ThinkMo EDU Share – network 51.NAT64 configuration example

Jacky.K 11/16/2022

Experimental Requirements and Topology

The experimental topology diagram is as follows:

A very simple topology diagram. In the above scenario, PC1 is configured with an IPv4 address, and PC2 is configured with an IPv6 address. Now, a Huawei firewall device is used to configure NAT64 so that PC1 and PC2 can communicate with each other.

Note: In theory, Huawei series routers can also achieve similar functions, but there may be problems with eNSP, so a firewall is used here instead, and the principle is the same.

Experimental configuration commands

The commands used in the experiment are listed below.

  1. Basic configuration to ensure connectivity

For ping between the firewall and the two PCs to work, security zones and a security policy must be configured. To demonstrate only the most basic NAT64 functions, the simplest possible configuration is used here: both interfaces are placed in the trust zone, and the single rule has no match conditions, so it permits all traffic. Outside a lab, the rule should be restricted to the zones and addresses that actually need to communicate.

firewall zone trust

add interface GigabitEthernet1/0/1

add interface GigabitEthernet1/0/2

security-policy

rule name 1

action permit

In addition, for ping to the interface itself to work, besides configuring the IP address you also need to run the following command on the interface:

service-manage ping permit

Once the IP addresses and the configuration above are in place, each PC should be able to ping the IP address of its firewall interface, which is its gateway.

  2. Ensure IPv4 to IPv6 communication – NAT64 command

For IPv4 to access IPv6, only one NAT64 policy needs to be configured:

nat64 static 2000::1 10.1.1.100

Also apply the NAT64 configuration on the interface:

interface GigabitEthernet1/0/2

nat64 enable

The above command maps PC2's address 2000::1 to 10.1.1.100, so that PC1 can access PC2.

After configuring the above commands, PC1 should be able to ping PC2.

  3. Ensure IPv6 to IPv4 communication – NAT prefix and NAT policy commands

However, PC2 still cannot ping PC1 at this point. With the above configuration, when an ICMP packet sent by PC1 passes through the firewall, the firewall converts the source address of the packet into a NAT64 private address. But when PC2 pings PC1, the firewall does not know which IP address to translate the ICMP source address into.

To let PC2 ping PC1, a NAT64 prefix and a NAT policy must be configured. The configuration commands are as follows:

nat address-group 1 0

mode pat

section 0 10.1.1.110 10.1.1.200

#

nat-policy

rule name 1

action source-nat address-group 1

#

nat64 prefix 3000:: 96

The commands above configure a NAT address range, which defines the source IP address that packets from PC2 to PC1 carry after passing through the firewall. The 96 in the NAT64 prefix configuration is the prefix length, intended for the IPv6 area to access IPv4: it leaves a 32-bit host portion after the prefix. When PC2 wants to access PC1, it takes the NAT64 prefix and fills in PC1's IPv4 address in the reserved host bits that follow.
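The address PC2 has to ping can be computed from the prefix and PC1's IPv4 address. The following Python sketch is an added example, not part of the original post; it implements the RFC 6052 embedding for the 3000::/96 prefix used here and, going beyond the post, the other prefix lengths RFC 6052 defines. PC1's address 10.1.1.1 is an assumption, since the post does not state it.

```python
"""Added example: NAT64 address synthesis (RFC 6052) for a prefix such as 3000::/96."""
import ipaddress

VALID_LENGTHS = (32, 40, 48, 56, 64, 96)  # prefix lengths RFC 6052 allows


def _positions(prefix_len):
    """Byte offsets that carry the IPv4 address; byte 8 (the 'u' octet) is skipped."""
    pos, out = prefix_len // 8, []
    while len(out) < 4:
        if prefix_len < 96 and pos == 8:
            pos += 1  # bits 64-71 must stay zero for prefixes shorter than /96
        out.append(pos)
        pos += 1
    return out


def _network(prefix):
    """Parse the NAT64 prefix and reject lengths RFC 6052 does not define."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_LENGTHS:
        raise ValueError(f"unsupported NAT64 prefix length /{net.prefixlen}")
    return net


def synthesize(prefix, ipv4):
    """Embed an IPv4 address in a NAT64 prefix and return the IPv6 address."""
    net = _network(prefix)
    raw = bytearray(net.network_address.packed)
    v4 = ipaddress.IPv4Address(ipv4).packed
    for pos, byte in zip(_positions(net.prefixlen), v4):
        raw[pos] = byte
    return ipaddress.IPv6Address(bytes(raw))


def extract(prefix, ipv6):
    """Recover the embedded IPv4 address; raise if the address is outside the prefix."""
    net = _network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    return ipaddress.IPv4Address(bytes(addr.packed[p] for p in _positions(net.prefixlen)))


if __name__ == "__main__":
    PREFIX = "3000::/96"  # the NAT64 prefix configured in this post
    PC1 = "10.1.1.1"      # assumed address for PC1; the post does not state it
    target = synthesize(PREFIX, PC1)
    print(f"PC2 pings {target} to reach {PC1}")
    print("round trip:", extract(PREFIX, target))
```

Destinations outside the configured prefix are rejected by `extract`, which mirrors the fact that only traffic addressed into the NAT64 prefix is a candidate for translation.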

Results

  1. PC1 and PC2 ping each other:

  2. Packet capture before configuring reverse NAT64:

  3. NAT64 results on the firewall:

Appendix – Firewall Configuration Commands

Finally, the complete firewall configuration from the experiment is as follows (unnecessary commands omitted):

ipv6

#

nat64 prefix 3000:: 96

nat64 static 2000::1 10.1.1.100

#

interface GigabitEthernet1/0/1

undo shutdown

ip address 10.1.1.254 255.255.255.0

service-manage ping permit

#

interface GigabitEthernet1/0/2

undo shutdown

ipv6 enable

ipv6 address 2000::2/64

service-manage ping permit

nat64 enable

firewall zone trust

set priority 85

add interface GigabitEthernet0/0/0

add interface GigabitEthernet1/0/1

add interface GigabitEthernet1/0/2

security-policy

rule name 1

action permit

#

nat-policy

rule name 1

action source-nat address-group 1

nat address-group 1 0

mode pat

section 0 10.1.1.110 10.1.1.200
