6to4 nat question

Steve Bertrand steve at ibctech.ca
Thu Apr 30 15:01:25 CEST 2009


Tom wrote:
> Hello,
> 
> I've got an ipv6 nat problem, perhaps someone here on the list
> might have an idea what's wrong with my configuration:
> 
> We operate our own AS including ipv6. Now I wanted to provide
> a "carrier grade" ipv4 => ipv6 nat gateway for our whole ipv4 network
> (a /19).
> 
> This is the relevant configuration on the 7200 router:
> 
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> !
> interface Loopback0
>  ipv6 address 2A02:C00:FFFA::16/128
> !
> interface Loopback1
>  ip address 212.34.78.1 255.255.255.0
>  ipv6 nat
> !
> interface Tunnel2
>  no ip address
>  ipv6 address 2A02:C00:FFFF::5/126
>  ipv6 enable
>  ipv6 nat
>  tunnel source 212.114.207.18
>  tunnel destination 78.46.*.*
>  tunnel mode ipv6ip
> !
> ipv6 nat v6v4 source list v6v4global pool v6pool
> ipv6 nat v6v4 pool v6pool 212.34.78.9 212.34.78.14 prefix-length 29
> ipv6 nat prefix 2A02:C00:0:FFFF:FFFF::/96 v4-mapped v6v4global
> !
> ipv6 access-list v6v4global
>  sequence 20 permit ipv6 any 2A02:C00:0:FFFF:FFFF::/96
>  permit ipv6 2A02:C00:0:FFFF:FFFF::/96 any
> !
> !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
> 
> From a linux server outside our AS using a tunnel (Tunnel2 on the
> backbone router), which has the ipv6 address 2A02:C00:FFFF::6
> I can reach our ipv6 net, eg:
> 
> % ping6 2A02:C00:FFFA::16
> PING 2A02:C00:FFFA::16(2a02:c00:fffa::16) 56 data bytes
> 64 bytes from 2a02:c00:fffa::16: icmp_seq=1 ttl=64 time=2.34 ms
> 64 bytes from 2a02:c00:fffa::16: icmp_seq=2 ttl=64 time=1.84 ms
> 
> --- 2A02:C00:FFFA::16 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1002ms
> rtt min/avg/max/mdev = 1.844/2.094/2.345/0.254 ms
> 
> But if I want to reach an ipv6-mapped destination within our net
> I get no response from the nat router:
> 
> % ping6 2a02:c00:0:ffff:ffff:0:d422:41ba
> PING 2a02:c00:0:ffff:ffff:0:d422:41ba(2a02:c00:0:ffff:ffff:0:d422:41ba) 56 data bytes
> 
> --- 2a02:c00:0:ffff:ffff:0:d422:41ba ping statistics ---
> 4 packets transmitted, 0 received, 100% packet loss, time 3002ms
> 
> The address 2a02:c00:0:ffff:ffff:0:d422:41ba is the mapped ipv4
> address 212.34.65.186. On that router I receive the natted icmp packet
> and it sends a response, which can also be seen on the nat router:
> 
> Apr 30 11:25:48: ICMP: echo reply rcvd, src 212.34.65.186, dst 212.34.78.9
> 
> I also see that the nat router natted the packet correctly:
> 
> Apr 30 11:11:42: IPv6 NAT: ipv6nat_find_entry_v4tov6:
>          ref_count = 1,
>                                 usecount = 0, flags = 260, rt_flags = 0,
>                                 more_flags = 0
> Apr 30 11:11:42: IPv6 NAT: icmp src (2A02:C00:FFFF::6) -> (212.34.78.9),
>                            dst (2A02:C00:0:FFFF:FFFF:0:D422:41BA) -> (212.34.65.186)
> Apr 30 11:11:42: IPv6 NAT:v4tov6 entry not found
> 
> And 'sh ipv6 nat translations' shows the nat session:
> 
> icmp  212.34.78.9,64005        2A02:C00:FFFF::6,64005
>       212.34.65.186,64005      2A02:C00:0:FFFF:FFFF:0:D422:41BA,64005
> 
> 
> But it didn't nat the answer packet back to ipv6.

Run a:

# tcpdump -n -i ethX ip6

...on the Linux box that you are expecting to see the return packet on.
Perhaps it does receive the response, but drops it before passing it up
to the ping application for some reason.

Steve
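As an added illustration (not part of either post), this Python snippet shows how the v4-mapped /96 prefix from the quoted config embeds an IPv4 address, parses a constructed copy of the two-line `sh ipv6 nat translations` entry, and derives what the IPv4 echo reply must be rewritten to on the way back; the column order of the translation table (source pair on line 1, destination pair on line 2) is an assumption.

```python
import ipaddress

# Prefix from the 'ipv6 nat prefix ... v4-mapped' line in the quoted config.
NAT_PREFIX = ipaddress.IPv6Network("2a02:c00:0:ffff:ffff::/96")

def v4_to_mapped(v4, prefix=NAT_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT-PT prefix."""
    if prefix.prefixlen != 96:
        raise ValueError("v4-mapped prefix must be a /96")
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(v4)))

def mapped_to_v4(v6, prefix=NAT_PREFIX):
    """Inverse: recover the IPv4 address from a mapped IPv6 address."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in prefix:
        raise ValueError(f"{addr} is not inside {prefix}")
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)

# Constructed copy of the two-line translation entry shown in the post.
# Assumed layout: line 1 = IPv4 source / IPv6 source,
#                 line 2 = IPv4 destination / IPv6 destination.
TRANSLATION = """\
icmp  212.34.78.9,64005        2A02:C00:FFFF::6,64005
      212.34.65.186,64005      2A02:C00:0:FFFF:FFFF:0:D422:41BA,64005
"""

def parse_translation(text):
    """Return the four (host, port) endpoints of one v6v4 entry."""
    lines = [line.split() for line in text.strip().splitlines()]
    proto, v4src, v6src = lines[0]
    v4dst, v6dst = lines[1]
    def split(s):
        host, port = s.rsplit(",", 1)
        return host, int(port)
    return {"proto": proto, "v4src": split(v4src), "v6src": split(v6src),
            "v4dst": split(v4dst), "v6dst": split(v6dst)}

def expected_reply(entry, prefix=NAT_PREFIX):
    """Return (src6, dst6) that the IPv4 reply to this entry must be
    rewritten to, after checking the mapped destination is consistent."""
    v6dst = ipaddress.IPv6Address(entry["v6dst"][0])
    if mapped_to_v4(v6dst, prefix) != ipaddress.IPv4Address(entry["v4dst"][0]):
        raise ValueError("IPv6 destination does not embed the IPv4 destination")
    # The reply arrives with src = original v4 dst and dst = pool address;
    # the translator must map src back into the prefix and dst to the v6 host.
    return (v4_to_mapped(entry["v4dst"][0], prefix),
            ipaddress.IPv6Address(entry["v6src"][0]))
```

Comparing the tuple returned by `expected_reply` with the IPv6 packet (if any) seen by tcpdump on the Linux side tells you whether the reverse translation happened at all or whether the packet was rewritten and then dropped locally.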
