[T&C] Deploy NAT64 and DNS64 with Thunder CGN/CFW
In this article, we will see how you can deploy NAT64 with DNS64 using Thunder CGN/CFW to enable IPv6 clients to access IPv4 resources.
Setup
Here is an overview of the setup and the overall functionality (DNS64 and NAT64):
Base configuration
Here we have the following base configuration on the Thunder device:
ip dns primary 8.8.8.8
!
timezone America/Los_Angeles
!
ntp server time.google.com prefer
!
glm use-mgmt-port
glm enable-requests
!
interface ethernet 1
  enable
  ipv6 address 2001:db8:1::1/64
!
interface ethernet 2
  enable
  ip address 192.0.2.1 255.255.255.0
!
ip route 0.0.0.0 /0 192.0.2.254
Configure DNS64
To configure DNS64, we define a DNS64 virtual server VIP consisting of one or more DNS servers.
ip nat pool dns-nat-pool 192.0.2.2 192.0.2.2 netmask /32
!
cgnv6 server dnsserver1 192.0.2.102
  port 53 udp
!
cgnv6 service-group dns53 udp
  member dnsserver1 53
!
cgnv6 template dns dns64-template
  dns64 enable
  dns64 change-query
!
cgnv6 dns64-virtualserver DNSVIP 2001:db8:1::2
  port 53 dns-udp
    source-nat pool dns-nat-pool
    service-group dns53
    template dns dns64-template
Under this DNS64 VIP we apply a DNS64 template:
- The command "dns64 enable" under this template is required.
- The command "dns64 change-query" is optional. With this option enabled, when the Thunder device receives an AAAA request from a client, it will forward only an A request on behalf of the client.
This DNS VIP address should be configured as the IPv6 DNS server address on the client machine.
Configure NAT64
class-list NAT64_CLIENTS
  ::/0 lsn-lid 1
!
interface ethernet 1
  enable
  ipv6 address 2001:db8:1::1/64
  ipv6 nat inside
!
interface ethernet 2
  enable
  ip address 192.0.2.1 255.255.255.0
  ip nat outside
!
cgnv6 nat pool pool1 203.0.113.1 203.0.113.1 netmask /32
!
cgnv6 lsn-lid 1
  source-nat-pool pool1
!
cgnv6 nat64 inside source class-list NAT64_CLIENTS
!
cgnv6 nat64 prefix 64:ff9b::/96
Enable "ipv6 nat inside" on the incoming IPv6 interface and "ip nat outside" on the outgoing IPv4 interface.
Here we define the NAT64 prefix to be 64:ff9b::/96. You can choose a different prefix value as needed.
Optional: Enable ALGs for NAT64
Here we enable the following ALGs:
cgnv6 nat64 alg esp enable
!
cgnv6 nat64 alg pptp enable
!
cgnv6 nat64 alg rtsp enable
!
cgnv6 nat64 alg sip enable
!
cgnv6 nat64 alg h323 enable
!
cgnv6 nat64 alg mgcp enable
!
cgnv6 nat64 alg tftp enable
Note that ALG for FTP is enabled by default and hence does not need to be enabled explicitly.
Optional: Configure NAT64 logging
cgnv6 server CGN-LOG 192.0.2.101
  port 514 udp
!
cgnv6 service-group SG-CGN-LOG udp
  member CGN-LOG 514
!
cgnv6 template logging CGN-LOG-TEMPLATE
  log sessions
  service-group SG-CGN-LOG
!
cgnv6 lsn logging default-template CGN-LOG-TEMPLATE
Verification
Initiate an IPv6 ping from the client to an IPv4 server.
For example, here we have a server www.a10tests.com with IPv4 address 192.0.2.100.
$ ping6 www.a10tests.com
PING www.a10tests.com(64:ff9b::c000:264 (64:ff9b::c000:264)) 56 data bytes
64 bytes from 64:ff9b::c000:264 (64:ff9b::c000:264): icmp_seq=1 ttl=63 time=1.53 ms
64 bytes from 64:ff9b::c000:264 (64:ff9b::c000:264): icmp_seq=2 ttl=63 time=1.42 ms
64 bytes from 64:ff9b::c000:264 (64:ff9b::c000:264): icmp_seq=3 ttl=63 time=2.13 ms
$ nslookup www.a10tests.com
Server:         2001:db8:1::2
Address:        2001:db8:1::2#53

Non-authoritative answer:
Name:   www.a10tests.com
Address: 192.0.2.100
Name:   www.a10tests.com
Address: 64:ff9b::c000:264
From the above output, we can see that the DNS name www.a10tests.com was synthesized to the IPv6 address 64:ff9b::c000:264, which consists of the NAT64 prefix 64:ff9b::/96 followed by the hex equivalent of the IPv4 address 192.0.2.100 (c000:0264).
On the Thunder device we can see the following session entry:
vThunder#sh session
<snip>
Prot Forward Source         Forward Dest          Reverse Source   Reverse Dest        Age  Hash Flags     Type
----------------------------------------------------------------------------------------------------------------
Icmp [2001:db8:1::10]:791   [64:ff9b::c000:264]   192.0.2.100      203.0.113.1:13952   0    1    NSe0f0r0  LSN
Total Sessions: 1
From the above output, we can see that the destination IPv6 address 64:ff9b::c000:264 has been translated to the IPv4 address 192.0.2.100.
Also, the source IPv6 address 2001:db8:1::10 has been translated to IPv4 address 203.0.113.1, an address in the CGNv6 NAT pool.
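The address synthesis shown in the nslookup output and the translation in the session table follow the RFC 6052 /96 layout: the IPv4 address occupies the low 32 bits under the NAT64 prefix. The following Python helper, added here as an illustration and not part of the article or of ACOS, reproduces that mapping in both directions so you can check a synthesized AAAA answer or a session entry against the configured prefix (64:ff9b::/96 from the article).

```python
import ipaddress

# NAT64 prefix configured on the Thunder device in this article
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX) -> str:
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = int(ipaddress.IPv4Address(ipv4))
    # The prefix's network address has zero host bits, so OR-ing in the
    # 32-bit IPv4 value places it in the last two hextets.
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def extract(ipv6: str, prefix: ipaddress.IPv6Network = NAT64_PREFIX):
    """Return the embedded IPv4 address, or None if ipv6 is outside the NAT64 prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None  # a native IPv6 destination, not a NAT64-synthesized one
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def session_is_consistent(forward_dest: str, reverse_source: str) -> bool:
    """Check that a 'sh session' row's Forward Dest maps to its Reverse Source."""
    return extract(forward_dest.strip("[]")) == reverse_source


if __name__ == "__main__":
    # Values taken from the article's nslookup and session output
    print(synthesize("192.0.2.100"))                       # 64:ff9b::c000:264
    print(extract("64:ff9b::c000:264"))                    # 192.0.2.100
    print(session_is_consistent("[64:ff9b::c000:264]", "192.0.2.100"))
```

A mismatch from session_is_consistent (or a None from extract on a Forward Dest column) indicates that the client is resolving against a different prefix than the one in "cgnv6 nat64 prefix".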
Complete Configuration
Here is the complete configuration for reference:
class-list NAT64_CLIENTS
  ::/0 lsn-lid 1
!
ip dns primary 8.8.8.8
!
timezone America/Los_Angeles
!
ntp server time.google.com prefer
!
glm use-mgmt-port
glm enable-requests
!
interface management
  ip address 10.64.4.138 255.255.255.0
  ip default-gateway 10.64.4.1
  enable
!
interface ethernet 1
  enable
  ipv6 address 2001:db8:1::1/64
  ipv6 nat inside
!
interface ethernet 2
  enable
  ip address 192.0.2.1 255.255.255.0
  ip nat outside
!
!
ip nat pool dns-nat-pool 192.0.2.2 192.0.2.2 netmask /32
!
ip route 0.0.0.0 /0 192.0.2.254
!
cgnv6 server CGN-LOG 192.0.2.101
  port 514 udp
!
cgnv6 server dnsserver1 192.0.2.102
  port 53 udp
!
cgnv6 service-group SG-CGN-LOG udp
  member CGN-LOG 514
!
cgnv6 service-group dns53 udp
  member dnsserver1 53
!
cgnv6 template dns dns64-template
  dns64 enable
  dns64 change-query
!
cgnv6 template logging CGN-LOG-TEMPLATE
  log sessions
  service-group SG-CGN-LOG
!
cgnv6 nat pool pool1 203.0.113.1 203.0.113.1 netmask /32
!
cgnv6 lsn logging default-template CGN-LOG-TEMPLATE
!
cgnv6 dns64-virtualserver DNSVIP 2001:db8:1::2
  port 53 dns-udp
    source-nat pool dns-nat-pool
    service-group dns53
    template dns dns64-template
!
cgnv6 lsn-lid 1
  source-nat-pool pool1
!
cgnv6 nat64 inside source class-list NAT64_CLIENTS
!
cgnv6 nat64 alg esp enable
!
cgnv6 nat64 alg pptp enable
!
cgnv6 nat64 alg rtsp enable
!
cgnv6 nat64 alg sip enable
!
cgnv6 nat64 alg h323 enable
!
cgnv6 nat64 alg mgcp enable
!
cgnv6 nat64 alg tftp enable
!
cgnv6 nat64 prefix 64:ff9b::/96
!
logging syslog information
!
sflow setting local-collection
!
sflow collector ip 127.0.0.1 6343
!
!
end
!Current config commit point for partition 0 is 0 & config mode is classical-mode
vThunder#