New to IPv6

Started by PayableOnDeath, April 28, 2009, 01:06:35 PM

PayableOnDeath

Hi

I am fairly new to IPv6 and still learning lots about it (if anyone has any good links to sites with good info on IPv6, let me know :) )

Am I wrong in thinking I can't set up IPv6 like IPv4?

At the moment I have a public IPv4 address with some ports forwarding to private IPv4 addresses.
E.g. (X = public IP)
X.X.X.X Port 80 to 192.168.0.50
X.X.X.X Port 8080 to 192.168.51
etc

This is the sort of thing I wanted to do with IPv6, but I couldn't seem to get it to work.
I have a Cisco 877W set up with an IPv6 tunnel to HE.
At first I just had a /64 address which was set up on the tunnel. I then enabled IPv6 on the VLAN and my PCs inside picked up a link-local address and were able to do IPv6 traffic between them, but I could get them to route out to the internet via the router; after reading some posts and trying things it wouldn't work.
So I got a /48, and after looking back on some posts from other people with Cisco routers, my PCs now get public IPv6 addresses on the /48. However, this opens up my PCs on the internet as they have public IPs now.

Is there a way I can set it up to have it like I have on IPv4?

Here is my IPv6-related config (2001:X... is the /64, 2001:Y... is the /48):


ipv6 unicast-routing
ipv6 cef
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:XXX:XXX:XXX::2/64
 ipv6 enable
 tunnel source X.X.X.X
 tunnel destination X.X.X.X
 tunnel mode ipv6ip
!
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:YYY:YYY::/64 eui-64
 ipv6 enable
 ipv6 nd prefix 2001:YYY:YYY::/64
!
ipv6 route ::/0 Tunnel0




Hope someone can help me with this

Thanks

David





PayableOnDeath

OK, I guess I can't do that then since there are no replies. Can anyone help with IPv6 firewalling on a Cisco 877?

snarked

Your question doesn't make sense. That's why there are no replies.

On IPv4, you have NAT going on, with port forwarding/redirection into a private network.

With IPv6, there is no such thing as private address space, and no use for NAT.

PayableOnDeath

I see.
I guess that's why it doesn't make much sense; like I said, I was new to IPv6 ;)

Do you have any advice for firewalling IPv6 on an 877W?
I don't want any ports open inbound from the internet apart from a couple of ports.

Regards

David

rfc1180

David,

You will want to read up on access-lists and IOS Firewall;

I am not familiar with the Cisco 877W, but you can add IPv6 access-lists.

(Going from memory)

ipv6 access-list ipv6-in
 permit tcp any any established
 deny ipv6 any any log

interface tunnelx (x being the tunnel number)
 ipv6 traffic-filter ipv6-in in

You will want to modify to your needs.

You can also get down and dirty with ipv6 inspect commands for stateful inspection,
but ACLs should suffice.

Good luck.

Billy
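
The inbound policy discussed in this thread, written out as an added example (not part of any post above and not Cisco's own reference configuration). It extends the `ipv6-in` ACL to the "couple of ports" case, using ports 80 and 8080 from the first post and `Tunnel0` from the posted config. Assumptions: `2001:db8:0:1::50` and `2001:db8:0:1::51` are documentation-prefix placeholders for the redacted `2001:YYY...` hosts, the inspection name `V6-FW` is hypothetical, and the router's image includes the IOS Firewall feature set for `ipv6 inspect`.

```cisco
! Added example. Placeholder addresses (2001:db8::/32 documentation prefix)
! stand in for the redacted 2001:YYY... hosts; V6-FW is a hypothetical name.
!
! Stateful inspection of sessions opened from the inside, so that their
! replies are allowed back in. "established" on its own only matches TCP
! segments with ACK or RST set and never matches UDP replies such as DNS.
ipv6 inspect name V6-FW tcp
ipv6 inspect name V6-FW udp
ipv6 inspect name V6-FW icmp
!
ipv6 access-list ipv6-in
 remark ICMPv6 errors: path MTU discovery depends on packet-too-big,
 remark and the 6in4 tunnel has a smaller MTU than the LAN
 permit icmp any any packet-too-big
 permit icmp any any destination-unreachable
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 remark The implicit neighbor-discovery permits no longer apply once an
 remark explicit deny is configured, so restate them
 permit icmp any any nd-ns
 permit icmp any any nd-na
 remark Only the two published services, each pinned to a single host
 permit tcp any host 2001:db8:0:1::50 eq 80
 permit tcp any host 2001:db8:0:1::51 eq 8080
 remark Everything else inbound is dropped and logged
 deny ipv6 any any log
!
interface Tunnel0
 ipv6 traffic-filter ipv6-in in
 ipv6 inspect V6-FW out
```

After applying it, `show ipv6 access-list ipv6-in` shows per-entry match counters, which is a quick way to confirm that the final deny is catching unsolicited traffic and that the service entries are being hit.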