Re: Cisco 827 IPv6 Configuration Howto

Discussion in 'Cisco' started by Bob Goddard, Aug 1, 2005.

  1. Bob Goddard

    Bob Goddard Guest

    Mike Zanker wrote:

    > On 1/8/05 13:38, Bruce wrote:
    >
    >> I'll apologise in advance if this topic seems similar to a number of
    >> others on this group, but I have read through all the others, and get
    >> a limited amount of success in trying to set this up. I have a week
    >> off work, so thought this would be the ideal opportunity to get this
    >> setup and working once and for all!

    >
    > Bruce came onto IRC and we got things going as far as we could. The
    > problem is that he has a PIX firewall between the router and his LAN
    > and is using a private IP range with NAT.
    >
    > IPv6 works as far as the router but it's unclear how to handle a
    > tunnel to the LAN. The PIX doesn't appear to support IPv6 (can't run
    > version 7 software) so a tunnel appears to be the only way forward but
    > I doubt that you can forward protocol 41 from the external interface
    > to the internal subnet.
    >
    > If anybody has any ideas then feel free to advise!


    Perhaps Walter or some other knowledgeable PIX person can answer this?
    Followups set.
     
    Bob Goddard, Aug 1, 2005
    #1

  2. In article <>,
    Bob Goddard <> wrote:
    >Mike Zanker wrote:

    :> IPv6 works as far as the router but it's unclear how to handle a
    :> tunnel to the LAN. The PIX doesn't appear to support IPv6 (can't run
    :> version 7 software) so a tunnel appears to be the only way forward but
    :> I doubt that you can forward protocol 41 from the external interface
    :> to the internal subnet.

    I haven't seen the original thread, so I'm jumping in the middle here.

    On a PIX running 5.x or 6.x software, if you use a standard 'static'
    (no 'tcp' or 'udp' option), then -all- IPv4 unicast traffic will
    be forwarded (interface ACL permitting.) For example, the following
    is valid:

    static (inside,outside) 123.45.67.89 10.11.12.13 netmask 255.255.255.255
    access-list out2in permit 41 any host 123.45.67.89
    access-group out2in in interface outside

    --
    "[...] it's all part of one's right to be publicly stupid." -- Dave Smey
     
    Walter Roberson, Aug 1, 2005
    #2

  3. Bob Goddard

    Bob Goddard Guest

    Walter Roberson wrote:

    > In article <>,
    > Bob Goddard <> wrote:
    >>Mike Zanker wrote:

    > :> IPv6 works as far as the router but it's unclear how to handle a
    > :> tunnel to the LAN. The PIX doesn't appear to support IPv6 (can't
    > :> run version 7 software) so a tunnel appears to be the only way
    > :> forward but I doubt that you can forward protocol 41 from the
    > :> external interface to the internal subnet.
    >
    > I haven't seen the original thread, so I'm jumping in the middle here.
    >
    > On a PIX running 5.x or 6.x software, if you use a standard 'static'
    > (no 'tcp' or 'udp' option), then -all- IPv4 unicast traffic will
    > be forwarded (interface ACL permitting.) For example, the following
    > is valid:
    >
    > static (inside,outside) 123.45.67.89 10.11.12.13 netmask 255.255.255.255
    > access-list out2in permit 41 any host 123.45.67.89
    > access-group out2in in interface outside


    A fill-in.

    The 827 runs IPv6 and has public IP addresses. The PIX NATs his
    private network. He wants IPv6 to be let through the PIX unaltered.


    B
     
    Bob Goddard, Aug 1, 2005
    #3
  4. In article <>,
    Bob Goddard <> wrote:
    :A fill-in.

    :The 827 runs IPv6 and has public IP addresses. The PIX NATs his
    :private network. He wants IPv6 to be let through the PIX unaltered.

    I have not worked with IPv6, so I might easily be missing something
    in the following.

    The OP asked about passing protocol 41 through. Protocol 41 is
    6to4, also known as IPv6 tunneling over IPv4. The protocol 41 packets
    thus have IPv4 headers on them (if I understand the RFCs correctly),
    and any IPv4 packet can be allowed through the PIX with an appropriate
    'static' and access-list / access-group statements.

    There isn't any way to let IPv6 through the PIX "unaltered" in PIX 5.x
    or PIX 6.x, as those are not able to understand IPv6 headers and will
    drop the packet. However, the protocol 41 that was asked about is
    an IPv4 encapsulating protocol wrapped around IPv6 packets, and the PIX
    can deal with that.


    If, for some reason, the OP wanted (say) TCP packets with source A
    and destination B to go through the NAT process at the PIX, but
    did not want protocol 41 packets *with the same apparent source
    and destination* to go through the NAT process, then there is a way
    to do that in PIX 5.2 onward:

    access-list nonat-acl permit 41 INSIDEIP INSIDEMASK OUTSIDEIP OUTSIDEMASK
    nat (inside) 0 access-list nonat-acl


    I suspect that isn't what the OP was wanting, but it could be done.
    Remember for this purpose that the IPv6 layer is -payload- in protocol 41
    packets, so all that would get NAT'd would be the wrapper layer, which
    is irrelevant.


    Now, what you -cannot- do is have PIX 5.x or PIX 6.x just let through
    all IPv6 packets... but IPv6 isn't protocol 41, it's a difference in
    the first nibble of the IP layer of the packet indicating the version number.
    --
    Oh, to be a Blobel!
     
    Walter Roberson, Aug 3, 2005
    #4
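
The distinction drawn in post #4, as an added example that is not part of any post in the thread: a protocol 41 packet is an IPv4 packet whose payload is IPv6, a native IPv6 packet differs in the version nibble, and a static NAT rewrites only the IPv4 wrapper. The function names, the 192.0.2.1 peer and the 2001:db8:: addresses are constructed for illustration; 123.45.67.89 and 10.11.12.13 are the addresses from post #2.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IP protocol number discussed in the thread

def build_ipv6_header(src: str, dst: str) -> bytes:
    """Minimal 40-byte IPv6 header: version 6, no payload, next header 59 (none)."""
    first_word = 6 << 28  # version nibble = 6; traffic class and flow label = 0
    return (struct.pack("!IHBB", first_word, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def build_ipv4_proto41(src: str, dst: str, inner: bytes) -> bytes:
    """20-byte IPv4 header (checksum left at 0 for brevity) wrapped around inner."""
    ver_ihl = (4 << 4) | 5  # version nibble = 4, header length = 5 words
    header = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + len(inner), 0, 0,
                         64, PROTO_IPV6_IN_IPV4, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + inner

def classify(packet: bytes) -> str:
    """Classify by the version nibble first, then by the IPv4 protocol field."""
    version = packet[0] >> 4
    if version == 6:
        return "native-ipv6"
    if version == 4:
        return "ipv6-in-ipv4" if packet[9] == PROTO_IPV6_IN_IPV4 else "ipv4-other"
    return "unknown"

def inner_payload(packet: bytes) -> bytes:
    """Bytes after the IPv4 header (IHL counts 32-bit words)."""
    return packet[(packet[0] & 0x0F) * 4:]

def nat_rewrite_dst(packet: bytes, new_dst: str) -> bytes:
    """Model the static: replace only the outer IPv4 destination (bytes 16-19).
    A real NAT device also recomputes the IPv4 header checksum."""
    return packet[:16] + ipaddress.IPv4Address(new_dst).packed + packet[20:]

# Constructed sample packets, not captured traffic.
INNER = build_ipv6_header("2001:db8::1", "2001:db8::2")
OUTSIDE = build_ipv4_proto41("192.0.2.1", "123.45.67.89", INNER)
TRANSLATED = nat_rewrite_dst(OUTSIDE, "10.11.12.13")

if __name__ == "__main__":
    print(classify(INNER), classify(OUTSIDE), classify(TRANSLATED))
    print("inner IPv6 unchanged by NAT:", inner_payload(TRANSLATED) == INNER)
```

An ACL entry such as `permit 41 any host 123.45.67.89` therefore matches on the outer IPv4 addresses only; the inner IPv6 header is payload that a PIX 5.x or 6.x does not parse.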
