CLI: Example for Enabling an IPv4 Internet User to Traverse the IPv6 Network for Accessing an Intranet Server
This section provides an example for configuring the DS-Lite NAT server.
Networking Requirements
As shown in Figure 1, the CPE and the CGN are connected through an IPv6 network. Public network user PC1 (2.1.3.1/32) on the Internet need to access the FTP server (192.168.1.2/24) on the intranet over the IPv6 network.
To meet the preceding requirements, both the CPE and the CGN need to support the dual stacks, and a DS-Lite tunnel need to be established between them to ensure that the IPv4 packets can be transmitted over the IPv6 network. To enable access from public IP addresses to private IP addresses, you also need to configure the NAT server function in the DS-Lite scenario on the CGN.
Data Planning
Item |
Data |
Remarks |
|
|---|---|---|---|
CPE |
GE0/0/2 Trust |
IPv4 address: 192.168.1.1/24 |
Interface that is connected to the IPv4 network |
GigabitEthernet 0/0/1 Untrust |
IPv6 address: 3000::1/64 |
Interface that is connected to the IPv6 network |
|
Tunnel1 Untrust |
Tunnel type: ipv4-ipv6 Source address: 3000::1 Destination address: 3000::2 IPv4 address of the tunnel interface: 10.10.10.1/24 |
Interface that is used to establish a DS-Lite tunnel to the CGN |
|
CGN |
GE0/0/2 Untrust |
IPv4 address: 2.1.1.1/24 |
Interface that is connected to the Internet. Assume that the next-hop address of this address is 2.1.1.2/24. |
GigabitEthernet 0/0/1 Trust |
IPv6 address: 3000::2/64 |
Interface that is connected to the IPv6 network |
|
Tunnel1 Trust |
Tunnel type: ipv4-ipv6 ds-lite Source address: 3000::2 IPv4 address of the tunnel interface: 10.10.10.2/24 |
Interface that is used to establish a DS-Lite tunnel to the CPE |
|
The global address of the NAT server is 2.1.2.12. The inside address of the NAT server is 192.168.1.2. The CPE address of the NAT server is 3000::1. The tunnel interface of the NAT server is Tunnel1. |
- |
- |
|
PC1 |
Public IPv4 address: 2.1.3.1/32 |
- |
|
FTP Server |
Private IPv4 address: 192.168.1.2/24 |
- |
|
Configuration Roadmap
The procedure for configuring an interzone NAT policy in the DS-Lite scenario is as follows:
- Establish a DS-Lite tunnel between the CPE and the CGN. The IPv4 over IPv6 tunnel connects the CPE and CGN and uses IPv6 headers to encapsulate IPv4 packets for forwarding in the single-stack IPv6 network.
- Configure the DS-lite NAT server function on the CGN to map intranet FTP servers.
Procedure
- Configure the CPE.
- Configure CGN.
- Configure PC1 on the Internet.
- A route should be configured on PC1 to the global address of the CGN.
- Configure the FTP server on the intranet.
Configure the gateway for the FTP server on the intranet to 192.168.1.1.
Verification
# After the configuration, PC1 on the Internet can access the FTP server on the intranet.
C:\Documents and Settings\Administrator>ftp 2.1.2.12 Connected to 2.1.2.12. 220 FTP service ready. User (2.1.2.12:(none)): admin 331 Password required for admin. Password: 230 User logged in. ftp>
# Run the display firewall server-map command in any view of the CGN to view server map entries.
<CGN> display firewall server-map
Type: DS-Lite Nat Server , ANY -> 2.1.2.12:21[192.168.1.2:21], Zone:---
Protocol: tcp(Appro: ftp), To CPE: 3000::1, Tunnel Id: 1, Left-Time:---
Type: DS-Lite Nat Server Reverse, 192.168.1.2[2.1.2.12] -> ANY, Zone:---
Protocol: tcp(Appro: ftp), From CPE: 3000::1, Tunnel Id: 1, Left-Time:---, counter: 3
Configuration Scripts
The CPE configuration script is as follows:
# sysname CPE # ipv6 # interface GigabitEthernet0/0/2 ip address 192.168.1.1 255.255.255.0 # interface GigabitEthernet 0/0/1 ipv6 enable ipv6 address 3000::1/64 # interface Tunnel1 ip address 10.10.10.1 255.255.255.0 tunnel-protocol ipv4-ipv6 source 3000::1 destination 3000::2 # firewall zone trust set priority 85 add interface GigabitEthernet0/0/2 # firewall zone untrust set priority 5 add interface GigabitEthernet 0/0/1 add interface Tunnel1 # ip route-static 0.0.0.0 0.0.0.0 Tunnel1 # security-policy rule name policy_sec_1 source-zone untrust destination-zone trust destination-address 192.168.1.0 24 action permit # return
The CGN configuration script is as follows:
# sysname CGN # ipv6 # firewall hash-mode source-only # interface GigabitEthernet0/0/2 ip address 2.1.1.1 255.255.255.0 # interface GigabitEthernet 0/0/1 ipv6 enable ipv6 address 3000::2/64 # interface Tunnel1 ip address 10.10.10.2 255.255.255.0 tunnel-protocol ipv4-ipv6 ds-lite source 3000::2 # firewall zone trust set priority 85 add interface GigabitEthernet 0/0/1 add interface Tunnel1 # firewall zone untrust set priority 5 add interface GigabitEthernet0/0/2 # ip route-static 2.1.3.1 255.255.255.0 2.1.1.2 # nat-dslite server protocol tcp global 2.1.2.12 ftp inside 192.168.1.2 ftp unr-route cpe 3000::1 tunnel 1 # security-policy rule name policy_sec_1 source-zone trust destination-zone local source-address 3000::64 action permit rule name policy_sec_2 source-zone trust destination-zone untrust source-address 192.168.1.2 0 destination-address 2.1.2.12 0 action permit # return