Deploy NAT64 and DNS64 with Thunder CGN/CFW

siddharthaasiddharthaa Member, Moderator mod
edited May 13 in Tips

In this article, we will see how you can deploy NAT64 with DNS64 using Thunder CGN/CFW to enable IPv6 clients to access IPv4 resources.


Setup

Here is an overview of the setup and the overall functionality (DNS64 and NAT64):




Base configuration

Here we have the following base configuration on the Thunder device:

ip dns primary 8.8.8.8
!
timezone America/Los_Angeles
!
ntp server time.google.com
  prefer
!
glm use-mgmt-port
glm enable-requests
!
interface ethernet 1
  enable
  ipv6 address 2001:db8:1::1/64
!
interface ethernet 2
  enable
  ip address 192.0.2.1 255.255.255.0
!
ip route 0.0.0.0 /0 192.0.2.254


Configure DNS64

To configure DNS64, we define a DNS64 virtual server VIP consisting of one or more DNS servers.

ip nat pool dns-nat-pool 192.0.2.2 192.0.2.2 netmask /32
!
cgnv6 server dnsserver1 192.0.2.102
 port 53 udp
!
cgnv6 service-group dns53 udp
 member dnsserver1 53
!
cgnv6 template dns dns64-template
 dns64 enable
 dns64 change-query
!
cgnv6 dns64-virtualserver DNSVIP 2001:db8:1::2
 port 53 dns-udp
  source-nat pool dns-nat-pool
  service-group dns53
  template dns dns64-template


Under this DNS64 VIP we apply a DNS64 template:

  • The command "dns64 enable" under this template is required.
  • The command "dns64 change-query" is optional. With this option enabled, when the Thunder device receives an AAAA request from a client, it will forward only an A request on behalf of the client.


This DNS VIP address should be configured as the IPv6 DNS server address on the client machine.


Configure NAT64

class-list NAT64_CLIENTS
 ::/0 lsn-lid 1
!
interface ethernet 1
 enable
 ipv6 address 2001:db8:1::1/64
 ipv6 nat inside
!
interface ethernet 2
 enable
 ip address 192.0.2.1 255.255.255.0
 ip nat outside
!
cgnv6 nat pool pool1 203.0.113.1 203.0.113.1 netmask /32
!
cgnv6 lsn-lid 1
 source-nat-pool pool1
!
cgnv6 nat64 inside source class-list NAT64_CLIENTS
!
cgnv6 nat64 prefix 64:ff9b::/96


Enable "ipv6 nat inside" on the incoming IPv6 interface and "ip nat outside" on the outgoing IP4 interface.

Here we define the NAT64 prefix to be 64:ff9b::/96. You can choose a different prefix value as needed.


Optional: Enable ALGs for NAT64

Here we enable the following ALGs:

cgnv6 nat64 alg esp enable
!
cgnv6 nat64 alg pptp enable
!
cgnv6 nat64 alg rtsp enable
!
cgnv6 nat64 alg sip enable
!
cgnv6 nat64 alg h323 enable
!
cgnv6 nat64 alg mgcp enable
!
cgnv6 nat64 alg tftp enable


Note that ALG for FTP is enabled by default and hence does not need to be enabled explicitly.


Optional: Configure NAT64 logging


cgnv6 server CGN-LOG 192.0.2.101
  port 514 udp
!
cgnv6 service-group SG-CGN-LOG udp
  member CGN-LOG 514
!
cgnv6 template logging CGN-LOG-TEMPLATE
  log sessions
  service-group SG-CGN-LOG
!
cgnv6 lsn logging default-template CGN-LOG-TEMPLATE


Verification

Initiate an IPv6 ping from the client to an IPv4 server.

For example, here we have a server www.a10tests.com with IPv4 address 192.0.2.100.

