Mapping Address and Port (MAP)

Mapping Address and Port (MAP) is a carrier-grade feature for translating IPv4 addresses to IPv6, so the traffic can be sent over the service provider’s IPv6 network before being translated back to IPv4 at the service provider edge.

About Mapping Address and Port (MAP)

Mapping Address and Port (MAP) is primarily a feature for use in service provider (SP) networks. The service provider can operate an IPv6-only network, the MAP domain, while supporting IPv4-only subscribers and their need to communicate with IPv4-only sites on the public Internet. MAP is defined in RFC7597, RFC7598, and RFC7599.

For the service provider, within the MAP domain, the benefit of MAP over NAT46 is that the substitution of an IPv6 address for the subscriber’s IPv4 address (and back again to IPv4 at the SP network edge) is stateless. This provides greater efficiency within the SP network compared to NAT46.

There are two MAP techniques, MAP-Translation (MAP-T) and MAP-Encapsulation (MAP-E). The ASA supports MAP-T; MAP-E is not supported.

About Mapping Address and Port Translation (MAP-T)

With MAP-T, the subscriber’s IPv4 address is first translated to the server provider’s (SP) public IPv4 address, which could be either a one-to-one address mapping, or a mapping to a prefix or a shared address. Next, that IPv4 address is translated to an IPv6 address within the MAP domain, and the packet is transmitted over the SP IPv6 network. At the network edge, the SP’s border relay is responsible for translating the IPv6 address back to the SP’s IPv4 address before routing the packet to the public IPv4 network. The exact reverse is performed for traffic coming from the public IPv4 network to the subscriber.

Figure 1. MAP-T Network

MAP-T network diagram.

By using MAP-T, you can transition the SP network to an IPv6-only architecture while allowed subscribers to continue using IPv4 and communicate with IPv4-only Internet or other sites outside the SP network.

MAP-T behaves like a NAT64 translation but instead of using an IPv6 address with an embedded IPv4 address, it uses an encoding scheme that also embeds the port number. Thus, MAP-T provides a way to restrict the port range used by devices.

A MAP-T system includes the following:

  • Customer Edge (CE) device—The CE is a home gateway (wireless router, cable modem with router, and so forth). The CE provides IPv4/IPv6 translation as well as native IPv6 forwarding. It has one WAN-side provider-facing IPv6-addressed interface and one or more LAN-side interfaces addressed using private IPv4 addressing. You would configure one or more MAP domains for the CE to use to translate IPv4 packets to IPv6 and vice-verse.

  • Border Relay (BR) device—You would install the ASA as a border relay. The BR is a provider-side component at the edge of the MAP domain that supports the IPv4/IPv6 translation. The BR has at least one IPv6-enabled interface and one IPv4 interface connected to the IPv4 network. You would configure one or more MAP domains for the BR to use to translate IPv4 packets to IPv6 and vice-verse. You must configure the CEs and BR with the same MAP domain rules.

  • MAP Domain—A MAP domain is a mechanism to group a set of MAP-T CE devices with a set of MAP-T BR devices. A domain is a set of parameters that are shared between the BR and CE devices assigned to the domain. You configure the same domain with the same parameters on each of the BR and CE devices.

Guidelines for Mapping Address and Port (MAP)

Firewall Mode Guidelines

You can configure MAP in routed mode only. Transparent mode is not supported.

Additional Guidelines

  • The ASA does not get involved in packet forwarding in mesh mode. Thus, you cannot configure forward mapping rules (FMR) in a MAP domain.

  • MAP does not support tunneled VPN, multicast, or anycast traffic.

  • You cannot use both NAT and MAP on a given connection. Ensure that your NAT and MAP rules do not overlap. You will get unexpected results if you have overlapping rules.

  • The follow inspections do not support MAP translation. Packets subject to these inspections are not translated.

    • CTIQBE

    • DCERPC

    • Diameter

    • Name resolution over WINS

    • GTP

    • H.323 and H.225 and H.245 and RAS

    • ILS (LDAP)

    • Instant Messaging

    • IP Options (RFC 791, 2113)

    • IPSec Pass Through

    • LISP

    • M3UA

    • MGCP

    • MMP

    • NetBIOS

    • PPTP

    • RADIUS accounting

    • RSH

    • RTSP

    • SIP

    • SKINNY

    • SMTP and ESMTP

    • SNMP

    • SQL*Net

    • STUN

    • Sun RPC

    • TFTP

    • WAAS

    • XDMCP

    • Active FTP

Configure MAP-T Domains

To configure MAP-T, you create one or more domains. When you configure MAP-T on customer edge (CE) and border relay (BR) devices, ensure that you use the same parameters for each device that will participate in each domain.

You can configure up to 25 MAP-T domains. In multiple-context mode, you can configure up to 25 domains per context.

Procedure

Step 1

Create (or edit) the MAP domain.

map-domain name

Where the name is an alphanumeric string up to 48 characters. The name can also include the following special characters: period (.), slash (/), and colon (:).

Example:


ciscoasa(config)# map-domain 1
ciscoasa(config-map-domain)#
Step 2

Configure the default mapping rule.

default-mapping-rule ipv6_prefix/prefix_length

Specify an IPv6 prefix to be used to embed IPv4 destination addresses per RFC 6052. The prefix length should normally be 64, but allowed values are 32, 40, 48, 56, 64 or 96. Any trailing bits after the embedded IPv4 address are set to 0.

The border relay (BR) device uses this rule to translate all IPv4 addresses outside the MAP domain to an IPv6 address that works within the MAP domain.

Example:


ciscoasa(config-map-domain)# default-mapping-rule 2001:DB8:CAFE:CAFE::/64
Step 3

Configure the basic mapping rule.

