Using NAT64 rules, an NSX Edge performs network address translation to allow traffic from external IPv6 subnetworks to internal IPv4 subnetworks.

NAT64 supports only communications initiated by an IPv6-only node towards an IPv4-only node.

NAT64 supports the following layer 4 protocols:
  • TCP
  • UDP
  • ICMP
    • ICMP echo request and reply only.
    • ICMPv4 errors are supported, ICMPv6 errors are not supported.
All other protocol type packets are discarded.

The translation of IPv4 options, IPv6 routing headers, hop-by-hop extension headers, destination option headers, and source routing headers is not supported. FTP is not supported. Fragmented packets are not supported.

NSX Edge high availability is not supported with NAT64. NAT64 sessions are not synced between active and standby appliances, so if a failover occurs, connectivity is interrupted.

If you have dynamic routing protocols configured, IPv4 prefixes are redistributed.

The following timers apply to NAT64 traffic:

Table 1. NAT64 Timers
Protocol   State              Timeout
TCP        Incoming TCP-SYNC  6 seconds
TCP        TCP-ESTABLISHED    2 hours
TCP        TCP-Trans          4 minutes
UDP        (all)              5 minutes
ICMP       (all)              1 minute

Prerequisites

  • Configure an uplink interface of the Edge Services Gateway with an address on the IPv6 network.
  • Configure an internal interface of the Edge Services Gateway with an address on the IPv4 network.
  • Ensure that these addresses are not duplicated anywhere else in your environment.

Procedure

  1. In the vSphere Web Client, navigate to Networking & Security > NSX Edges.
  2. Double-click an NSX Edge.
  3. Click Manage > NAT.
  4. From the View drop-down menu, select NAT64.
  5. Click Add and enter the NAT64 parameters.
    Option: Match IPv6 Destination Prefix
    Description:
    Enter an IPv6 network prefix (network address) or a specific IPv6 address in CIDR notation.

    As NAT64 provides connectivity from IPv6 subnets to IPv4 subnets, in most situations you will want to enter an IPv6 network prefix instead of a specific IPv6 address.

    NAT64 uses the IPv6 network prefix that you specify in this text box to map the IPv4 destination addresses to IPv6 destination addresses. The prefix length must be one of the following: 32, 40, 48, 56, 64, or 96.

    For example, if you use a /96 network prefix, NAT64 appends the hexadecimal equivalent of the IPv4 destination address to the IPv6 network prefix. See the sample NAT64 rule after this procedure for an example.

    Note: You can use the well-known 64:ff9b::/96 prefix defined in RFC 6052, or any other IPv6 prefix that is not already used in your environment.

    Option: Translated IPv4 Source Prefix
    Description:
    Optional: Enter an IPv4 network prefix (network address) or a specific IPv4 address in CIDR notation.

    Ensure that the IPv4 network prefix or the IPv4 address is not already used in your environment.

    As NAT64 provides connectivity from IPv6 subnets to IPv4 subnets, in most situations you will want to enter an IPv4 network prefix instead of a specific IPv4 address.

    NAT64 uses an IP address from the IPv4 network prefix to translate the IPv6 source address to an IPv4 source address. See the sample NAT64 rule after this procedure for an example.

    Note:
    • The 100.64.0.0/16 IPv4 shared address space is reserved for NAT64. You can use this reserved address space.
    • If you leave this text box empty, the NAT64 rule automatically uses the reserved address space when you publish the rule.

    Option: Description
    Description: Optional description for the rule.

    Option: Enabled or Status
    Description: Enable the NAT64 rule.

    Option: Enable logging or Logging
    Description: Enable logging for the NAT64 rule.
  6. Click Add to save the rule.
  7. Click Publish for the rule to take effect.

Example: Sample NAT64 Rule

You want the NSX Edge to allow traffic from the Web1 computer (2001::20/64), which is on an external IPv6 network, to VM1 (10.10.10.2/30), which is on the internal IPv4 subnet.

Diagram: flow of traffic from the Web1 computer on an external IPv6 subnet to VM1 on the private IPv4 subnet.

The NAT64 rule in this example uses the following sample values:
  • Match IPv6 Destination Prefix: 64:ff90::/96
  • Translated IPv4 Source Prefix: 30.30.30.0/24

The following screen capture shows the published rule. The Rule ID is autogenerated and might vary in your environment.

Figure 1. NAT64 Rule Definition

The NAT64 rule definition uses 64:ff90::/96 as the IPv6 Destination Prefix and 30.30.30.0/24 as the IPv4 Source Prefix.

The NAT64 rule takes the hex equivalent of the destination IPv4 address (10.10.10.2) and appends it to the IPv6 network prefix (64:ff90::) to form the IPv6 destination address: 64:ff90::a0a:a02.

The rule picks any IP address from the Translated IPv4 Source Prefix (30.30.30.0/24); suppose it picks 30.30.30.32. NAT64 uses this address as the IPv4 source address and translates the 64:ff90::a0a:a02 destination address back to the actual IPv4 destination address (10.10.10.2).

After the rule is published, do the following steps:
  1. Log in to the command prompt of the Web1 computer and issue a ping command to the IPv6 destination address 64:ff90::a0a:a02. A NAT64 session is established.
  2. Log in to the NSX Edge CLI and view the NAT64 session by running the show nat64 sessions command.
    Protocol     IPv6-SA     IPv6-DA               SPort     DPort     IPv4_SA        IPv4-DA      SPort     DPort
    TCP          2001::20    64:ff90::a0a:a02      2055      22        30.30.30.32    10.10.10.2   2055      22