
IPv6 and NAT-PT

Started by rfc1180, July 27, 2009, 09:50:03 PM


rfc1180

Has anyone successfully configured NAT-PT on a Cisco running IOS with DNS-ALG functioning as well?
If so, maybe can you please share your config on the NAT-PT portion?


Any help would be appreciated

-billy


markspenser

#1
Hi Billy,

I have successfully configured NAT-PT on a Cisco running IOS with DNS-ALG functioning as well, a long time ago, but I don't remember that configuration. At the same time I am trying to remember that configuration... I will put up the detailed configuration as soon as I have a good memory :)

regards,
mark

petergrace

#2
Quote from: markspenser on August 17, 2009, 12:22:32 AM
Hi Billy,

I have successfully configured NAT-PT on a Cisco running IOS with DNS-ALG functioning as well, a long time ago, but I don't remember that configuration. At the same time I am trying to remember that configuration... I will put up the detailed configuration as soon as I have a good memory :)

regards,
mark

I know that certain versions of IOS (namely mine  :( ) have a buggy NAT-PT implementation.  I use ptrtd/totd instead, which has its own set of issues.  I have yet to find a really good implementation of this.

maestroevolution

All,

I'm using NAT-PT on a Juniper 5gt with totd for DNS and it's working very well for me.  I made one of the wireless SSIDs IPv6 only and had no issues with it.

My only annoyance is that totd will only pass back one prefix; I have multiple subnets in multiple security zones, and I need totd to pass back a different prefix based on the requesting subnet.  I have two solutions in mind to implement, but I haven't gotten around to implementing it yet; I'm supposed to be reviewing for a CCIE written and all that.

If you have only one subnet, it's no big deal.

Joel

jimb

maestro, I think the source for totd is available here.   ;D

maestroevolution

I'm toying with the idea of writing a quickie version of behave-dns64 (which is basically what totd is) in Python, and adding that feature in there.  It's just DNS records with a few sleights of hand for A/AAAA and PTR records.  How hard can it be? **

I'll probably implement multiple instances of totd with either a) BIND configured to use them as 'forwarding' DNS servers which then forward back (with instances in BIND based on source address), or b) play with iptables and PAT the port based on source prefix.

Both of those solutions should work today, unlike the Python code I haven't written yet.

Joel

** famous last words, I know. 
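The per-subnet prefix selection Joel describes above, as an added example that is not totd's code or anything from this thread: a DNS64-style synthesis routine that picks the translation /96 by the querying client's subnet, embeds the A record into it (RFC 6052-style), and reverses a synthesized AAAA back to the IPv4 address for PTR handling. The zone table and addresses are constructed (documentation ranges).

```python
import ipaddress

# Constructed table: client subnet (security zone) -> that zone's /96
# translation prefix. A real deployment would load this from config.
ZONE_PREFIXES = {
    ipaddress.ip_network("2001:db8:1::/64"): ipaddress.ip_network("2001:db8:1:ffff::/96"),
    ipaddress.ip_network("2001:db8:2::/64"): ipaddress.ip_network("2001:db8:2:ffff::/96"),
}


def prefix_for_client(client_ip):
    """Choose the translation prefix for the subnet a query came from."""
    client = ipaddress.ip_address(client_ip)
    for subnet, prefix in ZONE_PREFIXES.items():
        if client in subnet:
            return prefix
    # Unknown client subnet: refuse rather than guess a prefix, so a
    # misconfigured zone fails loudly instead of leaking through NAT-PT.
    raise LookupError(f"no translation prefix for client {client_ip}")


def synthesize_aaaa(client_ip, a_record):
    """Build the AAAA answer: the client's /96 prefix with the IPv4 A record
    in the low 32 bits (the embedding scheme used by DNS64-style resolvers)."""
    prefix = prefix_for_client(client_ip)
    v4 = int(ipaddress.IPv4Address(a_record))
    # A /96 leaves the low 32 bits zero, so OR-ing the IPv4 address in is exact.
    return str(ipaddress.IPv6Address(int(prefix.network_address) | v4))


def ptr_target(client_ip, ip6addr):
    """Reverse direction for PTR queries: if ip6addr was synthesized under the
    client's prefix, return the embedded IPv4 address to look up in in-addr.arpa.
    Returns None for a real (non-synthesized) address, which should be resolved
    as an ordinary ip6.arpa PTR instead."""
    prefix = prefix_for_client(client_ip)
    addr = ipaddress.IPv6Address(ip6addr)
    if addr not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))
```

Two clients asking for the same hostname receive answers under their own zone's prefix, which is exactly the behaviour a single totd instance cannot provide.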

jimb

#6
Or perhaps you could write a python or perl script that sits in front of totd and lets totd do the heavy lifting while you just implement your prefix-rewrite on the replies from totd?  That'd be easier than reimplementing totd completely I think.

Yeah.  I also thought of using BIND as a front end to multiple instances of totd listening on different ports (the forwarders command lets you specify ports I believe).  You could match the source IPs of the clients using the bind "views" functionality, and then forward to the appropriate instance of totd.  That'd let you use one BIND server as a front end for everything.

As for ip6tables, you couldn't PAT it, since there is no NAT table for ip6tables AFAIK.  But it looks like that functionality is provided by the "mangle" table and the TPROXY target.  I've never tried that before though.  If this works as I suspect it does, it'd probably be the simplest solution.  Just match the source IPv6 range in a rule, and use the TPROXY target to change the destination port (and/or IP), sending the DNS request off to the appropriate instance of totd.

It's too bad the authors of totd don't provide a source-IP -> IPv6 prefix mapping functionality in totd.  I notice that it has some "scoped address" functionality, but it doesn't do what you're looking for.

Of course, perhaps this is the wrong approach to the problem?  Maybe this should be implemented using policy routing on your router(s) instead?

pauljay

Honestly, Cisco sucks, and I have had problems galore using NAT-PT with it; I wouldn't bother...

bobmorton

I also used IPv6 and NAT-PT, and the configuration was a bit confusing. Anyway, I'll try to look for the site where you can get the process of doing it.