NAT of ip proto-41 to establish IPv6 6in4 tunnel

Discussion in 'Cisco' started by Valentin, Feb 2, 2010.

  1. Valentin (Guest)

    Hi,

    short intro:
    ------------
    we have got a Cisco 836. Unfortunately, we can't
    use the ADSL feature, because our ISP 'only' provides
    ADSL2+ and the C836 is not capable of ADSL2+.
    Nevertheless, with IOS 12.4 there comes an Ethernet 2
    interface which can be used for PPPoE with dynamic IPv4 address.
    This works perfectly ;-)

    challenge:
    ----------
    Our current challenge is to establish our IPv6 6in4 tunnel to SixXS.net
    via aiccu which should be located on an openwrt router one hop 'behind'
    the Cisco router.

    cf. https://www.sixxs.net/faq/connectivity/?faq=comparison (6in4-heartbeat)

    cf. footnote 1: "Unless the machine performing the NAT function is
    configured to forward protocol 41 to the actual endpoint or when the NAT
    supports proto-41 because it keeps state for outbound proto-41 packets
    and relies on that information."

    The 6in4-heartbeat tunnel uses IP protocol 41 and therefore has a very
    low tunnel overhead (compared to AYIYA).

    question:
    ---------
    how to direct the proto-41 traffic to my openwrt router via NAT?

    I have read many docs on cisco.com but didn't find any hint for "NATing"
    a specific protocol only.

    Any help, comments etc is highly appreciated,

    Thanks in advance,

    Valentin

    keywords: Cisco, IOS, IPv6, OpenWRT, aiccu, sixXS.net, proto-41, AYIYA
    Valentin, Feb 2, 2010
    #1

  2. bod43 (Guest)

    On 2 Feb, 20:47, Valentin <> wrote:
    > Hi,
    >
    > short intro:
    > ------------
    > we have got a Cisco 836. Unfortunately, we cant
    > use the ADSL feature, because our ISP 'only' provides
    > ADSL2+ and the C836 is not capable of ADSL2+.
    > Nevertheless, with IOS 12.4 there comes an Ethernet 2
    > interface which can be used for PPPoE with dynamic IPv4 address.
    > This works perfectly ;-)
    >
    > challenge:
    > ----------
    > Our current challenge is to establish our IPv6 6in4 tunnel to SixXS.net
    > via aiccu which should be located on an openwrt router one hop 'behind'
    > the Cisco router.
    >
    > cf. https://www.sixxs.net/faq/connectivity/?faq=comparison (6in4-heartbeat)
    >
    > cf. footnote 1: "Unless the machine performing the NAT function is
    > configured to forward protocol 41 to the actual endpoint or when the NAT
    > supports proto-41 because it keeps state for outbound proto-41 packets
    > and relies on that information."
    >
    > The 6in4-heartbeat tunnel uses IP protocol-41 and therefore has a very
    > short tunnel overhead. (compared to AYIYA)
    >
    > question:
    > ---------
    > how to direct the proto-41 traffic to my openwrt router via NAT?
    >
    > I have read many docs on cisco.com but didn't find any hint for "NATing"
    > a specific protocol only.
    >
    > Any help, comments etc is highly appreciated,


    I would imagine that a static nat with route-map should
    work.

    Something like -

    ip nat inside source static 1.2.3.4 2.3.4.5 route-map RM.v6tunnel

    route-map RM.v6tunnel permit 10
     match ip address ACL.RM.v6tunnel

    ip access-list extended ACL.RM.v6tunnel
     permit 41 host 1.2.3.4 host 2.3.4.5

    I believe that this will NAT only the protocol 41 traffic.
    bod43, Feb 3, 2010
    #2

  3. Valentin (Guest)

    bod43 wrote:
    > On 2 Feb, 20:47, Valentin <> wrote:
    > ...
    > I would imagine that a static nat with route-map should
    > work.
    >
    > Something like -
    >
    > ip nat inside source static 1.2.3.4 2.3.4.5 route-map RM.v6tunnel
    >
    > route map RM.v6tunnel
    > match ip address ACL.RM.v6tunnel
    >
    > ip access-list extended ACL.RM.v6tunnel
    > permit 41 host 1.2.3.4 host 2.3.4.5
    >
    > I believe that this will NAT only the protocol 41 traffic.


    Thanks!!

    Indeed, the three commands:
     ip nat inside source static 192.168.201.2 <PUBLIC IP> route-map RM.v6tunnel
     route-map RM.v6tunnel permit 10
      match ip address ACL.RM.v6tunnel
     ip access-list extended ACL.RM.v6tunnel
      permit 41 host 192.168.201.2 host <PUBLIC IP>

    do the job for a static PUBLIC IP. Unfortunately, we have
    got a dynamic PUBLIC IP from our ADSL ISP.

    Therefore, I have tried
    ip nat inside source static 192.168.201.2 interface Dialer1
    (Dialer1 is the interface which performs PPPoE)
    But with this command *any* traffic is directed to our interior router.
    There is no possibility to bind this rule to a route-map ;-(

    Perhaps,
    ip nat inside source route-map
    does the job? I tried it, but it didn't work :-|

    Any help/hints are welcome, thanks, Valentin
    Valentin, Feb 12, 2010
    #3
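    The configuration worked out in posts #2 and #3, consolidated into one
    piece as an added example (this is not the posters' own config). It keeps
    the thread's names and ACL exactly as post #3 reports them working, and
    adds the parts a practitioner needs around them: the inside/outside
    designation, an ordinary PAT rule for the rest of the LAN, and an inbound
    filter on the dialer that accepts protocol 41 only from the tunnel
    endpoint. `<PUBLIC IP>`, `<POP IPV4>` (the SixXS PoP the tunnel
    terminates on) and the LAN interface name `Ethernet0` are placeholders /
    assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Assumes: 192.168.201.2 is the
! OpenWrt box running aiccu, <PUBLIC IP> the (static) address on Dialer1,
! <POP IPV4> the SixXS PoP, Ethernet0 the LAN side of the C836.
!
! The route-map scopes the static entry to IP protocol 41 only. That is
! the security-relevant difference to
!   ip nat inside source static 192.168.201.2 interface Dialer1
! which would hand *every* unsolicited packet to the inside router.
ip access-list extended ACL.RM.v6tunnel
 permit 41 host 192.168.201.2 host <PUBLIC IP>
!
route-map RM.v6tunnel permit 10
 match ip address ACL.RM.v6tunnel
!
ip nat inside source static 192.168.201.2 <PUBLIC IP> route-map RM.v6tunnel
!
! Everything else from the LAN keeps using PAT on the dialer address.
ip access-list extended ACL.NAT.lan
 permit ip 192.168.201.0 0.0.0.255 any
ip nat inside source list ACL.NAT.lan interface Dialer1 overload
!
! Inbound filter on the WAN side: protocol 41 only from the PoP. The
! inbound ACL is evaluated before outside-to-inside NAT, so the
! destination is the untranslated public address ("any" because it may
! be dynamic). Return traffic of the PAT'd sessions must be permitted
! here as well (e.g. with CBAC "ip inspect"); that part is outside this
! thread and is not shown.
ip access-list extended ACL.WAN.in
 permit 41 host <POP IPV4> any
 deny   41 any any log
!
interface Ethernet0
 ip nat inside
!
interface Dialer1
 ip nat outside
 ip access-group ACL.WAN.in in
!
! Verification:
!   show ip nat translations   -> one static ("---") entry for 192.168.201.2
!   show ip access-lists ACL.WAN.in -> hits only on the <POP IPV4> line
!   debug ip nat detailed      -> per-packet translation decisions
```

    The `deny 41 any any log` line is there deliberately: with the heartbeat
    tunnel the only legitimate source of protocol 41 is the PoP, so any other
    hit in the log is either a misconfiguration or someone probing for open
    6in4 endpoints.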
  4. bod43 (Guest)

    On 12 Feb, 15:08, Valentin <> wrote:
    > bod43 wrote:
    > > On 2 Feb, 20:47, Valentin <> wrote:
    > > ...
    > > I would imagine that a static nat with route-map should
    > > work.

    >
    > > Something like -

    >
    > > ip nat inside source static 1.2.3.4 2.3.4.5 route-map RM.v6tunnel

    >
    > > route map RM.v6tunnel
    > >   match ip address ACL.RM.v6tunnel

    >
    > > ip access-list extended ACL.RM.v6tunnel
    > >   permit 41 host 1.2.3.4 host 2.3.4.5

    >
    > > I believe that this will NAT only the protocol 41 traffic.

    >
    > Thanks!!
    >
    > Indeed, the three commands:
    >   ip nat inside source static 192.168.201.2 <PUBLIC IP> route-map
    > RM.v6tunnel
    >   route map RM.v6tunnel
    >     match ip address ACL.RM.v6tunnel
    >   ip access-list extended ACL.RM.v6tunnel
    >     permit 41 host 192.168.201.2 host <PUBLIC IP>
    >
    > do the job for a static PUBLIC IP. Unfortunately, we have
    > got a dynamic PUBLIC IP by our ADSL-ISP.
    >
    > Therefore, I have tried
    >   ip nat inside source static 192.168.201.2 interface Dialer1
    > (Dialer1 is the interface which performs PPPoE)
    > But with this command *any* traffic is directed to our interior router.
    > There is no possiblity to bound this rule by a route-map ;-(


    I have the idea that I have seen a fix for the fancy nat with
    dynamic IP problem on this group but I could be
    mistaken. I might have a look:)

    I would think you could resolve it with the new
    event manager stuff but it might be a bit tough to
    figure out how to do it.

    The idea would be that you run an event when the
    dialer comes up which changes the config to match the
    address. No idea if it is even possible.

    An example:-
    event manager applet CLIaccounting
     event cli pattern ".*" sync no skip no
     action 1.0 syslog priority informational msg "$_cli_msg"
     action 2.0 set _exit_status 1

    This logs all commands used to the log.

    Maybe you can watch the log for specific messages
    to detect the dialer coming up.

    There was a large event manager example posted
    here the other day.

    Random links.
    http://www.cisco.com/en/US/prod/col...sco_integrated_services_router_platforms.html
    Embedded Event Manager
    EEM Tool Command Language (TCL)

    http://cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041231a.html
    Writing Embedded Event Manager Policies

    http://cisco.com/en/US/products/sw/..._feature_guide09186a008041231a.html#wp1049672
    • Writing EEM Policies Using TCL

    www.cisco.com/go/ioscommercial

    ############
    Another example

    event manager environment mybackuploc tftp://192.168.200.11/
    event manager environment myfilename cr-u1-cfgbkp
    event manager environment myfilenameext .txt
    event manager environment dash -
    event manager applet bkp_when_changed trap
     event cli pattern "wr" sync no skip no
     action 1.0 cli command "enable"
     action 2.0 cli command "config t"
     action 3.0 cli command "file prompt quiet"
     action 4.0 cli command "end"
     action 5.0 cli command "copy running-config $mybackuploc$myfilename$myfilenameext"
     action 6.0 cli command "config t"
     action 7.0 cli command "no file prompt quiet"
     action 8.0 cli command "end"
    bod43, Feb 12, 2010
    #4
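    The idea in the post above, carried through as an added example (not
    the poster's code): an EEM applet that polls Dialer1 and, when the PPPoE
    address has changed, replaces the route-map-scoped static NAT entry and
    its ACL line from post #3 with the new address. It assumes EEM 3.0
    (IOS 12.4(22)T or later) for `action regexp`, `action if` and
    `$_cli_result`, an environment variable `V6TUN_PUBLIC_IP` (my name)
    holding the address currently written into the NAT statement, and that
    Dialer1 is the only dialer on the box. As post #5 reports, the
    C836 12.4(25b) image does not include EEM, so this only applies to
    platforms that have it.

```cisco
! Added example, not from the thread. Requires EEM 3.0+ (12.4(22)T):
! "action regexp", "action if", "action exit" and $_cli_result are
! assumed to be available. Seed the variable with the address currently
! used in the NAT line, or with 0.0.0.0 before the first run.
event manager environment V6TUN_PUBLIC_IP 0.0.0.0
!
event manager applet V6TUN-NAT-REFRESH
 event timer watchdog time 60
 action 1.0 cli command "enable"
 action 1.1 cli command "show ip interface brief | include ^Dialer1 "
 action 1.2 regexp "([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)" "$_cli_result" match newip
 ! No address yet (dialer down, IPCP not finished): try again next cycle.
 action 1.3 if $_regexp_result ne "1"
 action 1.4  exit 0
 action 1.5 end
 ! Address unchanged: nothing to do.
 action 2.0 if $newip eq $V6TUN_PUBLIC_IP
 action 2.1  exit 0
 action 2.2 end
 ! Address changed: rewrite the static entry and the ACL that keys on the
 ! public address. A static entry with live translations cannot be
 ! removed ("Static entry in use"), hence the clear first.
 action 3.0 cli command "clear ip nat translation *"
 action 3.1 cli command "configure terminal"
 action 3.2 cli command "no ip nat inside source static 192.168.201.2 $V6TUN_PUBLIC_IP route-map RM.v6tunnel"
 action 3.3 cli command "ip access-list extended ACL.RM.v6tunnel"
 action 3.4 cli command "no permit 41 host 192.168.201.2 host $V6TUN_PUBLIC_IP"
 action 3.5 cli command "permit 41 host 192.168.201.2 host $newip"
 action 3.6 cli command "exit"
 action 3.7 cli command "ip nat inside source static 192.168.201.2 $newip route-map RM.v6tunnel"
 action 3.8 cli command "event manager environment V6TUN_PUBLIC_IP $newip"
 action 3.9 cli command "end"
 action 4.0 syslog priority notice msg "6in4 static NAT moved to $newip"
```

    A watchdog timer is used instead of `event syslog` on the link-up
    message because with PPPoE the interface that comes up is the
    Virtual-Access, and the IPCP address is only assigned after that
    message; polling avoids racing it at the cost of up to 60 s of tunnel
    downtime after a reconnect. The applet runs at privilege 15 on a timer,
    so it should be reviewed like any other unattended config change
    (`show event manager history events` shows what it did and when).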
  5. Valentin (Guest)

    bod43 wrote:
    > On 12 Feb, 15:08, Valentin <> wrote:
    >> bod43 wrote:
    >>> On 2 Feb, 20:47, Valentin <> wrote:
    >>> ...
    >>> I would imagine that a static nat with route-map should
    >>> work.
    >>> Something like -
    >>> ip nat inside source static 1.2.3.4 2.3.4.5 route-map RM.v6tunnel
    >>> route map RM.v6tunnel
    >>> match ip address ACL.RM.v6tunnel
    >>> ip access-list extended ACL.RM.v6tunnel
    >>> permit 41 host 1.2.3.4 host 2.3.4.5
    >>> I believe that this will NAT only the protocol 41 traffic.

    >> Thanks!!
    >>
    >> Indeed, the three commands:
    >> ip nat inside source static 192.168.201.2 <PUBLIC IP> route-map
    >> RM.v6tunnel
    >> route map RM.v6tunnel
    >> match ip address ACL.RM.v6tunnel
    >> ip access-list extended ACL.RM.v6tunnel
    >> permit 41 host 192.168.201.2 host <PUBLIC IP>
    >>
    >> do the job for a static PUBLIC IP. Unfortunately, we have
    >> got a dynamic PUBLIC IP by our ADSL-ISP.
    >>
    >> Therefore, I have tried
    >> ip nat inside source static 192.168.201.2 interface Dialer1
    >> (Dialer1 is the interface which performs PPPoE)
    >> But with this command *any* traffic is directed to our interior router.
    >> There is no possiblity to bound this rule by a route-map ;-(

    >
    > I have the idea that I have seen a fix for the fancy nat with
    > dynamic IP problem on this group but I could be
    > mistaken. I might have a look:)
    >
    > I would think you could resolve it with the new
    > event manager stuff but it might be a bit tough to
    > figure out how to do it.
    >
    > The idea would be that you run an event when the
    > dialer comes up which changes the config to match the
    > address. No idea if it is even possible.
    >
    > An example:-
    > event manager applet CLIaccounting
    > event cli pattern ".*" sync no skip no
    > action 1.0 syslog priority informational msg "$_cli_msg"
    > set 2.0 _exit_status 1
    >
    > This logs all commands used to the log.
    >
    > Maybe you can watch the log for specific messages
    > to detect the dialer coming up.
    >
    > There was a large event manager example posted
    > here the other day.
    >
    > Random links.
    > http://www.cisco.com/en/US/prod/col...isco_integrated_services_router_platforms.html
    > Embedded Event Manager
    > EEM Tool Command Language (TCL)
    >
    > http://cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008041231a.html
    > Writing Embedded Event Manager Policies
    >
    > http://cisco.com/en/US/products/sw/..._feature_guide09186a008041231a.html#wp1049672
    > • Writing EEM Policies Using TCL
    >
    > www.cisco.com/go/ioscommercial
    >
    > ############
    > Another example
    >
    > event manager environment mybackuploc tftp://192.168.200.11/
    > event manager environment myfilename cr-u1-cfgbkp
    > event manager environment myfilenameext .txt
    > event manager environment dash -
    > event manager applet bkp_when_changed trap
    > event cli pattern "wr" sync no skip no
    > action 1.0 cli command "enable"
    > action 2.0 cli command "config t"
    > action 3.0 cli command "file prompt quiet"
    > action 4.0 cli command "end"
    > action 5.0 cli command "copy running
    > $mybackuploc$myfilename$myfilenameext"
    > action 6.0 cli command "config t"
    > action 7.0 cli command "no file prompt quiet"
    > action 8.0 cli command "end"
    >


    The event manager stuff reads very interesting. I think
    it would be very challenging to solve that kind of question
    with this technique. Unfortunately, I have
    Cisco IOS Software, C836 Software (C836-K9O3S8Y6-M), Version 12.4(25b),
    RELEASE SOFTWARE (fc1). In that IOS the event manager stuff
    is not included ;-(
    I have looked with the Cisco Feature Navigator for an IOS for my C836
    with the event manager stuff included, but without success.

    The second search for the "fix for the fancy nat with dynamic IP"
    in this group wasn't successful either.

    I was wondering why some of the deep links to cisco.com you posted are
    not working?
    Valentin, Feb 18, 2010
    #5