05-Layer 3 - IP Services Configuration Guide

12-NAT-PT Configuration

 

 

NOTE:

SPE cards in this document refer to cards prefixed with SPE such as SPE-1020-E-II.

Only the cards SPE-1010-II, SPE-1010-E-II, SPE-1020-II, and SPE-1020-E-II support NAT service interface configuration.

 

NAT-PT overview

Application scenario

Because of the coexistence of IPv4 networks and IPv6 networks, Network Address Translation – Protocol Translation (NAT-PT) was introduced to realize translation between IPv4 and IPv6 addresses. For example, it can enable a host in an IPv6 network to access the FTP server in an IPv4 network.

As shown in Figure 1, NAT-PT runs on the router between IPv4 and IPv6 networks. The address translation is transparent to both IPv4 and IPv6 networks. Users in the IPv6 and IPv4 networks can communicate without changing their configurations.

Figure 1 Network diagram

 

Basic concepts

NAT-PT mechanism

There are three NAT-PT mechanisms to realize translation between IPv4 and IPv6 addresses: static mapping, dynamic mapping, and NAPT-PT.

1.      Static mapping

Static mappings are manually configured for translation between IPv6 and IPv4 addresses.

2.      Dynamic mapping

Dynamic mappings are dynamically generated for translation between IPv6 and IPv4 addresses. Different from static mappings, dynamic mappings are not fixed one-to-one mappings between IPv6 and IPv4 addresses.

3.      NAPT-PT

Network Address Port Translation – Protocol Translation (NAPT-PT) realizes the TCP/UDP port number translation besides static or dynamic address translation. With NAPT-PT, different IPv6 addresses can correspond to one IPv4 address. Different IPv6 hosts are distinguished by different port numbers so that these IPv6 hosts can share one IPv4 address to accomplish the address translation and save IPv4 addresses.

NAT-PT prefix

The 96-bit NAT-PT prefix in the IPv6 address prefix format is used in the following cases:

·           Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT router detects the prefix of the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix, the router will translate source and destination IPv6 addresses of the packet into IPv4 addresses.

·           After a packet from an IPv4 host to an IPv6 host is translated through NAT-PT, the prefix of the translated source IPv6 address is the configured NAT-PT prefix.

Implementing NAT-PT

Session initiated by an IPv6 host

Figure 2 NAT-PT implementation (session initiated by an IPv6 host)

 

NAT-PT works as follows:

1.      Determines whether to perform NAT-PT or not

Upon receiving a packet from an IPv6 host to an IPv4 host, the NAT-PT router detects the prefix of the destination IPv6 address in the packet. If the prefix is the same as the configured NAT-PT prefix, the router considers that the packet needs to be forwarded to the IPv4 network and NAT-PT needs to be performed.

2.      Translates the source IP address

The NAT-PT router translates the source IPv6 address of the packet into an IPv4 address according to the static or dynamic mapping on the IPv6 side.

3.      Translates the destination IP address

The NAT-PT router translates the destination IPv6 address of the packet into an IPv4 address according to the static mapping, if configured, on the IPv4 network side. Without any static mapping configured on the IPv4 network side, if the lowest 32 bits of the destination IPv6 address in the packet can be directly translated into a valid IPv4 address, the destination IPv6 address is translated into that IPv4 address. Otherwise, the translation fails.

4.      Forwards the packet and stores the mappings

After the source and destination IPv6 addresses of the packet are translated into IPv4 addresses, the NAT-PT router forwards the packet to the IPv4 host. Meanwhile, the IPv4/IPv6 address mappings are stored in the NAT-PT router.

5.      Forwards the reply packet according to the stored mappings

Upon receiving a reply packet from the IPv4 host to the IPv6 host, the NAT-PT router translates the source and destination IPv4 addresses back into IPv6 addresses according to the stored mappings and forwards the packet to the IPv6 host.

Session initiated by an IPv4 host

The NAT-PT implementation process for a session initiated by an IPv4 host is as follows:

1.      Determines whether to perform NAT-PT or not

Upon receiving a packet from an IPv4 host to an IPv6 host, the NAT-PT router checks the destination IPv4 address in the packet against the static mappings configured on the IPv6 network side. If a match is found, the router considers that the packet needs to be forwarded to the IPv6 network and NAT-PT needs to be performed.

2.      Translates the source IP address

The NAT-PT router translates the source IPv4 address of the packet into an IPv6 address according to the static or dynamic mapping on the IPv4 side. If no mapping is configured on the IPv4 side, the source IPv4 address combined with the first configured NAT-PT prefix is used as the translated source IPv6 address.

3.      Translates the destination IP address

The NAT-PT router translates the destination IPv4 address of the packet into an IPv6 address according to the static mapping on the IPv6 side.

4.      Forwards the packet and stores the mappings

After the source and destination IPv4 addresses of the packet are translated into IPv6 addresses, the NAT-PT router forwards the packet to the IPv6 host. Meanwhile, the IPv4/IPv6 address mappings are stored in the NAT-PT router.

5.      Forwards the reply packet according to the stored mappings

Upon receiving a reply packet from the IPv6 host to the IPv4 host, the NAT-PT router translates the source and destination IPv6 addresses back into IPv4 addresses according to the stored mappings and forwards the packet to the IPv4 host.
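
The two translation procedures above can be traced in a short Python model. This is an added example, not H3C code: it reuses the addresses from the static-mapping configuration example later in this chapter (prefix 3001::, 2001::2 mapped to 9.0.0.5, 8.0.0.2 mapped to 3001::5). The function names, the session table layout, and the definition of a "valid" IPv4 address are assumptions.

```python
import ipaddress

# Addresses come from the page's static-mapping example. All function and
# variable names are assumptions made for this sketch.
PREFIX = ipaddress.IPv6Network("3001::/96")  # natpt prefix 3001::
V6BOUND = {ipaddress.IPv6Address("2001::2"): ipaddress.IPv4Address("9.0.0.5")}
V4BOUND = {ipaddress.IPv4Address("8.0.0.2"): ipaddress.IPv6Address("3001::5")}
# Stored mappings, keyed from the IPv4 side:
# (IPv4 alias of the IPv6 host, IPv4 host) -> (IPv6 host, IPv6 alias of the IPv4 host)
sessions = {}


def low32_as_ipv4(addr6):
    """Lowest 32 bits as an IPv4 address, or None if it is unusable.
    Assumption: "valid" means not unspecified, multicast or reserved."""
    addr4 = ipaddress.IPv4Address(int(addr6) & 0xFFFFFFFF)
    if addr4.is_unspecified or addr4.is_multicast or addr4.is_reserved:
        return None
    return addr4


def v6_to_v4(src6, dst6):
    """Session initiated by an IPv6 host. Returns (src4, dst4) or None."""
    src6, dst6 = ipaddress.IPv6Address(src6), ipaddress.IPv6Address(dst6)
    if dst6 not in PREFIX:  # step 1: destination must carry the NAT-PT prefix
        return None
    src4 = V6BOUND.get(src6)  # step 2: mapping on the IPv6 side
    # Step 3: static mapping on the IPv4 side first, then the lowest 32 bits.
    dst4 = next((v4 for v4, v6 in V4BOUND.items() if v6 == dst6), None)
    if dst4 is None:
        dst4 = low32_as_ipv4(dst6)
    if src4 is None or dst4 is None:
        return None  # translation fails
    sessions[(src4, dst4)] = (src6, dst6)  # step 4: store the mappings
    return str(src4), str(dst4)


def v4_to_v6(src4, dst4):
    """Session initiated by an IPv4 host. Returns (src6, dst6) or None."""
    src4, dst4 = ipaddress.IPv4Address(src4), ipaddress.IPv4Address(dst4)
    # Step 1: the destination must match a static mapping on the IPv6 side.
    dst6 = next((v6 for v6, v4 in V6BOUND.items() if v4 == dst4), None)
    if dst6 is None:
        return None
    # Step 2: mapping on the IPv4 side, else the source address under the prefix.
    src6 = V4BOUND.get(src4)
    if src6 is None:
        src6 = ipaddress.IPv6Address(int(PREFIX.network_address) | int(src4))
    sessions[(dst4, src4)] = (dst6, src6)  # step 4: store the mappings
    return str(src6), str(dst6)


def reply_v4_to_v6(src4, dst4):
    """Step 5 of the IPv6-initiated case: translate the IPv4 host's reply."""
    key = (ipaddress.IPv4Address(dst4), ipaddress.IPv4Address(src4))
    if key not in sessions:
        return None
    host6, alias6 = sessions[key]
    return str(alias6), str(host6)  # source is the IPv4 host's IPv6 alias


if __name__ == "__main__":
    print(v6_to_v4("2001::2", "3001::800:2"))    # destination from low 32 bits
    print(reply_v4_to_v6("8.0.0.2", "9.0.0.5"))  # reply via the stored mapping
    print(v4_to_v6("8.0.0.9", "9.0.0.5"))        # source placed under the prefix
```

A reply that matches no stored mapping returns None, which is the model's view of the limitation that request and response must pass through the same NAT-PT router.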

NAT-PT limitations

NAT-PT has the following limitations:

·           In NAT-PT translation, the request and response packets of a session must be processed by the same NAT-PT router.

·           The Options field in the IPv4 packet header cannot be translated.

·           NAT-PT does not provide end-to-end security.

Therefore, NAT-PT is not recommended in some applications. For example, tunneling is recommended in the case where an IPv6 host needs to communicate with another IPv6 host across an IPv4 network. For more information about tunneling, see the chapter “Configuring tunneling.”

Currently, NAT-PT supports Internet Control Message Protocol (ICMP), Domain Name System (DNS), File Transfer Protocol (FTP), and other protocols that employ the network layer protocol but have no address information in the protocol messages.

Protocols and standards

·           RFC 2765, Stateless IP/ICMP Translation Algorithm

·           RFC 2766, Network Address Translation - Protocol Translation (NAT-PT)

NAT-PT configuration task list

Complete the following tasks to configure NAT-PT to allow active access from an IPv6 host to an IPv4 host:

 

| Task | Remarks |
|---|---|
| Enabling NAT-PT | Required |
| Configuring a NAT-PT prefix | Required |
| Configuring IPv4/IPv6 address mappings on the IPv6 side | Required |
| Configuring a static IPv4/IPv6 address mapping on the IPv4 side | Optional. If no static IPv4/IPv6 address mapping is configured, the lowest 32 bits of the destination IPv6 address are used as the translated destination IPv4 address. |
| Setting the ToS field after NAT-PT translation | Optional |

 

Complete the following tasks to configure NAT-PT to allow active access from an IPv4 host to an IPv6 host:

 

| Task | Remarks |
|---|---|
| Enabling NAT-PT | Required |
| Configuring a NAT-PT prefix | Required |
| Configuring IPv4/IPv6 address mappings on the IPv4 side | Optional. If no IPv4/IPv6 address mapping is configured, the source IPv4 address combined with the first configured NAT-PT prefix is used as the translated source IPv6 address. |
| Configuring a static mapping on the IPv6 side | Required. Complete either task. |
| Configuring static NAPT-PT mappings of IPv6 servers | Required. Complete either task. |
| Setting the traffic class field after NAT-PT translation | Optional |

 

Configuring NAT-PT

Configuration prerequisites

Before implementing NAT-PT, complete the following tasks:

·           Enable IPv6 on the router. For more information, see the chapter “IPv6 basics configuration.”

·           Configure an IPv4 or IPv6 address as required on the interface to be enabled with NAT-PT.

Enabling NAT-PT

After NAT-PT is enabled on both the IPv4 network interface and the IPv6 network interface, the router can implement translation between IPv4 and IPv6 addresses.

To enable NAT-PT:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Enable NAT-PT on the interface. | natpt enable | Disabled by default |

 

Configuring a NAT-PT prefix

To configure a NAT-PT prefix:

 

| Step | Command |
|---|---|
| 1. Enter system view. | system-view |
| 2. Enter NAT service interface view. | interface nat interface-number |
| 3. Configure a NAT-PT prefix. | natpt prefix natpt-prefix |

 

CAUTION:

·       The NAT-PT prefix must be different from the IPv6 address prefix of a local interface. Otherwise, incoming packets matching the prefix will get lost due to NAT-PT translation.

·       To delete a NAT-PT prefix that has been referenced by using the natpt v4bound dynamic or natpt v6bound dynamic command, you must cancel the referenced configuration first.

 

Configuring IPv4/IPv6 address mappings on the IPv6 side

IPv4/IPv6 address mappings on the IPv6 side can be static or dynamic.

Configuring a static mapping on the IPv6 side

A static mapping on the IPv6 side shows the one-to-one correspondence between an IPv4 address and an IPv6 address.

·           If the source IPv6 address in a packet sent from an IPv6 host to an IPv4 host matches the static mapping, the source IPv6 address is translated into the corresponding IPv4 address.

·           If the destination IPv4 address in a packet sent from an IPv4 host to an IPv6 host matches the static mapping, the destination IPv4 address is translated into the corresponding IPv6 address.

To configure a static IPv4/IPv6 address mapping on the IPv6 side:

 

| Step | Command |
|---|---|
| 1. Enter system view. | system-view |
| 2. Enter NAT service interface view. | interface nat interface-number |
| 3. Configure a static IPv4/IPv6 address mapping on the IPv6 side. | natpt v6bound static ipv6-address ipv4-address |

 

Configuring a dynamic IPv4/IPv6 mapping policy on the IPv6 side

A dynamic IPv4/IPv6 mapping policy on the IPv6 side means that if the source IPv6 address matches a specified IPv6 ACL or the destination IPv6 address is the same as the specified NAT-PT prefix, the source IPv6 address will be translated into an IPv4 address in a specified NAT-PT address pool or the IPv4 address of a specified interface.

The router provides four types of dynamic mapping policies.

·           Policy 1—Associate an IPv6 ACL with an address pool.

If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address will be translated into an IPv4 address in the specified address pool.

·           Policy 2—Associate an IPv6 ACL with an interface address.

If the source IPv6 address of a packet matches the specified IPv6 ACL, the source IPv6 address will be translated into the IPv4 address of the specified interface.

·           Policy 3—Associate a NAT-PT prefix with an address pool.

If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address will be translated into an IPv4 address in the specified address pool.

·           Policy 4—Associate a NAT-PT prefix with an interface address.

If the destination IPv6 address of a packet matches the NAT-PT prefix, the source IPv6 address will be translated into the IPv4 address of the specified interface.

To use policy 1 or 3, you must configure a NAT-PT address pool first.

A NAT-PT address pool is a group of contiguous IPv4 addresses and is used to translate an IPv6 address into an IPv4 address dynamically. When an IPv6 packet is sent from an IPv6 network to an IPv4 network, if policy 1 or 3 is set, the NAT-PT device will select an IPv4 address from the NAT-PT address pool as the source IPv4 address of the IPv6 packet.

To configure a dynamic IPv4/IPv6 address mapping policy on the IPv6 side:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Configure a NAT-PT address pool. | natpt address-group group-number start-ipv4-address end-ipv4-address | Required for the first type and third type in which the source IPv6 address is translated into an IPv4 address in the specified address pool. This configuration is not needed in the second type and fourth type. |
| 3. Enter the NAT service interface view. | interface nat interface-number | N/A |
| 4. Configure a dynamic IPv4/IPv6 address mapping policy on the IPv6 side. | See the four rows below. | Configure any of the four types of dynamic mappings. |
| · Associate an IPv6 ACL with an address pool | natpt v6bound dynamic acl6 number acl-number address-group address-group [ no-pat ] | If the source IPv6 address of an IPv6 packet matches the specified IPv6 ACL, the source IPv6 address will be translated into an IPv4 address of the specified address pool. |
| · Associate an IPv6 ACL with an interface address | natpt v6bound dynamic acl6 number acl-number interface interface-type interface-number | If the source IPv6 address of an IPv6 packet matches the specified IPv6 ACL, the source IPv6 address will be translated into the IPv4 address of the specified interface. |
| · Associate a NAT-PT prefix with an address pool | natpt v6bound dynamic prefix natpt-prefix address-group address-group [ no-pat ] | If the destination IPv6 address of an IPv6 packet matches the specified NAT-PT prefix, the source IPv6 address will be translated into an IPv4 address of the specified address pool. |
| · Associate a NAT-PT prefix with an interface address | natpt v6bound dynamic prefix natpt-prefix interface interface-type interface-number | If the destination IPv6 address of an IPv6 packet matches the specified NAT-PT prefix, the source IPv6 address will be translated into the IPv4 address of the specified interface. |

 

 

NOTE:

·       The NAT-PT prefix referenced in a natpt v6bound dynamic command must have been configured with the natpt prefix command.

·       If the no-pat keyword is specified, dynamic mapping policies are used for NAT-PT. If this keyword is not specified, the NAPT-PT mechanism is used to translate between IPv4 addresses and IPv6 addresses.

·       For more information about ACL, see ACL and QoS Configuration Guide.
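
The CAUTION under "Configuring a NAT-PT prefix" and the NOTE above describe dependencies that can be checked before a configuration is applied. The following audit is an added example, not an H3C tool: it parses command lines in the form shown in this chapter, and the finding names, BAD_CONFIG and the parsing rules are assumptions.

```python
import ipaddress
import re

PROMPT = re.compile(r"^[\[<][^\]>]*[\]>]\s*")  # "<RouterB>" or "[RouterB-NAT1/0/1]"

# Router B's commands from the page's dynamic-mapping example.
PAGE_CONFIG = """
[RouterB] interface serial 4/1/9:1
[RouterB-Serial4/1/9:1] ipv6 address 2001::1/64
[RouterB-Serial4/1/9:1] natpt enable
[RouterB] interface nat 1/0/1
[RouterB-NAT1/0/1] natpt prefix 3001::
[RouterB] natpt address-group 1 9.0.0.10 9.0.0.19
[RouterB-NAT1/0/1] natpt v6bound dynamic prefix 3001:: address-group 1
"""

# Constructed misconfiguration: the interface address falls inside the NAT-PT
# prefix, and the dynamic policy references an unconfigured prefix and pool.
BAD_CONFIG = """
ipv6 address 3001::1/64
natpt prefix 3001::
natpt address-group 1 9.0.0.10 9.0.0.19
natpt v6bound dynamic prefix 3002:: address-group 2
"""


def audit(config):
    """Return a sorted list of (finding, detail) tuples for one configuration."""
    if_nets, prefixes, pools, policies = [], set(), set(), []
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        if m := re.fullmatch(r"ipv6 address ([0-9A-Fa-f:]+/\d+)", line):
            if_nets.append(ipaddress.IPv6Interface(m[1]).network)
        elif m := re.fullmatch(r"natpt prefix (\S+)", line):
            # The NAT-PT prefix is 96 bits long.
            prefixes.add(ipaddress.IPv6Network(m[1] + "/96", strict=False))
        elif m := re.fullmatch(r"natpt address-group (\d+) \S+ \S+", line):
            pools.add(m[1])
        elif re.match(r"natpt v[46]bound dynamic ", line):
            policies.append(line)
    findings = []
    # CAUTION: the NAT-PT prefix must differ from local interface prefixes.
    for pfx in prefixes:
        for net in if_nets:
            if pfx.overlaps(net):
                findings.append(("prefix-overlaps-interface", f"{pfx} / {net}"))
    # NOTE: a referenced prefix must have been set with "natpt prefix", and
    # policies that use a pool need the address pool configured first.
    for line in policies:
        if m := re.search(r" prefix (\S+)", line):
            ref = ipaddress.IPv6Network(m[1] + "/96", strict=False)
            if ref not in prefixes:
                findings.append(("prefix-not-configured", str(ref)))
        if m := re.search(r" address-group (\d+)", line):
            if m[1] not in pools:
                findings.append(("address-group-not-configured", m[1]))
    return sorted(findings)


if __name__ == "__main__":
    print(audit(PAGE_CONFIG))
    print(audit(BAD_CONFIG))
```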

 

Configuring IPv4/IPv6 address mappings on the IPv4 side

IPv4/IPv6 address mappings on the IPv4 side can be static or dynamic.

Configuring a static IPv4/IPv6 address mapping on the IPv4 side

A static IPv4/IPv6 address mapping on the IPv4 side shows the one-to-one correspondence between an IPv4 address and an IPv6 address.

·           If the source IPv4 address in a packet sent from an IPv4 host to an IPv6 host matches a static IPv4/IPv6 address mapping, the source IPv4 address is translated into the corresponding IPv6 address.

·           If the destination IPv6 address in a packet sent from an IPv6 host to an IPv4 host matches a static IPv4/IPv6 address mapping, the destination IPv6 address is translated into the corresponding IPv4 address.

To configure a static IPv4/IPv6 address mapping on the IPv4 side:

 

| Step | Command |
|---|---|
| 1. Enter system view. | system-view |
| 2. Enter the NAT service interface view. | interface nat interface-number |
| 3. Configure a static IPv4/IPv6 address mapping on the IPv4 side. | natpt v4bound static ipv4-address ipv6-address |

 

Configuring a dynamic IPv4/IPv6 address mapping policy on the IPv4 side

A dynamic IPv4/IPv6 address mapping policy on the IPv4 side means that if the source IPv4 address matches a specified ACL, a NAT-PT prefix is added to the source IPv4 address to form the translated IPv6 address.

To configure a dynamic IPv4/IPv6 mapping policy on the IPv4 side:

 

| Step | Command |
|---|---|
| 1. Enter system view. | system-view |
| 2. Enter the NAT service interface view. | interface nat interface-number |
| 3. Configure a dynamic IPv4/IPv6 source address mapping policy on the IPv4 side. | natpt v4bound dynamic acl number acl-number prefix natpt-prefix |

 

 

NOTE:

·       Before configuring a dynamic IPv4/IPv6 mapping policy on the IPv4 side, you must use the natpt prefix command to configure the NAT-PT prefix referenced in the natpt v4bound dynamic acl number command.

·       For more information about ACLs, see ACL and QoS Configuration Guide.

 

Setting the ToS field after NAT-PT translation

You can set the ToS field in IPv4 packets translated from IPv6 packets to 0 or leave it unchanged. 0 indicates that the service priority of the translated packet is set to the lowest. Unchanged indicates that the existing service priority is used.

To set the ToS field in packets after NAT-PT translation:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the ToS field in IPv4 packets translated from IPv6 packets to 0. | natpt turn-off tos | By default, the value of the ToS field of IPv4 packets is the same as that of the Traffic Class field in corresponding IPv6 packets. |

 

Setting the traffic class field after NAT-PT translation

You can set the Traffic Class field in IPv6 packets translated from IPv4 packets to 0 or leave it unchanged. 0 indicates that the service priority of the translated packet is set to the lowest. Unchanged indicates that the existing service priority is used.

To set the Traffic Class field in packets after NAT-PT translation:

 

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the Traffic Class field in IPv6 packets translated from IPv4 packets to 0. | natpt turn-off traffic-class | By default, the value of the Traffic Class field of IPv6 packets is the same as that of the ToS field in corresponding IPv4 packets. |

 

Configuring static NAPT-PT mappings of IPv6 servers

Generally, a server such as the FTP server, Web server, or Telnet server on an IPv6 network provides services for IPv6 hosts only. To allow IPv4 hosts to access the IPv6 server, you can specify a static NAPT-PT mapping between the IPv6 address plus the port number and the IPv4 address plus the port number of the IPv6 server.

Upon receiving an access request to an IPv6 server from an IPv4 host, the NAT-PT router checks the destination address and port number of the packet against the static address/port mapping of the IPv6 server. If they match, the router translates the destination IPv4 address of the packet into the corresponding IPv6 address according to the IPv4/IPv6 address mapping on the IPv4 side, and translates the destination IPv4 address and port number in the request to the corresponding IPv6 address and port number according to the static address/port mapping of the IPv6 server.

When you configure a static address/port mapping of an IPv6 server, you must specify the following:

·           Protocol type, that is, the type of the transport layer protocol used by the server. It can be TCP or UDP.

·           IPv4 address and port number of the server. They are used by IPv4 hosts to access the server.

·           IPv6 address and port number of the server.

To configure a static NAPT-PT mapping for an IPv6 server:

 

| Step | Command |
|---|---|
| 1. Enter system view. | system-view |
| 2. Enter the NAT service interface view. | interface nat interface-number |
| 3. Configure a static address and port number mapping for an IPv6 server. | natpt v4bound static v6server protocol protocol-type ipv4-address ipv4-port-number ipv6-address ipv6-port-number |

 

Displaying and maintaining NAT-PT

 

Task: Display all NAT-PT configuration information.
Command: display natpt all [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display NAT-PT address pool configuration information.
Command: display natpt address-group [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display the static and dynamic NAT-PT address mappings.
Command: display natpt address-mapping [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Display NAT-PT statistics information.
Command: display natpt statistics [ slot slot-number ] [ | { begin | exclude | include } regular-expression ]
Remarks: Available in any view

Task: Clear all NAT-PT statistics information.
Command: reset natpt statistics [ slot slot-number ]
Remarks: Available in user view

 

NAT-PT configuration examples

Configuring dynamic mapping on the IPv6 side

Network requirements

As shown in Figure 3, Router C with IPv6 address 2001::2/64 on an IPv6 network wants to access Router A with IPv4 address 8.0.0.2/24 on an IPv4 network, whereas Router A cannot actively access Router C.

Configure Router B that is deployed between the IPv4 network and IPv6 network as a NAT-PT router, and configure dynamic mapping policies on the IPv6 side on Router B so that IPv6 hosts can access IPv4 hosts but IPv4 hosts cannot access IPv6 hosts. On Router B, slot number 1 is installed with one of the following cards: SPE-1010-II, SPE-1010-E-II, SPE-1020-II, or SPE-1020-E-II; slot number 4 is installed with an SPE card.

Figure 3 Network diagram

 

Configuration procedure

1.      Configure Router B (NAT-PT router):

# Configure interface addresses and enable NAT-PT on the interfaces.

<RouterB> system-view

[RouterB] ipv6

[RouterB] interface serial 4/1/9:0

[RouterB-Serial4/1/9:0] ip address 8.0.0.1 255.255.255.0

[RouterB-Serial4/1/9:0] natpt enable

[RouterB-Serial4/1/9:0] quit

[RouterB] interface serial 4/1/9:1

[RouterB-Serial4/1/9:1] ipv6 address 2001::1/64

[RouterB-Serial4/1/9:1] natpt enable

[RouterB-Serial4/1/9:1] quit

# Configure a NAT-PT prefix.

[RouterB] interface nat 1/0/1

[RouterB-NAT1/0/1] natpt prefix 3001::

[RouterB-NAT1/0/1] quit

# Configure a NAT-PT address pool.

[RouterB] natpt address-group 1 9.0.0.10 9.0.0.19

# Associate the prefix with the address pool for IPv6 hosts accessing IPv4 hosts.

[RouterB] interface nat 1/0/1

[RouterB-NAT1/0/1] natpt v6bound dynamic prefix 3001:: address-group 1

2.      Configure Router A on the IPv4 side:

# Configure a static route to subnet 9.0.0.0/24.

<RouterA> system-view

[RouterA] ip route-static 9.0.0.0 24 8.0.0.1

3.      Configure Router C on the IPv6 side:

# Enable IPv6.

<RouterC> system-view

[RouterC] ipv6

# Configure a static route to the subnet with the NAT-PT prefix.

[RouterC] ipv6 route-static 3001:: 16 2001::1

Verifying the configuration

If you carry out the ping ipv6 3001::0800:0002 command on Router C after completing the configurations above, response packets can be received.

Configuring static mappings on the IPv4 side and the IPv6 side

Network requirements

As shown in Figure 4, Router C with IPv6 address 2001::2/64 on an IPv6 network can communicate with Router A with IPv4 address 8.0.0.2/24 on an IPv4 network.

Configure Router B that is deployed between the IPv4 network and IPv6 network as a NAT-PT router, and configure static mappings on the IPv4 side and IPv6 side on Router B, so that Router A and Router C can communicate with each other. On Router B, slot number 1 is installed with one of the following cards: SPE-1010-II, SPE-1010-E-II, SPE-1020-II, or SPE-1020-E-II; slot number 4 is installed with an SPE card.

Figure 4 Network diagram

 

Configuration procedure

1.      Configure Router B (NAT-PT router):

# Configure interface addresses and enable NAT-PT on the interfaces.

<RouterB> system-view

[RouterB] ipv6

[RouterB] interface serial 4/1/9:0

[RouterB-Serial4/1/9:0] ip address 8.0.0.1 255.255.255.0

[RouterB-Serial4/1/9:0] natpt enable

[RouterB-Serial4/1/9:0] quit

[RouterB] interface serial 4/1/9:1

[RouterB-Serial4/1/9:1] ipv6 address 2001::1/64

[RouterB-Serial4/1/9:1] natpt enable

[RouterB-Serial4/1/9:1] quit

# Configure a NAT-PT prefix.

[RouterB] interface nat 1/0/1

[RouterB-NAT1/0/1] natpt prefix 3001::

# Configure a static IPv4/IPv6 mapping on the IPv4 side.

[RouterB-NAT1/0/1] natpt v4bound static 8.0.0.2 3001::5

# Configure a static IPv4/IPv6 mapping on the IPv6 side.

[RouterB-NAT1/0/1] natpt v6bound static 2001::2 9.0.0.5

2.      Configure Router A on the IPv4 side:

# Configure the IP address of Serial 4/1/9:0.

<RouterA> system-view

[RouterA] interface serial 4/1/9:0

[RouterA-Serial4/1/9:0] ip address 8.0.0.2 255.255.255.0

[RouterA-Serial4/1/9:0] quit

# Configure a static route to subnet 9.0.0.0/24.

[RouterA] ip route-static 9.0.0.0 24 8.0.0.1

3.      Configure Router C on the IPv6 side:

# Configure the IP address of Serial 4/1/9:0.

<RouterC> system-view

[RouterC] interface serial 4/1/9:0

[RouterC-Serial4/1/9:0] ipv6 address 2001::2/64

[RouterC-Serial4/1/9:0] quit

# Enable IPv6.

[RouterC] ipv6

# Configure a static route to the subnet with the NAT-PT prefix.

[RouterC] ipv6 route-static 3001:: 16 2001::1

Verifying the configuration

After completing the above configurations, the ping 9.0.0.5 command on Router A and the ping ipv6 3001::5 command on Router C both receive response packets.

Troubleshooting NAT-PT

Symptom

NAT-PT fails when a session is initiated on the IPv6 side.

Solution

·           Enable debugging for NAT-PT and locate the fault according to the debugging information of the router.

·           During debugging, check whether the source address of a packet is translated successfully. If not, it is possible that the address pool does not have enough IP addresses.

·           You can configure a larger address pool, or use NAPT-PT to perform NAT-PT.
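
The pool exhaustion described above, and the effect of the no-pat keyword from the dynamic mapping section, can be reproduced with a small model. This is an added example, not H3C code: it uses the pool 9.0.0.10 to 9.0.0.19 from the configuration example, while the class name, the constructed IPv6 hosts, the translated-port range and the absence of binding timeouts are assumptions.

```python
import ipaddress


class V6BoundPool:
    """Dynamic IPv6-side mapping backed by a NAT-PT address pool."""

    def __init__(self, start, end, no_pat, ports=range(1024, 65536)):
        first, last = (int(ipaddress.IPv4Address(a)) for a in (start, end))
        self.addresses = [ipaddress.IPv4Address(n) for n in range(first, last + 1)]
        self.no_pat = no_pat
        self.ports = ports   # assumed translated-port range for NAPT-PT
        self.by_host = {}    # no-pat: IPv6 source -> IPv4 address
        self.by_flow = {}    # NAPT-PT: (IPv6 source, port) -> (IPv4 address, port)

    def translate(self, src6, src_port):
        """Return the translated (IPv4 address, port), or None if exhausted."""
        if self.no_pat:
            # Dynamic mapping: each IPv6 host holds one pool address on its own.
            if src6 not in self.by_host:
                if len(self.by_host) == len(self.addresses):
                    return None  # every pool address is already bound
                self.by_host[src6] = self.addresses[len(self.by_host)]
            return str(self.by_host[src6]), src_port
        # NAPT-PT: hosts share an address and are told apart by port number.
        flow = (src6, src_port)
        if flow not in self.by_flow:
            index, offset = divmod(len(self.by_flow), len(self.ports))
            if index == len(self.addresses):
                return None  # every (address, port) pair is in use
            self.by_flow[flow] = (self.addresses[index], self.ports[offset])
        addr, port = self.by_flow[flow]
        return str(addr), port


def failed_hosts(no_pat, host_count=12):
    """One flow per IPv6 host through the pool 9.0.0.10 to 9.0.0.19."""
    pool = V6BoundPool("9.0.0.10", "9.0.0.19", no_pat)
    hosts = [f"2001::{n:x}" for n in range(2, 2 + host_count)]  # constructed hosts
    return [h for h in hosts if pool.translate(h, 40000) is None]


if __name__ == "__main__":
    print("no-pat failures:", failed_hosts(no_pat=True))
    print("NAPT-PT failures:", failed_hosts(no_pat=False))
```

With twelve hosts and ten pool addresses, the last two hosts fail under no-pat, while NAPT-PT serves all twelve from a single IPv4 address.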