat64 prefix stateless, show nat64 routes, and show nat64 statistics. |
Glossary
ALG--application-layer gateway or application-level gateway.
FP--Forward Processor.
IPv4-converted address--IPv6 addresses used to represent the IPv4 hosts. These have an explicit mapping relationship to the IPv4 addresses. This relationship is self-described by mapping the IPv4 address in the IPv6 address. Both stateless and stateful translators use IPv4-converted IPv6 addresses to represent the IPv4 hosts.
IPv6-converted address--IPv6 addresses that are assigned to the IPv6 hosts for the stateless translator. These IPv6-converted addresses have an explicit mapping relationship to the IPv4 addresses. This relationship is self-described by mapping the IPv4 address in the IPv6 address. The stateless translator uses the corresponding IPv4 addresses to represent the IPv6 hosts. The stateful translator does not use IPv6-converted addresses, because the IPv6 hosts are represented by the IPv4 address pool in the translator via dynamic states.
NAT--Network Address Translation.
RP--Route Processor.
stateful translation--In stateful translation a per-flow state is created when the first packet in a flow is received. A translation algorithm is said to be stateful if the transmission or reception of a packet creates or modifies a data structure in the relevant network element. Stateful translation allows the use of multiple translators interchangeably and also some level of scalability. Stateful translation is defined to enable the IPv6 clients and peers without mapped IPv4 addresses to connect to the IPv4-only servers and peers.
stateless translation--A translation algorithm that is not stateful is called stateless. A stateless translation requires configuring a static translation table, or may derive information algorithmically from the messages it is translating. Stateless translation requires less computational overhead than stateful translation. It also requires less memory to maintain the state, because the translation tables and the associated methods and processes exist in a stateful algorithm and do not exist in a stateless one. Stateless translation enables the IPv4-only clients and peers to initiate connections to the IPv6-only servers or peers that are equipped with IPv4-embedded IPv6 addresses. It also enables scalable coordination of IPv4-only stub networks or ISP IPv6-only networks. Because the source port in an IPv6-to-IPv4 translation may have to be changed to provide adequate flow identification, the source port in the IPv4-to-IPv6 direction need not be changed.
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.