[6bone] Cisco, NAT-PT : establish connection from IPv6 to IPv4

Jerome Wenzel jwenzel@netline.lu
Wed, 11 Jun 2003 15:24:33 +0200


Hello,

First I would like to thank Joao for his help.
But now, I have a new problem when trying to map the DNS server, or any device which is not in the directly connected network of the router.

I apologize if I'm on the wrong mailing-list to ask for help. If somebody has good web sites or other information sources about Cisco and NAT-PT, this information is welcome! I don't gather a lot of useful tips on the Cisco web site ...

I want to access the IPv4 network and internet from the IPv6-only computer PC1, using the IP addresses; I'll try later with names.
Below are the network scheme, an extract of the Cisco 7200 router configuration file, and the results of the tests (using ping) I performed. I think that the router blocks some traffic from PC1; I give further information below with the tests and results.
NAT-PT is configured on the router, with static mappings.

PC1's OS is Win 2k Pro SP1; its configuration is done with:
ipv6 adu 3/2002:1:1::2
ipv6 rtu 2002:1:1::/48 3
ipv6 rtu 2002:1:2::/96 3/2002:1:1::1

From PC1, I can access the IPv4 network A.B.1.0/24, which is directly connected to the router, but I can't reach the other IPv4 addresses with nat translations, even with a static mapping configured (for example to the DNS server).

The first question is, because I have a doubt: Can NAT-PT work in such a network topology?
If yes, I think it's a routing problem or a command missing on the router, but I don't find the matter.
I checked the rules on the firewall; it shouldn't block my traffic.

Thanks.
Jérôme
                                                               ------------
                                                               |DNS Server|
                                                               ------------
                                                            A.B.2.9  |
                                                                     |
   -----             --------        -----     ----------     ----------------   -----------------
   |PC1|------- f0/0 |Router| f0/1 --|hub|-----|firewall|-----| IPV4 network |---| IPv4 Internet |
   -----             --------        -----     ----------     ----------------   -----------------
2002:1:1::2  2002:1:1::1   A.B.1.2     |    A.B.1.1  A.B.3.1         |
                                       |                             |
                                     -----                         -----
                                     |PC2|                         |PC3|
                                     -----                         -----
                                    A.B.1.3                       A.B.4.5


Router#sh run
Building configuration...

!
hostname Router
!
boot system flash c7200-js-mz.122-15.T1.bin
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 ipv6 address 2002:1:1::1/48
 ipv6 nat
!
interface FastEthernet0/1
 ip address A.B.1.2 255.255.255.0
 duplex auto
 speed auto
 ipv6 nat
!
ip classless
ip route 0.0.0.0 0.0.0.0 A.B.1.1
no ip http server
!
!
!
ipv6 nat v4v6 source A.B.2.9 2002:1:2::A.B.2.9
ipv6 nat v4v6 source A.B.1.1 2002:1:2::A.B.1.1
ipv6 nat v6v4 source 2002:1:1::2 A.B.1.4
ipv6 nat prefix 2002:1:2::/96
!


On the router :
ping ipv4 A.B.1.1 is successful
ping ipv4 A.B.2.9 is successful

On PC1 :
ping ipv6 2002:1:2::A.B.1.1 is successful
ping ipv6 2002:1:2::A.B.2.9 -> request timed out

The command "debug ipv6 nat" on the router shows :
IPv6 NAT: icmp src (2002:1:1::2) -> (A.B.1.4), dst (2002:1:2::A.B.2.9) -> (A.B.2.9)
But there is no reply ...

I use a frame analyser (Ethereal) on PC2, to see the outgoing traffic of the router :
I only see broadcast ARP requests from the router : "who has A.B.2.9 ? Tell A.B.1.2"
When I ping ipv4 A.B.2.9 from router or ping ipv6 2002:1:2::A.B.1.1 from PC1, I capture both request and reply ICMP packets with PC2.

I've pinged PC1 from PC3, it updates the ipv6 nat translation table, and with "debug ipv6 nat" I can see both request and reply packets:
IPv6 NAT: icmp src (A.B.4.5) -> (2002:1:2::A.B.4.5), dst (A.B.1.4) -> (2002:1:1::2)
IPv6 NAT: icmp src (2002:1:1::2) -> (A.B.1.4), dst (2002:1:2::A.B.4.5) -> (A.B.4.5)
Using Ethereal on PC1, I also see the ICMP requests and replies. 
So, PC1 is responding.
When I capture frames with PC2, I see the ICMP requests from PC3 A.B.4.5 to PC1 A.B.1.4, but I don't see the ICMP replies, and I see broadcast ARP requests from the router : "who has A.B.4.5 ? Tell A.B.1.2"
On the router, the command ping A.B.4.5 is successful.

So, the packets from PC1 seemed to be lost in a black hole somewhere in the router ...

With the command "show ip traffic", I've seen that each time I perform a command like ping ipv6 2002:1:2::A.B.2.9 on PC1 or ping A.B.1.4 on PC3, it increases the number X in the following counter: "Drop : X encapsulation failed ...".
Encapsulation failed because the router doesn't know where to send the packet? Or the router doesn't send the packet because encapsulation has failed for an unknown reason?
I sometimes wonder whether in this case the router doesn't use the defined "ip route 0.0.0.0 0.0.0.0 A.B.1.1", and so doesn't know where to send the packets.

The commands "show ipv6 nat" and "show ip packet" display this:
Ping PC3 from PC1 :
03:09:36: IPv6 NAT: icmp src (2002:1:1::2) -> (A.B.1.4), dst (2002:1:2::A.B.4.5) -> (A.B.4.5)
03:09:37: IP: s=A.B.1.4 (local), d=A.B.4.5 (FastEthernet0/1), len 60, sending
03:09:37: IP: s=A.B.1.4 (local), d=A.B.4.5 (FastEthernet0/1), len 60, encapsulation failed

Ping PC2 from PC1 :
03:10:31: IPv6 NAT: icmp src (A.B.1.3) -> (2002:1:2::A.B.1.3), dst (A.B.1.4) -> (2002:1:1::2)
03:10:32: IP: s=A.B.1.4 (local), d=A.B.1.3 (FastEthernet0/1), len 60, sending

Ping PC3 from router :
03:15:09: IP: s=A.B.4.5 (FastEthernet0/1), d=A.B.1.2 (FastEthernet0/1), len 100, rcvd 3
03:15:09: IP: s=A.B.1.2 (local), d=A.B.4.5 (FastEthernet0/1), len 100, sending
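
Added example (not part of the original post): a small Python triage of the kind of debug output quoted above. It checks each NAT-PT translation against the 2002:1:2::/96 prefix mapping, then lists translated flows that were dropped with "encapsulation failed" together with the ARP target the configured default route implies. The 10.0.x.y addresses are an assumed stand-in for the anonymized A.B.x.y space, and the log lines are constructed.

```python
import ipaddress
import re

# Constructed stand-ins and sample log: the post hides its IPv4 space as A.B.x.y; 10.0.x.y is assumed.
NATPT_PREFIX = ipaddress.ip_network("2002:1:2::/96")  # ipv6 nat prefix 2002:1:2::/96
EGRESS_NET = ipaddress.ip_network("10.0.1.0/24")      # FastEthernet0/1 (A.B.1.0/24)
DEFAULT_GW = ipaddress.ip_address("10.0.1.1")         # ip route 0.0.0.0 0.0.0.0 A.B.1.1

SAMPLE_DEBUG = """\
03:09:36: IPv6 NAT: icmp src (2002:1:1::2) -> (10.0.1.4), dst (2002:1:2::10.0.4.5) -> (10.0.4.5)
03:09:37: IP: s=10.0.1.4 (local), d=10.0.4.5 (FastEthernet0/1), len 60, sending
03:09:37: IP: s=10.0.1.4 (local), d=10.0.4.5 (FastEthernet0/1), len 60, encapsulation failed
03:10:31: IPv6 NAT: icmp src (2002:1:1::2) -> (10.0.1.4), dst (2002:1:2::10.0.1.3) -> (10.0.1.3)
03:10:32: IP: s=10.0.1.4 (local), d=10.0.1.3 (FastEthernet0/1), len 60, sending
"""

NAT_RE = re.compile(r"IPv6 NAT: \w+ src \((\S+)\) -> \((\S+)\), dst \((\S+)\) -> \((\S+)\)")
IP_RE = re.compile(r"IP: s=(\S+) \(\S+\), d=(\S+) \((\S+)\), len \d+, (.+)$")

def v4_from_natpt(addr):
    """IPv4 address carried in the low 32 bits of a NAT-PT /96 address, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6 or ip not in NATPT_PREFIX:
        return None
    return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)

def expected_arp_target(dst):
    """On-link hosts are ARPed directly; off-link traffic should resolve the gateway."""
    return dst if dst in EGRESS_NET else DEFAULT_GW

def analyze(log):
    """Report translated flows that the router then dropped with 'encapsulation failed'."""
    translated, findings = set(), []
    for line in log.splitlines():
        nat = NAT_RE.search(line)
        if nat:
            # Keep the flow only if the v4 destination matches the /96 mapping.
            if v4_from_natpt(nat.group(3)) == ipaddress.ip_address(nat.group(4)):
                translated.add(nat.group(4))
            continue
        ip = IP_RE.search(line)
        if ip and ip.group(4) == "encapsulation failed" and ip.group(2) in translated:
            dst = ipaddress.ip_address(ip.group(2))
            findings.append({"dst": str(dst), "on_link": dst in EGRESS_NET,
                             "expected_arp_target": str(expected_arp_target(dst))})
    return findings

if __name__ == "__main__":
    print(analyze(SAMPLE_DEBUG))
```

For the off-link destination the expected ARP target is the gateway address, which can be compared with the "who has ...?" requests captured on the segment.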