Are you using a DSL Connection??

Started by UltraZero, February 04, 2011, 08:22:08 AM

UltraZero

I hear  ya. 

For me, I am trying to work with what I have. I have done several modifications to my network to get my primary Cisco router out of my bedroom.

That 3640 is loud. Not to mention, I have another one in here (only use it when I am working on something). I have connections running all over my house. I've got well over 5 active network segments and I am really not interested in having a new network connection to be installed. No 1, I would not know where to put it. Not to mention, I just don't like having strangers come into my house and seeing things they might want to have their friend pick up for. Get my drift. Given, I do have a big Rottweiler who likes meat.

Anyway, if I could solve my issue with what I have, then I would be happy. I could close up the walls for the existing changes I have made and life would be good. Nice to have been in construction so punching holes isn't a problem. I can easily fix them.

Back to networking... I am looking at a Dlink 520B which is a straight modem.  Has a firewall, but maybe it can be disabled.   I am thinking of running a Pix firewall, but, I am having concerns about IPv6 and the firewall.  Finding a Pix with a higher version of the IOS is a task unto itself.

UltraZero

Can you even still purchase Cisco IOS for a Pix Firewall??


antillie

If you have an active service contract with Cisco you can still download firmware updates for the PIX series firewalls. However Cisco stopped releasing new firmware updates for the PIX line several years ago. If you want something that is still actively supported by Cisco you will need to get an ASA. I made a post about IPv6 support on the PIX/ASA series firewalls here.

chenson

Antillie is correct. PIX is no longer available for sale directly from Cisco. You can still buy FWSM but I don't think that's the direction you want to go. :) The ASA comes in models all the way down to a 5505 and they all support IPv6.

Your ipconfig was what I wanted to see. With Win7, if you are directly connected to your Internet and have a public IPv4 address (with a generic OS install) the OS will attempt to dynamically build an IPv6 tunnel. So you would see the Teredo interface or an IPv6 interface with an IPv6 address on it. Since you don't see either I'm thinking that the tunnel was unable to successfully establish.

Anyone correct me if I'm wrong here....
-CHenson-

UltraZero

So, I guess I should sell my car in order to pay for an ASA5510? Can you tell me if an ASA5505 has enough processing power to keep up with a small network?? I don't want any lag from the firewall. Not to mention, I am going to increase my connection speed and possibly put up a webserver that will generate some traffic.

I need an OC3 to my house.. Too many things I want to do that generate a lot of traffic. LOL

I know, sounds crazy but, remember, we were using a 1200bps modem at one time and thought a 9600 was way too fast and look at us now..


Back to routing.....  Bought a new modem last night.  Was up til 1:00 trying to set the stupid thing up..

Of course the weather didn't help. Winds, gusts were around 60 MPH I'd say. Link kept dropping.. Was unstable. I was able to connect to the net with a laptop and did some tests to check out my speed, but, that was a joke. Speeds were around 1 meg up and .15 down. Then I lost the connection til now.

Hmm.  This morning, seeing the connection is back online, I'll try again..
Nice to know the inconsistencies of 1 mfg terminology vs another.  Hopefully I can get the new modem in place so I can test with the tunnel.

cholzhauer

A 5505 is plenty.  I'm running a DR center with one and have had no problems.  If you need gigabit speeds though, you're better off using a layer 3 switch attached to your 5505 and use it to VLAN.

UltraZero

So.. what you mean is that little box can handle the job?? (reworded)

I thought that little box was for small networks. (That's what I get for not reading up on it)
I thought it was pretty pricey at that. How many users would you say that box can handle heavy users..

Thanks

cholzhauer

lol good call on the re-wording.

The number of users doesn't matter as much as the traffic. If you have 50 users only doing web traffic, you won't have any issues.

Now, if you have 50 users moving 15gb files around all day, you might see a problem.

What are you planning on putting behind it?  If you're only using this for your house, go for it.  I wouldn't have a problem using it for a 50 user dental office.

chenson

A 5505 is plenty for the home. Unless you are running Japanese Internet speeds at home. I flipped to Charter yesterday as mentioned. I am running a DOCSIS3 modem into an 1841 ISR. The ISR feeds into an ASA 5505. I was getting 30Mbps + on speedtest. That doesn't guarantee anything in itself but the ASA will not hurt you. Even with multiple VPNs and IPv6 and IPv6 running across it.

As for my previous adventure with AT&T, I have an update. Although I ripped AT&T's crappy 3Mbps DSL from the house, I still have it in my lab at the office. I am up and running with IPv6.

First: Learning curve. I was completely confusing "6to4" with "6in4". From my AT&T DSL it does not appear that AT&T supports 6to4 which involves using the 192.88.99.1 anycast that would be managed by the carrier. However, AT&T does support (at least for me) 6in4 which utilizes protocol 41 and requires both endpoints to be defined. This is what is used by HE for their setup. I apologize to everyone who I may have previously confused with my posts. Thanks to Packetmail and some additional reading I managed to get my wires straight.

So, as stated, I am up and running with my tunnel to HE over AT&T. Once I got my wires straight it was pretty simple.


UltraZero,
      Now that I have a better picture on what I was doing wrong, where are you at with your effort? Any progress? If not, what symptoms are you seeing with the new modem?
-CHenson-
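The 6to4 versus 6in4 distinction from the post above, as an added Python example (not code from the thread or from Hurricane Electric): it labels protocol 41 packets the way a border filter would, accepting 6in4 only between the two configured endpoints. All addresses are constructed samples from documentation ranges, and the function names are hypothetical.

```python
import ipaddress
import struct

RELAY_6TO4 = ipaddress.IPv4Address("192.88.99.1")  # 6to4 anycast relay named in the post
PROTO_41 = 41                                      # IPv6 carried directly in IPv4

# Constructed sample addresses (documentation ranges), not from the thread.
CLIENT = ipaddress.IPv4Address("192.0.2.10")       # our public IPv4
SERVER = ipaddress.IPv4Address("198.51.100.1")     # configured 6in4 tunnel server
STRANGER = ipaddress.IPv4Address("203.0.113.5")    # host we never configured
TUNNEL = frozenset((CLIENT, SERVER))               # the two defined 6in4 endpoints

def sixtofour_prefix(v4):
    """6to4 derives the site prefix from the public IPv4: 2002:V4ADDR::/48."""
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))

def build(outer_src, outer_dst, inner_src, inner_dst):
    """Minimal IPv4 header (protocol 41, checksum left 0) plus IPv6 header."""
    v6 = struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                     ipaddress.IPv6Address(inner_src).packed,
                     ipaddress.IPv6Address(inner_dst).packed)
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6), 0, 0, 64,
                     PROTO_41, 0, outer_src.packed, outer_dst.packed)
    return v4 + v6

def classify(packet, tunnel):
    """Label a raw IPv4 packet; `tunnel` is the frozenset of 6in4 endpoints."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    if packet[9] != PROTO_41:
        return "not-proto41"
    ihl = (packet[0] & 0x0F) * 4
    inner = packet[ihl:]
    if ihl < 20 or len(inner) < 40 or inner[0] >> 4 != 6:
        return "malformed"
    outer_src = ipaddress.IPv4Address(packet[12:16])
    outer_dst = ipaddress.IPv4Address(packet[16:20])
    inner_src = ipaddress.IPv6Address(inner[8:24])
    # 6to4: relay anycast on the outside, or inner source embeds the outer source.
    if RELAY_6TO4 in (outer_src, outer_dst) or inner_src.sixtofour == outer_src:
        return "6to4"
    # 6in4: both outer endpoints must be the pair configured for the tunnel.
    if frozenset((outer_src, outer_dst)) == tunnel:
        return "6in4"
    return "unexpected-proto41"
```
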

UltraZero

Hi. I am back online with the new modem.  I can't seem to get the new modem to work with my network.

If it's not one thing, it is another.

I am about to try to see if I can get my Windows 7 machine to establish the tunnel.

If I can't establish the tunnel with the new modem, then I am going to take the two of them outside, use a nail gun and tack them on the fence, go back about 50 yards and take a crossbow to them both....  :o

Then, I'm going to call and get cable internet.  LOL..

chenson

-CHenson-

antillie

Well, although the 5505 won't terminate a 6in4 tunnel it will do full 100 mbps speed firewall duties at layers 3 and 4 in IPv4 and IPv6 just fine. It's also a nice hardware accelerated 100 mbps IPSec VPN device too.

As far as max users goes it depends on what license you purchase for it. The "base" model 5505 allows 10 hosts behind the firewall to talk to the outside world at a time. This is more than enough for a home or even a small branch office. There are 50 user and unlimited user licenses as well. But the 100 mbps speed is available by default on all 5505s. The 5505 is technically capable of 150 mbps aggregate throughput between layer 3 interfaces but since its Ethernet interfaces are limited to 100 mbps you would need a network with at least three layer 3 segments to actually hit the throughput limit of the firewall. So if you just have "inside" and "outside" the 5505 is all you need for firewall duties at speeds up to 100 mbps.

I use a 5505 myself at home with a 2621xm on a cable modem. The 2621xm sits on the cable modem and handles PAT for IPv4 and the tunnel to HE.net while the 5505 is just behind the 2621xm and takes care of firewall duties in IPv4 and IPv6, it works great.

UltraZero

Crossbow??

Doesn't everyone??

Anyway, I'm back online.  Man.... What a morning.  Well, here is what happened.

Windows 7 just didn't happen. Got some strange duplicate ID error in the Netsh command. Never saw that one before. Not to mention. Whenever I try to make a change, I get an IP address labeled 99.xxx.xxx.xxx from ATT and nothing works. I switch back and I get my normal range of IP addresses.

Really funny.  Only does it when I put the new modem online. 

After trying to fall back to the ATT modem (didn't touch any of the configurations) I lost PPPoE.. No connection whatsoever. I had to call ATT, got reconnected with the reconnect button in the modem (boy, I missed that BIG BLUE BUTTON) but, the modem would not hold a connection. Finally forced the modem to stay up, then a super fast switch of the ethernet wire and a 5 minute wait for all of the routes to be updated in the Cisco and here I am.

Hmm.  Where are my arrows..

So, I really want to rule out ATT before I move to another provider.  Don't really want to spend the money and then find out I'm the bonehead who missed something.

Now..

RE PIX. I read the forwarded info about the Pix. I think there was something that stated IOS version 6.x won't have any IPv6 support. Need to upgrade memory on the Pix units in order to support versions 7.x and 8.x which do support IPv6 somewhat. I guess having the Pix as a firewall behind the router isn't too bad except that means dual stack needs to be run and if you are a straight IPv6 network, you can forget using the unit. Bummer. I read about the upgrade about a month ago and figured I could upgrade the IOS via Cisco. I was hoping the upgrade cost would not be too much of a pain. I guess that's not going to happen.

Anyone looking for some old Cisco equipment?? LOL..

UltraZero

Antillie - Are you still running access list/firewall software on the cisco in order to protect it as well?

So.. If you were to run in a non dual stack mode, IPv6 only,  the 5505 would or would not work??

BTW - You wrote me a reply some time ago about my configuration. You said I didn't have any unicast address in my config. That which you were talking about was just for the purposes of routing internally from subnet to subnet and out onto the tunnel. Which wasn't the issue with fixing the not pinging issue. Correct??

That was on Feb 2.

Thanks

chenson

UltraZero you are seriously having an adventure over there. I'm not sure what to tell you. 99.x.x.x addressing? Dropping PPPoE? I am not there so I'm not sure what approach to take. Obviously pulling all the gear out and starting just laptop to modem is your first start. Verifying IPv4. Yada yada. But it sounds like you've done that about 14 times and just getting things stable is a struggle. Do you live on a fault line?

ISPs are like NFL kickers. There is no loyalty to them. You are the coach. If he keeps going wide right... dump him. If he's on target most of the time... It might be worth it to keep him. That call is totally up to you. The arguments for DSL vs Cable can get pretty deep too. In the end. You just need to decide what you want. Personally, I would have dumped them. Just like I did yesterday.

As far as the home network. Once you get "stable" with the modem and laptop. Step one layer back. Just an IOS based router. No firewall. I honestly can't remember from this thread if you have an IOS router or not. I may be mixing you up with someone else. But if you do. Just go with the router. Get IPv4 setup with your dialer or FE interface. Then get your IOS NAT set up. Run a few speed tests. Make sure things look good. Once you are comfortable with everything. Go ahead and look into your tunneling setup for IPv6. I spent two days writing an elaborate config for my tunnel and then got lazy and just selected Cisco from the drop down menu on the HE website for my tunnel. Pretty darn nice setup they have. If you get the tunnel up and running and you've tested your "routable" /64 vs your "tunnel" /64, then move on to the PIX.

NOTE: I'm currently testing a PIX 525 with 7.2(4) code. I put a /80 behind the FW and tested. SLAAC worked fine. Got an address on the test laptop. I was able to ping all the way thru to IPv6 addresses on the Internet. Oddly, even with properly configured IPv6 DNS I still had resolution issues. I'll be working on that over the next few days.

NOTE: I'm testing STRICT IPv6 right now. Not dual stacked networks so I'm not messing with DNS v6-v4 glue and whatnot yet. All in time.

FINAL NOTE: If you are well beyond my comments don't be offended. I'm just offering help.
-CHenson-