Hurricane Electric's IPv6 Tunnel Broker Forums



Author Topic: Setting up a tunnel on a Cisco 3700 series router  (Read 10969 times)

rsreese

Setting up a tunnel on a Cisco 3700 series router
« on: October 24, 2008, 10:58:07 PM »

interface Tunnel0
 description HE.net
 no ip address
 ipv6 address 2001:470:XXXX:XXX::2/64
 ipv6 enable
 tunnel source 68.156.61.48
 tunnel destination 209.51.161.14
 tunnel mode ipv6ip

My internal LAN connection:

interface FastEthernet0/1.2
 description $FW_INSIDE$
 encapsulation dot1Q 2
 ip address 172.16.2.1 255.255.255.0
 ip access-group 101 in
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:XXXX:XXX::/64 eui-64
 ipv6 enable
 crypto map CLIENTMAP
ipv6 route 2001:470:XXXX:XXX::/64 FastEthernet0/1.2
ipv6 route ::/0 Tunnel0

Sooo, what am I missing to be able to connect to the outside world?

#ping ipv6 ipv6.google.com

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:4860:0:2001::68, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Thanks in advance.

broquea

  • Sr. Network Engineer, HE.NET AS6939
  • Administrator
Re: Setting up a tunnel on a Cisco 3700 series router
« Reply #1 on: October 25, 2008, 12:18:17 AM »

I cannot ping your IPv6 side of the tunnel, nor can I ping your IPv4 endpoint.
I've verified that the tunnel is indeed configured on the tunnel-server.

Do you have ACLs in place? http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml#ex

For example, this IPv4 ACL helps determine whether GRE, IPsec (ESP) and IPv6 tunneling (IP Protocol 41) need to be permitted.

    access-list 101 permit GRE any infrastructure_ips
    access-list 101 permit ESP any infrastructure_ips
    access-list 101 permit 41 any infrastructure_ips
    access-list 101 permit ip any infrastructure_ips log

Our tunnel would be Protocol 41.
Also on your sub-interface, you might want to give it the ::1 out of that routed /64 instead of the :: (0).
« Last Edit: October 25, 2008, 12:33:08 AM by broquea »

rsreese

Re: Setting up a tunnel on a Cisco 3700 series router
« Reply #2 on: October 25, 2008, 10:06:11 PM »

ACLs probably are the issue. If you wouldn't mind, take a look. I added 41 as you mentioned, but it may not be placed correctly.

ACLs for f0/0, the interface coming in from the internet:

access-list 110 remark SDM_ACL Category=1
access-list 110 permit udp host 205.152.132.23 eq domain any
access-list 110 permit udp host 205.152.144.23 eq domain any
access-list 110 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 110 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 110 permit ahp any any
access-list 110 permit esp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit 41 any any
access-list 110 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 110 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 110 deny   ip 172.16.2.0 0.0.0.255 any log
access-list 110 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 110 deny   ip 172.16.3.0 0.0.0.255 any log
access-list 110 permit udp any eq bootps any eq bootpc
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any unreachable
access-list 110 deny   icmp any any echo log
access-list 110 deny   icmp any any mask-request log
access-list 110 deny   icmp any any redirect log
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 110 deny   ip host 255.255.255.255 any log
access-list 110 deny   tcp any any range 6000 6063 log
access-list 110 deny   tcp any any eq 6667 log
access-list 110 deny   tcp any any range 12345 12346 log
access-list 110 deny   tcp any any eq 31337 log
access-list 110 deny   udp any any eq 2049 log
access-list 110 deny   udp any any eq 31337 log
access-list 110 deny   udp any any range 33400 34400 log
access-list 110 deny   ip any any log

Here are my ACLs for the subinterface connected to the rest of the network. I haven't added the '41' yet because I assumed I would be able to ping IPv6 from inside the router:

access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp any host 172.16.2.1
access-list 101 permit esp any host 172.16.2.1
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny   ip 172.16.3.0 0.0.0.255 any log
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   tcp any any range 1 chargen log
access-list 101 deny   tcp any any eq whois log
access-list 101 deny   tcp any any eq 93 log
access-list 101 deny   tcp any any range 135 139 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   tcp any any range exec 518 log
access-list 101 deny   tcp any any eq uucp log
access-list 101 permit ip any any
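The "is it my ACL?" question above can be answered mechanically. The block below is an added example written for this page, not code from either poster or from Cisco: a small first-match simulator for IOS numbered extended IPv4 ACLs, fed an excerpt of ACL 110 as posted. It evaluates the two packets the HE tunnel-server (209.51.161.14, from the tunnel config) sends to the router's IPv4 endpoint (68.156.61.48): the 6in4 payload, IP protocol 41, and the ICMP echo broquea tried. Assumptions: the "before" state is the posted ACL minus the `permit 41 any any` line, as the reply describes; the port and ICMP name tables cover only the names that appear in these ACLs; and `ACL_110` keeps just the lines that can influence those probes, plus the NTP line to exercise port matching.

```python
"""First-match simulator for Cisco IOS numbered extended ACLs (IPv4). Added example, not from the thread."""
import ipaddress
from dataclasses import dataclass

PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}
PORT = {"chargen": 19, "whois": 43, "domain": 53, "bootps": 67, "bootpc": 68,
        "ntp": 123, "isakmp": 500, "exec": 512, "uucp": 540, "non500-isakmp": 4500}
ICMP = {"echo-reply": 0, "unreachable": 3, "redirect": 5, "echo": 8,
        "time-exceeded": 11, "mask-request": 17}
ALWAYS = lambda _: True          # matcher for "any" and for a missing port/type qualifier


@dataclass
class Packet:
    proto: int          # IP protocol number: 41 = IPv6-in-IPv4 (the HE tunnel), 1 = ICMP, ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _addr(tok, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD'; 1-bits in the wildcard are don't-care."""
    if tok[i] == "any":
        return ALWAYS, i + 1
    if tok[i] == "host":
        want = _ip(tok[i + 1])
        return (lambda a: a == want), i + 2
    net, keep = _ip(tok[i]), 0xFFFFFFFF ^ _ip(tok[i + 1])
    return (lambda a: (a & keep) == (net & keep)), i + 2

def _port(tok, i):
    """Optional 'eq P' or 'range P Q'; P and Q may be IOS port names or numbers."""
    num = lambda p: PORT.get(p) or int(p)
    if i < len(tok) and tok[i] == "eq":
        v = num(tok[i + 1])
        return (lambda p: p == v), i + 2
    if i < len(tok) and tok[i] == "range":
        lo, hi = num(tok[i + 1]), num(tok[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return ALWAYS, i

def parse_acl(text):
    """Rules as (text, action, proto, src, sport, dst, dport, icmp_type); remarks are skipped."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        proto = PROTO[tok[3]] if tok[3] in PROTO else int(tok[3])
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i) if proto in (6, 17) else (ALWAYS, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i) if proto in (6, 17) else (ALWAYS, i)
        icmp_type = None
        if proto == 1 and i < len(tok) and tok[i] != "log":
            icmp_type = ICMP[tok[i]] if tok[i] in ICMP else int(tok[i])
        rules.append((" ".join(tok), tok[2], proto, src, sport, dst, dport, icmp_type))
    return rules

def evaluate(rules, pkt):
    """IOS semantics: the first matching line wins; an unmatched packet is denied."""
    s, d = _ip(pkt.src), _ip(pkt.dst)
    for text, action, proto, src, sport, dst, dport, icmp_type in rules:
        if proto is not None and proto != pkt.proto:
            continue
        if not (src(s) and dst(d)):
            continue
        if proto in (6, 17) and not (sport(pkt.sport) and dport(pkt.dport)):
            continue
        if proto == 1 and icmp_type is not None and icmp_type != pkt.icmp_type:
            continue
        return action, text
    return "deny", "(implicit deny at end of ACL)"


# Excerpt of ACL 110 as posted above; most lines that cannot affect the probes are omitted.
ACL_110 = """
access-list 110 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 110 permit ahp any any
access-list 110 permit esp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit 41 any any
access-list 110 permit icmp any any echo-reply
access-list 110 deny   icmp any any echo log
access-list 110 deny   ip any any log
"""
# The same ACL without "permit 41": the state implied by the first post (assumption).
ACL_110_BEFORE = "\n".join(l for l in ACL_110.splitlines() if "permit 41" not in l)
HE_SERVER, MY_ENDPOINT = "209.51.161.14", "68.156.61.48"   # tunnel endpoints from the post
OTHER_SRC = "198.51.100.7"                                 # constructed, arbitrary Internet host

def tunnel_verdicts(acl_text):
    """Inbound verdicts for a 6in4 packet, a spoofed-source 6in4 packet and an ICMP echo."""
    rules = parse_acl(acl_text)
    return {"proto41": evaluate(rules, Packet(41, HE_SERVER, MY_ENDPOINT)),
            "proto41_other_src": evaluate(rules, Packet(41, OTHER_SRC, MY_ENDPOINT)),
            "icmp_echo": evaluate(rules, Packet(1, HE_SERVER, MY_ENDPOINT, icmp_type=8))}
```

Without `permit 41` the tunnel packet falls through to `deny ip any any log`, and even with it the echo is dropped by `deny icmp any any echo log`, so the tunnel-server's ping of the IPv4 endpoint fails until echo is opened too, which matches the later reply. Two caveats a practitioner would add: since the tunnel-server is the only legitimate 6in4 source, `permit 41 host 209.51.161.14 any` is tighter than `permit 41 any any` (the simulator shows the posted line also accepting protocol 41 from an arbitrary source); and ACL 101 on the LAN sub-interface is applied with `ip access-group`, which filters IPv4 only, so it needs no protocol-41 entry and does not restrict the IPv6 traffic on that interface.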

rsreese

Re: Setting up a tunnel on a Cisco 3700 series router
« Reply #3 on: November 11, 2008, 07:23:50 PM »

Cool, opening up the echo and 41 did it! My router can ping IPv6 destinations, great!