As shown in Figure 1, configure DS-Lite tunneling and NAT to allow the DS-Lite host to access the IPv4 network over the IPv6 network.
This configuration example was created and verified on E8371 of the F5000-AI160 device.
Add DS-Lite tunnel interfaces to security zones, and allow traffic between the zone pairs to pass through. In this example, Tunnel 2 is added to security zone IPv6Zone, and traffic is allowed between zones IPv6Zone and IPv4Zone.
Configure the AFTR:
# Create security zones IPv6Zone and IPv4Zone. Assign interfaces to the related security zones and configure interzone policies. Make sure the network connections are available. (Details not shown.)
# Specify an IPv4 address for GigabitEthernet 1/0/1.
<AFTR> system-view
[AFTR] interface gigabitethernet 1/0/1
[AFTR-GigabitEthernet1/0/1] ip address 20.1.1.1 24
[AFTR-GigabitEthernet1/0/1] quit
# Specify an IPv6 address for GigabitEthernet 1/0/2.
[AFTR] interface gigabitethernet 1/0/2
[AFTR-GigabitEthernet1/0/2] ipv6 address 1::2 64
[AFTR-GigabitEthernet1/0/2] quit
# Create a tunnel interface on the AFTR.
[AFTR] interface tunnel 2 mode ds-lite-aftr
# Specify an IP address for the tunnel interface.
[AFTR-Tunnel2] ip address 30.1.2.2 255.255.255.0
# Specify GigabitEthernet 1/0/2 as the source interface for the tunnel.
[AFTR-Tunnel2] source gigabitethernet 1/0/2
[AFTR-Tunnel2] quit
# Add Tunnel2 to security zone IPv6Zone.
[AFTR] security-zone name IPv6Zone
[AFTR-security-zone-IPv6Zone] import interface Tunnel 2
[AFTR-security-zone-IPv6Zone] quit
# Enable DS-Lite tunneling on GigabitEthernet 1/0/1.
[AFTR] interface gigabitethernet 1/0/1
[AFTR-GigabitEthernet1/0/1] ds-lite enable
[AFTR-GigabitEthernet1/0/1] quit
# Create public address group 0.
[AFTR] nat address-group 0
# Add public IP addresses 20.1.1.11 and 20.1.1.12 to the NAT address group.
[AFTR-address-group-0] address 20.1.1.11 20.1.1.12
# Configure the port range as 1024 to 65535.
[AFTR-address-group-0] port-range 1024 65535
# Set the port block size to 300.
[AFTR-address-group-0] port-block block-size 300
[AFTR-address-group-0] quit
# Configure an IPv6 ACL to identify packets from subnet 1::/64.
[AFTR] acl ipv6 basic 2100
[AFTR-acl-ipv6-basic-2100] rule permit source 1::/64
[AFTR-acl-ipv6-basic-2100] quit
# Configure DS-Lite NAT444 on GigabitEthernet 1/0/1.
[AFTR] interface gigabitethernet 1/0/1
[AFTR-GigabitEthernet1/0/1] nat outbound ds-lite-b4 2100 address-group 0
[AFTR-GigabitEthernet1/0/1] quit
Configure the DS-Lite host:
# Configure the IPv4 and IPv6 addresses of the DS-Lite host as 10.0.0.1 and 1::1/64. (Details not shown.)
# Configure a static route to the destination IPv4 network. (Details not shown.)
# Use the display tunnel interface command to verify that the tunnel interface is up on the AFTR. (Details not shown.)
# Verify that the DS-Lite host can ping the IPv4 application server.
C:\> ping 20.1.1.2
Pinging 20.1.1.2 with 32 bytes of data:
Reply from 20.1.1.2: bytes=32 time=51ms TTL=255
Reply from 20.1.1.2: bytes=32 time=44ms TTL=255
Reply from 20.1.1.2: bytes=32 time=1ms TTL=255
Reply from 20.1.1.2: bytes=32 time=1ms TTL=255
Ping statistics for 20.1.1.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 51ms, Average = 24ms
# Verify that the DS-Lite NAT444 configuration is correct.
[AFTR] display nat outbound
NAT outbound information:
Totally 1 NAT outbound rules.
Interface: GigabitEthernet1/0/1
DS-Lite B4 ACL: 2100
Address group ID: 0
Port-preserved: N NO-PAT: N Reversible: N
Config status: Active
# Verify that the DS-Lite NAT444 configuration takes effect by checking the port block assignment.
[AFTR] display nat statistics
Total session entries: 1
Session creation rate: 0
Total EIM entries: 0
Total inbound NO-PAT entries: 0
Total outbound NO-PAT entries: 0
Total static port block entries: 0
Total dynamic port block entries: 430
Active static port block entries: 0
Active dynamic port block entries: 1
# Verify that a NAT444 mapping has been created for the DS-Lite host.
[AFTR] display nat port-block dynamic ds-lite-b4
Slot 1:
Local VPN     DS-Lite B4 addr     Global IP        Port block   Connections
---           1::1                20.1.1.11        65224-65523  1
Total mappings found: 1
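The port-block figures in the output above can be reproduced from the address group settings, and the mapping table is what lets an operator trace a public IPv4 address and port seen in a server log back to one B4. The following Python sketch is an added example, not part of the original document; it assumes blocks are cut in full-size units from the low end of the port range, which matches the numbers shown here (430 blocks in total, block 65224-65523).

```python
import ipaddress
import re

# Values from the NAT address group on this page.
PORT_LO, PORT_HI, BLOCK_SIZE = 1024, 65535, 300
GROUP_ADDRS = ["20.1.1.11", "20.1.1.12"]

# Output of "display nat port-block dynamic ds-lite-b4" as shown on this page.
SAMPLE = """\
Slot 1:
Local VPN DS-Lite B4 addr Global IP Port block Connections
--- 1::1 20.1.1.11 65224-65523 1
Total mappings found: 1
"""

# VPN, B4 IPv6 address, global IPv4 address, port block, connection count.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\d+(?:\.\d+){3})\s+(\d+)-(\d+)\s+(\d+)$")


def port_blocks(lo=PORT_LO, hi=PORT_HI, size=BLOCK_SIZE):
    """Full-size blocks cut from the low end; a short tail stays unused (assumption)."""
    return [(s, s + size - 1) for s in range(lo, hi - size + 2, size)]


def total_blocks():
    """Blocks per address times addresses in the group."""
    return len(port_blocks()) * len(GROUP_ADDRS)


def parse_mappings(text):
    """Return one dict per mapping row of the port-block table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            _vpn, b4, gip, start, end, conns = m.groups()
            rows.append({"b4": ipaddress.IPv6Address(b4),
                         "global_ip": ipaddress.IPv4Address(gip),
                         "ports": (int(start), int(end)),
                         "connections": int(conns)})
    return rows


def attribute(mappings, global_ip, port):
    """Map a logged public IPv4 address and source port to the B4 IPv6 address."""
    ip = ipaddress.IPv4Address(global_ip)
    for m in mappings:
        lo, hi = m["ports"]
        if m["global_ip"] == ip and lo <= port <= hi:
            return str(m["b4"])
    return None
```

Dynamic port blocks are released when the B4 has no remaining connections, so tracing a flow after the fact needs the mapping recorded at the time of the flow, not a later snapshot of this table.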
#
nat address-group 0
 port-range 1024 65535
 port-block block-size 300
 address 20.1.1.11 20.1.1.12
#
interface GigabitEthernet1/0/1
 ip address 20.1.1.1 255.255.255.0
 nat outbound ds-lite-b4 2100 address-group 0
 ds-lite enable
#
interface GigabitEthernet1/0/2
 ipv6 address 1::2/64
#
interface Tunnel2 mode ds-lite-aftr
 ip address 30.1.2.2 255.255.255.0
 source GigabitEthernet1/0/2
#
security-zone name IPv4Zone
 import interface GigabitEthernet1/0/1
#
security-zone name IPv6Zone
 import interface GigabitEthernet1/0/2
 import interface Tunnel2
#
acl ipv6 basic 2100
 rule 0 permit source 1::/64
#
security-policy ip
 rule 0 name IPv4Zone-IPv6Zone
  action pass
  source-zone IPv4Zone
  destination-zone IPv6Zone
 rule 1 name IPv6Zone-IPv4Zone
  action pass
  source-zone IPv6Zone
  destination-zone IPv4Zone