Cisco 827 IPv6 Configuration Howto

Hi All,

I'll apologise in advance if this topic seems similar to a number of others on this group, but I have read through all the others, and get a limited amount of success in trying to set this up. I have a week off work, so thought this would be the ideal opportunity to get this set up and working once and for all!

I currently have a Cisco 827 Router:

gw#sh ver
Cisco IOS Software, C820 Software (C820-SY6-M), Version 12.4(3), RELEASE SOFTWARE (fc2)
Technical Support:
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Fri 22-Jul-05 14:42 by hqluong

ROM: System Bootstrap, Version 12.2(1r)XE2, RELEASE SOFTWARE (fc1)

gw uptime is 1 hour, 50 minutes
System returned to ROM by reload
System image file is "flash:c820-sy6-mz.124-3.bin"

Cisco C827H (MPC855T) processor (revision 0x401) with 31744K/1024K bytes of memory.
Processor board ID FOC062704DL (1280152087), with hardware revision F9C0
CPU rev number 5
1 Ethernet interface
1 ATM interface
128K bytes of NVRAM.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102

The static IP of the ethernet interface of this router is configured on my control panel to be the endpoint of the tunnel.

What I would like to set up is as follows:

1) The router above to be the end point of the tunnel.

I have a Cisco PIX 506 (with IP Protocol 41 forwarded to all my internal 192.168.250.x network.)

2) I would like to assign the ethernet interface of the router a static IPv6 address

3) I would then like to (manually because the PIX is in the way) assign IPv6 addresses to my servers and workstations. If it's possible to do this via autoconfig even with the PIX there then please let me know!

My IPv6 allocation is: 2001:8B0:27:1::/64

Please can someone assist with:

An example Tunnel 0 configuration based on the above allocation
An example Ethernet 0 configuration also based on the above
Any other ipv6 commands I need to enable on the Cisco Router
Details of what I would need to do for the clients

If I have missed out any key information, please let me know. The Cisco PIX is doing NAT between my internal and external ranges.

Once I have managed to set this up, I'll write a HowTo and post on the web for others to use...

Thanks in advance for your help...

Bruce

Reply to
Bruce

Bruce came onto IRC and we got things going as far as we could. The problem is that he has a PIX firewall between the router and his LAN and is using a private IP range with NAT.

IPv6 works as far as the router but it's unclear how to handle a tunnel to the LAN. The PIX doesn't appear to support IPv6 (can't run version 7 software) so a tunnel appears to be the only way forward but I doubt that you can forward protocol 41 from the external interface to the internal subnet.

If anybody has any ideas then feel free to advise!

Mike.

Reply to
Mike Zanker

Perhaps Walter or some other knowledgeable PIX person can answer this? Followups set.

Reply to
Bob Goddard

:> IPv6 works as far as the router but it's unclear how to handle a
:> tunnel to the LAN. The PIX doesn't appear to support IPv6 (can't run
:> version 7 software) so a tunnel appears to be the only way forward but
:> I doubt that you can forward protocol 41 from the external interface
:> to the internal subnet.

I haven't seen the original thread, so I'm jumping in the middle here.

On a PIX running 5.x or 6.x software, if you use a standard 'static' (no 'tcp' or 'udp' option), then -all- IPv4 unicast traffic will be forwarded (interface ACL permitting.) For example, the following is valid:

static (inside,outside) 123.45.67.89 10.11.12.13 netmask 255.255.255.255
access-list out2in permit 41 any host 123.45.67.89
access-group out2in in interface outside

Reply to
Walter Roberson

A fill-in.

The 827 runs IPv6 and has public IP addresses. The PIX NATs his private network. He wants IPv6 to be let through the PIX unaltered.

B
Reply to
Bob Goddard

In article , Bob Goddard wrote:
:A fill-in.

:The 827 runs IPv6 and has public IP addresses. The PIX NATs his
:private network. He wants IPv6 to be let through the PIX unaltered.

I have not worked with IPv6, so I might easily be missing something in the following.

The OP asked about passing protocol 41 through. Protocol 41 is 6to4, also known as IPv6 tunneling over IPv4. The protocol 41 packets thus have IPv4 headers on them (if I understand the RFCs correctly), and any IPv4 packet can be allowed through the PIX with an appropriate 'static' and access-list / access-group statements.

There isn't any way to let IPv6 through the PIX "unaltered" in PIX 5.x or PIX 6.x, as those are not able to understand IPv6 headers and will drop the packet. However, the protocol 41 that was asked about is an IPv4 encapsulating protocol wrapped around IPv6 packets, and the PIX can deal with that.

If, for some reason, the OP wanted (say) TCP packets with source A and destination B to go through the NAT process at the PIX, but did not want protocol 41 packets *with the same apparent source and destination* to go through the NAT process, then there is a way to do that in PIX 5.2 onward:

access-list nonat-acl permit 41 INSIDEIP INSIDEMASK OUTSIDEIP OUTSIDEMASK
nat (inside) 0 access-list nonat-acl

I suspect that isn't what the OP was wanting, but it could be done. Remember for this purpose that the IPv6 layer is -payload- in protocol 41 packets, so all that would get NAT'd would be the wrapper layer, which is irrelevant.

Now, what you -cannot- do is have PIX 5.x or PIX 6.x just let through all IPv6 packets... but IPv6 isn't protocol 41, it's a difference in the first nibble of the IP layer of the packet indicating the version number.

Reply to
Walter Roberson
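
Added example, not part of any post in this thread: a Python illustration of the distinction drawn above between a native IPv6 packet (version nibble 6) and an IPv4 packet carrying protocol 41, and of why a static NAT translation touches only the IPv4 wrapper. The packets are constructed in the code; 192.0.2.1 is an assumed documentation address, the other addresses are taken from the thread's examples, and all function names are hypothetical.

```python
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IANA protocol number for IPv6 encapsulated in IPv4

def build_ipv6(src, dst, payload=b""):
    """Minimal 40-byte IPv6 header (next header 59 = no next header) plus payload."""
    first_word = 6 << 28  # version 6, traffic class 0, flow label 0
    return (struct.pack("!IHBB", first_word, len(payload), 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + payload)

def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (checksum left at 0 for brevity) plus payload."""
    return (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
            + ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed + payload)

def classify(packet):
    """Report the outer IP version and, for protocol 41, the tunnelled IPv6 header."""
    version = packet[0] >> 4  # the first nibble of any IP packet is the version
    if version == 6:
        return {"version": 6,
                "src": str(ipaddress.IPv6Address(packet[8:24])),
                "dst": str(ipaddress.IPv6Address(packet[24:40]))}
    if version != 4:
        raise ValueError("not an IP packet")
    ihl = (packet[0] & 0x0F) * 4  # IPv4 header length in bytes
    info = {"version": 4, "proto": packet[9],
            "src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20]))}
    if info["proto"] == IPPROTO_IPV6 and len(packet) >= ihl + 40:
        info["inner"] = classify(packet[ihl:])  # IPv6 is payload of the IPv4 wrapper
    return info

def nat_rewrite_dst(packet, new_dst):
    """Rewrite only the outer IPv4 destination, as a static translation would."""
    return packet[:16] + ipaddress.IPv4Address(new_dst).packed + packet[20:]

# Constructed sample packets (not captured traffic).
INNER = build_ipv6("2001:8b0:27:1::1", "2001:8b0:27:1::2")
TUNNELLED = build_ipv4("192.0.2.1", "123.45.67.89", IPPROTO_IPV6, INNER)
TRANSLATED = nat_rewrite_dst(TUNNELLED, "10.11.12.13")

if __name__ == "__main__":
    for name, pkt in (("native", INNER), ("tunnelled", TUNNELLED), ("after NAT", TRANSLATED)):
        print(name, classify(pkt))
```

A device that only understands IPv4 sees the tunnelled packet as IPv4 with protocol 41 and never parses the inner header, so any filtering of the IPv6 traffic itself has to happen at the tunnel endpoints.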