The customer edge (CE) device uses the basic mapping rule to determine its dedicated IPv4 addressing or shared address and port set assignment. The CE device first translates the system’s IPv4 address to an IPv4 address and port within the pool’s prefix and port range (using NAT44), then MAP translates the new IPv4 address to an IPv6 address within the pool defined by the rule’s IPv6 prefix. The packet is then ready to be transmitted over the service provider’s IPv6-only network to a border relay (BR) device.

  1. Enter basic mapping rule configuration mode.

    basic-mapping-rule

  2. Configure the IPv4 prefix.

    ipv4-prefix ipv4_network_address netmask

    The IPv4 prefix defines the IPv4 address pool for the customer edge (CE) device. The CE device first translates its IPv4 address to an address (and port number) in the pool defined by the IPv4 prefix. MAP then translates this new address to an IPv6 address using the prefix in the default mapping rule.

    Specify a network address and subnet mask, for example, 192.168.3.0 255.255.255.0. You cannot use the same IPv4 prefix in different MAP domains.

  3. Configure the IPv6 prefix.

    ipv6-prefix ipv6_prefix/prefix_length

    The IPv6 prefix defines the address pool for the CE device’s IPv6 address. MAP translates IPv6 packets back to IPv4 only if the packets have a destination address with this prefix and a source address with the IPv6 prefix defined in the default mapping rule, and is within the right port range. Any IPv6 packets sent to the CE device from other addresses are simply processed as IPv6 traffic without MAP translation. Packets from the MAP source/destination pools, but with out-of-range ports, are simply dropped.

    Specify an IPv6 prefix and prefix length, which is normally 64, but cannot be less than 8. You cannot use the same IPv6 prefix in different MAP domains.

  4. Configure the starting port.

    start-port number

    The first port in the port pool for the translated address. The port you specify must be a power of 2, from 1-32768 such as 1, 2, 4, 8, and so forth. If you want to exclude the well-known ports, start at 1024 or higher.

  5. Configure the port ratio, which determines how many ports are in the port pool.

    share-ratio number

    Specify the number of ports that should be in the pool. The number must be a power of 2, from 1-65536, such as 1, 2, 4, 8, and so forth.

Example:


ciscoasa(config-map-domain)# basic-mapping-rule
ciscoasa(config-map-domain-bmr)# ipv4-prefix 192.168.3.0 255.255.255.0
ciscoasa(config-map-domain-bmr)# ipv6-prefix 2001:cafe:cafe:1::/64
ciscoasa(config-map-domain-bmr)# start-port 1024
ciscoasa(config-map-domain-bmr)# share-ratio 16

Example


ciscoasa(config)# map-domain 1
ciscoasa(config-map-domain)# default-mapping-rule 2001:DB8:CAFE:CAFE::/64
ciscoasa(config-map-domain)# basic-mapping-rule
ciscoasa(config-map-domain-bmr)# ipv4-prefix 192.168.3.0 255.255.255.0
ciscoasa(config-map-domain-bmr)# ipv6-prefix 2001:cafe:cafe:1::/64
ciscoasa(config-map-domain-bmr)# start-port 1024
ciscoasa(config-map-domain-bmr)# share-ratio 16

Monitoring MAP

The following topics explain how you can monitor the MAP configuration and activity.

Verifying the MAP Domain Configuration

You can view the map domains and their status to verify the configuration is correct.

The show map-domain command displays the MAP configuration (similar to the show running-config map-domain command), but also indicates whether a domain configuration is valid. In the following example, there are two domains, 1 and 2. The output explains that MAP domain 2 is incomplete, and thus it is not active. 


MAP Domain 1
  Default Mapping Rule
    IPv6 prefix 2001:db8:cafe:cafe::/64
  Basic Mapping Rule
    IPv6 prefix 2001:cafe:cafe:1::/64
    IPv4 prefix 192.168.3.0 255.255.255.0
    share ratio 16
    start port 1024
    PSID length 4
    PSID offset 6
    Rule EA-bit length 12

MAP Domain 2
  Default Mapping Rule
    IPv6 prefix 2001:db8:1234:1234::/64

Warning: map-domain 2 configuration is incomplete and not in effect.

Monitoring MAP Syslog Messages

If you enable syslog, you can monitor MAP behavior with the following syslog messages:

  • 305018: MAP translation from interface name:source IP address/source port-destination IP address/destination port to interface name:translated source IP address/translated source port-translated destination IP address/translated destination port

    A new MAP translation was made. The message shows the original and translated source and destination.

  • 305019: MAP node address IP address/port has inconsistent Port Set ID encoding

    A packet has an address that matches MAP basic mapping rules, which means it is meant to be translated, but the Port Set ID encoded within the address is inconsistent per RFC7599. This likely means there is a software fault on the MAP node where this packet originates.

  • 305020: MAP node with address IP address is not allowed to use port port

    A packet has an address that matches MAP basic mapping rules, which means it is meant to be translated, but the associated port does not fall within the range allocated to that address. This likely means there is misconfiguration on the MAP node where this packet originates.

History for MAP

Feature Name

Platform Releases

Description

Mapping Address and Port-Translation (MAP-T)

9.13(1)

Mapping Address and Port (MAP) is primarily a feature for use in service provider (SP) networks. The service provider can operate an IPv6-only network, the MAP domain, while supporting IPv4-only subscribers and their need to communicate with IPv4-only sites on the public Internet. MAP is defined in RFC7597, RFC7598, and RFC7599.

We introduced or modified the following commands: basic-mapping-rule , default-mapping-rule , ipv4-prefix , ipv6-prefix , map-domain , share-ratio , show map-domain , start-port .