Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Cisco 831 and IPv6 Configuration...

Started by josepena, May 02, 2011, 11:25:25 PM


josepena

Hello everyone...
I got assigned IPv6 and followed the steps to set up my Cisco 831. This is the configuration I have...

configure terminal
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 enable
ipv6 address 2001:470:1f04:1c63::2/64
tunnel source 70.70.70.70
tunnel destination 72.52.104.74
tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0
end

I can't ping the server's IPv6 address, 2001:470:1f04:1c63::1/64. I already set
ipv6 unicast-routing

What else do I need in order to ping the server or any other IPv6 address?

Thanks in advance for your help.

Jos.

cholzhauer


josepena

My Cisco router is the front of the network, the one that has the public IPv4 address, and I'm pinging from the Cisco router itself. No, I'm not behind NAT.

Thanks.

adamfulcher2000

What firewall / access list rules do you have in place on the 831?

josepena

I allow all outgoing traffic and allow only specific incoming traffic: HTTP, HTTPS, DNS and the ports for remote access, basically.
Do I have to add a rule to allow outgoing traffic from Tunnel0, or do I have to create an ACL or rules for Tunnel0?

Thanks for your help.

Jos.

cholzhauer

Quote from: josepena on May 04, 2011, 04:10:08 PM
I allow all outgoing traffic and allow only specific incoming traffic: HTTP, HTTPS, DNS and the ports for remote access, basically.
Do I have to add a rule to allow outgoing traffic from Tunnel0, or do I have to create an ACL or rules for Tunnel0?

Thanks for your help.

Jos.

Are you allowing protocol 41?

adamfulcher2000

On my 831 I started with the default firewall ruleset created by SDM, but I needed to add this statement to allow protocol 41 before the tunnel would work:

access-list 101 permit 41 any any

You should not need any rules to allow outgoing traffic from Tunnel0, although you will want some for incoming traffic, e.g.:

ipv6 access-list IN-ACL6
permit icmp any any
permit tcp any any established
permit udp any any eq 546
deny ipv6 any any

... etc.
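To make concrete what the "permit 41" entry above is letting through, here is an added example of mine; it is not adamfulcher2000's, Cisco's or HE's code. It builds the protocol-41 frames that "tunnel mode ipv6ip" sends (an IPv6 packet behind a plain IPv4 header) and strips them again with the checks the router's "tunnel source"/"tunnel destination" settings and a "permit 41 host <peer>" ACL enforce. The IPv4 and IPv6 addresses are the ones from the first post; the ICMPv6 echo request, its payload and the spoofed sender 198.51.100.7 are constructed for the example.

```python
"""6in4 (IP protocol 41) framing, with the peer check a tunnel endpoint should make.

Added example, not from the forum thread, Cisco or HE. Addresses are those of the
first post; the ICMPv6 echo and the spoofed sender 198.51.100.7 are constructed.
"""
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41        # what 'access-list 101 permit 41 ...' matches
NEXT_HEADER_ICMPV6 = 58
ICMPV6_ECHO_REQUEST = 128


class TunnelError(ValueError):
    """Raised for a frame that must not be decapsulated."""


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; over data that already carries its checksum it returns 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, proto: int = PROTO_IPV6_IN_IPV4) -> bytes:
    """20-byte IPv4 header (DF set, TTL 64) with its checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]


def icmpv6_pseudo_header(src6: str, dst6: str, length: int) -> bytes:
    """40-byte pseudo-header the ICMPv6 checksum covers (RFC 8200 section 8.1)."""
    return (ipaddress.IPv6Address(src6).packed + ipaddress.IPv6Address(dst6).packed
            + struct.pack("!IxxxB", length, NEXT_HEADER_ICMPV6))


def build_icmpv6_echo(src6: str, dst6: str, ident: int = 1, seq: int = 1, data: bytes = b"HE tunnel test") -> bytes:
    """ICMPv6 echo request with the pseudo-header checksum filled in."""
    body = struct.pack("!BBHHH", ICMPV6_ECHO_REQUEST, 0, 0, ident, seq) + data
    csum = ones_complement_sum(icmpv6_pseudo_header(src6, dst6, len(body)) + body)
    return body[:2] + struct.pack("!H", csum) + body[4:]


def build_ipv6_packet(src6: str, dst6: str, payload: bytes, next_header: int = NEXT_HEADER_ICMPV6) -> bytes:
    """Fixed 40-byte IPv6 header (hop limit 64, no traffic class or flow label) plus payload."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src6).packed, ipaddress.IPv6Address(dst6).packed)
    return hdr + payload


def encapsulate(outer_src: str, outer_dst: str, ipv6_packet: bytes) -> bytes:
    """Outbound side: prepend the IPv4 header built from 'tunnel source' / 'tunnel destination'."""
    return build_ipv4_header(outer_src, outer_dst, len(ipv6_packet)) + ipv6_packet


def decapsulate(frame: bytes, peer: str, local: str) -> bytes:
    """Return the inner IPv6 packet or raise TunnelError.

    The peer check is why 'permit 41 host <peer> any' beats 'permit 41 any any': with
    the broad rule, anyone who can reach the WAN address can wrap arbitrary IPv6
    packets in protocol 41 and have the router forward them into the LAN.
    """
    if len(frame) < 20:
        raise TunnelError("frame shorter than an IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or ihl > total_len or total_len > len(frame):
        raise TunnelError("not a well-formed IPv4 packet")
    if ones_complement_sum(frame[:ihl]) != 0:
        raise TunnelError("bad IPv4 header checksum")
    if proto != PROTO_IPV6_IN_IPV4:
        raise TunnelError("protocol %d is not 6in4" % proto)
    src_ip, dst_ip = str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst))
    if (src_ip, dst_ip) != (peer, local):
        raise TunnelError("outer %s -> %s does not match the configured tunnel %s -> %s" % (src_ip, dst_ip, peer, local))
    inner = frame[ihl:total_len]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise TunnelError("inner packet is not IPv6")
    return inner


def inner_addresses(ipv6_packet: bytes) -> tuple:
    """(src, dst, next_header) of an IPv6 packet, for inspection after decapsulation."""
    _, _, next_header, _, src, dst = struct.unpack("!IHBB16s16s", ipv6_packet[:40])
    return str(ipaddress.IPv6Address(src)), str(ipaddress.IPv6Address(dst)), next_header


# Constructed exchange: the HE side (::1) pings the router's tunnel address (::2).
ECHO = build_ipv6_packet("2001:470:1f04:1c63::1", "2001:470:1f04:1c63::2",
                         build_icmpv6_echo("2001:470:1f04:1c63::1", "2001:470:1f04:1c63::2"))
FRAME = encapsulate("72.52.104.74", "70.70.70.70", ECHO)      # legitimate: outer source is the HE endpoint
SPOOFED = encapsulate("198.51.100.7", "70.70.70.70", ECHO)    # same inner packet, arbitrary outer source

if __name__ == "__main__":
    print("protocol", FRAME[9], "inner", inner_addresses(decapsulate(FRAME, "72.52.104.74", "70.70.70.70")))
    try:
        decapsulate(SPOOFED, "72.52.104.74", "70.70.70.70")
    except TunnelError as exc:
        print("rejected:", exc)
```

The outer header is all the WAN ACL sees: byte 9 is the protocol number, so "permit 41 any any" matches both FRAME and SPOOFED, while "permit 41 host 72.52.104.74 any" (with the peer from the first post) matches only the frame that decapsulate() accepts. Whatever the IPv4 ACL allows, the inner IPv6 packet is then subject only to the "ipv6 traffic-filter" on the tunnel interface, which is why the inbound IPv6 ACL belongs on Tunnel0.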

josepena

adamfulcher2000:
The sample rule you gave me, 101: should that be a new ACL or the ACL on the WAN?
I copied the ACL given by HE to my router; do I have to add anything to it? Since we have the same router, maybe I can get a little more help.
I have an ACL for the WAN where I allow specific traffic.

LATER:
adamfulcher2000... never mind my previous questions... I added the permit 41 to one of my interfaces and it started to work... Other questions:

* I have an IPv6 address on the tunnel. To deploy, do I have to assign an address to the WAN, the LAN and each host in the LAN? Another question: on which interface do I set the rules for IPv6? For example, I created some rules to allow only the desired traffic from the Internet to my WAN. I have my web and mail server in the LAN; where do I set the rule to allow that traffic from the IPv6 Internet to my internal server?

Regards.

adamfulcher2000

What I did was to associate the routed /64 provided by HE with interface Ethernet0, so that any IPv6-capable clients attached to interfaces FastEthernet1-4 acquire a v6 address via stateless autoconfiguration. I associated the firewall rules for v6 with interface Tunnel0 only. This may not be the only (or even the correct) way of doing things, but it worked for me:

ipv6 unicast-routing
!
interface Tunnel0
no ip address
ipv6 address 2001:470:1F08:1728::2/64
ipv6 enable
ipv6 traffic-filter IN-ACL6 in
tunnel source xxx.xxx.xxx.xxx
tunnel destination 216.66.80.26
tunnel mode ipv6ip
!
interface Ethernet0
description $ETH-LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:1F09:1728::/64
ipv6 enable
!
interface Ethernet1
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id Ethernet1
ip access-group 101 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
duplex auto
!
ipv6 access-list IN-ACL6
permit icmp any any
permit tcp any any established
permit udp any any eq 546
deny ipv6 any any
!

antillie

Here is how I set up my 2621xm running IOS 12.4 to work with the tunnel to HE:

cerberus#sho run
Building configuration...

Current configuration : 5981 bytes
!
! Last configuration change at 11:54:38 CST Mon Sep 12 2011 by antillie
! NVRAM config last updated at 21:19:57 CST Mon Aug 22 2011 by antillie
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cerberus
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 X
!
aaa new-model
!
aaa group server radius AD-RADIUS
server 192.168.100.8 auth-port 1812 acct-port 1813
!
aaa authentication login userauth local
aaa authentication login ssh-access group AD-RADIUS enable
aaa authorization exec default group AD-RADIUS if-authenticated
aaa authorization network groupauth local
!
aaa session-id common
clock timezone CST -6
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
!
no ip bootp server
ip domain name local.lan
ip name-server 192.168.100.8
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
no ipv6 source-route
ipv6 cef
!
username antillie secret 5 X
username kandrida secret 5 X
!
ip ssh version 2
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:470:1F0E:6CA::2/64
ipv6 enable
ipv6 traffic-filter Block-IPv6-SSH in
no ipv6 redirects
ipv6 verify unicast reverse-path
tunnel source 70.114.48.211
tunnel destination 216.218.224.42
tunnel mode ipv6ip
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.252
ip nat inside
ip virtual-reassembly
ip route-cache same-interface
ip route-cache flow
duplex auto
speed auto
ipv6 address 2001:470:B98A:1::/64 eui-64
ipv6 mtu 1480
ipv6 nd prefix 2001:470:B98A:1::/64
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address dhcp
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
ip route-cache same-interface
ip route-cache flow
duplex auto
speed auto
!
router eigrp 150
redistribute connected
redistribute static
passive-interface FastEthernet0/1
passive-interface Tunnel0
network 10.1.1.0 0.0.0.3
no auto-summary
!
no ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 2000 interface FastEthernet0/1 overload
!
ip radius source-interface FastEthernet0/0
access-list 2000 permit ip any any
no cdp run
ipv6 route 2001:470:B98A::/48 FastEthernet0/0 FE80::21F:9EFF:FE45:2422
ipv6 route 2001:DB8::/32 Null0
ipv6 route FC00::/7 Null0
ipv6 route ::/0 2001:470:1F0E:6CA::1
!
radius-server host 192.168.100.8 auth-port 1812 acct-port 1813 key 7 X
!
ipv6 access-list Block-IPv6-SSH
deny tcp any any eq 22
permit ipv6 any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
exec-timeout 0 0
login authentication ssh-access
transport input ssh
line vty 5 15
exec-timeout 0 0
login authentication ssh-access
transport input ssh
!
ntp clock-period 17180108
ntp server 206.246.118.250
ntp server 64.236.96.53
ntp server 68.216.79.113
!
end


You should be able to use this as a template for almost any fairly modern version of IOS to get basic IPv6 connectivity working via an HE.net tunnel.
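The points raised across this thread (is protocol 41 permitted on the WAN ACL, and how broadly; is there an inbound IPv6 filter on Tunnel0, and is it default-deny or default-permit) can be checked mechanically against a pasted "show run". The following is an added example of mine, not code from antillie, adamfulcher2000, Cisco or HE. It assumes the WAN interface is the one carrying "ip nat outside" (true of both configs posted above), looks only at numbered IPv4 ACLs, and runs over three constructed, condensed configs modelled on josepena's first post, adamfulcher2000's config and antillie's config; the placeholder addresses in them are not the posters' real ones.

```python
"""Audit an IOS config for the 6in4 tunnel problems discussed in this thread.

Added example (not from the forum, Cisco or HE). Checks that the ipv6ip tunnel has an
inbound ipv6 traffic-filter which does not end in 'permit ipv6 any any', and that the
WAN interface's inbound IPv4 ACL permits protocol 41 (the original problem), ideally
only from the tunnel peer. Assumed: the WAN interface is the one with 'ip nat outside';
only numbered IPv4 ACLs are examined; the sample configs below are constructed.
"""
import re

SWALLOWED = ("router ", "line ", "control-plane", "ip access-list ", "aaa ")


def parse_ios(text):
    """Return (interfaces, ipv4_acls, ipv6_acls), each mapping a name to its lines."""
    interfaces, ipv4_acls, ipv6_acls, current = {}, {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()                         # the posts lost IOS's indentation; do not rely on it
        if not line or line in ("!", "end"):       # '!' separates blocks in IOS output
            current = None
        elif m := re.match(r"access-list (\d+) (.+)$", line):   # numbered ACL entry: one top-level line
            ipv4_acls.setdefault(m.group(1), []).append(m.group(2))
            current = None
        elif line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith("ipv6 access-list "):
            current = ipv6_acls.setdefault(line.split()[2], [])
        elif line.startswith(SWALLOWED):
            current = []                           # a block this audit ignores
        elif current is not None:
            current.append(re.sub(r"^sequence \d+ ", "", line))
    return interfaces, ipv4_acls, ipv6_acls


def _word(lines, prefix, index=2, suffix=""):
    # word `index` of the first line that starts with prefix and ends with suffix, else None
    hits = [l for l in lines if l.startswith(prefix) and l.endswith(suffix)]
    return hits[0].split()[index] if hits else None


def audit(text):
    """Return finding strings; an empty list means nothing to report."""
    interfaces, ipv4_acls, ipv6_acls = parse_ios(text)
    findings = []
    for name, lines in interfaces.items():
        if "tunnel mode ipv6ip" not in lines:
            continue
        peer = _word(lines, "tunnel destination ")
        flt = _word(lines, "ipv6 traffic-filter ", suffix=" in")
        if flt is None:
            findings.append(f"{name}: no inbound ipv6 traffic-filter; all tunnel traffic reaches the LAN")
        elif flt not in ipv6_acls:
            findings.append(f"{name}: traffic-filter {flt} is applied but never defined")
        elif ipv6_acls[flt][-1:] == ["permit ipv6 any any"]:
            findings.append(f"{flt}: ends with 'permit ipv6 any any' (default permit; only listed denies block)")
        for wan, wlines in interfaces.items():     # WAN side: where the protocol-41 packets arrive
            if "ip nat outside" not in wlines:
                continue
            acl = _word(wlines, "ip access-group ", suffix=" in")
            if acl is None:
                findings.append(f"{wan}: no inbound IPv4 access-group; protocol 41 accepted from any source, not just {peer}")
                continue
            p41 = [e for e in ipv4_acls.get(acl, []) if e.startswith("permit 41 ")]
            if not p41:
                findings.append(f"{wan}: access-list {acl} has no 'permit 41' entry; 6in4 from {peer} hits the implicit deny")
            elif any(e.split()[2] == "any" for e in p41):
                findings.append(f"{wan}: access-list {acl} permits protocol 41 from any source; use 'permit 41 host {peer} any'")
    return findings


# Constructed configs reproducing the thread's three situations (condensed, not copies of the posts).
CONFIG_NO_PROTOCOL_41 = """
interface Tunnel0
 tunnel destination 72.52.104.74
 tunnel mode ipv6ip
interface Ethernet1
 ip access-group 101 in
 ip nat outside
access-list 101 permit tcp any any eq 80
"""
CONFIG_BROAD_PERMIT_41 = """
interface Tunnel0
 ipv6 traffic-filter IN-ACL6 in
 tunnel destination 216.66.80.26
 tunnel mode ipv6ip
interface Ethernet1
 ip access-group 101 in
 ip nat outside
access-list 101 permit 41 any any
ipv6 access-list IN-ACL6
 permit icmp any any
 permit tcp any any established
 deny ipv6 any any
"""
CONFIG_DEFAULT_PERMIT = """
interface Tunnel0
 ipv6 traffic-filter Block-IPv6-SSH in
 tunnel destination 216.218.224.42
 tunnel mode ipv6ip
interface FastEthernet0/1
 ip nat outside
ipv6 access-list Block-IPv6-SSH
 deny tcp any any eq 22
 permit ipv6 any any
"""

if __name__ == "__main__":
    for cfg in (CONFIG_NO_PROTOCOL_41, CONFIG_BROAD_PERMIT_41, CONFIG_DEFAULT_PERMIT):
        print(*audit(cfg), "", sep="\n")
```

Run against the first sample it reports exactly the two things josepena had to fix (no "permit 41" on the WAN ACL, nothing filtering what comes in over Tunnel0); against the second it only suggests narrowing "permit 41 any any" to the HE endpoint; against the third it flags that "Block-IPv6-SSH" is a default-permit filter, so every IPv6 service on the LAN except SSH is reachable from the tunnel unless the hosts filter for themselves. Narrowing "permit 41" to the peer address is safe with a DHCP-assigned WAN address, since the restriction is on the source (HE's side), not on the router's own address.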