Hurricane Electric's IPv6 Tunnel Broker Forums

Author Topic: Cisco 831 and IPv6 Configuration...  (Read 9799 times)

josepena

  • Newbie
  • *
  • Posts: 5
Cisco 831 and IPv6 Configuration...
« on: May 02, 2011, 11:25:25 PM »

Hello everyone...
I got assigned IPv6 and I got the steps to set up my Cisco 831; this is the configuration I have...

configure terminal
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 enable
 ipv6 address 2001:470:1f04:1c63::2/64
 tunnel source 70.70.70.70
 tunnel destination 72.52.104.74
 tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0
end

I can't ping the server's IPv6 address: 2001:470:1f04:1c63::1/64. I already set
ipv6 unicast-routing

What else do I need to ping the server or any other IPv6 address?

Thanks in advance for your help.

Jos.
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2742
Re: Cisco 831 and IPv6 Configuration...
« Reply #1 on: May 03, 2011, 07:24:42 AM »

You're not behind a NAT are you?
Logged

josepena

  • Newbie
  • *
  • Posts: 5
Re: Cisco 831 and IPv6 Configuration...
« Reply #2 on: May 03, 2011, 08:36:23 AM »

My Cisco router is the front of the network, the one that has the public IPv4 address; I'm pinging from the Cisco router. No, I'm not behind NAT.

Thanks.
Logged

adamfulcher2000

  • Newbie
  • *
  • Posts: 4
Re: Cisco 831 and IPv6 Configuration...
« Reply #3 on: May 04, 2011, 03:06:56 PM »

What firewall / access list rules do you have in place on the 831?
Logged

josepena

  • Newbie
  • *
  • Posts: 5
Re: Cisco 831 and IPv6 Configuration...
« Reply #4 on: May 04, 2011, 04:10:08 PM »

I allow all outgoing traffic, and allow specific traffic for incoming: http, https, dns, ports for remote access basically.
Do I have to add a rule to allow any outgoing traffic from tunnel0?
or
do I have to create acl or rules for tunnel0?

Thanks for your help.

Jos.
Logged

cholzhauer

  • Hero Member
  • *****
  • Posts: 2742
Re: Cisco 831 and IPv6 Configuration...
« Reply #5 on: May 04, 2011, 07:25:40 PM »

> I allow all outgoing traffic, and allow specific traffic for incoming: http, https, dns, ports for remote access basically.
> Do I have to add a rule to allow any outgoing traffic from tunnel0?
> or
> do I have to create acl or rules for tunnel0?
>
> Thanks for your help.
>
> Jos.

Are you allowing protocol 41?
Logged

adamfulcher2000

  • Newbie
  • *
  • Posts: 4
Re: Cisco 831 and IPv6 Configuration...
« Reply #6 on: May 05, 2011, 03:02:29 PM »

On my 831 I started with the default firewall ruleset created by SDM, but I needed to add this statement to allow protocol 41 before the tunnel would work:

access-list 101 permit 41 any any

You should not need any rules to allow outgoing traffic from Tunnel0 although you will want some for incoming traffic, e.g.:

ipv6 access-list IN-ACL6
 permit icmp any any
 permit tcp any any established
 permit udp any any eq 546
 deny ipv6 any any

... etc.
Logged

josepena

  • Newbie
  • *
  • Posts: 5
Re: Cisco 831 and IPv6 Configuration...
« Reply #7 on: May 07, 2011, 08:41:44 PM »

adamfulcher2000:
The sample rule you gave me, 101: should that be a new one, or the ACL on the WAN?
I copied the ACL given for HE to my router; do I have to add anything additional to them? Because we have the same router, maybe I can get a little bit more help.
I have an ACL for the WAN where I allow specific traffic.

LATER:
ADAMFULCHER.... Never mind about my previous questions... I added the permit 41 to one of my interfaces and it started to work... Other questions here are:

* I have an IPv6 address for the tunnel... To deploy, do I have to set an IP on the WAN, the LAN and each host in the LAN? The other question is... on which interface do I set the rules for IPv6? For example, I created some rules to allow specific traffic from the Internet to my WAN, only the desired traffic. I have my web and mail server in the LAN; where do I set the rule to allow that traffic from the IPv6 Internet to my internal server?

Regards
« Last Edit: May 07, 2011, 11:31:27 PM by josepena »
Logged

adamfulcher2000

  • Newbie
  • *
  • Posts: 4
Re: Cisco 831 and IPv6 Configuration...
« Reply #8 on: May 08, 2011, 03:11:55 PM »

What I did was to associate the routed /64 provided by HE with interface Ethernet0, so that any IPv6 capable clients attached to interfaces FastEthernet1-4 will acquire a V6 address via stateless autoconfiguration. I associated the firewall rules for V6 with interface Tunnel0 only. This may not be the only (or even the correct) way of doing things, but it worked for me:

ipv6 unicast-routing
!
interface Tunnel0
 no ip address
 ipv6 address 2001:470:1F08:1728::2/64
 ipv6 enable
 ipv6 traffic-filter IN-ACL6 in
 tunnel source xxx.xxx.xxx.xxx
 tunnel destination 216.66.80.26
 tunnel mode ipv6ip
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:1F09:1728::/64
 ipv6 enable
!
interface Ethernet1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id Ethernet1
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
!
ipv6 access-list IN-ACL6
 permit icmp any any
 permit tcp any any established
 permit udp any any eq 546
 deny ipv6 any any
!
Logged

antillie

  • Full Member
  • ***
  • Posts: 104
Re: Cisco 831 and IPv6 Configuration...
« Reply #9 on: September 12, 2011, 07:20:28 PM »

Here is how I set up my 2621xm running IOS 12.4 to work with the tunnel to HE:
cerberus#sho run
Building configuration...

Current configuration : 5981 bytes
!
! Last configuration change at 11:54:38 CST Mon Sep 12 2011 by antillie
! NVRAM config last updated at 21:19:57 CST Mon Aug 22 2011 by antillie
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cerberus
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 X
!
aaa new-model
!
aaa group server radius AD-RADIUS
 server 192.168.100.8 auth-port 1812 acct-port 1813
!
aaa authentication login userauth local
aaa authentication login ssh-access group AD-RADIUS enable
aaa authorization exec default group AD-RADIUS if-authenticated
aaa authorization network groupauth local
!
aaa session-id common
clock timezone CST -6
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
!
no ip bootp server
ip domain name local.lan
ip name-server 192.168.100.8
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
no ipv6 source-route
ipv6 cef
!
username antillie secret 5 X
username kandrida secret 5 X
!
ip ssh version 2
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:1F0E:6CA::2/64
 ipv6 enable
 ipv6 traffic-filter Block-IPv6-SSH in
 no ipv6 redirects
 ipv6 verify unicast reverse-path
 tunnel source 70.114.48.211
 tunnel destination 216.218.224.42
 tunnel mode ipv6ip
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 duplex auto
 speed auto
 ipv6 address 2001:470:B98A:1::/64 eui-64
 ipv6 mtu 1480
 ipv6 nd prefix 2001:470:B98A:1::/64
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address dhcp
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 duplex auto
 speed auto
!
router eigrp 150
 redistribute connected
 redistribute static
 passive-interface FastEthernet0/1
 passive-interface Tunnel0
 network 10.1.1.0 0.0.0.3
 no auto-summary
!
no ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 2000 interface FastEthernet0/1 overload
!
ip radius source-interface FastEthernet0/0
access-list 2000 permit ip any any
no cdp run
ipv6 route 2001:470:B98A::/48 FastEthernet0/0 FE80::21F:9EFF:FE45:2422
ipv6 route 2001:DB8::/32 Null0
ipv6 route FC00::/7 Null0
ipv6 route ::/0 2001:470:1F0E:6CA::1
!
radius-server host 192.168.100.8 auth-port 1812 acct-port 1813 key 7 X
!
ipv6 access-list Block-IPv6-SSH
 deny tcp any any eq 22
 permit ipv6 any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 login authentication ssh-access
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 login authentication ssh-access
 transport input ssh
!
ntp clock-period 17180108
ntp server 206.246.118.250
ntp server 64.236.96.53
ntp server 68.216.79.113
!
end

You should be able to use this as a template for almost any fairly modern version of IOS to get basic IPv6 connectivity working via an HE.net tunnel.
Logged
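
The inbound tunnel filters posted in Replies #6/#8 (IN-ACL6) and #9 (Block-IPv6-SSH) end in opposite default actions, which decides what on the LAN is reachable from the IPv6 Internet. The following is an added example, not code from any poster in this thread: it reads a constructed config trimmed from those posts (Tunnel1 is a made-up interface name so both filters fit in one file) and runs hypothetical probe packets through each 6in4 tunnel's inbound IPv6 ACL with first-match semantics. The function names and probe list are this example's own, and the evaluator only understands `any any` entries with a numeric `eq` port or `established`.

```python
import re

# Constructed sample: the thread's two tunnel filters, trimmed (Tunnel1 is made up).
SAMPLE = """\
interface Tunnel0
 ipv6 traffic-filter IN-ACL6 in
 tunnel mode ipv6ip
interface Tunnel1
 ipv6 traffic-filter Block-IPv6-SSH in
 tunnel mode ipv6ip
ipv6 access-list IN-ACL6
 permit icmp any any
 permit tcp any any established
 permit udp any any eq 546
 deny ipv6 any any
ipv6 access-list Block-IPv6-SSH
 deny tcp any any eq 22
 permit ipv6 any any
"""
# Hypothetical inbound probes: (label, protocol, destination port, TCP flags)
PROBES = [("tcp-syn-80", "tcp", 80, {"SYN"}), ("tcp-syn-22", "tcp", 22, {"SYN"}),
          ("tcp-ack-80", "tcp", 80, {"ACK"}), ("udp-546", "udp", 546, set())]

def sections(cfg, header):
    """Map name -> indented body lines of each `header <name>` block."""
    return {m.group(1): [l.strip() for l in m.group(2).splitlines()]
            for m in re.finditer(rf"^{header} (\S+)\n((?: .*\n)*)", cfg, re.M)}

def evaluate(rules, proto, dport, flags):
    """First match wins; supports `any any` entries with numeric `eq` or `established`."""
    for rule in rules:
        action, rproto, *rest = rule.split()
        port_ok = "eq" not in rest or int(rest[rest.index("eq") + 1]) == dport
        # `established` is stateless: it matches any segment with ACK or RST set
        flags_ok = "established" not in rest or bool(flags & {"ACK", "RST"})
        if rproto in ("ipv6", proto) and port_ok and flags_ok:
            return action
    return "deny"  # implicit deny ends every ACL

def audit(cfg):
    """Per 6in4 tunnel: verdict of its inbound IPv6 filter for each probe."""
    acls, report = sections(cfg, "ipv6 access-list"), {}
    for name, body in sections(cfg, "interface").items():
        bound = [l.split()[2] for l in body if re.match(r"ipv6 traffic-filter \S+ in$", l)]
        rules = acls.get(bound[0]) if bound else None
        if "tunnel mode ipv6ip" in body:
            report[name] = ("no usable inbound IPv6 filter" if rules is None else
                            {p[0]: evaluate(rules, *p[1:]) for p in PROBES})
    return report
```

Calling `audit(SAMPLE)` shows Tunnel0 (default deny) refusing both SYN probes while Tunnel1 refuses only the port 22 one. Both pass the bare-ACK probe, since neither filter tracks connection state.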