$ ping6 www.a10tests.com
PING www.a10tests.com(64:ff9b::c000:264 (64:ff9b::c000:264)) 56 data bytes
64 bytes from 64:ff9b::c000:264 (64:ff9b::c000:264): icmp_seq=1 ttl=63 time=1.53 ms
64 bytes from 64:ff9b::c000:264 (64:ff9b::c000:264): icmp_seq=2 ttl=63 time=1.42 ms
64 bytes from 64:ff9b::c000:264 (64:ff9b::c000:264): icmp_seq=3 ttl=63 time=2.13 ms


$ nslookup www.a10tests.com
Server:         2001:db8:1::2
Address:        2001:db8:1::2#53


Non-authoritative answer:
Name:   www.a10tests.com
Address: 192.0.2.100
Name:   www.a10tests.com
Address: 64:ff9b::c000:264


From the above output, we can see the DNS name www.a10tests.com got synthesized to IPv6 address 64:ff9b::c000:264, which consists of the NAT64 prefix 64:ff9b::/96, and the hex equivalent of IPv4 address 192.0.2.100.


On the Thunder device we can see the following session entry:


vThunder#sh session
     
                   <snip>
  
Prot Forward Source            Forward Dest              Reverse Source            Reverse Dest              Age   Hash Flags             Type
---------------------------------------------------------------------------------------------------------------------------------------------------
Icmp [2001:db8:1::10]:791      [64:ff9b::c000:264]       192.0.2.100               203.0.113.1:13952         0     1    NSe0f0r0          LSN
Total Sessions:  1

From the above output, we can see the destination IPv6 address 64:ff9b::c000:264 has been translated to IPv4 address 192.0.2.1.100

Also, the source IPv6 address 2001:db8:1::10 has been translated to IPv4 address 203.0.113.1, an address in the CGNv6 NAT pool.


Complete Configuration

Here is the complete configuration for reference:

class-list NAT64_CLIENTS
  ::/0 lsn-lid 1
!
ip dns primary 8.8.8.8
!
timezone America/Los_Angeles
!
ntp server time.google.com
  prefer
!
glm use-mgmt-port
glm enable-requests
!
interface management
  ip address 10.64.4.138 255.255.255.0
  ip default-gateway 10.64.4.1
  enable
!
interface ethernet 1
  enable
  ipv6 address 2001:db8:1::1/64
  ipv6 nat inside
!
interface ethernet 2
  enable
  ip address 192.0.2.1 255.255.255.0
  ip nat outside
!
!
ip nat pool dns-nat-pool 192.0.2.2 192.0.2.2 netmask /32
!
ip route 0.0.0.0 /0 192.0.2.254
!
cgnv6 server CGN-LOG 192.0.2.101
  port 514 udp
!
cgnv6 server dnsserver1 192.0.2.102
  port 53 udp
!
cgnv6 service-group SG-CGN-LOG udp
  member CGN-LOG 514
!
cgnv6 service-group dns53 udp
  member dnsserver1 53
!
cgnv6 template dns dns64-template
  dns64 enable
  dns64 change-query
!
cgnv6 template logging CGN-LOG-TEMPLATE
  log sessions
  service-group SG-CGN-LOG
!
cgnv6 nat pool pool1 203.0.113.1 203.0.113.1 netmask /32
!
cgnv6 lsn logging default-template CGN-LOG-TEMPLATE
!
cgnv6 dns64-virtualserver DNSVIP 2001:db8:1::2
  port 53 dns-udp
    source-nat pool dns-nat-pool
    service-group dns53
    template dns dns64-template
!
cgnv6 lsn-lid 1
  source-nat-pool pool1
!
cgnv6 nat64 inside source class-list NAT64_CLIENTS
!
cgnv6 nat64 alg esp enable
!
cgnv6 nat64 alg pptp enable
!
cgnv6 nat64 alg rtsp enable
!
cgnv6 nat64 alg sip enable
!
cgnv6 nat64 alg h323 enable
!
cgnv6 nat64 alg mgcp enable
!
cgnv6 nat64 alg tftp enable
!
cgnv6 nat64 prefix 64:ff9b::/96
!
logging syslog information
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
end
!Current config commit point for partition 0 is 0 & config mode is classical-mode
vThunder#


Sign In or Register to comment.