Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 Basics & Questions & General Chatter => Topic started by: rfc1180 on July 27, 2009, 09:50:03 PM

Title: IPv6 and NAT-PT
Post by: rfc1180 on July 27, 2009, 09:50:03 PM
Has anyone successfully configured NAT-PT on a Cisco running IOS with DNS-ALG functioning as well?
If so, maybe can you please share your config on the NAT-PT portion?


Any help would be appreciated

-billy

Title: Re: IPv6 and NAT-PT
Post by: markspenser on August 17, 2009, 12:22:32 AM
Hi Billy,

I have successfully configured NAT-PT on a Cisco running IOS with DNS-ALG functioning as well, a long time ago, but I don't remember that configuration. At the same time, I am trying to remember that configuration... I will put up the detailed configuration as soon as I have a good memory :)

regards,
mark
Title: Re: IPv6 and NAT-PT
Post by: petergrace on September 11, 2009, 10:12:49 AM
Quote from: markspenser on August 17, 2009, 12:22:32 AM
Hi Billy,

I have successfully configured NAT-PT on a Cisco running IOS with DNS-ALG functioning as well, a long time ago, but I don't remember that configuration. At the same time, I am trying to remember that configuration... I will put up the detailed configuration as soon as I have a good memory :)

regards,
mark

I know that certain versions of IOS (namely mine :( ) have a buggy NAT-PT implementation. I use ptrtd/totd instead, which has its own set of issues. I have yet to find a really good implementation of this.
Title: Re: IPv6 and NAT-PT
Post by: maestroevolution on September 11, 2009, 11:23:52 AM
All,

I'm using NAT-PT on a Juniper 5gt with totd for DNS and it's working very well for me. I made one of the wireless SSIDs IPv6 only and had no issues with it.

My only annoyance is that totd will only pass back one prefix; I have multiple subnets in multiple security zones, and I need totd to pass back a different prefix based on the requesting subnet. I have two solutions in mind to implement, but I haven't gotten around to implementing them yet: I'm supposed to be reviewing for the CCIE written and all that.

If you have only one subnet, it's no big deal.

Joel
Title: Re: IPv6 and NAT-PT
Post by: jimb on September 12, 2009, 03:08:14 PM
maestro, I think the source for totd is available here (http://www.vermicelli.pasta.cs.uit.no/software/totd.html).   ;D
Title: Re: IPv6 and NAT-PT
Post by: maestroevolution on September 15, 2009, 11:00:00 AM
I'm toying with the idea of writing a quickie version of behave-dns64 (which is basically what totd is) in Python, and adding that feature in there. It's just DNS records with a few sleights of hand for A/AAAA and PTR records. How hard can it be? **

I'll probably implement multiple instances of totd with either a) BIND configured to use them as 'forwarding' DNS servers which then forward back (with instances in BIND based on source address), or b) play with iptables and PAT the port based on source prefix.

Both of those solutions should work today, unlike the Python code I haven't written yet.

Joel

** famous last words, I know. 
Title: Re: IPv6 and NAT-PT
Post by: jimb on September 15, 2009, 01:35:12 PM
Or perhaps you could write a Python or Perl script that sits in front of totd and lets totd do the heavy lifting, while you just implement your prefix rewrite on the replies from totd? That'd be easier than reimplementing totd completely, I think.

Yeah. I also thought of using BIND as a front end to multiple instances of totd listening on different ports (the forwarders command lets you specify ports, I believe). You could match the source IPs of the clients using the BIND "views" functionality, and then forward to the appropriate instance of totd. That'd let you use one BIND server as a front end for everything.

As for ip6tables, you couldn't PAT it, since there is no NAT table for ip6tables AFAIK. But it looks like that functionality is provided by the "mangle" table and the TPROXY target. I've never tried that before, though. If this works as I suspect it does, it'd probably be the simplest solution. Just match the source IPv6 range in a rule, and use the TPROXY target to change the destination port (and/or IP), sending the DNS request off to the appropriate instance of totd.

It's too bad the authors of totd don't provide a source-IP -> IPv6 prefix mapping functionality in totd. I notice that it has some "scoped address" functionality, but it doesn't do what you're looking for.

Of course, perhaps this is the wrong approach to the problem?  Maybe this should be implemented using policy routing on your router(s) instead?
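As an added illustration of the two ideas above (Joel's "DNS64 in Python" sketch and the source-IP -> prefix mapping totd lacks), here is example code that is not from the thread or from totd: it embeds an A record into a NAT-PT/DNS64 prefix following the RFC 6052 layout, reverses the embedding for PTR handling, and picks the prefix by longest match on the client's source subnet. The client subnets, zone labels and per-zone prefixes are constructed placeholders.

```python
"""DNS64-style AAAA synthesis (RFC 6052) with the NAT-PT prefix chosen per client subnet."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network, ip_address, ip_network

# Constructed mapping: client source subnet -> NAT-PT prefix for that security zone.
# Subnets, prefixes and zone labels are hypothetical, not from any real deployment.
PREFIX_BY_CLIENT_SUBNET = {
    "2001:db8:1::/64": "2001:db8:1:ff64::/96",  # "trust" zone
    "2001:db8:2::/64": "2001:db8:2:ff64::/96",  # "guest" zone
    "::/0":            "64:ff9b::/96",           # fallback: the well-known prefix
}

def select_prefix(client: str, table=PREFIX_BY_CLIENT_SUBNET) -> str:
    """Longest-prefix match of the querying client's IPv6 source address."""
    addr = ip_address(client)
    hits = [(ip_network(k), v) for k, v in table.items() if addr in ip_network(k)]
    if not hits:
        raise LookupError(f"no NAT-PT prefix configured for client {client}")
    return max(hits, key=lambda kv: kv[0].prefixlen)[1]

def synthesize_aaaa(ipv4: str, prefix: str) -> str:
    """Embed an IPv4 address into a /32, /40, /48, /56, /64 or /96 prefix (RFC 6052 s2.2)."""
    net = IPv6Network(prefix)
    plen, v4, base = net.prefixlen, int(IPv4Address(ipv4)), int(net.network_address)
    if plen not in (32, 40, 48, 56, 64, 96):
        raise ValueError("RFC 6052 permits only /32, /40, /48, /56, /64 and /96 prefixes")
    if plen == 96:
        return str(IPv6Address(base | v4))
    # Bits plen..63 carry the first (64 - plen) IPv4 bits, bits 64..71 are the
    # reserved all-zero 'u' octet, and the remaining IPv4 bits start at bit 72.
    high_bits = 64 - plen
    high, low = v4 >> (32 - high_bits), v4 & ((1 << (32 - high_bits)) - 1)
    return str(IPv6Address(base | (high << 64) | (low << (88 - plen))))

def extract_ipv4(aaaa: str, prefix: str) -> str:
    """Inverse of synthesize_aaaa, as a PTR-rewriting resolver would need it."""
    plen, v6 = IPv6Network(prefix).prefixlen, int(IPv6Address(aaaa))
    if plen == 96:
        return str(IPv4Address(v6 & 0xFFFFFFFF))
    high_bits = 64 - plen
    high = (v6 >> 64) & ((1 << high_bits) - 1)
    low = (v6 >> (88 - plen)) & ((1 << (32 - high_bits)) - 1)
    return str(IPv4Address((high << (32 - high_bits)) | low))

def answer_for_client(client: str, a_records: list) -> list:
    """AAAA set a per-zone DNS64 front end would return for an IPv4-only name."""
    prefix = select_prefix(client)
    return [synthesize_aaaa(a, prefix) for a in a_records]
```

Because the prefix is chosen from the querying client's address, two clients in different zones asking for the same IPv4-only name get AAAA answers pointing at their own zone's translator, which is the behaviour totd's single-prefix configuration cannot express.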
Title: Re: IPv6 and NAT-PT
Post by: pauljay on May 07, 2010, 02:05:04 AM
Honestly Cisco sucks, and I have had problems galore using NAT-PT with it, I wouldn't bother...
Title: Re: IPv6 and NAT-PT
Post by: bobmorton on September 13, 2010, 10:48:30 PM
I also used IPv6 and NAT-PT, and the configuration was a bit confusing. Anyway, I'll try to look for the site where you can get the process for doing it.