NAT64 Translation Not Working for IPv6 Clients
Presenting Symptom
IPv6 clients cannot reach IPv4-only servers on the internet; NAT64 translations are not being created.
Network Context
A small branch office uses a Cisco ISR 4321 router running IOS XE 16.9. The router connects an IPv6-only internal network (2001:db8:1::/64) to an IPv4-only internet link. The router is configured for stateful NAT64 with the NAT64 prefix 2001:db8:64::/96. The router also runs DHCPv6 for client addressing.
Diagnostic Steps
Check NAT64 translation statistics
show nat64 translations
No output or only static entries; no dynamic entries for client traffic.
If no dynamic translations appear when clients try to reach IPv4 servers, NAT64 is not translating. This indicates a configuration or reachability issue.
Verify NAT64 configuration
show running-config | section nat64
nat64 enable
nat64 prefix 2001:db8:64::/96
interface GigabitEthernet0/0/0
 ipv6 address 2001:db8:1::1/64
 nat64 enable
interface GigabitEthernet0/0/1
 ip address 203.0.113.1 255.255.255.0
 nat64 enable
Ensure NAT64 is enabled on both the internal (IPv6) and external (IPv4) interfaces. Missing 'nat64 enable' on either interface will prevent translations.
Check NAT64 prefix reachability
show ipv6 route 2001:db8:64::/96
Routing entry for 2001:db8:64::/96
  Known via "connected", distance 0, metric 0 (connected, via interface Null0)
  Routing Descriptor Blocks:
  * directly connected, via Null0
The NAT64 prefix should appear as a connected route via Null0. If missing, the prefix is not configured or not active. Without this route, packets destined to the prefix are dropped.
Verify ACL for NAT64 traffic
show access-lists NAT64-ACL
Extended IP access list NAT64-ACL
    10 permit ipv6 2001:db8:1::/64 any
NAT64 requires an ACL to match IPv6 traffic to be translated. If the ACL is missing or does not permit the internal network, translations will not occur.
Check NAT64 state and errors
show nat64 statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces: GigabitEthernet0/0/1
Inside interfaces: GigabitEthernet0/0/0
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list NAT64-ACL pool NAT64-POOL refcount 0
 pool NAT64-POOL: netmask 255.255.255.0
   start 203.0.113.100 end 203.0.113.200
   type generic, total addresses 101, allocated 0 (0%), misses 0
Check the 'Misses' counter. If it is incrementing, packets are reaching the router but no translation is being created, often because of a missing pool or an ACL problem.
Root Cause
The NAT64 translation pool is not configured. The ACL matches traffic, but there is no IPv4 address pool to allocate translated source addresses, so dynamic translations fail silently.
Resolution
Verification
1. Run 'show nat64 translations' and verify dynamic translations appear when an IPv6 client pings an IPv4 address (e.g., ping 2001:db8:64::8.8.8.8).
2. Run 'show nat64 statistics' and confirm Hits and active translations increment.
3. From an IPv6 client, ping the NAT64 prefix with an embedded IPv4 address (e.g., ping 2001:db8:64::8.8.8.8) and verify success.
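The ping target used in the verification steps is an IPv4 address embedded in the /96 NAT64 prefix. The following Python sketch is an added example, not part of the original page or of IOS XE: it performs the RFC 6052 /96 embedding and extraction for the page's prefix and walks the prerequisites the page lists (ACL match, prefix match, pool availability). The function names, the client address 2001:db8:1::10 and the pool_free parameter are assumptions made for illustration.

```python
import ipaddress

# Prefix and inside network are the page's values.
NAT64_PREFIX = ipaddress.IPv6Network("2001:db8:64::/96")
INSIDE_NET = ipaddress.IPv6Network("2001:db8:1::/64")  # permitted by NAT64-ACL


def synthesize(ipv4, prefix=NAT64_PREFIX):
    """Embed an IPv4 address in the low 32 bits of a /96 prefix (RFC 6052)."""
    if prefix.prefixlen != 96:
        raise ValueError("only the /96 layout is handled here")
    return ipaddress.IPv6Address(
        int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def extract(ipv6, prefix=NAT64_PREFIX):
    """Return the embedded IPv4 address, or None if outside the prefix."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in prefix:
        return None
    return ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF)


def check_flow(src, dst, pool_free):
    """Hypothetical helper: simplified model of the prerequisites on this page."""
    if ipaddress.IPv6Address(src) not in INSIDE_NET:
        return "no translation: source not permitted by ACL"
    v4_dst = extract(dst)
    if v4_dst is None:
        return "no translation: destination outside NAT64 prefix"
    if pool_free <= 0:
        return "no translation: no IPv4 pool address to allocate"
    return f"translate: IPv4 destination {v4_dst}"


if __name__ == "__main__":
    # 2001:db8:1::10 is a constructed client address inside the page's /64.
    print(synthesize("8.8.8.8"))
    print(check_flow("2001:db8:1::10", "2001:db8:64::8.8.8.8", 0))
    print(check_flow("2001:db8:1::10", "2001:db8:64::8.8.8.8", 101))
```

The synthesized form 2001:db8:64::808:808 is the same address as 2001:db8:64::8.8.8.8, which helps when matching client pings against addresses shown in hexadecimal.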
Prevention
1. Always configure a NAT64 pool with sufficient addresses for expected concurrent translations.
2. Use a consistent naming convention for ACLs and pools to simplify troubleshooting.
3. Verify NAT64 configuration with 'show running-config | section nat64' after initial setup.
CCNA Exam Relevance
On the CCNA 200-301 exam, NAT64 may appear in troubleshooting scenarios where IPv6 clients cannot reach IPv4 destinations. Expect multiple-choice questions asking to identify missing configuration elements (e.g., pool, ACL, interface enable). The exam tests understanding of stateful NAT64 components: prefix, ACL, pool, and interface enablement.
Exam Tips
Remember that NAT64 requires an IPv4 address pool for dynamic translations; without it, translations fail.
The NAT64 prefix must be a /96 prefix and appear as a connected route via Null0.
Know that 'nat64 enable' must be configured on both inside (IPv6) and outside (IPv4) interfaces.