6to4 nat question
Tom
tom at f-i-ts.net
Thu Apr 30 13:47:52 CEST 2009
Hello,
I've got an ipv6 nat problem, perhaps someone here on the list
might have an idea what's wrong with my configuration:
We operate our own AS including ipv6. Now I wanted to provide
a "carrier grade" ipv4 => ipv6 nat gateway for our whole ipv4 network
(a /19).
This is the relevant configuration on the 7200 router:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!
interface Loopback0
 ipv6 address 2A02:C00:FFFA::16/128
!
interface Loopback1
 ip address 212.34.78.1 255.255.255.0
 ipv6 nat
!
interface Tunnel2
 no ip address
 ipv6 address 2A02:C00:FFFF::5/126
 ipv6 enable
 ipv6 nat
 tunnel source 212.114.207.18
 tunnel destination 78.46.*.*
 tunnel mode ipv6ip
!
ipv6 nat v6v4 source list v6v4global pool v6pool
ipv6 nat v6v4 pool v6pool 212.34.78.9 212.34.78.14 prefix-length 29
ipv6 nat prefix 2A02:C00:0:FFFF:FFFF::/96 v4-mapped v6v4global
!
ipv6 access-list v6v4global
 sequence 20 permit ipv6 any 2A02:C00:0:FFFF:FFFF::/96
 permit ipv6 2A02:C00:0:FFFF:FFFF::/96 any
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
From a linux server outside our AS using a tunnel (Tunnel2 on the
backbone router), which has the ipv6 address 2A02:C00:FFFF::6,
I can reach our ipv6 net, e.g.:
% ping6 2A02:C00:FFFA::16
PING 2A02:C00:FFFA::16(2a02:c00:fffa::16) 56 data bytes
64 bytes from 2a02:c00:fffa::16: icmp_seq=1 ttl=64 time=2.34 ms
64 bytes from 2a02:c00:fffa::16: icmp_seq=2 ttl=64 time=1.84 ms
--- 2A02:C00:FFFA::16 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.844/2.094/2.345/0.254 ms
But if I want to reach an ipv6-mapped destination within our net
I get no response from the nat router:
% ping6 2a02:c00:0:ffff:ffff:0:d422:41ba
PING 2a02:c00:0:ffff:ffff:0:d422:41ba(2a02:c00:0:ffff:ffff:0:d422:41ba) 56 data bytes
--- 2a02:c00:0:ffff:ffff:0:d422:41ba ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3002ms
The address 2a02:c00:0:ffff:ffff:0:d422:41ba is the mapped ipv4
address 212.34.65.186. On that router I receive the natted icmp packet
and it sends a response, which also can be seen on the nat router:
Apr 30 11:25:48: ICMP: echo reply rcvd, src 212.34.65.186, dst 212.34.78.9
I also see that the nat router natted the packet correctly:
Apr 30 11:11:42: IPv6 NAT: ipv6nat_find_entry_v4tov6:
ref_count = 1,
usecount = 0, flags = 260, rt_flags = 0,
more_flags = 0
Apr 30 11:11:42: IPv6 NAT: icmp src (2A02:C00:FFFF::6) -> (212.34.78.9),
dst (2A02:C00:0:FFFF:FFFF:0:D422:41BA) -> (212.34.65.186)
Apr 30 11:11:42: IPv6 NAT:v4tov6 entry not found
And 'sh ipv6 nat translations' shows the nat session:
icmp 212.34.78.9,64005 2A02:C00:FFFF::6,64005
212.34.65.186,64005 2A02:C00:0:FFFF:FFFF:0:D422:41BA,64005
But it didn't nat the answer packet back to ipv6.
Has anyone an idea what's wrong?
regards,
Tom
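
The mapping described in the message (the IPv4 address carried in the low 32 bits of the /96 NAT prefix), as an added example that is not part of the original post: a Python check of translation rows against the configured prefix and pool. The function names and the row parser are assumptions made for illustration; the addresses are the ones quoted in the message.

```python
import ipaddress
import re

# Prefix and pool as configured in the post.
NAT_PREFIX = ipaddress.ip_network("2A02:C00:0:FFFF:FFFF::/96")
POOL_FIRST = ipaddress.ip_address("212.34.78.9")
POOL_LAST = ipaddress.ip_address("212.34.78.14")

# The two translation rows quoted in the post (IPv4 side, then IPv6 side).
SAMPLE = """\
icmp 212.34.78.9,64005 2A02:C00:FFFF::6,64005
212.34.65.186,64005 2A02:C00:0:FFFF:FFFF:0:D422:41BA,64005
"""

ROW = re.compile(r"(?:\w+\s+)?(\d+\.\d+\.\d+\.\d+),\d+\s+([0-9A-Fa-f:]+),\d+")

def v6_to_v4(addr, prefix=NAT_PREFIX):
    """Return the IPv4 address in the low 32 bits, or None if outside the prefix."""
    a = ipaddress.IPv6Address(addr)
    if a not in prefix:
        return None
    return ipaddress.IPv4Address(int(a) & 0xFFFFFFFF)

def v4_to_v6(addr, prefix=NAT_PREFIX):
    """Embed an IPv4 address in the low 32 bits of the /96 prefix."""
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(addr)))

def check(text):
    """Return (ipv4, ipv6, role, consistent) for every translation row in text."""
    out = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        v4 = ipaddress.IPv4Address(m.group(1))
        v6 = ipaddress.IPv6Address(m.group(2))
        embedded = v6_to_v4(v6)
        if embedded is not None:
            # IPv6 side lies in the NAT prefix: its low 32 bits must equal the IPv4 side.
            out.append((str(v4), str(v6), "mapped-destination", embedded == v4))
        else:
            # Native IPv6 host: its IPv4 stand-in must come from the configured pool.
            out.append((str(v4), str(v6), "pool-source", POOL_FIRST <= v4 <= POOL_LAST))
    return out

if __name__ == "__main__":
    for row in check(SAMPLE):
        print(row)
```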