Forum Discussion
Help configuring NAT64 on a BIG-IP LTM
Hi everyone,
I have been trying to implement NAT64 in our network so that IPv6-only clients can reach our IPv4-only servers. Being relatively new to the product, I have had a bit of difficulty with the details in the configuration. I have got a setup where I can ping the Self IPs of the device but could not achieve any sort of translation. I have also found that to enable NAT64, a CG-NAT module is required on the BIG-IP, which we do not have. My supervisor, however, said that they had done it before.
Any help would be greatly appreciated.
Thank you,
Sebastien
You may need to run packet captures at this point to determine why the page isn't loading:
tcpdump -nni 0.0:n -s0 host 2001:b3e:45f1:6121::7 (client side)
tcpdump -nni 0.0:n -s0 host 192.168.1.7 (server side)
You can have pool members or virtual servers specifying all ports, but your pool member can't be monitored on all ports. The monitor must be specific to a certain protocol/port. If this is an HTTP connection only, then it's best to have your pool member configured with port 80.
- What_Lies_Bene1Cirrostratus
I think I remember someone else having similar issues. I think it's easy to overcomplicate things. Is there a VS involved?
- Cory_50405Noctilucent
We're doing IPv6 to IPv4 NAT on our LTMs. We have publicly accessible IPv6 addresses on our virtual servers, translating to pool members that are IPv4 (RFC1918 space). No CGNAT license is required, nor is NAT64.
Can you post your configurations that don't seem to be working?
- Sebastien_PaqueNimbostratus
There is a VS involved, I put one on the IPv6 side and one on the IPv4 side. I have attached a diagram of what I am trying to achieve. I have replaced the IP addresses with example ones.
- What_Lies_Bene1Cirrostratus
OK, so as Cory suggests, just set up the IPv6 VS and use a Pool with IPv4 members, it'll translate automatically. No need to tick that checkbox.
- Sebastien_PaqueNimbostratus
But wouldn't that be 6-to-4 load balancing, which is different? And also, which checkbox are you talking about?
Thank you for your responses.
- Cory_50405Noctilucent
It looks like 6 to 4 load balancing is what you are doing based on the diagram above. Are you using SNAT on the LTM virtual server?
- Sebastien_PaqueNimbostratus
Yes, I am using SNAT or at least trying to. It is the part I am confused about and don't really know how to configure it.
- Cory_50405Noctilucent
Here's an example sanitized config of one of our virtual servers taking IPv6 and converting to IPv4 on the back end:
ltm virtual www.company.com {
    destination 2600:1000:0::1.http
    ip-protocol tcp
    pool www.company.com_pool
    profiles {
        http { }
        tcp { }
    }
    source-address-translation {
        type automap
    }
    vs-index 668
}
And the pool:
ltm pool www.company.com_pool {
    members {
        10.1.1.1:http {
            address 10.1.1.1
            session user-disabled
            state down
        }
        10.2.2.2:http {
            address 10.2.2.2
            session user-disabled
            state up
        }
        10.3.3.3:http {
            address 10.3.3.3
            session monitor-enabled
            state up
        }
    }
    monitor http
}
Have you tried just using SNAT automap?
- Sebastien_PaqueNimbostratus
Thank you for your example, I will suggest it to my manager.
I have tried the SNAT Automap without any luck. I think I am getting confused with Pools and SNAT Pools. In your example, you don't need any SNATs?
Is there a way to test if the translation has been made? Or any way to test this in any way. And from the IPv6 client, when performing tests, I am trying to reach the network advertised by the virtual server, correct?
Thank you for all your help so far.
- Cory_50405Noctilucent
No SNATs required, automap works for us.
You can run a tcpdump on the back end to see if the translation was made. Based on your diagram, that would be:
tcpdump -nni 0.0:n -s0 host 192.168.1.7
This should show you in the capture what virtual server the traffic is being translated through.
From the IPv6 client, the destination of your request should be the IPv6 address associated with your virtual server (2001:b3e:45f1:6121::3).
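One way to read the two captures suggested in the thread, as an added example that is not part of any poster's reply: the script below scans tcpdump text output and reports whether a SYN reached the virtual server, whether it was re-sent as IPv4 to the pool member, and from which source address. It assumes standard `tcpdump -nn` line layout with the `lis=` listener field that BIG-IP appends at noise level `:n`; the client address, the self IP 192.168.1.3 and the virtual server name in the sample lines are constructed.

```python
import re
from ipaddress import ip_address

# Address/port/flags part of a tcpdump -nn text line (IPv4 or IPv6), plus the
# optional "lis=<listener>" field (assumed BIG-IP :n noise-level suffix).
PKT = re.compile(
    r"\bIP6? (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]+)\]"
    r"(?:.* lis=(\S*))?")

# Constructed sample capture: client side, then server side out and back.
SAMPLE = [
    "10:00:00.000100 IP6 2001:db8::10.51000 > 2001:b3e:45f1:6121::3.80: Flags [S], seq 1, win 65535, length 0 in slot1/tmm0 lis=",
    "10:00:00.000200 IP 192.168.1.3.51000 > 192.168.1.7.80: Flags [S], seq 9, win 4380, length 0 out slot1/tmm0 lis=/Common/vs_v6_http",
    "10:00:00.000900 IP 192.168.1.7.80 > 192.168.1.3.51000: Flags [S.], seq 5, ack 10, win 14600, length 0 in slot1/tmm0 lis=/Common/vs_v6_http",
]

def parse(lines):
    """Yield (src, dst, dport, flags, listener) for each TCP packet line."""
    for line in lines:
        m = PKT.search(line)
        if m:
            src, _, dst, dport, flags, lis = m.groups()
            yield ip_address(src), ip_address(dst), int(dport), flags, lis or ""

def check_translation(lines, vs_addr, member_addr):
    """Summarise whether traffic to the IPv6 VS was translated to the IPv4 member."""
    vs, member = ip_address(vs_addr), ip_address(member_addr)
    result = {"client_syn": False, "snat_sources": set(),
              "listeners": set(), "member_replied": False}
    for src, dst, dport, flags, lis in parse(lines):
        if flags == "S" and dst == vs:            # client SYN to the virtual server
            result["client_syn"] = True
        elif flags == "S" and dst == member:      # translated SYN to the pool member
            result["snat_sources"].add(str(src))  # address automap picked
            if lis:
                result["listeners"].add(lis)
        elif flags == "S." and src == member:     # SYN-ACK back from the member
            result["member_replied"] = True
    if not result["client_syn"]:
        result["verdict"] = "no SYN reached the virtual server address"
    elif not result["snat_sources"]:
        result["verdict"] = "virtual server reached, nothing sent to the pool member"
    elif not result["member_replied"]:
        result["verdict"] = "translated, but the pool member did not answer"
    else:
        result["verdict"] = "translated and answered"
    return result
```

Feed it the combined text output of the client-side and server-side captures, for example `check_translation(open("capture.txt"), "2001:b3e:45f1:6121::3", "192.168.1.7")`, where `capture.txt` is a hypothetical file name.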