Vyatta Network OS Documentation


Configuring NAT 6-4

The following figure shows a NAT 6-4 configuration example. In this example, Host1, a host that resides in an external IPv6 network, sends requests to Host2, a host that resides in an internal IPv4 network. The requests enter the router through the dp0p3p1 data plane interface, on which NAT 6-4 translation is enabled.

Figure 1. NAT 6-4 configuration example

To configure NAT 6-4 as shown in this figure, perform the steps in Table 1 in configuration mode. NAT 6-4 configuration involves the following:

  • Creating a NAT 6-4 rule.
  • Specifying the IPv6 routing prefix of the destination IPv4 addresses.
  • Specifying the data plane interface through which the inbound IPv6 request packets pass.
  • Specifying the IPv6 routing prefix of the source IPv6 addresses.

Table 1. Configuring NAT 6-4

Step, then command:

On R1, specify 1 as the IPv6-to-IPv4 NAT rule and specify 2001:db9::/32 as the routing prefix for destination addresses.

vyatta@R1# set service nat ipv6-to-ipv4 rule 1 destination prefix 2001:db9::/32

For rule 1, specify the inbound interface.

vyatta@R1# set service nat ipv6-to-ipv4 rule 1 inbound-interface dp0p3p1

For rule 1, specify the routing prefix for source addresses.

vyatta@R1# set service nat ipv6-to-ipv4 rule 1 source prefix 2001:db8::/32

Run the show service nat command.

vyatta@R1# show service nat
nat {
  ipv6-to-ipv4 {
    rule 1 {
      destination {
        prefix 2001:db9::/32
      }
      inbound-interface dp0p3p1
      source {
        prefix 2001:db8::/32
      }
    }
  }
}

To verify that your NAT 6-4 setup works, ping Host2 from Host1.

vyatta@host1# run ping 2001:db9:c612:05c8::
PING 2001:db9:c612:05c8::(2001:db9:c612:5c8::) 56 data bytes
64 bytes from 2001:db9:c612:5c8::: icmp_seq=1 ttl=63 time=0.950 ms

On Host2, run the following command to capture the ping traffic on the eth1 interface.

vyatta@host2:~$ sudo tshark -i eth1
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
 0.000000 198.18.4.200 -> 198.18.5.200 ICMP Echo (ping) request
 0.000025 198.18.5.200 -> 198.18.4.200 ICMP Echo (ping) reply

For a TCP-based flow (SSH from Host1 to Host2), run the following command:

vyatta@host1# ssh vyatta@2001:db9:c612:05c8::

Welcome to Vyatta
vyatta@2001:db9:c612:05c8::'s password:
Welcome to Vyatta
Version: 999.daisyse.12170009
Description: 999.daisyse.12170009
Copyright: 2006-2013 Vyatta, Inc.
Last login: Wed Sep 24 23:07:35 2014 from 192.168.122.1
vyatta@host2:~$

On Host2, run the following command to capture the SSH traffic on the eth1 interface.

vyatta@host2:~$ sudo tshark -i eth1
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
 73.000922 198.18.4.200 -> 198.18.5.200 TCP 46468 > ssh [SYN] Seq=0
Win=14400 Len=0 MSS=1440 TSV=2698800 TSER=0 WS=7
 73.000959 198.18.5.200 -> 198.18.4.200 TCP ssh > 46468 [SYN, ACK] Seq=0
Ack=1 Win=14480 Len=0 MSS=1460 TSV=2698617 TSER=2698800 WS=7
 73.002098 198.18.4.200 -> 198.18.5.200 TCP 46468 > ssh [ACK] Seq=1 Ack=1
Win=14464 Len=0 TSV=2698800 TSER=2698617
 73.006947 198.18.5.200 -> 198.18.4.200 SSH Server Protocol:
SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3\r

Both flows create sessions on the DUT (device under test), as shown in the following example.

vyatta@vyatta# run show session-table
TCP state codes: SS - SYN SENT, SR - SYN RECEIVED, ES - ESTABLISHED,
                 FW - FIN WAIT, CW - CLOSE WAIT, LA - LAST ACK,
                 TW - TIME WAIT, CL - CLOSE, LI - LISTEN

CONNID Source               Destination      Protocol  TIMEOUT  Intf      Parent
5      198.18.4.200:46468   198.18.5.200:22  tcp [6]   TW 237   dp0p4p10
6      198.18.4.200         198.18.5.200     icmp [1]  28       dp0p4p10
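
The ping target 2001:db9:c612:05c8:: and the captured address 198.18.5.200 are the same host seen from each side of the translation, which matters when correlating IPv6-side logs with IPv4-side captures or session entries. The following is an added example, not part of the Vyatta documentation: it assumes the router uses the RFC 6052 IPv4-embedded address layout (consistent with the addresses shown above), covers all RFC 6052 prefix lengths rather than only /32, and the function names embed and extract are hypothetical.

```python
import ipaddress

# Prefix lengths permitted by RFC 6052, section 2.2.
RFC6052_LENGTHS = (32, 40, 48, 56, 64, 96)


def _v4_positions(prefixlen: int) -> list[int]:
    """Byte offsets of the embedded IPv4 address inside the 16-byte IPv6 address."""
    if prefixlen not in RFC6052_LENGTHS:
        raise ValueError(f"/{prefixlen} is not an RFC 6052 prefix length")
    # The four IPv4 bytes follow the prefix, skipping byte 8 (bits 64-71),
    # which RFC 6052 reserves and requires to be zero.
    return [i for i in range(prefixlen // 8, 16) if i != 8][:4]


def embed(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """IPv6 address that represents `ipv4` under the given NAT 6-4 prefix."""
    net = ipaddress.IPv6Network(prefix)
    raw = bytearray(net.network_address.packed)
    v4_bytes = ipaddress.IPv4Address(ipv4).packed
    for pos, byte in zip(_v4_positions(net.prefixlen), v4_bytes):
        raw[pos] = byte
    return ipaddress.IPv6Address(bytes(raw))


def extract(prefix: str, ipv6: str) -> ipaddress.IPv4Address:
    """IPv4 address that `ipv6` is translated to under the given prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in net:
        raise ValueError(f"{addr} is outside {net}")
    raw = addr.packed
    return ipaddress.IPv4Address(bytes(raw[i] for i in _v4_positions(net.prefixlen)))


if __name__ == "__main__":
    # Destination prefix from rule 1 and the ping target used on Host1.
    print(extract("2001:db9::/32", "2001:db9:c612:05c8::"))
    # Source prefix from rule 1 and the source address seen in the capture.
    # The page does not state Host1's IPv6 address; this is what the assumed
    # layout implies for 198.18.4.200.
    print(embed("2001:db8::/32", "198.18.4.200"))
```

Because the destination prefix is a /32, every IPv4 address can be expressed under it, so any restriction on which internal hosts are reachable has to come from other policy on the router rather than from the prefix itself.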