Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Routing Platforms => Topic started by: UltraZero on January 22, 2011, 05:21:42 PM

Title: Setup for IPv6 tunnel test
Post by: UltraZero on January 22, 2011, 05:21:42 PM
Good day.  I have a question in reference to setting up the Tunnel

I have a small network consisting of several Cisco Switches and routers.

Of course some of these units don't support IPv6 which means I have to work around this problem.

The question is this.  I have a Dlink unit which is attached to my small 6 Meg DSL connection.  It is not IPv6 aware.  Knowing this, will I need to put something else in its place to allow IPv6 to be tunneled in or can I simply let the tunnel process happen behind the DLINK unit on my Cisco router.  Otherwise, need I run a dual stack router right up to my DSL modem?

Seeing I have never setup something like this before, I'd like a little insight as to how this should work.

I understand the dual stack concept as far as all devices running basically IPv4 and IPv6, but, the tunneling is something I am wondering how this happens.

Also, I gather edge routers are what is basically doing the tunneling but, in my situation I have a DLINK unit which I think is going to be the problem for my network.

Can someone confirm this please and maybe provide a solution.

Thanks much.

UltraZero
Title: Re: Setup for IPv6 tunnel test
Post by: cholzhauer on January 22, 2011, 05:26:48 PM
Quote
Knowing this, will I need to put something else in its place to allow IPv6 to be tunneled in or can I simply let the tunnel process happen behind the DLINK unit on my Cisco router.  Otherwise, need I run a dual stack router right up to my DSL modem?

Either/or.  If you can pass protocol 41 to your cisco router, you can leave your Dlink in place.  If you can't, you'll need to either replace it or put your Cisco router ahead of it in the chain.

Your tunnel would be 6in4...the device you host the tunnel on would just encapsulate IPv6 packets in IPv4 packets and send them to HE, which tears off the v4 stuff and sends the v6 traffic onwards.

Hope that makes sense...let me know if you need something clarified.
Title: Re: Setup for IPv6 tunnel test
Post by: UltraZero on January 22, 2011, 05:39:49 PM
So, are we talking ISATAP??

::)
Title: Re: Setup for IPv6 tunnel test
Post by: cholzhauer on January 22, 2011, 05:44:59 PM
Um?

I'm not sure how we switched from HE and 6in4 to ISATAP?
Title: Re: Setup for IPv6 tunnel test
Post by: UltraZero on January 22, 2011, 05:50:18 PM
Sorry, just that's what I get for having 40 browser windows open.  I was reading about the different types of ways to move IPv6 over or within IPv4.

I wasn't sure which one you were talking about.  I didn't mean to throw the topic into a tailspin.

BTW - Isn't protocol 41 ISATAP?? so I wasn't too far off??

;D
Title: Re: Setup for IPv6 tunnel test
Post by: UltraZero on January 22, 2011, 05:53:21 PM
FYI - I have been asleep for mmmm 10 years and I have a lot of catching up to do.

Lately, I have been eating, sleeping, drinking switches and routers..

What a meal.  Can you say brain pain??

Title: Re: Setup for IPv6 tunnel test
Post by: jimb on January 22, 2011, 06:20:11 PM
Proto 41 is 6in4.  ISATAP is one way you could link IPv6 LANs when you only have IPv4 aware routers connecting the LANs.  To me, that seems like way more pain than what it's worth.  I'd just replace and/or upgrade the equipment to something that can do IPv6 natively.

As for your DLINK, you can either replace it with something that can do IPv6 so that the tunnel terminates on the edge, or you can terminate the tunnel to some internal device which can do 6in4, as long as the dlink will allow a protocol forward for IP protocol 41 to that device. 
Title: Re: Setup for IPv6 tunnel test
Post by: UltraZero on January 24, 2011, 12:30:39 PM
Well. I simply decided to rip out the whole thing and start from scratch.

I needed the practice anyway and thought I would rebuild the routers from scratch.

Instead of trying to get the modem side of my DSL connection to work on the DSL module in my Cisco router, I simply took the Dlink out of the loop, put in a 3640 in its place.  Now, I am working on getting security in place from those pesky hackers out there on the net.  I am new to this, funny to say, but, I really like working with hardware.  Believe it or not, I only started really getting into this about mmm 1 month ago.
Title: Re: Setup for IPv6 tunnel test
Post by: antillie on January 24, 2011, 06:55:11 PM
Well if you're new to securing internet facing IOS routers the guys over at Cymru have a rather nice template. It only covers IPv4 but securing both protocols is obviously important.

http://www.cymru.com/Documents/secure-ios-template.html

Not everything in the template will apply to every deployment scenario of course but the template is a useful place to start. When adding IPv6 to my router I basically just adapted the template to IPv6 where appropriate.

! Source routing could let bad people use our router for nasty things so turn it off.
no ipv6 source-route

interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
! We don't want bad people to try and SSH into our router over IPv6. (Please tell me you're not using telnet.)
ipv6 traffic-filter Block-IPv6-SSH in
! Don't send redirects.
no ipv6 redirects
! Enable RPF verification; this prevents ping-pong attacks against the LAN.
ipv6 verify unicast reverse-path

! We should drop traffic bound for IPv6 addresses that should never be on the public internet.

! First is the documentation prefix defined in RFC 3849.
ipv6 route 2001:DB8::/32 Null0

! Next is the unique local address range defined in RFC 4193.
ipv6 route FC00::/7 Null0

! Our SSH blocking ACL. (Applied as a traffic-filter on Tunnel0 it matches tcp/22 to any
! destination, so it also drops SSH to hosts behind the router, not only to the router itself.)
ipv6 access-list Block-IPv6-SSH
deny tcp any any eq 22
permit ipv6 any any

Of course this only covers securing the router itself. Controlling and securing access to the LAN behind the router is an entirely different matter. Personally I would recommend an ASA series firewall for this purpose if you like Cisco gear. That way you can let your router do the tunneling and routing and let the ASA do the firewall and VPN work.

IPv6 security is something of a new field and I'm sure there are plenty of things that haven't been thought of or discovered yet. So we'll just have to try and secure things as best we can at the moment and see how things play out and make changes as needed.

Edit: Added RPF verification to the tunnel interface to prevent ping pong attacks against the LAN. (Especially useful if you are using a /64 on a point to point link to connect the router to a firewall.)
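As an added example (not code from this thread, from Hurricane Electric or from Cisco), here is a Python model of what cholzhauer and jimb describe, a 6in4 endpoint wrapping an IPv6 packet in an IPv4 header with protocol 41 and the far end tearing that header off again, followed by the inbound checks antillie's Tunnel0 config applies: uRPF, the two Null0 routes and the Block-IPv6-SSH filter. Everything in it is constructed: the IPv4 endpoints are TEST-NET addresses, the /64s are HE-style prefixes, the router sits on ::2, and `tunnel_ingress`, `sample` and the other names are this example's own. It assumes two things about the router that the posts do not spell out: a point-to-point tunnel only decapsulates protocol 41 from its configured tunnel destination, and with the default route pointing out the tunnel, strict uRPF on Tunnel0 fails only for sources that the router routes towards the LAN side. It models the policy, not IOS behaviour bit for bit.

```python
"""6in4 (IP protocol 41) wrap/unwrap and tunnel-ingress checks: an added example,
not code from the thread or from Hurricane Electric.  Every address and packet
here is constructed for illustration."""
import ipaddress
import struct

PROTO_6IN4 = 41  # IPv6 carried directly inside IPv4 (RFC 4213), "6in4"
NH_TCP = 6       # IPv6 next-header value for TCP

# The prefixes antillie sends to Null0: documentation (RFC 3849) and ULA (RFC 4193).
NULL_ROUTED = [ipaddress.IPv6Network("2001:db8::/32"), ipaddress.IPv6Network("fc00::/7")]

# Constructed lab: HE's server IPv4 (TEST-NET-3), our DSL IPv4 (TEST-NET-2), HE-style
# /64s (HE allocates from 2001:470::/32) and the router on ::2 of the tunnel /64.
HE_V4, MY_V4 = "203.0.113.1", "198.51.100.7"
ROUTER_V6 = "2001:470:1f0b:1234::2"
LAN_NET = "2001:470:1f0c:1234::/64"   # routed towards the LAN/firewall, not the tunnel

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum; yields 0 over a header whose checksum is right."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv6(src, dst, next_header, payload, hop_limit=64) -> bytes:
    """Fixed IPv6 header (version 6, zero traffic class/flow label) + payload."""
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def tcp_header(sport, dport) -> bytes:
    """Bare 20-byte TCP SYN header, enough for port-based filtering."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)

def encapsulate_6in4(v4_src, v4_dst, v6_packet, ttl=64) -> bytes:
    """Tunnel egress: prepend an IPv4 header whose protocol field is 41."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6_packet), 0, 0x4000, ttl,
                      PROTO_6IN4, 0, ipaddress.IPv4Address(v4_src).packed,
                      ipaddress.IPv4Address(v4_dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + v6_packet

def decapsulate_6in4(frame: bytes):
    """Tunnel ingress: validate the outer IPv4 header and tear it off.
    Returns (outer src, outer dst, inner IPv6 packet); raises ValueError otherwise."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (frame[0] & 0x0F) * 4
    if ipv4_checksum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if frame[9] != PROTO_6IN4:
        raise ValueError("not 6in4: IP protocol %d" % frame[9])
    inner = frame[ihl:struct.unpack("!H", frame[2:4])[0]]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return (str(ipaddress.IPv4Address(frame[12:16])),
            str(ipaddress.IPv4Address(frame[16:20])), inner)

def parse_ipv6(pkt: bytes) -> dict:
    """Fields of the fixed IPv6 header; extension headers are not walked here."""
    plen, nh, _hop = struct.unpack("!HBB", pkt[4:8])
    return {"src": ipaddress.IPv6Address(pkt[8:24]), "dst": ipaddress.IPv6Address(pkt[24:40]),
            "next_header": nh, "payload": pkt[40:40 + plen]}

def tunnel_ingress(frame, peer_v4=HE_V4, local_prefixes=(LAN_NET,), router_v6=ROUTER_V6):
    """Inbound policy on Tunnel0 modelled on antillie's config.  Returns (verdict, reason)."""
    try:
        v4_src, _, inner = decapsulate_6in4(frame)
    except ValueError as err:
        return "drop", str(err)
    # Assumption: a point-to-point 6in4 tunnel only decapsulates packets from its
    # configured 'tunnel destination'; protocol 41 from anyone else is not ours.
    if v4_src != peer_v4:
        return "drop", "outer source %s is not the tunnel peer" % v4_src
    v6 = parse_ipv6(inner)
    # ipv6 verify unicast reverse-path: the default route points out the tunnel, so
    # only sources we route towards the LAN side fail the check (spoofing, ping-pong).
    if any(v6["src"] in ipaddress.IPv6Network(p) for p in local_prefixes):
        return "drop", "uRPF: source %s is routed behind us, not via the tunnel" % v6["src"]
    # ipv6 route 2001:db8::/32 Null0 and ipv6 route fc00::/7 Null0
    if any(v6["dst"] in net for net in NULL_ROUTED):
        return "drop", "null-routed destination %s" % v6["dst"]
    # ipv6 traffic-filter Block-IPv6-SSH in: 'deny tcp any any eq 22' is a transit
    # filter too, so it stops SSH to every host behind the router, not just the router.
    if v6["next_header"] == NH_TCP and len(v6["payload"]) >= 4:
        dport = struct.unpack("!H", v6["payload"][2:4])[0]
        if dport == 22:
            target = "router" if v6["dst"] == ipaddress.IPv6Address(router_v6) else "transit host"
            return "drop", "Block-IPv6-SSH: tcp/22 to %s %s" % (target, v6["dst"])
    return "permit", "forward %s -> %s" % (v6["src"], v6["dst"])

def sample(v6_src, v6_dst, next_header=58, payload=b"\x80\x00\x00\x00", v4_src=HE_V4):
    """A constructed frame as it arrives on the DSL side: IPv4(proto 41) around IPv6."""
    return encapsulate_6in4(v4_src, MY_V4, build_ipv6(v6_src, v6_dst, next_header, payload))
```

Feed `tunnel_ingress` a frame from `sample(...)` to see each rule fire: a source inside `LAN_NET` is dropped by uRPF, a destination in 2001:db8::/32 or fc00::/7 hits the null routes, and tcp/22 is dropped whether it is aimed at the router or at a host behind it, which is the one property of the posted ACL that is easy to miss when reading it as a "protect the router" rule. The outer-header checks also show why jimb's advice about the Dlink matters: a NAT box that does not forward protocol 41 to the inside router means `decapsulate_6in4` never sees the packet at all.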
Title: Re: Setup for IPv6 tunnel test
Post by: UltraZero on January 25, 2011, 08:07:27 PM
Newbie??  Can you say.   Wake up, turn on the router and start working.  Time I go to bed??  2:30ish am.

Telnet usage.   Naaa.   Figured out some time ago that one can get into trouble if you leave that road open.

SSH currently is all I am using, although I must say, trying to remember all of the Cisco routing commands I have shoved my face into doesn't help remembering SSH.  I am trying to deal with security / ACLs on Cisco hardware and am getting my butt kicked. When implementing some of my ACLs, the router drops the connection.  Sucks.  I have consulted many people as to why and no one gives me a straight answer.  I don't think they know.  I keep myself in the trenches and I figure it out little by little.  Keeps me practicing, which is the way I look at it.

Re the Cisco ASA firewall. I actually was looking at an older PIX firewall just because of cost.  I know it's a little outdated, but, a little firewall is better than none I would think.  I have to move my router to another location behind my wall (garage) because it's too loud.  This move is not so bad in the sense it will put this piece of equipment closer to my equipment rack.

I have spent some time on the net (articles and YouTube) re hacking and I don't see much about hacking through firewalls like Cisco ASA or PIX, so, maybe that is a good thing, or maybe the less I hear, the more people are doing it, but, just not in the open.

Kinda getting scary out there.  People are doing stupid things for information.  Man..  What a world.
Title: Re: Setup for IPv6 tunnel test
Post by: antillie on January 25, 2011, 08:39:16 PM
Using an old PIX 515 running 7.x or even 8.x code would work too. I only prefer the ASA line as they are still receiving updates from Cisco and are quite a bit more powerful. Unfortunately the PIX 501 will never be able to do IPv6 since it doesn't have enough RAM to run 7.x code.

The PIX 506 also lacks the required RAM to run 7.x code as well so it is also stuck in IPv4 forever. However I believe that it is possible to modify some PIX 506's to accept more RAM and thus run 7.x code but I don't have any experience with that.

Or you could just use a Linux box as a firewall. I think pfSense is starting to add IPv6 support as well.
Title: Re: Setup for IPv6 tunnel test
Post by: UltraZero on January 25, 2011, 08:48:00 PM
Re PIX, I was thinking about a 515e.  I was looking for a 520 but, too old.

A 525 or 535 would be nice seeing as they process a lot more packets and have more support for interfaces.

Title: Re: Setup for IPv6 tunnel test
Post by: antillie on January 25, 2011, 10:07:09 PM
If you get a 515e get one that has at least 64 megs of RAM. Any less and you can't run 7.x code which is needed for IPv6 support.
Title: Re: Setup for IPv6 tunnel test
Post by: cholzhauer on January 26, 2011, 05:00:36 AM
I think I remember having this conversation with someone on here before, but I can't remember whom

We used to have a 515 and a 515e here at work and while both of them were running 7.x code, neither supported IPv6. 

I don't know what the old PIX cost anymore, but I know an ASA 5505 is under $400
Title: Re: Setup for IPv6 tunnel test
Post by: antillie on January 26, 2011, 06:48:32 AM
That's kinda odd. Since Cisco's own data sheet on PIX 7.0 seems to suggest otherwise.

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps2030/product_data_sheet0900aecd80225ae1.html
Title: Re: Setup for IPv6 tunnel test
Post by: UltraZero on January 26, 2011, 04:15:21 PM
Hmm. Re PIX 515.  I think I can pick one up for under 200 dollars.  Getting the correct IOS is an issue.
I think the 525s go for around $400.  I did see one recently for $20.00.  They said it didn't power up.  I wanted it, but, I didn't want a large paper weight if it wasn't just the power supply.

Well, I am setting up the tunnel.  Got the ipv4 side working I think, but no go on the IPv6 side.  I'm sure I am missing something.  (brain, brain cells, eye sight all that good stuff)  ;D  ;D
Title: Re: Setup for IPv6 tunnel test
Post by: antillie on January 26, 2011, 07:49:21 PM
If you are considering spending $400 on a PIX 525 you might as well just buy an ASA 5505 (http://www.futurepowerpc.com/scripts/product.asp?PRDCODE=1682-ASA5505-BUN-K9-RF&REFID=FR) for $150 less.

The ASA is much more powerful, has a more mature/complete IPv6 implementation, and still receives updates from Cisco. The only major drawback is that the "10-User Bundle" only allows you to have 10 hosts behind the firewall talk to the outside world at any given time. But if you are using this for your home network or a lab that probably won't be an issue. But the ASA's IPv6 implementation does have a number of important and annoying limitations (http://www.tunnelbroker.net/forums/index.php?topic=278.msg6323#msg6323) that also apply to the PIX as well. (This might be good reason to go with something like Vyatta or pfSense.)

There are other restrictions on the "10-User Bundle" 5505 that don't apply to say, the "Unlimited User Bundle" or the "Security Plus Bundle" 5505. All of them are the exact same piece of hardware, the only difference between them is the activation key stored in flash that tells the OS what features to enable and disable. Cisco outlines this pretty well here:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html#~mid-range

Since the only difference is a software activation key upgrading to a higher feature set later is pretty easy. The ASA is also guaranteed to already be running an IPv6 capable IOS image right out of the box so you won't have to worry about trying to find an IOS image for it on some shady torrent site.

Still, a PIX 515 for under $200 with the right amount of ram and the proper IOS image isn't a bad deal. Especially for a small LAN or lab where the higher capacity of the ASA 5505 just isn't needed.
Title: Re: Setup for IPv6 tunnel test
Post by: UltraZero on January 27, 2011, 04:37:03 PM
What do you consider a small lan for home???   :o :o :o ;D

Hmm.  The Cisco 525 isn't that expensive.  Not to mention, you can pick up both a base unit
and a rollover unit for around 300.  I'm sorry but, the 10 user license won't work for me. Let's
just say, I have way more users than that.. ::) ::)
Title: Re: Setup for IPv6 tunnel test
Post by: antillie on January 27, 2011, 04:59:36 PM
Quote from: UltraZero on January 27, 2011, 04:37:03 PM
What do you consider a small lan for home???   :o :o :o ;D

A LAN with less than 10 hosts. ;) Even if you have say, two desktops, two laptops, two Netflix capable Blu-ray players, two wifi enabled smart phones, and a game console that's still only 9 hosts. Things like the family printer, your wifi APs, and managed switches don't need to talk to the internet anyway. Besides you can still remotely access them over a client VPN. ;)

Quote from: UltraZero on January 27, 2011, 04:37:03 PM
Hmm.  The Cisco 525 isn't that expensive.  Not to mention, you can pick up both a base unit
and a rollover unit for around 300.  I'm sorry but, the 10 user license won't work for me. Let's
just say, I have way more users than that.. ::) ::)

If you can get a 525 with an IPv6 capable IOS image for less than the cost of a 5505 then by all means go for it. It may be old but the 525 is still a very capable firewall.
Title: Re: Setup for IPv6 tunnel test
Post by: UltraZero on January 28, 2011, 01:42:53 PM
Well, would you say a home network that consists of over 20 subnets with machines on all is considered a lan???  Darn... I missed the Pix firewall.  It sold for 75 dollars.   Wouldn't you know it.  I clicked to buy it, and there was a large pause in my network connection.   Maybe that means something like I should not have tried to buy it.


Hey.  Back to the setup...

I am still having trouble trying to get attached to the tunnel.

I have spoken to ATT and they are basically clueless.  The people who know the answers are locked away in a big building in Dublin, CA and they don't let them out much.. AT ALL. They throw meat into their cages and only feed when the company needs something. I tried to find out if protocol 41 is being blocked and I can't get the answer to this question to help me proceed.


That being said... I am trying to get my connection to work.  I can't ping the tunnel. All access lists are disabled (At least prior to me writing this)

Normal pings from the IP address work, but, I can't ping the destination.  I can ping myself though.

Any thoughts???

Has anyone gotten a Cisco router to connect without a problem??

So far, I guess I will have to build another machine with Windows 7 in order to test the link.  (If I can get that working)