This section provides an example for configuring DS-Lite NAT.
Context
As shown in Figure 1, the carrier MAN is an IPv6 network, and private IPv4 users behind the CPE must be able to traverse the carrier's IPv6 network to access IPv4 Internet servers.
To meet this requirement, both the CPE and the CGN need to support the IPv4/IPv6 dual stack, and an IPv4 over IPv6 tunnel needs to be established between them so that private IPv4 packets from PC1 can traverse the carrier's IPv6 network and reach the CGN. A DS-Lite NAT policy needs to be deployed on the CGN to translate the private IPv4 address to a public IPv4 address, enabling Internet access.
Figure 1 DS-Lite NAT networking diagram
| Item | Data | Remarks |
| --- | --- | --- |
| CPE: GE0/0/2 (Trust) | IPv4 address: 192.168.1.1/24 | Interface that is connected to the IPv4 network |
| CPE: GigabitEthernet 0/0/1 (Untrust) | IPv6 address: 3000::1/64 | Interface that is connected to the IPv6 network |
| CPE: Tunnel1 (Untrust) | Tunnel type: ipv4-ipv6; source address: 3000::1; destination address: 3000::2; IPv4 address of the tunnel interface: 10.10.10.1/24 | Interface that is used to establish a DS-Lite tunnel to the CGN |
| CGN: GE0/0/2 (Untrust) | IPv4 address: 2.1.1.1/24 | Interface that is connected to the Internet. Assume that the address of the next-hop interface is 2.1.1.2/24. |
| CGN: GigabitEthernet 0/0/1 (Trust) | IPv6 address: 3000::2/64 | Interface that is connected to the IPv6 network |
| CGN: Tunnel1 (Trust) | Tunnel type: ipv4-ipv6 ds-lite; source address: 3000::2; IPv4 address of the tunnel interface: 10.10.10.2/24 | Interface that is used to establish a DS-Lite tunnel to the CPE |
| Address pool | The following three address pools are available: 2.1.2.1 to 2.1.2.3; 2.1.2.5 to 2.1.2.7; 2.1.2.9 to 2.1.2.11 | - |
| PC1 | Private IPv4 address: 192.168.1.2/24 | - |
| Internet Server | Public IPv4 address: 2.1.3.1/32 | - |
Configuration Roadmap
The procedure for configuring an interzone NAT policy in the DS-Lite scenario is as follows:
- Establish a DS-Lite tunnel between the CPE and the CGN. The IPv4 over IPv6 tunnel connects the CPE and CGN and uses IPv6 headers to encapsulate IPv4 packets for forwarding in the single-stack IPv6 network.
- Configure a DS-Lite NAT policy on the CGN to translate the private addresses of users into public IPv4 addresses.
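The two roadmap steps end to end, as an added Python example that is not part of this page or of any vendor code: the CPE (the B4 side) wraps a private IPv4 packet in an IPv6 header whose next-header value is 4 and sends it to the CGN (the AFTR side) at 3000::2; the CGN strips the IPv6 header, validates the inner IPv4 header, and applies a full-cone source NAT drawn from the page's address pool. The NAT binding is keyed on the tunnel's IPv6 source together with the private address and port, which is why the CGN's NAT policy matches `source-address 3000:: 64` rather than the private range that every CPE may reuse. The second CPE at 3000::3, the 3001::1 address in the test, and the UDP header are constructed values not found on the page; the function and class names are chosen here.

```python
import ipaddress
import struct

# Addresses taken from the example topology on this page.
CPE_B4 = ipaddress.IPv6Address("3000::1")    # CPE tunnel source (the B4 element)
CGN_AFTR = ipaddress.IPv6Address("3000::2")  # CGN tunnel source (the AFTR element)
NAT_MATCH_PREFIX = "3000::/64"               # nat-policy: source-address 3000:: 64
POOL_SECTIONS = [("2.1.2.1", "2.1.2.3"), ("2.1.2.5", "2.1.2.7"), ("2.1.2.9", "2.1.2.11")]
IPPROTO_IPV4 = 4  # IPv6 next-header value meaning "an IPv4 packet follows"


def _checksum(data: bytes) -> int:
    """One's-complement sum used for the IPv4 header checksum (0 for a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 17) -> bytes:
    """Build a minimal IPv4 packet: 20-byte header without options, then the payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def b4_encapsulate(inner: bytes, src6, dst6) -> bytes:
    """CPE side: the whole IPv4 packet becomes the payload of an IPv6 header."""
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(inner), IPPROTO_IPV4, 64,
                      ipaddress.IPv6Address(str(src6)).packed,
                      ipaddress.IPv6Address(str(dst6)).packed)
    return ip6 + inner


def aftr_decapsulate(pkt: bytes):
    """CGN side: strip the IPv6 header; return (softwire source, inner src, inner dst, inner)."""
    _, plen, nxt, _, src6, _ = struct.unpack("!IHBB16s16s", pkt[:40])
    if nxt != IPPROTO_IPV4:
        raise ValueError("not a DS-Lite payload (next header %d)" % nxt)
    inner = pkt[40:40 + plen]
    if _checksum(inner[:20]) != 0:
        raise ValueError("inner IPv4 header checksum failed")
    return (ipaddress.IPv6Address(src6), ipaddress.IPv4Address(inner[12:16]),
            ipaddress.IPv4Address(inner[16:20]), inner)


class DsLiteNat:
    """Full-cone source NAT as on the CGN. The binding key includes the B4's IPv6
    address because every CPE may use the same private IPv4 range; that is why the
    CGN's NAT policy matches the outer IPv6 source, not the inner private address."""

    def __init__(self, sections, match_prefix):
        self.pool = [ipaddress.IPv4Address(a) for lo, hi in sections
                     for a in range(int(ipaddress.IPv4Address(lo)),
                                    int(ipaddress.IPv4Address(hi)) + 1)]
        self.match = ipaddress.IPv6Network(match_prefix)
        self.bindings = {}   # (b4, private ip, private port) -> (public ip, public port)
        self.next_port = 1024

    def translate(self, b4, src4, sport):
        """Return the public (ip, port) for a flow, or None when the rule does not match."""
        b4, src4 = ipaddress.IPv6Address(str(b4)), ipaddress.IPv4Address(str(src4))
        if b4 not in self.match:
            return None
        key = (b4, src4, sport)
        if key not in self.bindings:  # full-cone: one binding, reused for any destination
            pub_ip = self.pool[len(self.bindings) % len(self.pool)]
            self.bindings[key] = (str(pub_ip), self.next_port)
            self.next_port += 1
        return self.bindings[key]


def run_example():
    """Two CPEs (3000::1 from the page; 3000::3 is constructed), each with a PC at 192.168.1.2."""
    nat = DsLiteNat(POOL_SECTIONS, NAT_MATCH_PREFIX)
    results = {}
    for b4 in (CPE_B4, ipaddress.IPv6Address("3000::3")):
        udp = struct.pack("!HHHH", 12345, 53, 8, 0)  # constructed UDP header, no data
        wire = b4_encapsulate(ipv4_packet("192.168.1.2", "2.1.3.1", udp), b4, CGN_AFTR)
        src6, src4, dst4, _ = aftr_decapsulate(wire)
        results[str(src6)] = (str(src4), str(dst4), nat.translate(src6, src4, 12345))
    return results, nat


if __name__ == "__main__":
    for b4, (src, dst, mapping) in run_example()[0].items():
        print(f"B4 {b4}: {src} -> {dst} translated to {mapping}")
```

Running it shows both PCs carrying the same private address 192.168.1.2 receiving distinct public endpoints, and a tunnel source outside 3000::/64 receiving no translation at all, which is the behaviour the `source-address 3000:: 64` match in the NAT policy produces on the CGN.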
Procedure
- Configure the CPE.
- Enable IPv6 packet forwarding.
<sysname> system-view
[sysname] sysname CPE
[CPE] ipv6
- Configure an interface address and add the interface to the security zone.
# Configure an IP address for GigabitEthernet 0/0/2.
[CPE] interface GigabitEthernet 0/0/2
[CPE-GigabitEthernet0/0/2] ip address 192.168.1.1 255.255.255.0
[CPE-GigabitEthernet0/0/2] quit
# Configure an IP address for GigabitEthernet 0/0/1.
[CPE] interface GigabitEthernet 0/0/1
[CPE-GigabitEthernet0/0/1] ipv6 enable
[CPE-GigabitEthernet0/0/1] ipv6 address 3000::1/64
[CPE-GigabitEthernet0/0/1] quit
# Configure IPv4 over IPv6 tunnel interface Tunnel1.
[CPE] interface Tunnel 1
[CPE-Tunnel1] tunnel-protocol ipv4-ipv6
[CPE-Tunnel1] source 3000::1
[CPE-Tunnel1] destination 3000::2
[CPE-Tunnel1] ip address 10.10.10.1 255.255.255.0
[CPE-Tunnel1] quit
# Assign GigabitEthernet 0/0/1 and Tunnel1 to the Untrust zone.
[CPE] firewall zone untrust
[CPE-zone-untrust] add interface GigabitEthernet 0/0/1
[CPE-zone-untrust] add interface Tunnel 1
[CPE-zone-untrust] quit
# Assign GigabitEthernet 0/0/2 to the Trust zone.
[CPE] firewall zone trust
[CPE-zone-trust] add interface GigabitEthernet 0/0/2
[CPE-zone-trust] quit
- Configure a security policy.
[CPE] security-policy
[CPE-policy-security] rule name policy_sec_1
[CPE-policy-security-rule-policy_sec_1] source-zone trust
[CPE-policy-security-rule-policy_sec_1] destination-zone untrust
[CPE-policy-security-rule-policy_sec_1] source-address 192.168.1.0 24
[CPE-policy-security-rule-policy_sec_1] action permit
[CPE-policy-security-rule-policy_sec_1] quit
[CPE-policy-security] quit
- Configure the default route for the tunnel.
[CPE] ip route-static 0.0.0.0 0.0.0.0 Tunnel1
- Configure CGN.
- Configure the hash-based CPU selection mode to be oriented to the source IP address.
<sysname> system-view
[sysname] sysname CGN
[CGN] firewall hash-mode source-only
The modified hash mode takes effect only after the device is restarted.
- Enable IPv6 packet forwarding.
[CGN] ipv6
- Configure an interface address and add the interface to the security zone.
# Set an IP address for GigabitEthernet 0/0/2.
[CGN] interface GigabitEthernet 0/0/2
[CGN-GigabitEthernet0/0/2] ip address 2.1.1.1 255.255.255.0
[CGN-GigabitEthernet0/0/2] quit
# Set an IP address for GigabitEthernet 0/0/1.
[CGN] interface GigabitEthernet 0/0/1
[CGN-GigabitEthernet0/0/1] ipv6 enable
[CGN-GigabitEthernet0/0/1] ipv6 address 3000::2/64
[CGN-GigabitEthernet0/0/1] quit
- Configure a security policy.
[CGN] security-policy
[CGN-policy-security] rule name policy_sec_1
[CGN-policy-security-rule-policy_sec_1] source-zone trust
[CGN-policy-security-rule-policy_sec_1] destination-zone local
[CGN-policy-security-rule-policy_sec_1] source-address 3000:: 64
[CGN-policy-security-rule-policy_sec_1] action permit
[CGN-policy-security-rule-policy_sec_1] quit
[CGN-policy-security] quit
# Configure DS-Lite tunnel interface Tunnel1.
[CGN] interface Tunnel 1
[CGN-Tunnel1] tunnel-protocol ipv4-ipv6 ds-lite
[CGN-Tunnel1] source 3000::2
[CGN-Tunnel1] ip address 10.10.10.2 255.255.255.0
[CGN-Tunnel1] quit
# Assign GigabitEthernet 0/0/1 and Tunnel1 to the Trust zone.
[CGN] firewall zone trust
[CGN-zone-trust] add interface GigabitEthernet 0/0/1
[CGN-zone-trust] add interface Tunnel 1
[CGN-zone-trust] quit
# Assign GigabitEthernet 0/0/2 to the Untrust zone.
[CGN] firewall zone untrust
[CGN-zone-untrust] add interface GigabitEthernet 0/0/2
[CGN-zone-untrust] quit
- Configure an address pool.
[CGN] nat address-group address_1
[CGN-address-group-address_1] mode full-cone global
[CGN-address-group-address_1] section 0 2.1.2.1 2.1.2.3
[CGN-address-group-address_1] section 1 2.1.2.5 2.1.2.7
[CGN-address-group-address_1] section 2 2.1.2.9 2.1.2.11
[CGN-address-group-address_1] route enable
[CGN-address-group-address_1] quit
- Configure the DS-Lite NAT policy.
[CGN] nat-policy
[CGN-policy-nat] rule name policy_nat_1
[CGN-policy-nat-rule-policy_nat_1] nat-type ds-lite
[CGN-policy-nat-rule-policy_nat_1] source-zone trust
[CGN-policy-nat-rule-policy_nat_1] destination-zone untrust
[CGN-policy-nat-rule-policy_nat_1] source-address 3000:: 64
[CGN-policy-nat-rule-policy_nat_1] action source-nat address-group address_1
[CGN-policy-nat-rule-policy_nat_1] quit
[CGN-policy-nat] quit
- Configure a route to the Internet server. Assume that the next-hop address through which the CGN reaches the Internet is 2.1.1.2.
[CGN] ip route-static 2.1.3.1 255.255.255.0 2.1.1.2
- Configure the Internet server.
Generally, Internet servers are configured by ISPs. The following briefly describes the configuration tasks related to this example:
- Configure the IP address of the server as 2.1.3.1/32.
- The server must have a route to the addresses in the address pool on the CGN.
- Configure PC1 on the intranet.
Configure the gateway for PC1 on the intranet to 192.168.1.1.
Verification
# After the configuration, ping the IP address of the server from PC1.
C:\Documents and Settings\Administrator>ping 2.1.3.1
Pinging 2.1.3.1 with 32 bytes of data:
Reply from 2.1.3.1: bytes=32 time=9ms TTL=253
Reply from 2.1.3.1: bytes=32 time<1ms TTL=253
Reply from 2.1.3.1: bytes=32 time<1ms TTL=253
Reply from 2.1.3.1: bytes=32 time<1ms TTL=253
Ping statistics for 2.1.3.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 9ms, Average = 2ms
Configuration Scripts
The CPE configuration script is as follows:
#
sysname CPE
#
ipv6
#
interface GigabitEthernet0/0/2
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 3000::1/64
#
interface Tunnel1
ip address 10.10.10.1 255.255.255.0
tunnel-protocol ipv4-ipv6
source 3000::1
destination 3000::2
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/1
add interface Tunnel1
#
ip route-static 0.0.0.0 0.0.0.0 Tunnel1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
action permit
#
return
The CGN configuration script is as follows:
#
sysname CGN
#
ipv6
#
firewall hash-mode source-only
#
interface GigabitEthernet0/0/2
ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ipv6 enable
ipv6 address 3000::2/64
#
interface Tunnel1
ip address 10.10.10.2 255.255.255.0
tunnel-protocol ipv4-ipv6 ds-lite
source 3000::2
#
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
add interface Tunnel1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/2
#
ip route-static 2.1.3.1 255.255.255.0 2.1.1.2
#
nat address-group address_1
mode full-cone global
route enable
section 0 2.1.2.1 2.1.2.3
section 1 2.1.2.5 2.1.2.7
section 2 2.1.2.9 2.1.2.11
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone local
source-address 3000:: 64
action permit
#
nat-policy
rule name policy_nat_1
nat-type ds-lite
source-zone trust
destination-zone untrust
source-address 3000:: 64
action source-nat address-group address_1
#
return
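A consistency check over the CGN procedure and the script above, as an added Python example that is not part of this page or of the vendor's tooling: it splits a VRP-style script into its `#`-separated sections and verifies that the tunnel's `source` is an IPv6 address configured on a local interface, that every IPv6 `source-address` in the security and NAT policies uses the `<address> <prefix-length>` form this example uses, and that the address group referenced by a `nat-type ds-lite` rule exists, has non-overlapping sections, and contains no interface address. The embedded script is a constructed excerpt of the page's CGN configuration; `parse_sections` and `lint_cgn` are names chosen here.

```python
import ipaddress

# Constructed excerpt of this page's CGN script in VRP form ('#'-separated sections).
CGN_SCRIPT = """\
#
interface GigabitEthernet0/0/1
 ipv6 address 3000::2/64
#
interface Tunnel1
 ip address 10.10.10.2 255.255.255.0
 source 3000::2
#
nat address-group address_1
 section 0 2.1.2.1 2.1.2.3
 section 1 2.1.2.5 2.1.2.7
 section 2 2.1.2.9 2.1.2.11
#
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone local
  source-address 3000:: 64
  action permit
#
nat-policy
 rule name policy_nat_1
  nat-type ds-lite
  source-zone trust
  destination-zone untrust
  source-address 3000:: 64
  action source-nat address-group address_1
#
"""


def parse_sections(script):
    """Split a '#'-separated VRP script into (first line, [remaining lines]) pairs."""
    sections, current = [], None
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        if current is None:
            current = (line, [])
            sections.append(current)
        else:
            current[1].append(line)
    return sections


def lint_cgn(script):
    """Run the consistency checks and return a list of findings (empty means clean)."""
    findings, local_v6, local_v4, tunnel_src, pools, rules = [], set(), set(), [], {}, []
    for head, body in parse_sections(script):
        if head.startswith("interface "):
            for words in (line.split() for line in body):
                if words[:2] == ["ipv6", "address"]:
                    local_v6.add(ipaddress.IPv6Interface(words[2]).ip)
                elif words[:2] == ["ip", "address"]:
                    local_v4.add(ipaddress.IPv4Address(words[2]))
                elif words[0] == "source":
                    tunnel_src.append((head, ipaddress.IPv6Address(words[1])))
        elif head.startswith("nat address-group "):
            pools[head.split()[2]] = [tuple(ipaddress.IPv4Address(w) for w in line.split()[2:4])
                                      for line in body if line.startswith("section ")]
        elif head in ("security-policy", "nat-policy"):
            for line in body:
                if line.startswith("rule name "):
                    rules.append({"policy": head, "name": line.split()[2]})
                elif rules:
                    key, _, value = line.partition(" ")
                    rules[-1][key] = value
    for iface, src in tunnel_src:  # a tunnel source must be an address of this device
        if src not in local_v6:
            findings.append(f"{iface}: tunnel source {src} is not a local IPv6 address")
    for rule in rules:  # IPv6 source-address entries must be '<address> <prefix-length>'
        addr = rule.get("source-address", "")
        if ":" in addr:
            try:  # one token (no prefix length) raises TypeError, a bad address ValueError
                ipaddress.IPv6Network("%s/%s" % tuple(addr.split()), strict=False)
            except (TypeError, ValueError):
                findings.append(f"{rule['policy']} {rule['name']}: malformed source-address '{addr}'")
    for rule in (r for r in rules if r.get("nat-type") == "ds-lite"):  # pool sanity
        group = rule.get("action", "").rpartition(" ")[2]
        sections = pools.get(group)
        if sections is None:
            findings.append(f"{rule['name']}: address-group '{group}' is not defined")
            continue
        for lo, hi in sections:
            if any(lo <= a <= hi for a in local_v4):
                findings.append(f"{group}: section {lo}-{hi} contains an interface address")
        ordered = sorted(sections)
        for (lo1, hi1), (lo2, hi2) in zip(ordered, ordered[1:]):
            if lo2 <= hi1:
                findings.append(f"{group}: sections {lo1}-{hi1} and {lo2}-{hi2} overlap")
    return findings
```

`lint_cgn(CGN_SCRIPT)` returns an empty list for the script as written; dropping the space in `source-address 3000:: 64`, pointing the tunnel `source` at an address no local interface carries, or letting two pool sections overlap each produce a finding naming the offending section or rule.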