Login
- Table of Contents
-
- 06-Layer 3—IP Services Configuration Guide
- 00-Preface
- 01-ARP configuration
- 02-IP addressing configuration
- 03-DHCP configuration
- 04-DNS configuration
- 05-NAT configuration
- 06-NAT66 configuration
- 07-IP forwarding basics configuration
- 08-Fast forwarding configuration
- 09-Multi-CPU packet distribution configuration
- 10-Adjacency table configuration
- 11-IRDP configuration
- 12-IP performance optimization configuration
- 13-UDP helper configuration
- 14-IPv6 basics configuration
- 15-DHCPv6 configuration
- 16-IPv6 fast forwarding configuration
- 17-AFT configuration
- 18-Tunneling configuration
- 19-GRE configuration
- 20-ADVPN configuration
- 21-WAAS configuration
- 22-HTTP proxy configuration
- 23-STUN configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 06-NAT66 configuration | 118.33 KB |
Contents
IPv6 source prefix translation
IPv6 destination prefix translation
Configuring IPv6 source prefix translation
Configuring NAT66 source address translation with Easy IP
Configuring IPv6 destination prefix translation
Display and maintenance commands for NAT66
Example: Configuring outbound IPv6 source prefix translation
Example: Configuring inbound IPv6 source prefix translation
Example: Configuring IPv6 destination prefix translation
Configuring NAT66
Overview
IPv6-to-IPv6 Network Address Translation (NAT66) translates the internal IPv6 address in the IPv6 packet to an external IPv6 address and vice versa. In practical applications, NAT66 is mainly applied to the edge devices that connect two IPv6 networks, enabling internal users to access the external network and the external network to access some internal network resources (such as internal servers).
IPv6-to-IPv6 Network Prefix Translation (NPTv6), an implementation method of NAT66, translates the internal IPv6 prefix in the IPv6 packet header to an external IPv6 prefix and vice versa. NPTv6 provides the following translation methods:
· Source address translation—Applicable to internal-to-external access scenarios.
· Destination address translation—Applicable to scenarios where external users actively access services provided by the internal network.
IPv6 source prefix translation
NAT66 source address translation is applicable to the following scenarios:
· Single internal and external network—The NAT66 device is connected to an internal network and an external network. Hosts in the internal network uses locally routed IPv6 prefixes. When an internal host sends packets to access the external network, the NAT66 device translates the source IPv6 address prefix in the packets to a global unicast address prefix.
· Redundancy and load sharing—Multiple NAT66 devices are deployed between two IPv6 networks and they use ECMPs for load sharing. To allow any NAT66 device to process IPv6 traffic among different sites, configure the same source prefix mappings on these NAT66 devices.
· Multihoming—In a multihomed network, NAT66 devices are connected to an internal network and multiple external networks. One internal prefix is mapped to different external prefixes on the NAT66 devices, so that one internal address can be translated to multiple external addresses.
IPv6 destination prefix translation
To allow external users to access internal servers, such as Wed server or FTP server, configure IPv6 destination prefix mappings on the interface connected to the external network.
NAT66 ALG
NAT66 ALG (Application Level Gateway) translates address or port information in the application layer payloads to ensure connection establishment.
For example, an FTP application includes a data connection and a control connection. The IP address and port number for the data connection depend on the payload information of the control connection. This requires NAT66 ALG to translate the address and port information for data connection establishment.
NAT66 ALG supports the following protocol packets: FTP packets, SIP packets, H.323 packets, RTSP packets, DNS packets, and ICMP error messages.
Configuring IPv6 source prefix translation
Restrictions and guidelines
You can configure the global NAT policy to achieve IPv6 source prefix translation. For more information about global NAT policy, see "Configuring NAT."
This feature cannot perform translation on AH or ESP packets.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure an IPv6 prefix mapping for IPv6 source address translation.
nat66 prefix source original-ipv6-prefix original-prefix-length [ vpn-instance original-vpn-instance-name ] translated-ipv6-prefix translated-prefix-length [ vpn-instance translated-vpn-instance-name ] [ pat ] [ inbound ]
By default, no IPv6 prefix mappings are configured for IPv6 source address translation.
For information about the restrictions and guidelines for this command, see the command reference.
Configuring NAT66 source address translation with Easy IP
About this task
NAT66 with Easy IP allows the device to use the IPv6 address of the output interface as the IPv6 address after address translation. It also translates the source port numbers of packets from the private network.
