NAT64 Translation is not working as expected.

Article ID: 443238


Products

VMware NSX

Issue/Introduction

External IPv6 clients are unable to reach an internal NSX IPv4 overlay VM via a public IPv6 NATed address using NAT64.

NAT64 is designed to allow IPv6-only clients to communicate with IPv4 servers over unicast UDP or TCP. When configuring NAT64 in NSX, questions arise regarding how destination IPv6 address mapping should be handled.

Example with generic notations:

-------------------------------------------------------------------------

Source IPv6 Client: A:A:A:A:A:A:A:A
Destination IPv6: B:B:B:B:B:B:D.D  <-- the destination IPv6 address carries the destination IPv4 address in its last 32 bits as a hex value (D.D is the hex form of the destination address d.d.d.d)
Internal IPv4 VM: d.d.d.d
Translated Source IPv4: c.c.c.c (Mapped from translated Pool)

Topology:
[source IPv6 Client A:A:A:A:A:A:A:A] ➔➔➔➔➔➔➔➔[Destination IPv6 B:B:B:B:B:B:D.D |NAT64] ➔➔➔➔➔➔➔➔➔ [ Internal IPv4 VM: d.d.d.d ]

 

The logical mapping between the external IPv6 client and the internal IPv4 virtual machine is shown below:

 

#NAT64 rule realization:
get firewall <uuid> ruleset type nat64 rules
Rule count: 1
    Rule ID   : 536881232
    Rule      : in protocol tcp natpass from any to ip B:B:B:B:B:B:D.D/96 port 22 nat64 ip c.c.c.c with log
 
 
#NAT64 table on the active edge:
get firewall <uuid> connection raw 
0x0002707e681b47a0 af 28 ethertype 0x0000 proto tcp c.c.c.c:22 (A:A:A:A:A:A:A:A:56978) ->  d.d.d.d:22 (B:B:B:B:B:B:D.D:22) dir 1 50 0 1 0 state 2:0 f-0 n-536881232 flg:220000040000 if:uuid 5 age:3:25804274,
 
Here d.d.d.d is the destination IPv4 address derived from the last 32 bits (D.D, in hex) of the destination IPv6 address.
 
 
Example with ip-address notations:
-------------------------------------------------------------------------
Source IPv6 Client:  2001:DB8:###:##::20e2:c001
Destination IPv6:     2001:DB8:###:##:0:7:c0a8:000a
Translated Source IPv4: 172.16.0.10 (Mapped from translated Pool)
Destination IPv4 VM:    192.168.0.10 --> c0a8000a (hex), which is embedded in the last 32 bits of the destination IPv6 address.
port:22
 
 
#NAT64 rule realization:
> get firewall <uuid> ruleset type nat64 rules
Rule count: 1
    Rule ID   : 536881232
    Rule      : in protocol tcp natpass from any to ip 2001:DB8:###:##:0:7:c0a8:000a:22/96 port 22 nat64 ip 172.16.0.10 with log
 
#NAT64 table on the active edge shows that the destination IPv4 address is correctly derived from the last 32 bits of the destination IPv6 address, and that the source IPv6 address is translated to the IPv4 address defined in the Translated IP section:
> get firewall <uuid> connection raw
0x0002707e681b47a0 af 28 ethertype 0x0000 proto tcp   172.16.0.10:22 ( 2001:DB8:###:##::20e2:c001:56978) ->   192.168.0.10:22 (2001:DB8:###:##:0:7:c0a8:000a:22) dir 1 50 0 1 0 state 2:0 f-0 n-536881232 flg:220000040000 if:uuid age:3:25804274
 
 
 
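As an added illustration of the address handling described in the example above and in the Cause section (this is not part of the article and not NSX code), the Python below embeds an IPv4 VM address into a NAT64 /96 prefix, extracts it back the way the gateway does, and checks a connection entry in the 'get firewall <uuid> connection raw' layout shown above. The prefix 2001:db8:64:1::/96 and the sample entry are constructed, since the article masks its own prefix.

```python
import ipaddress
import re

# Constructed NAT64 /96 prefix for this example; the article masks its real one
# as 2001:DB8:###:##::/96. Any /96 prefix behaves the same way.
NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:64:1::/96")

def embed_ipv4(prefix: ipaddress.IPv6Network, ipv4: str) -> str:
    """IPv6 destination an IPv6-only client must use: prefix + IPv4 in the low 32 bits."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4))))

def extract_ipv4(prefix: ipaddress.IPv6Network, ipv6: str) -> str:
    """What the gateway does: the low 32 bits of the IPv6 destination are the IPv4 VM address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        raise ValueError(f"{ipv6} is not inside NAT64 prefix {prefix}")
    return str(ipaddress.IPv4Address(int(addr) & 0xFFFF_FFFF))

# One 'get firewall <uuid> connection raw' entry, in the layout the article shows:
# proto tcp SRC4:PORT (SRC6:PORT) -> DST4:PORT (DST6:PORT); the port is the last colon group.
CONN_RE = re.compile(
    r"proto\s+(?P<proto>\w+)\s+"
    r"(?P<src4>[\d.]+):(?P<sport>\d+)\s+\(\s*(?P<src6>[0-9a-fA-F:]+):\d+\s*\)\s+->\s+"
    r"(?P<dst4>[\d.]+):(?P<dport4>\d+)\s+\(\s*(?P<dst6>[0-9a-fA-F:]+):(?P<dport6>\d+)\s*\)"
)

def check_connection(line: str, prefix: ipaddress.IPv6Network, translated_ip: str) -> dict:
    """Check an entry against the rule: the destination IPv4 must be the address embedded in
    the IPv6 destination, and the source IPv4 must be the configured Translated IP."""
    m = CONN_RE.search(line)
    if not m:
        raise ValueError("line is not a NAT64 connection entry")
    return {
        "dst_ipv4": m["dst4"],
        "dst_matches_embedded": m["dst4"] == extract_ipv4(prefix, m["dst6"]),
        "src_is_translated_ip": ipaddress.IPv4Address(m["src4"]) == ipaddress.IPv4Address(translated_ip),
        "dst_port_preserved": m["dport4"] == m["dport6"],
    }

# Constructed sample entry in the article's format, using the prefix above.
SAMPLE_ENTRY = (
    "0x0002707e681b47a0 af 28 ethertype 0x0000 proto tcp 172.16.0.10:22 "
    "(2001:db8:64:1::20e2:c001:56978) -> 192.168.0.10:22 (2001:db8:64:1::c0a8:a:22) "
    "dir 1 50 0 1 0 state 2:0 f-0 n-536881232 flg:220000040000 if:uuid age:3:25804274"
)

if __name__ == "__main__":
    print(embed_ipv4(NAT64_PREFIX, "192.168.0.10"), check_connection(SAMPLE_ENTRY, NAT64_PREFIX, "172.16.0.10"))
```

Passing the VM address 192.168.0.10 as the Translated IP (the misconfiguration the Cause section describes) makes src_is_translated_ip come back False, which is the check to run against your own connection table.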

Environment

VMware NSX

Cause

The connection fails because the NAT64 policy is misconfigured based on an incorrect assumption about destination translation.

  • The Misconfiguration: The administrator placed the IP address of the internal IPv4 overlay VM into the Translated IP field, assuming this would act as the destination translation mapping.

  • Translated IP Field: This field is strictly meant to translate the source IPv6 address to an IPv4 pool/IP.

  • How NAT64 Handles Destinations: NAT64 does not require explicit mapping for destination IPs. It automatically extracts the destination IPv4 address embedded within the incoming IPv6 destination address (embedded last 32 bits) and routes the traffic to the overlay VM.

Resolution

To resolve this issue, you must correct the NAT64 configuration to properly handle source translation and rely on the embedded address for destination routing.

  1. Modify the NAT64 Rule: Navigate to your NAT64 configuration and remove the internal IPv4 overlay VM's address from the Translated IP field.

  2. Configure Source Translation: Update the Translated IP field with the correct IPv4 address or IP pool that should be used to translate the source IPv6 address of the external client.

  3. Verify Destination Addressing: Ensure that the external IPv6 client is sending its traffic to the correct NAT64 prefix, with the internal overlay VM's IPv4 address properly embedded within that destination IPv6 address.

  4. Test Connectivity: Initiate traffic from the external IPv6 client and verify that the NAT gateway successfully extracts the destination IPv4 address and routes it to the overlay VM.

Additional Information

For comprehensive procedural context on configuring NAT64, see NSX NAT64 Broadcom Techdoc.