
Setting up a tunnel on a Cisco 3700 series router

Started by rsreese, October 24, 2008, 10:58:07 PM


rsreese

interface Tunnel0
description HE.net
no ip address
ipv6 address 2001:470:XXXX:XXX::2/64
ipv6 enable
tunnel source 68.156.61.48
tunnel destination 209.51.161.14
tunnel mode ipv6ip

My internal lan connection:

interface FastEthernet0/1.2
description $FW_INSIDE$
encapsulation dot1Q 2
ip address 172.16.2.1 255.255.255.0
ip access-group 101 in
no ip unreachables
ip nat inside
ip virtual-reassembly
ipv6 address 2001:470:XXXX:XXX::/64 eui-64
ipv6 enable
crypto map CLIENTMAP


ipv6 route 2001:470:XXXX:XXX::/64 FastEthernet0/1.2
ipv6 route ::/0 Tunnel0

Sooo, what am I missing to be able to connect to the outside world?

#ping ipv6 ipv6.google.com

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:4860:0:2001::68, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

Thanks in advance.

broquea

#1
I cannot ping your IPv6 side of the tunnel, nor can I ping your IPv4 endpoint.
I've verified that the tunnel is indeed configured on the tunnel-server.

Do you have ACLs in place? http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml#ex

For example, this IPv4 ACL helps determine whether GRE, IPsec (ESP) and IPv6 tunneling (IP Protocol 41) need to be permitted.

    access-list 101 permit GRE any infrastructure_ips
    access-list 101 permit ESP any infrastructure_ips
    access-list 101 permit 41 any infrastructure_ips
    access-list 101 permit ip any infrastructure_ips log


Our tunnel would be Protocol 41.
Also on your sub-interface, you might want to give it the ::1 out of that routed /64 instead of the :: (0).

rsreese

ACLs probably are the issue. If you wouldn't mind, take a look. I added 41 as you mentioned, but it may not be placed correctly.

ACLs for f0/0, the interface coming in from the internet:


access-list 110 remark SDM_ACL Category=1
access-list 110 permit udp host 205.152.132.23 eq domain any
access-list 110 permit udp host 205.152.144.23 eq domain any
access-list 110 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 110 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 110 permit ahp any any
access-list 110 permit esp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit 41 any any
access-list 110 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 110 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 110 deny   ip 172.16.2.0 0.0.0.255 any log
access-list 110 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 110 deny   ip 172.16.3.0 0.0.0.255 any log
access-list 110 permit udp any eq bootps any eq bootpc
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any time-exceeded
access-list 110 permit icmp any any unreachable
access-list 110 deny   icmp any any echo log
access-list 110 deny   icmp any any mask-request log
access-list 110 deny   icmp any any redirect log
access-list 110 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 110 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 110 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 110 deny   ip 224.0.0.0 15.255.255.255 any log
access-list 110 deny   ip host 255.255.255.255 any log
access-list 110 deny   tcp any any range 6000 6063 log
access-list 110 deny   tcp any any eq 6667 log
access-list 110 deny   tcp any any range 12345 12346 log
access-list 110 deny   tcp any any eq 31337 log
access-list 110 deny   udp any any eq 2049 log
access-list 110 deny   udp any any eq 31337 log
access-list 110 deny   udp any any range 33400 34400 log
access-list 110 deny   ip any any log


Here are my ACLs for the subinterface connected to the rest of the network. I haven't added the '41' yet because I assumed I would be able to ping IPv6 from inside the router:


access-list 101 remark SDM_ACL Category=1
access-list 101 permit ahp any host 172.16.2.1
access-list 101 permit esp any host 172.16.2.1
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
access-list 101 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny   ip 172.16.3.0 0.0.0.255 any log
access-list 101 deny   ip host 255.255.255.255 any log
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny   tcp any any range 1 chargen log
access-list 101 deny   tcp any any eq whois log
access-list 101 deny   tcp any any eq 93 log
access-list 101 deny   tcp any any range 135 139 log
access-list 101 deny   tcp any any eq 445 log
access-list 101 deny   tcp any any range exec 518 log
access-list 101 deny   tcp any any eq uucp log
access-list 101 permit ip any any
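As an added illustration (not code from the thread, from HE or from Cisco): a small Python evaluator that walks a trimmed copy of ACL 110 above in first-match order, shows that `permit 41 any any` is the line that admits the tunnel traffic, and shows how that line can be narrowed to the HE tunnel server and the router's tunnel source address. The trimmed ACL text, the tightened variant and the `check` helper are constructed here; port and ICMP-type qualifiers are deliberately ignored.

```python
import ipaddress
# Added example, not from the thread: first-match evaluator for the subset of Cisco
# extended-ACL syntax used in ACL 110 (protocol, source, destination). Port and
# ICMP-type qualifiers and "log" are ignored ("permit udp host X eq domain any" = all UDP from X).
PROTO = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ahp": 51}

def _addr(tok):
    """Consume one address term: any | host A | A WILDCARD (contiguous wildcards)."""
    t = tok.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tok.pop(0) + "/32")
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(tok.pop(0)))  # wildcard -> netmask
    return ipaddress.ip_network((t, str(ipaddress.ip_address(netmask))), strict=False)

def parse_acl(text):
    """Return [(action, protocol number or None for 'ip', src_net, dst_net, line)]."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[2] == "remark":
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        src = _addr(rest)
        if rest[0] in ("eq", "range"):  # skip a source-port qualifier
            del rest[:2 if rest[0] == "eq" else 3]
        dst = _addr(rest)
        rules.append((action, PROTO[proto] if proto in PROTO else int(proto), src, dst, line))
    return rules

def evaluate(rules, proto, src, dst):
    """First match wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rproto, rsrc, rdst, line in rules:
        if rproto in (None, proto) and s in rsrc and d in rdst:
            return action, line
    return "deny", "implicit deny"

# Constructed, trimmed copy of the thread's ACL 110 (inbound from the Internet).
ACL_110 = """
access-list 110 permit 41 any any
access-list 110 deny   ip 10.0.0.0 0.0.15.255 any log
access-list 110 permit icmp any any echo-reply
access-list 110 deny   ip any any log
"""
# Tighter variant: protocol 41 only from the HE tunnel server to the router's tunnel source.
ACL_TIGHT = ACL_110.replace("permit 41 any any", "permit 41 host 209.51.161.14 host 68.156.61.48")

def check(acl_text, proto, src, dst):
    return evaluate(parse_acl(acl_text), proto, src, dst)[0]
```

With the `permit 41` line removed, the same encapsulated packet from the tunnel server falls through to the final `deny ip any any log`, which is exactly the symptom seen in the first post.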

rsreese

Cool, opening up the echo and 41 did it! My router can ping IPv6 destinations, great!