Cisco ASR 1002-X router with NAT64 configurations
Today I am going to talk about the configuration of NAT64 on ASR routers. I will take an sample topology and will show how to configure NAT64 on ASR router.
We are taking an example topology where we have Cisco 2900 as NDNA_R1; Cisco ASR 1002-X as NDNA_R2 and Cisco 2900 as NDNA_R3. The routers are configured as :
NDNA_R1: Cisco ISR 2900 --> IPv4 Addressing
NDNA_R2 : Cisco ASR 1002-X ---> NAT64 configuration
NDNA_R3 : Cisco ISR 2900 --> IPv6 addressing
So what I mean to say that we are going to configure IPv4 addressing on NDNA_R1 while IPv6 will be configure on NDNA_R3 and all NAT64 configuration will be done on Cisco ASR 1002-X which is labelled as NDNA_R2.
Below is the basic topology showing the connectivity between these 3 devices as :
Fig 1.1- NAT64 Configuration Topology |
So in the above topology, the Router NDNA_R1 is connected to Router NDNA_R2 via interface F0/0 and Gi0/0/0 respectively and similarly the router NDNA_R2 is connected to Router NDNA_R3 via Gi0/0/1 and Fa0/0 respectively. The IP addresses used in the scenario is for only demo purposes and has no relevance with any of the enterprise networks.
Let's talk about the configuration one by one on all the three routers as below.
Configuration on NDNA_R1 : Cisco 2900 ISR router
!
ip cef
!
interface FastEthernet0/0
ip address 179.60.213.13 255.255.255.25
!
ip route 179.60.213.128 255.255.255.128 179.60.213.14
!
Configuration on NDNA_R2 : Cisco ASR 1002-X router
!
ipv6 unicast-routing
ipv6 cef
!
interface GigabitEthernet0/0/0
ip address 179.60.213.14 255.255.255.252
nat64 enable
cdp enable
!
interface GigabitEthernet0/0/1
ipv6 address 2803:1500:F00::1/127
nat64 enable
cdp enable
!
ipv6 access-list allow-access-v6to4
permit ipv6 2803:1500:F00::/40 any
nat64 prefix stateful 2800:1503:2000:1:1::/96
nat64 v4 pool poolipv4 179.60.213.240 179.60.213.250
nat64 v6v4 list allow-access-v6to4 pool poolipv4
!
Configuration on NDNAR3 : Cisco 2900 ISR router
!
ipv6 unicast-routing
ipv6 cef
!
interface fa0/0
ipv6 address 2803:1500:F00::0/127
ipv6 route 2800:1503:2000:1:1::/96 2803:1500:F00::1
!
Note that in this case we defined the traffic allowed for NAT64 to be the network 2803:1500:F00:: which happens to be the interface directly connected to the GigabitEthernet 0/0/1. If the traffic we wanted to NAT was on a net behind, for example we have the following on the IPv6 Only router:
!
interface Loopback 200
no ip address
ipv6 address 2803:1500:D00::1/127
!
The access list on the ASR only needs this network to be permitted like this
!
sh access-lists
IPv6 access list match-dest-1
permit ipv6 any 2803:1500:D00::/40 sequence 10
!
since we are using static routing don’t forget to add the route on the ASR so it knows how to reach that network
!
ipv6 route 2803:1500:D00::/40 2803:1500:F00::
!
ping 2800:1503:2000:1:1::B33C:D50D source loopback 200
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2800:1503:2000:1:1:0:B33C:D50D, timeout is 2 seconds:
Packet sent with a source address of 2803:1500:D00::1
!!!!!