NAT66 with Easy IP can operate correctly even if the IP address of the interface is dynamically assigned. For example, the device accesses the network through dial-up and dynamically obtains its public IPv6 address. To use only the dynamically obtained public IPv6 address for address translation, configure NAT66 with Easy IP. Even if the public IPv6 address of the output interface changes, the device can still perform effective address translation based on the latest public IPv6 address.
Restrictions and guidelines
Execute the nat66 source easy-ip command on the interface connected to the external network on the NAT66 device, and follow these restrictions and guidelines:
· If the interface has multiple IPv6 addresses, NAT66 with Easy IP works as follows:
a. Automatically compares the next-hop IPv6 address of packets with all the IPv6 addresses of the interface.
b. Selects the IPv6 address that has the longest matching prefix with the next-hop IPv6 address.
c. Uses the IPv6 address as the source IPv6 address after translation.
· If the interface does not have any IPv6 address, the device discards that packets passing through the interface.
· If the ACL rule specified for the NAT66 with Easy IP configuration does not take effect, the NAT66 with Easy IP configuration does not take effect either.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure NAT66 source address translation with Easy IP.
nat66 source [ acl { ipv6-acl-number | name ipv6-acl-name } ] easy-ip
By default, NAT66 source address translation with Easy IP is not configured.
Configuring IPv6 destination prefix translation
Restrictions and guidelines
You can configure the global NAT policy to achieve IPv6 destination prefix translation. For more information about global NAT policy, see "Configuring NAT."
This feature cannot perform translation on AH or ESP packets.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure an IPv6 prefix mapping for IPv6 destination address translation.
Syntax 1:
nat66 prefix destination original-ipv6-prefix prefix-length [ vpn-instance original-vpn-instance-name ] translated-ipv6-prefix prefix-length [ vpn-instance translated-vpn-instance-name ]
Syntax 2:
nat66 prefix destination protocol pro-type original-ipv6-prefix original-prefix-length [ global-port ] [ vpn-instance original-vpn-instance-name ] translated-ipv6-prefix translated-prefix-length [ local-port ] [ vpn-instance translated-vpn-instance-name ]
By default, no IPv6 prefix mappings are configured for IPv6 destination address translation.
For information about the restrictions and guidelines for this command, see the command reference.
Display and maintenance commands for NAT66
Execute display commands in any view and reset commands in user view.
|
Task |
Command |
|
Display all NAT66 configurations. |
display nat66 all |
|
Display NAT66 sessions. |
In standalone mode: display nat66 session [ verbose ] In IRF mode: display nat66 session [ slot slot-number ] [ verbose ] |
|
Display NAT66 statistics. |
In standalone mode: display nat66 statistics [ summary ] In IRF mode: display nat66 statistics [ summary ] [ slot slot-number ] |
|
Delete NAT66 sessions. |
In standalone mode: In IRF mode: reset nat66 session [ slot slot-number ] |
NAT configuration examples
Example: Configuring outbound IPv6 source prefix translation
Network configuration
As shown in Figure 1, internal users use IPv6 prefix FD01:0203:0405::/48 and the internal IPv6 addresses are not routable on the Internet. For internal users to access the FTP server on the Internet, configure IPv6 source prefix translation to translate the internal IPv6 prefix FD01:0203:0405::/48 to external prefix 2001:0DF8:0001::/48.
Procedure
# Assign IPv6 addresses to interfaces and configure routes. Make sure the network connections are available. (Details not shown.)
# Configure an IPv6 source prefix mapping from FD01:0203:0405::/48 to FD01:0203:0405::/48.
<Device> system-view
[Device] interface gigabitethernet 2/0
[Device-GigabitEthernet2/0] nat66 prefix source fd01:0203:0405:: 48 2001:0df8:0001:: 48
[Device-GigabitEthernet2/0] quit
Verifying the configuration
# Verify that internal hosts can access the FTP server. (Details not shown.)
# Verify NAT66 configurations.
[Device] display nat66 all
NAT66 source information:
Totally 1 source rules.
