Cisco Routing Issue

Started by VECTARE, April 20, 2011, 04:26:36 PM


VECTARE

I have two routers in my network, R1 & R2. R1 faces the public internet and has a static IPv4 address. We are using NAT to port map to route to the server on R2. We can route fine via IPv4; however, IPv6 goes into a black hole and I am not sure where the issue is. The sys admin says it's on my router (R2), while I am thinking it is an issue on R1. What information I do have is the following:

Any help would be appreciated. 



Internet ---->  R1   ----->  R2  ----> Server (192.168.64.16 or 2001:470:8:AAAA::4)


R1
* IPV4 Router Only
* Using NAT to translate outside global to inside address.

Excerpt of IOS Config 12.4T

ip route 0.0.0.0 0.0.0.0 FastEthernet4

!
! R2 uses 192.168.64.0 domain through 192.168.1.16
!
ip route 192.168.64.0 255.255.255.0 192.168.1.16

ip nat inside source list 110 interface FastEthernet4 overload

!
! Since All I have is a web page, port 80 should be fine, correct??
!

ip nat inside source static tcp 192.168.64.16 80 184.XXX.XXX.XXX 80 extendable

!
! We tried permit IP any any, and didn't work.
!
access-list 110 permit 41 any host 184.XXX.XXX.XXX log


R2
* IPV4 & IPV6 Router with HE Tunnel
* Can Route via IPv4 to/from Internet fine.
* Cannot route IPv6 via tunnel
* Configuration for R2 is shown below:


!
!
! R2
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IPV6TOV4
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!         
ip dhcp excluded-address 192.168.64.0 192.168.64.30
!
ip dhcp pool home
   network 192.168.64.0 255.255.255.0
   default-router 192.168.64.1
   dns-server 192.168.1.1
!
!
ip cef
!
ipv6 unicast-routing
ipv6 cef
!
multilink bundle-name authenticated
!
!
archive
log config
  hidekeys
!
!
!
interface Tunnel0
description Hurricane Electrice IPv6 tunnel
no ip address
ipv6 address 2001:470:7:AAAA::2/64
ipv6 enable
ipv6 mtu 1472
tunnel source FastEthernet 4
tunnel destination 216.66.XXX.XXX
tunnel mode ipv6ip
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description Outbound WAN
ip address 192.168.1.16 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
!
interface Vlan1
ip address 192.168.64.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:8:AAAA::1/64
ipv6 enable
!
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
!
no ip http server
no ip http secure-server
!
!
ip nat inside source list Out2In interface FastEthernet4 overload
!
!
ip access-list standard Out2In
permit any log
!
ipv6 route ::/0 Tunnel0
!
!
control-plane
!         
!
line con 0
no modem enable
line aux 0
line vty 0 4
login
!
scheduler max-task-time 5000
end





cholzhauer

Is your MTU setting correct?

VECTARE


The MTU is 1472.   Isn't that correct?

cholzhauer

I don't know, that's why I was asking ;)

cconn

You are behind NAT with R2; I doubt that R1 is going to NAT the tunnel correctly...

I would suggest also in both routers to not use "ip route 0.0.0.0 0.0.0.0 FastEthernet4" and instead specify the IP address of the next hop, to avoid having to use proxy-arp, which is generally not a good idea...

VECTARE

Thanks for the suggestion on the IP ROUTE. After a bit of research, Cisco in fact doesn't recommend using Interface on Static routes because of the size of ARP table it builds up. Here is an article by Cisco on this exact point. (See http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a00800ef7b2.shtml.)

R2 New Static Route
ip route 0.0.0.0 0.0.0.0 192.168.1.1

However, this didn't solve the problem. I am still able to route via IPv4 from the server out and in, but cannot route IPv6 out. I can only ping up to the tunnel0 interface [2001:470:7:XXXX::2], but after that, the packets go into the ether. So you think it might be the NAT problem? Is it specifically with protocol 41? I can do everything else via NAT using IPv4 without any issues. (Thought - What about the IP addresses in the tunnels - Will changing the source address make a difference instead of using interface?) Let me try that?



Here are a few shows.    

SHOW IP ROUTE (R2)

show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2
      i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
      ia - IS-IS inter area, * - candidate default, U - per-user static route
      o - ODR, P - periodic downloaded static route

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    192.168.64.0/24 is directly connected, Vlan1
C    192.168.1.0/24 is directly connected, FastEthernet4
S*   0.0.0.0/0 [1/0] via 192.168.1.1



SHOW IPV6 ROUTE (R2)

show ipv6 route
IPv6 Routing Table - Default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
      R - RIP
      O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
      ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
S   ::/0 [1/0]
    via Tunnel0, directly connected
C   2001:470:7:XXXX::/64 [0/0]
    via Tunnel0, directly connected
L   2001:470:7:XXXX::2/128 [0/0]
    via Tunnel0, receive
C   2001:470:8:XXXX::/64 [0/0]
    via Vlan1, directly connected
L   2001:470:8:XXXX::1/128 [0/0]
    via Vlan1, receive
L   FF00::/8 [0/0]
    via Null0, receive


SHOW IPV6 INTERFACE BRIEF (R2)
show ipv6 inter brief
Dot11Radio0                [administratively down/down]
   unassigned
FastEthernet0              [up/down]
   unassigned
FastEthernet1              [down/down]
   unassigned
FastEthernet2              [up/down]
   unassigned
FastEthernet3              [up/up]
   unassigned
FastEthernet4              [up/up]
   unassigned
NVI0                       [up/up]
   unassigned
Tunnel0                    [up/up]
   FE80::C0A8:110
   2001:470:7:XXXX::2
Vlan1                      [up/up]
   FE80::EA04:62FF:FE2C:C6A7
   2001:470:8:XXXX::1

SHOW IP ROUTE (R1)

show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
      D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
      N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
      E1 - OSPF external type 1, E2 - OSPF external type 2
      i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
      ia - IS-IS inter area, * - candidate default, U - per-user static route
      o - ODR, P - periodic downloaded static route

Gateway of last resort is 184.XXX.XXX.XXX to network 0.0.0.0

    184.XXX.0.0/27 is subnetted, 1 subnets
C       184.XXX.XXX.XXX is directly connected, FastEthernet4
S    192.168.64.0/24 [1/0] via 192.168.1.16
C    192.168.1.0/24 is directly connected, Vlan1
S*   0.0.0.0/0 [1/0] via 184.XXX.XXX.XXX



VECTARE

I am totally lost and going nuts over this. I am sure it is a simple thing. If I can route IPv4 traffic from Internet to R2 and back and forth, why wouldn't the tunnel route to HE and back & forth?

Internet -----> R1 -------> R2

R1 - doing static nat, IPv4 only.   
R2 - doing HE Tunnel

cconn

How friendly are you with the admin of R1? Have him terminate the tunnel in R1, and run IPv6 between R1 and R2 so you can utilize the prefix on your network.

VECTARE

You are right, the issue was with the NAT.   We did move the tunnel from R2 to R1 and everything is working fine (sort of..)   I was able to move up to the next level on HE Certification! 

So Cisco IOS does not NAT protocol 41.   But we would like to move the configuration off the router onto the test network. 

Question - Would route-map solve the problem? (I still think it's NAT'ing and will not work, but not sure)

Based off the config from http://www.velocityreviews.com/forums/t713705-nat-of-ip-proto-41-to-establish-ipv6-6in4-tunnel.html

!
ip nat inside source static 192.168.64.16 184.XXX.XXX.XXX route-map IPV6Tunnel
!
route-map IPV6Tunnel
   match ip address ACL.IPV6Tunnel
!
ip access-list extended ACL.IPV6Tunnel
    permit 41 host 192.168.64.16 host 184.XXX.XXX.XXX
!

cconn

I have read about using route-maps to do this, perhaps it might work for you.  Yes it is still natting, however it is blindly forwarding all traffic (that you identify as protocol 41...) to the particular IP you define in the route map.

cholzhauer

route maps used to work on the ASA too (doesn't run IOS) but with the new versions they released, you no longer have to use those.  I don't know if that's carried over to IOS, and if it has, what versions it's applicable to, but I just wanted to give you a heads up.
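
Added example, not part of any post in this thread: a small Python checker for raw IPv4 packets captured on the path, showing whether the 6in4 (protocol 41) packets of the tunnel discussed above leave with the outer source address the tunnel server expects. The function names are hypothetical, `198.51.100.10` and `203.0.113.1` are constructed stand-ins for the redacted R1 public address and tunnel server, and it assumes the tunnel server identifies the tunnel by the registered client IPv4 endpoint.

```python
import ipaddress
import struct

PROTO_6IN4 = 41  # IP protocol number of 6in4; it carries no ports for a port-forward rule to match
CLIENT = "198.51.100.10"  # constructed stand-in for R1's public address (redacted on the page)
SERVER = "203.0.113.1"    # constructed stand-in for the tunnel server (redacted on the page)

def build_6in4(outer_src, outer_dst, inner_src, inner_dst):
    """Constructed test packet: IPv4 header (checksum left 0) plus a bare IPv6 header."""
    inner = struct.pack("!IHBB", 6 << 28, 0, 59, 64)  # version 6, no payload, next header 59
    inner += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(inner), 0, 0, 64, PROTO_6IN4, 0)
    outer += ipaddress.IPv4Address(outer_src).packed + ipaddress.IPv4Address(outer_dst).packed
    return outer + inner

def inspect(packet, client_endpoint, tunnel_server):
    """Classify one raw IPv4 packet taken from a capture point on the path."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return {"verdict": "not-ipv4"}
    ihl = (packet[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    info = {"proto": packet[9], "outer_src": src, "outer_dst": dst}
    if packet[9] != PROTO_6IN4:
        return {**info, "verdict": "not-6in4"}
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return {**info, "verdict": "malformed-inner"}
    info["inner_src"] = str(ipaddress.IPv6Address(inner[8:24]))
    info["inner_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
    if dst == tunnel_server:
        # Outbound: the outer source must already be the registered endpoint,
        # otherwise NAT on the path did not translate the tunnel packet.
        ok = src == client_endpoint
        return {**info, "verdict": "outbound-ok" if ok else "outbound-untranslated"}
    if src == tunnel_server:
        return {**info, "verdict": "inbound"}
    return {**info, "verdict": "unrelated-6in4"}

if __name__ == "__main__":
    # R2's FastEthernet4 address from the thread as outer source, seen beyond the NAT.
    leaked = build_6in4("192.168.1.16", SERVER, "2001:470:8:aaaa::4", "2001:db8::1")
    print(inspect(leaked, CLIENT, SERVER))
```

Run against packets captured on R1's outside interface, an `outbound-untranslated` verdict or no protocol-41 packets at all points at the NAT hop rather than at the tunnel configuration.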