josepena
Newbie

Posts: 5
« on: May 02, 2011, 11:25:25 pm »
Hello everyone... I got assigned IPv6 and I got the steps to set up my Cisco 831. This is the configuration I have...
configure terminal
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 enable
 ipv6 address 2001:470:1f04:1c63::2/64
 tunnel source 70.70.70.70
 tunnel destination 72.52.104.74
 tunnel mode ipv6ip
ipv6 route ::/0 Tunnel0
end
I can't ping the server's IPv6 address: 2001:470:1f04:1c63::1/64. I already set ipv6 unicast-routing.
What else do I need to ping the server or any other IPv6 address?
Thanks in advance for your help.
Jos.
cholzhauer
« Reply #1 on: May 03, 2011, 07:24:42 am »
You're not behind a NAT are you?
josepena
Newbie

Posts: 5
« Reply #2 on: May 03, 2011, 08:36:23 am »
My Cisco router is the front of the network, the one that has the public IPv4. I'm pinging from the Cisco router. No, I'm not behind NAT.
Thanks.
adamfulcher2000
Newbie

Posts: 4
« Reply #3 on: May 04, 2011, 03:06:56 pm »
What firewall / access list rules do you have in place on the 831?
josepena
Newbie

Posts: 5
« Reply #4 on: May 04, 2011, 04:10:08 pm »
I allow all outgoing traffic, and allow specific traffic for incoming: http, https, dns, ports for remote access basically. Do I have to add a rule to allow any outgoing traffic from Tunnel0? Or do I have to create an ACL or rules for Tunnel0?
Thanks for your help.
Jos.
cholzhauer
« Reply #5 on: May 04, 2011, 07:25:40 pm »
> I allow all outgoing traffic, and allow specific traffic for incoming: http, https, dns, ports for remote access basically. Do I have to add a rule to allow any outgoing traffic from Tunnel0? Or do I have to create an ACL or rules for Tunnel0?
> Thanks for your help.
> Jos.

Are you allowing protocol 41?
adamfulcher2000
Newbie

Posts: 4
« Reply #6 on: May 05, 2011, 03:02:29 pm »
On my 831 I started with the default firewall ruleset created by SDM, but I needed to add this statement to allow protocol 41 before the tunnel would work:
access-list 101 permit 41 any any
You should not need any rules to allow outgoing traffic from Tunnel0, although you will want some for incoming traffic, e.g.:
ipv6 access-list IN-ACL6
 permit icmp any any
 permit tcp any any established
 permit udp any any eq 546
 deny ipv6 any any
... etc.
josepena
Newbie

Posts: 5
« Reply #7 on: May 07, 2011, 08:41:44 pm »
adamfulcher2000: the rule sample you gave me, 101: should it be a new one or the ACL on the WAN? I copied the ACL given for HE to my router; do I have to add anything additional to it? Because we have the same router, maybe I can get a little bit more help. I have an ACL for the WAN where I allow specific traffic.
LATER: ADAMFULCHER.... Never mind about my previous questions... I added the permit 41 to one of my interfaces and it started to work... Other questions here are:
* I have an IPv6 address for the tunnel... to deploy, do I have to set an IP on the WAN, the LAN and each host in the LAN? The other question is... on which interface do I set the rules for IPv6? For example, I created some rules to allow specific traffic from the Internet to my WAN, only the desired traffic. I have my web and mail server in the LAN; where do I set the rule to allow that traffic from the IPv6 Internet to my internal server?
Regards.
« Last Edit: May 07, 2011, 11:31:27 pm by josepena »
adamfulcher2000
Newbie

Posts: 4
« Reply #8 on: May 08, 2011, 03:11:55 pm »
What I did was to associate the routed /64 provided by HE with interface Ethernet0, so that any IPV6 capable clients attached to interfaces FastEthernet1-4 will acquire a V6 address via stateless autoconfiguration. I associated the firewall rules for V6 with interface Tunnel0 only. This may not be the only (or even the correct) way of doing things, but it worked for me:
ipv6 unicast-routing
!
interface Tunnel0
 no ip address
 ipv6 address 2001:470:1F08:1728::2/64
 ipv6 enable
 ipv6 traffic-filter IN-ACL6 in
 tunnel source xxx.xxx.xxx.xxx
 tunnel destination 216.66.80.26
 tunnel mode ipv6ip
!
interface Ethernet0
 description $ETH-LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:1F09:1728::/64
 ipv6 enable
!
interface Ethernet1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id Ethernet1
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 duplex auto
!
ipv6 access-list IN-ACL6
 permit icmp any any
 permit tcp any any established
 permit udp any any eq 546
 deny ipv6 any any
!
antillie
« Reply #9 on: September 12, 2011, 07:20:28 pm »
Here is how I set up my 2621xm running IOS 12.4 to work with the tunnel to HE:
cerberus#sho run
Building configuration...

Current configuration : 5981 bytes
!
! Last configuration change at 11:54:38 CST Mon Sep 12 2011 by antillie
! NVRAM config last updated at 21:19:57 CST Mon Aug 22 2011 by antillie
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cerberus
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 X
!
aaa new-model
!
aaa group server radius AD-RADIUS
 server 192.168.100.8 auth-port 1812 acct-port 1813
!
aaa authentication login userauth local
aaa authentication login ssh-access group AD-RADIUS enable
aaa authorization exec default group AD-RADIUS if-authenticated
aaa authorization network groupauth local
!
aaa session-id common
clock timezone CST -6
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
!
no ip bootp server
ip domain name local.lan
ip name-server 192.168.100.8
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
no ipv6 source-route
ipv6 cef
!
username antillie secret 5 X
username kandrida secret 5 X
!
ip ssh version 2
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:1F0E:6CA::2/64
 ipv6 enable
 ipv6 traffic-filter Block-IPv6-SSH in
 no ipv6 redirects
 ipv6 verify unicast reverse-path
 tunnel source 70.114.48.211
 tunnel destination 216.218.224.42
 tunnel mode ipv6ip
!
interface FastEthernet0/0
 ip address 10.1.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 duplex auto
 speed auto
 ipv6 address 2001:470:B98A:1::/64 eui-64
 ipv6 mtu 1480
 ipv6 nd prefix 2001:470:B98A:1::/64
!
interface Serial0/0
 no ip address
 shutdown
!
interface FastEthernet0/1
 ip address dhcp
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 ip route-cache same-interface
 ip route-cache flow
 duplex auto
 speed auto
!
router eigrp 150
 redistribute connected
 redistribute static
 passive-interface FastEthernet0/1
 passive-interface Tunnel0
 network 10.1.1.0 0.0.0.3
 no auto-summary
!
no ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 2000 interface FastEthernet0/1 overload
!
ip radius source-interface FastEthernet0/0
access-list 2000 permit ip any any
no cdp run
ipv6 route 2001:470:B98A::/48 FastEthernet0/0 FE80::21F:9EFF:FE45:2422
ipv6 route 2001:DB8::/32 Null0
ipv6 route FC00::/7 Null0
ipv6 route ::/0 2001:470:1F0E:6CA::1
!
radius-server host 192.168.100.8 auth-port 1812 acct-port 1813 key 7 X
!
ipv6 access-list Block-IPv6-SSH
 deny tcp any any eq 22
 permit ipv6 any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 0 0
 login authentication ssh-access
 transport input ssh
line vty 5 15
 exec-timeout 0 0
 login authentication ssh-access
 transport input ssh
!
ntp clock-period 17180108
ntp server 206.246.118.250
ntp server 64.236.96.53
ntp server 68.216.79.113
!
end
You should be able to use this as a template for almost any fairly modern version of IOS to get basic IPv6 connectivity working via an HE.net tunnel.
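
Added example, not from any poster in this thread: a small Python check for the three filtering points the replies discuss (protocol 41 on the IPv4 WAN ACL, an inbound ipv6 traffic-filter on the tunnel, and whether that ACL ends in a permit-all). With a routed prefix on the LAN there is no NAT in front of the hosts, so the tunnel's inbound filter is the only perimeter for IPv6. The config text is constructed, the addresses are documentation ranges, and audit is a hypothetical helper name.

```python
import re

# Constructed sample modeled on the configs in this thread (documentation addresses).
SAMPLE = """\
interface Tunnel0
 ipv6 traffic-filter Block-IPv6-SSH in
 tunnel mode ipv6ip
interface Tunnel1
 tunnel mode ipv6ip
interface Tunnel2
 ipv6 traffic-filter IN-ACL6 in
 tunnel mode ipv6ip
access-list 101 permit 41 any any
access-list 102 permit 41 host 198.51.100.3 any
ipv6 access-list Block-IPv6-SSH
 deny tcp any any eq 22
 permit ipv6 any any
ipv6 access-list IN-ACL6
 permit icmp any any
 permit tcp any any established
 deny ipv6 any any
"""

def audit(config):
    """Hypothetical helper: list 6in4 filtering findings in IOS-style config text."""
    blocks, current, findings = {}, None, []
    for line in config.splitlines():
        if line.startswith(" ") and current:        # sub-command of the open block
            blocks[current].append(line.strip())
        elif line.startswith(("interface ", "ipv6 access-list ")):
            current = line.strip()
            blocks[current] = []
        else:                                       # any other global line closes it
            current = None
            if re.match(r"access-list \d+ permit 41 any any\b", line):
                findings.append("protocol 41 allowed from any IPv4 source: " + line)
    for name, body in blocks.items():
        if not name.startswith("interface ") or "tunnel mode ipv6ip" not in body:
            continue                                # only 6in4 tunnel interfaces
        m = re.search(r"^ipv6 traffic-filter (\S+) in$", "\n".join(body), re.M)
        rules = blocks.get("ipv6 access-list " + m.group(1), []) if m else None
        if rules is None:
            findings.append(name + ": no inbound ipv6 traffic-filter")
        elif not rules or rules[-1] == "permit ipv6 any any":   # last rule only
            findings.append(name + ": ACL " + m.group(1) + " is undefined or ends in permit-all")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The access-list 102 line in the sample shows the narrower form of the protocol 41 rule, with the source limited to the tunnel server's IPv4 address (the value configured as tunnel destination).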