Interface(outbound): GigabitEthernet2/0
Original prefix/prefix-length: FD01:203:405::/48
Translated prefix/prefix-length: 2001:DF8:1::/48
# Verify that NAT66 sessions are established.
<Device> display nat66 session verbose
Slot 1:
Initiator:
Source IP/port: FD01:203:405::1/56002
Destination IP/port: 2001:DC8:1::100/21
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0
Responder:
Source IP/port: 2001:DC8:1::100/21
Destination IP/port: 2001:DF8:1:D50F::1/56002
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet2/0
State: TCP_ESTABLISHED
Application: FTP
Rule ID: 1
Rule name: 1
Start time: 2018-12-06 14:48:31 TTL: 3597s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
Example: Configuring inbound IPv6 source prefix translation
Network configuration
As shown in Figure 2, a company uses FD01:0203:0405::/48 as the prefix of internal IPv6 addresses. After the company was acquired, the parent company allocated IPv6 addresses with prefix 2001:0DF8:0001::/48 to the subsidiary. For the subsidiary to access the parent company’s FTP server, configure inbound IPv6 source prefix translation to translate internal IPv6 prefix FD01:0203:0405::/48 to external prefix 2001:0DF8:0001::/48.
Procedure
# Assign IPv6 addresses to interfaces and configure routes. Make sure the network connections are available. (Details not shown.)
# Configure an inbound IPv6 source prefix mapping from FD01:0203:0405::/48 to 2001:0DF8:0001::/48.
<Device> system-view
[Device] interface gigabitethernet 1/0
[Device-GigabitEthernet1/0] nat66 prefix source fd01:0203:0405:: 48 2001:0df8:0001:: 48 inbound
[Device-GigabitEthernet1/0] quit
Verifying the configuration
# Verify that internal hosts can access the FTP server. (Details not shown.)
# Verify NAT66 configurations.
[Device] display nat66 all
NAT66 source information:
Totally 1 source rules.
Interface(inbound): GigabitEthernet1/0
Original prefix/prefix-length: FD01:203:405::/48
Translated prefix/prefix-length: 2001:DF8:1::/48
# Verify that NAT66 sessions are established.
[Device] display nat66 session verbose
Slot 1:
Initiator:
Source IP/port: FD01:203:405::1/56002
Destination IP/port: 2001:DC8:1::100/21
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0
Responder:
Source IP/port: 2001:DC8:1::100/21
Destination IP/port: 2001:DF8:1:D50F::1/56002
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet2/0
State: TCP_ESTABLISHED
Application: FTP
Rule ID: 1
Rule name: 1
Start time: 2025-07-10 14:48:31 TTL: 3597s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1
Example: Configuring IPv6 destination prefix translation
Network configuration
As shown in Figure 3, the internal IPv6 address of FTP server is FD01:0203:0405::100/48. The internal prefix is FD01:0203:0405::/48. Configure destination IPv6 prefix translation to allow the FTP server to use IPv6 address 2001:AB01:0001::1 to provide services for external users.
Procedure
# Assign IPv6 addresses to interfaces and configure routes. Make sure the network connections are available. (Details not shown.)
# Configure an IPv6 destination prefix mapping from 2001:AB01:0001::1/128 to FD01:0203:0405::100/128.
<Device> system-view
[Device] interface gigabitethernet 2/0
[Device-GigabitEthernet2/0] nat66 prefix destination 2001:ab01:1::1 128 fd01:203:405::100 128
[Device-GigabitEthernet2/0] quit
Verifying the configuration
# Verify that external hosts can access the FTP server. (Details not shown.)
# Verify NAT66 configurations.
[Device] display nat66 all
NAT66 destination information:
Totally 1 destination rules.
Interface(inbound): GigabitEthernet2/0
Original prefix/prefix-length: 2001:AB01:1::1/128
Translated prefix/prefix-length: FD01:203:405::100/128
# Verify that NAT66 sessions are established.
[Device] display nat66 session verbose
Slot 1:
Initiator:
Source IP/port: 2001:DC8:1::100/9025
Destination IP/port: 2001:AB01:1::1/21
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet2/0
Responder:
Source IP/port: FD01:203:405::100/21
Destination IP/port: 2001:DC8:1::100/9025
VPN instance/VLAN ID/Inline ID: -/-/-
Protocol: TCP(6)
Inbound interface: GigabitEthernet1/0
State: TCP_ESTABLISHED
Application: FTP
Rule ID: 1
Rule name: 1
Start time: 2018-12-06 14:56:03 TTL: 3579s
Initiator->Responder: 0 packets 0 bytes
Responder->Initiator: 0 packets 0 bytes
Total sessions found: 1