• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

News:

Welcome to Hurricane Electric's Tunnelbroker.net forums!

Main Menu

tunnel questions on win7

Started by dan731028, September 30, 2010, 11:56:09 AM

Previous topic - Next topic

dan731028

Hey guys,
I'm trying to set up a tunnel and i'm not having much luck.  I am connecting through a cisco ASA, but I assigned my pc a public IP and I have an ip any any statement in the ACL.  I've read on here that you need to assign an IP address to the Wlocal area connection.  What do I use for the default gateway?  My tunnel ips are something like 2001:470:4::1 and my client addresses are 2001:470:5::/64.  I assigned 2001:470:5::1/64 but the computer complains when I assign 2001:470:4::1 or 2001:470:4::2 as my default gateway.

Also, how do I remove the netsh statements I was advised to put into the pc at the bottom of the tunnel details page?  I'm wanting to start over fresh and would like to clear those settings out as well.

Thanks,
Dan

cholzhauer

#1
OK, so your PC has a public IP address?

Good.

Make sure you're forwarding all protocol 41 traffic to it; since you can't explicitly do that on an ASA, you need to forward all IP traffic to it.

Is your tunnel-hosting-device behind the firewall (the last line assumes it is)?

You really don't have to assign an ipv6 address to the ASA because you're not going to be routing any traffic through it (again, assuming you're on the same network)

I think a diagram of your network would help me explain more clearly

EDIT:

You can do a


netsh interface ipv6 delete interface "interface"


A "netsh int ipv6 reset" might take care of those statements you entered...there's another command too that I'll go look up

dan731028

#2
Thanks, that netsh command removed the tunnel interface.  

Here is a crude 10 second drawing of my connection:
REMOVED

The black is IPv4, the red is the IPv6 tunnel.  The v6 IPs are the server and client IP addresses.  With my access list statement, shouldn't the ASA pass the protocol 41 traffic?

I'm assuming I need to assign my local area connection an IP address from the "Routed /64" network.  If I use 2001:470:1f07:b8d::1/64, what would I then use for a default gateway?

Thanks!

cholzhauer

#3
That's a lot better than my crude drawings in paint

Ok, the diagram helps.

Yes, your access list looks correct.

Quote
I'm assuming I need to assign my local area connection an IP address from the "Routed /64" network.

Mostly correct (most people never figure that out even after I tell them)  You will want to request a /48 from HE because you have multiple networks though... then I wouldn't worry about using the routed /64.

So, if your /48 is 2001:0db8:1234, you'd do something like this

DMZ= 2001:0db8:1234:1::
Inside=2001:0db8:1234:2::
ect

How are you going to be assigning IPv6 addresses?  If you use RA (and that's the easiest way), tell your ASA to do RA on the inside interface.  On the DMZ side, have your tunnel box do RA (although I don't know how to do it on Windows)  Otherwise, your could assign your addresses manually and use the Ipv6 address of your ipv6 router as the gateway.  (RA takes care of assigning the gateway IP address)

dan731028

Im still in testing so the tunnel is going to be up between the pc running windows 7 and tunnel broker.  The traffic has to pass through my ASA to get to the outside world, but no devices on that ASA (other than this one pc) will be using the tunnel.  To put it another way, I'm trying to set up the tunnel and access IPv6 resources on the tunnel client machine, but the traffic has to go through the ASA to be routed to the outside world.

dan731028

I think I found the issue.  My access list statement was permit tcp any not permit ip any.  I removed everything from my tunnel settings ,and local area connection, changed the firewall statement, re-ran the netsh commands from the tunnel and I can now ping ipv6.google.com!!

I'm doing this through a production ASA system, but now I'm wondering if I could use a cisco 3560 as my tunnel end point and then use the /64 to get clients (one or two other pcs) out to the ipv6 world.  That may be something for next week.  Too close to the weekend  ;)

Thanks for all the help!