Allowing an IPv6 Tunnel Broker to passthrough ASA

I am in the process of setting up an IPv6 Tunnel Broker on a 1811 router I have in my home lab so I can start working with IPv6 and getting access to IPv6-only websites and/or content. I believe that I have the 1811 set up correctly but am having problems getting the Tunnel Broker traffic (which is IPv4 based) to pass through my ASA. I know that I need to allow protocol 41 to come through from the outside but can't seem to find a way to get it to go through.
I am using 8.2.5 firmware on my 5505. I would prefer to not have to upgrade to 8.3 or 8.4 because of the way the NAT rules and some other things change. My ISP only offers me a single IP address. Would prefer not to have to upgrade to business service to get multiple IP addresses. I have been looking for docs on how to do this but so far haven't found anything that points me in the right direction.
Ran a protocol capture and noticed this error in the ASDM log - 3 Jan 18 2012 19:16:20 209.51.181.2 regular translation creation failed for protocol 41 src Inside:192.168.1.100 dst Outside:209.51.181.2
In looking at the rules, it appears that I need an access rule to allow the protocol 41 traffic to go outbound.
Added these lines to the ASA config -
object-group protocol IPV6inIP
protocol-object 41
access-list inside_access_in line 2 extended permit object-group IPV6inIP any any
Still getting the above error after putting in the config lines just listed. Beginning to suspect that the 8.2.5 binary doesn't support protocol forwarding. I don't see the traffic leaving the ASA, so that would seem to indicate that 8.2.5 can't do protocol forwarding in the NAT rules.
Any suggestions/links appreciated,
Ron

Erik,
Thanks for your reply ...
I upgraded the software on my ASA 5505 yesterday from 8.2 to 8.4, and I have to tell you ... I have never been so excited by an ASA upgrade ... anyway ... I tried to use a Cisco 3560G-PS-S as a tunnel endpoint on the inside of my network but apparently the software on this hardware does not support this command "tunnel mode ipv6ip" which makes it impossible to set up a tunnel ... I got the tunnel up but there is no way to ping the other site of the IPv6 tunnel ...
Anyway ... I discovered what NAT rules / object groups / access-lists I need in order to create the NAT rule ... but there is something else that I don't understand...
What IPv6 addresses have you configured on the inside/outside of your ASA?
And what IPv6 addresses have you configured on your internal hosts on the "inside" of your network?
I reckon that the "inside" hosts use your IPv6 endpoint device as a default gateway and that this tunnel endpoint uses the tunnel interface as a default gateway ... and that this device is also handing out the IPv6 addresses in your "inside" network, right?
And what IPv6 address do you have configured on the outside/inside of the ASA? Is that the /64 you get from the tunnel provider (Hurricane Electric or Sixxs) and I guess this traffic is routed to the tunnel endpoint device as well?
So IPv6 firewalling is not possible?
Let me know if I have it correct ...
Thanks,
Iwan

Similar Messages

  • After upgrading my time capsule to 7.6.3 I can no longer access my IPv6 tunnel broker.

    My Hurricane Electric Tunnel Broker IPv6 Connection worked fine with 7.6.1, but after upgrading the firmware on my Time Capsule to 7.6.3 I get an error.  "There was an error with the IPv6 tunnel endpoint.  Wait for the service to be restored and try again.  Contact your service provider if the problem persists."  It worked before the upgrade.  All settings verified.  Now it doesn't work.

    https://discussions.apple.com/thread/4787229?start=30&tstart=60
    I cannot find the reference.. but the fix is clear.. return poste haste to 7.6.1
    And wait for the next upgrade installment.. frankly I am amazed this hasn't been pulled. If this is what Apple consider tested firmware updates.. we are all down the tubes.

  • Two separate L2L tunnels between same two ASA

    I have a large MPLS fully meshed network with two main locations, both of which have an ASA with internet access as well as the MPLS access.  I need to be able to provide a backup connection between the two main locations in the event one of the MPLS links to one or the other goes down.
    I am considering using a L2L IPSEC tunnel between the two ASAs but the interesting traffic for the tunnel is different depending on which of the links is down and therefore I would need two different tunnels.  I have my servers and remote desktop servers at one of the main sites and the other main site has another organization attached to it externally that the servers must be able to access.
    Is there a way of creating two separate L2L tunnels between the two ASA's?  Could I perhaps assign two public IP addresses to each of the ASA's and then create the tunnels between different endpoints on each ASA?
    Does anyone have another possible solution to the problem? 
    Gene

    You should be able to do what you want using IP SLA. Please see this excellent blog post which documents one way to accomplish it.
    Hope this helps.

  • Static and dynamic multipoint ipv6 tunnel

    Hi everybody.
    How is everyone doing?
    My book says "the dynamic forwarding logic requires more work per packet as compared to point-to-point tunnels, which is one of the main reasons multipoint tunnels are best used for less frequent traffic while point-to-point tunnels are best suited for more frequent traffic"
    In the case of a multipoint IPv6 tunnel, the router has to derive the tunnel destination IP, which is encoded in the IPv6 address. What other work is performed on a packet when it comes to a multipoint IPv6 tunnel which is not performed in the case of a static IPv6 over IP tunnel?
    thanks and have a great day

    Hi Sarah,
    Apart from "extracting" the embedded IPv4 address from the IPv6 address and placing it into a newly constructed IPv4 encapsulating header, I do not think there is any more significant work involved for multipoint tunnels. It is true that with static point-to-point tunnels, you can already have that header prepared beforehand in memory for all packets - you just use it again and again. With dynamic tunnels, you have first to derive the destination IPv4 address and then place it into a new IPv4 header but even this can be done in software so that the difference in the amount of work is negligible.
    Best regards,
    Peter
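Added example, not part of the thread or the quoted book: a Python version of the per-packet work Peter describes, deriving the IPv4 tunnel destination from the IPv6 address and building the outer IPv4 header with protocol 41 (the same encapsulation the ASA question at the top of the page is about). It assumes the multipoint tunnel is 6to4 or ISATAP, which the thread does not state, and goes slightly beyond the post by also covering the static point-to-point case; all addresses are constructed from documentation ranges.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41        # IP protocol number used by ipv6ip / 6to4 / ISATAP
SIX_TO_FOUR = ipaddress.IPv6Network("2002::/16")
ISATAP_MARK = 0x00005EFE       # upper 32 bits of an ISATAP interface identifier
U_BIT = 0x02000000             # universal/local bit, may be set in ISATAP IDs


def tunnel_destination(ipv6_dst, static_peer=None):
    """Return the IPv4 address the outer header must be sent to.

    static_peer models a point-to-point tunnel: the destination is fixed in
    the configuration, so nothing is derived per packet. Without it the
    address is extracted from the IPv6 destination (multipoint tunnel).
    """
    if static_peer is not None:
        return ipaddress.IPv4Address(static_peer)
    dst = ipaddress.IPv6Address(ipv6_dst)
    value = int(dst)
    if dst in SIX_TO_FOUR:
        # 6to4: the 32 bits after the 2002::/16 prefix are the IPv4 address.
        return ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF)
    iid_high = (value >> 32) & 0xFFFFFFFF
    if iid_high & ~U_BIT == ISATAP_MARK:
        # ISATAP: the low 32 bits of the interface ID are the IPv4 address.
        return ipaddress.IPv4Address(value & 0xFFFFFFFF)
    raise ValueError("no IPv4 address embedded in %s" % dst)


def ipv4_checksum(header):
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def encapsulate(src_v4, dst_v4, ipv6_packet, ttl=255):
    """Prepend a 20-byte IPv4 header (protocol 41) to a raw IPv6 packet."""
    src = ipaddress.IPv4Address(src_v4)
    dst = ipaddress.IPv4Address(dst_v4)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0,                      # version 4, IHL 5, TOS 0
        20 + len(ipv6_packet),        # total length
        0, 0,                         # identification, flags/fragment offset
        ttl, PROTO_IPV6_IN_IPV4,
        0,                            # checksum placeholder
        src.packed, dst.packed,
    )
    checksum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    # The IPv6 header follows directly: there is no TCP/UDP layer, and so
    # no port numbers, between the outer IPv4 header and the inner packet.
    return header + ipv6_packet


def sample_ipv6_packet():
    """Constructed 40-byte IPv6 header with no payload (next header 59)."""
    src = ipaddress.IPv6Address("2002:c000:201::1")    # 6to4 for 192.0.2.1
    dst = ipaddress.IPv6Address("2002:c633:6407::1")   # 6to4 for 198.51.100.7
    return struct.pack("!IHBB16s16s", 0x60000000, 0, 59, 64,
                       src.packed, dst.packed)


if __name__ == "__main__":
    inner = sample_ipv6_packet()
    outer_dst = tunnel_destination("2002:c633:6407::1")
    packet = encapsulate("192.0.2.1", outer_dst, inner)
    print("outer destination:", outer_dst)
    print("outer protocol:", packet[9], "total length:", len(packet))
```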

  • Configuration of sshd to allow port forwarding (tunneling)?

    I'm having a tough time setting up my sshd daemon to allow me to tunnel.  I use the following to connect and get these bind errors as shown below:
    $ ssh bigbox -D 7000
    bind: Address already in use
    channel_setup_fwd_listener: cannot listen to port: 7000
    Could not request local forwarding.
    Can someone advise me what I need to enable to allow tunneling/forwarding?  Here is my server's /etc/ssh/sshd_config
    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
    ListenAddress 0.0.0.0
    Protocol 2
    ChallengeResponseAuthentication no
    UsePAM yes
    AllowAgentForwarding yes
    AllowTcpForwarding yes
    #GatewayPorts yes
    #X11Forwarding yes
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    PrintMotd yes
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation yes
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS yes
    #PidFile /var/run/sshd.pid
    #MaxStartups 10
    PermitTunnel yes
    #ChrootDirectory none
    # override default of no subsystems
    Subsystem sftp /usr/lib/ssh/sftp-server
    DenyUsers root
    Last edited by graysky (2010-01-23 19:48:20)

    Here is my functional sshd_config that I use as a socks proxy -- keep in mind this is using key authentication, so don't lock yourself out by accident! Notice you have to define the port you are using -- make sure first it's not being used by another application, which could also result in the error message you saw.
    I set up the socks proxy on the client machine by: ssh -fND <localport> -l <login> -p <server port> <location>
    so if you have sshd running on port 7000 on your server: ssh -fND 7000 -l graysky -p 7000 bigbox.
    (although without the -l and -p if bigbox is defined in .ssh/config)
    # Package generated configuration file
    # See the sshd(8) manpage for details
    # What ports, IPs and protocols we listen for
    Port 7000
    # Use these options to restrict which interfaces/protocols sshd will bind to
    #ListenAddress ::
    #ListenAddress 0.0.0.0
    Protocol 2
    # HostKeys for protocol version 2
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_dsa_key
    #Privilege Separation is turned on for security
    UsePrivilegeSeparation yes
    # Lifetime and size of ephemeral version 1 server key
    KeyRegenerationInterval 3600
    ServerKeyBits 768
    # Logging
    SyslogFacility AUTH
    LogLevel INFO
    # Authentication:
    LoginGraceTime 120
    PermitRootLogin no
    StrictModes yes
    RSAAuthentication yes
    PubkeyAuthentication yes
    AuthorizedKeysFile %h/.ssh/authorized_keys
    # Don't read the user's ~/.rhosts and ~/.shosts files
    IgnoreRhosts yes
    # For this to work you will also need host keys in /etc/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
    #IgnoreUserKnownHosts yes
    # To enable empty passwords, change to yes (NOT RECOMMENDED)
    PermitEmptyPasswords no
    # Change to yes to enable challenge-response passwords (beware issues with
    # some PAM modules and threads)
    ChallengeResponseAuthentication no
    # Change to no to disable tunnelled clear text passwords
    PasswordAuthentication no
    # Kerberos options
    #KerberosAuthentication no
    #KerberosGetAFSToken no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    X11Forwarding yes
    X11DisplayOffset 10
    PrintMotd no
    PrintLastLog yes
    TCPKeepAlive yes
    #UseLogin no
    #MaxStartups 10:30:60
    Banner /etc/issue.net
    # Allow client to pass locale environment variables
    AcceptEnv LANG LC_*
    Subsystem sftp /usr/lib/openssh/sftp-server
    UsePAM yes
    Good luck!
    Scott

  • EA3500 IPV6 tunnel resets to automatic--Youtube won't work

    Hi 
    This problem description pops up quite often when searching the net but I've never seen a resolution.
    I have to go back into settings and deactivate the IPV6 tunnel daily to keep access to youtube.  My provider does not support IPV6.  Saving changes has no effect.
    Is there a way to ensure that the IPV6 tunnel remains deactivated? I have firmware version 1.0.30 build 126544 2011-12-24.  Firmware update function says I got the latest version.
    Thanks for any hint

    batiscan wrote:
    Thanks for the tip.
    Would that mean that I'd have to set up an account with the Cisco connect cloud?  Isn't there another solution?
    I believe upgrading to the Linksys Smart Wifi firmware would be the best thing you can do to resolve the issue.
    How to manually upgrade the firmware of the Linksys Smart Wi-Fi Routers
    Linksys Smart Wi-Fi Frequently Asked Questions
    Benefits of using a Linksys Smart Wi-Fi Account?

  • IPv6 tunnel in zones ?

    I posted in the zone forum, so forgive the cross post, but I thought I'd try this question with some networking experts here.
    Is it possible to have the below type of configuration in a zone. I have a system with several zones using shared-IP in IPv4. But I want to create a tunnel within each zone to an IPv6 network.
    ifconfig ip.tun0 inet6 plumb
    ifconfig ip.tun0 inet6 tsrc 10.1.1.1100 tdst 30.1.1.1 up
    ifconfig ip.tun0 inet6 addif 2001:DB8:C003::2/64 2001:DB8:C003::1/64 up
    What are my options to get IPv6 tunnels in zones?
    Thanks,
    Greg

    Yes, you need to dedicate a NIC (or VLAN) to the zone. There's quite a bit of documentation explaining how to do this, as well as an example in the zonecfg man page. With OpenSolaris, you can create VNICs (virtual NICs) for this purpose.

  • IPv6 Tunnel Input Wedged on 15.1(4)M4/M5

    Hi,
    I have a problem with an IPv6 tunnel (ipv6ip) on a Cisco 1841 running 15.1(4)M4 or 15.1(4)M5.
    It appears that a bug was introduced into 15.1(4)M4 and it is related to IPv6 tunnels and IP SLA.
    interface Tunnel64
    description IPv6 Tunnel to x.x.x.x
    ipv6 address 2001:XXXX:XXXX:XXXX::2/64
    tunnel source ATM0/1/0.1
    tunnel mode ipv6ip
    tunnel destination x.x.x.x
    After reloading the router, I can see the size of the input queue slowly increasing "Input queue: 30/75/0/0". It appears that specific packets are getting stuck in the input queue while still processing the majority of IPv6 packets. After a short period of time the input queue gets wedged "Input queue: 76/75/0/0" and it stops working for IPv6 unless I reload the router.
    Tunnel64 is up, line protocol is up
      Hardware is Tunnel
      Description: IPv6 Tunnel to x.x.x.x
      MTU 17920 bytes, BW 100 Kbit/sec, DLY 50000 usec,
         reliability 255/255, txload 1/255, rxload 1/255
      Encapsulation TUNNEL, loopback not set
      Keepalive not set
      Tunnel source x.x.x.x (ATM0/1/0.1), destination x.x.x.x
       Tunnel Subblocks:
          src-track:
             Tunnel64 source tracking subblock associated with ATM0/1/0.1
              Set of tunnels with source ATM0/1/0.1, 1 member (includes iterators), on interface <OK>
      Tunnel protocol/transport IPv6/IP
      Tunnel TTL 255
      Tunnel transport MTU 1480 bytes
      Tunnel transmit bandwidth 8000 (kbps)
      Tunnel receive bandwidth 8000 (kbps)
      Last input 00:00:15, output 00:00:15, output hang never
      Last clearing of "show interface" counters never
      Input queue: 76/75/0/0 (size/max/drops/flushes); Total output drops: 0
      Queueing strategy: fifo
      Output queue: 0/0 (size/max)
      30 second input rate 0 bits/sec, 0 packets/sec
      30 second output rate 0 bits/sec, 0 packets/sec
         2253 packets input, 1691254 bytes, 0 no buffer
         Received 0 broadcasts (0 IP multicasts)
         0 runts, 0 giants, 0 throttles
         0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
         1844 packets output, 730645 bytes, 0 underruns
         0 output errors, 0 collisions, 0 interface resets
         0 unknown protocol drops
         0 output buffer failures, 0 output buffers swapped out
    I also have an IP SLA probe on the router to verify if connectivity is working over the IPv6 tunnel:
    ip sla 10
    icmp-echo 2001:XXXX:XXXX:XXXX::1
    ip sla schedule 10 life forever start-time now
    It appears that IP SLA return packets are getting stuck in the input queue as the input queue increments every time I receive a response to my IP SLA probe (every 60 seconds). I have tried to change the values in the probe (packet size, tos, etc) without any luck. I am able to ping the same IPv6 address normally from the command line without seeing this behaviour.
    Can I deduce that this is a potential buffer leak - I can't find anything on Bug Toolkit relating to this.
    Has anyone come across this issue before and know any workarounds?
    Thanks in advance,
    Chris

    I have got exactly the same issue... how did you solve it? (if you did) running M3?
    Gateway#sh int tun 0 | i queue
      Input queue: 76/75/100/0 (size/max/drops/flushes); Total output drops: 0
      Output queue: 0/0 (size/max)
    Gateway#sh buffers old
      Header DataArea  Pool Rcnt  Size Link  Enc    Flags          Input      Output
      Header DataArea  Pool           Rcnt  Size  Original   Flags   caller_pc
    Public particle pools:
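Added example, not from either poster: a Python check that parses the "Input queue: size/max/drops/flushes" line from polled `show interface` output and flags the two states the thread above describes, a queue that only grows between polls and a queue whose size exceeds its maximum. The 30/75 and 76/75 values are taken from the post; the intermediate polls, the function names and the three-poll threshold are assumptions made for illustration.

```python
import re

IFACE_RE = re.compile(r"^(\S+) is .*line protocol is ")
QUEUE_RE = re.compile(
    r"Input queue: (\d+)/(\d+)/(\d+)/(\d+) \(size/max/drops/flushes\)")


def parse_input_queues(text, default_iface="unknown"):
    """Map interface name -> (size, max, drops, flushes).

    default_iface is used when the output was filtered (for example with
    "| i queue") and carries no interface header line.
    """
    queues = {}
    current = default_iface
    for raw in text.splitlines():
        line = raw.strip()
        header = IFACE_RE.match(line)
        if header:
            current = header.group(1)
            continue
        queue = QUEUE_RE.search(line)
        if queue:
            queues[current] = tuple(int(n) for n in queue.groups())
    return queues


def classify(history, min_polls=3):
    """Classify one interface from chronological (size, max, ...) tuples.

    "wedged"  : latest size is above max, the state shown in the thread
    "growing" : size never dropped over at least min_polls polls and ended
                higher than it started (packets are not being released)
    "ok"      : anything else, including a queue that drains between polls
    """
    if not history:
        raise ValueError("no samples")
    size, limit = history[-1][0], history[-1][1]
    if size > limit:
        return "wedged"
    sizes = [sample[0] for sample in history]
    never_drained = all(b >= a for a, b in zip(sizes, sizes[1:]))
    if len(sizes) >= min_polls and never_drained and sizes[-1] > sizes[0]:
        return "growing"
    return "ok"


def _poll(size):
    # Constructed excerpt in the layout of the output quoted in the thread.
    return ("Tunnel64 is up, line protocol is up\n"
            "  Hardware is Tunnel\n"
            "  Input queue: %d/75/0/0 (size/max/drops/flushes); "
            "Total output drops: 0\n" % size)


# 30 and 76 are the sizes reported in the post; 45 and 61 are constructed.
SAMPLE_POLLS = [_poll(n) for n in (30, 45, 61, 76)]

# Constructed filtered line in the layout of the reply's "| i queue" output.
FILTERED_LINE = ("  Input queue: 76/75/100/0 (size/max/drops/flushes); "
                 "Total output drops: 0\n")


def tunnel_history(polls, iface="Tunnel64"):
    """Collect the per-poll queue tuples for one interface."""
    return [parse_input_queues(p)[iface] for p in polls]


if __name__ == "__main__":
    history = tunnel_history(SAMPLE_POLLS)
    for count in range(1, len(history) + 1):
        print(history[count - 1], classify(history[:count]))
```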

  • How can we allow internal users to access internet through ASA firewall?

    Hello,
    I am new to the security track. I have been asked to set up a lab and allow users from inside the firewall to access the internet. Here is my lab setup:
    PC -> switch 1 (layer2) -> (inside) ASA (outside) -> switch 2 (Layer2) -> Router
    Does the switch 2 port need internet access through the router?
    What configuration is required on the ASA to allow users behind the firewall to access the internet?
    any help on this would be much appreciated.
    thanks,

    Hi,
    Okay, can you clarify this for me: are you able to ping the internet from the ASA outside interface?
    Just try something like this:
    ping 4.2.2.2 .. Does this work?
    If this does not work, then I think even the ASA is not able to get to the internet and that would be a problem on the router.
    Also, internet from Switch 2 is not a requirement as that is only a Layer 2 device.
    You can assign the ISP allocated address on the PC, connect it to the Switch 2 port and then try to ping something on the internet or surf the internet and I think that should work.
    Thanks and Regards,
    Vibhor Amrodia

  • Tunnel Problem from New ASA to Working ASA

    I have a working asa at the home office with 56 tunnels out to satellite stations.  We recently acquired another office and trying to get a tunnel working back to the home office.  The tunnel will not come up nor do I see any traffic on it using the debug isakmp or debug ipsec commands.
    Here's the working config.  Assuming that the ASA in the home office is mirrored configuration for the tunnel, does anyone see anything wrong with this config?
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    shutdown
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 172.25.44.254 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address 108.232.238.84 255.255.255.248
    boot system disk0:/asa824-k8.bin
    boot system disk0:/asa722-k8.bin
    ftp mode passive
    dns domain-lookup outside
    dns server-group DefaultDNS
    name-server 68.94.156.1
    name-server 68.94.157.1
    domain-name default.domain.invalid
    access-list outside_access_in extended permit tcp any host 108.214.237.84 eq 11
    access-list inside_nat0_outbound extended permit ip 172.25.44.0 255.255.255.0 172.20.200.0 255.255.255.0
    access-list inside_nat0_outbound extended permit ip 172.25.44.0 255.255.255.0 172.20.100.0 255.255.255.0
    access-list outside_1_cryptomap extended permit ip 172.25.44.0 255.255.255.0 172.20.200.0 255.255.255.0
    access-list outside_2_cryptomap extended permit ip 172.25.44.0 255.255.255.0 172.20.100.0 255.255.255.0
    pager lines 24
    logging enable
    logging asdm errors
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-642.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) tcp interface 11 172.25.44.2 www netmask 255.255.255.255
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 108.214.237.86 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    nac-policy DfltGrpPolicy-nac-framework-create nac-framework
    reval-period 36000
    sq-period 300
    aaa authentication enable console LOCAL
    aaa authentication http console LOCAL
    aaa authentication serial console LOCAL
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 outside
    http 0.0.0.0 0.0.0.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set myset esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_1_cryptomap
    crypto map outside_map 1 set peer 84.212.62.34
    crypto map outside_map 1 set transform-set myset
    crypto map outside_map 2 match address outside_2_cryptomap
    crypto map outside_map 2 set peer 84.212.60.2
    crypto map outside_map 2 set transform-set ESP-3DES-MD5
    crypto map outside_map interface outside
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    hash md5
    group 2
    lifetime 86400
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 inside
    ssh 0.0.0.0 0.0.0.0 outside
    ssh timeout 30
    ssh version 2
    console timeout 0
    management-access inside
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-idle-timeout none
    webvpn
      svc keepalive none
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression deflate
      customization value DfltCustomization
    username admin password vbv/ec7dyKqeaH4R encrypted privilege 15
    tunnel-group 84.212.62.34 type ipsec-l2l
    tunnel-group 84.212.62.34 ipsec-attributes
    pre-shared-key *****
    tunnel-group 84.212.60.2 type ipsec-l2l
    tunnel-group 84.212.60.2 ipsec-attributes
    pre-shared-key *****
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    call-home
    profile CiscoTAC-1
      no active
      destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
      destination address email [email protected]
      destination transport-method http
      subscribe-to-alert-group diagnostic
      subscribe-to-alert-group environment
      subscribe-to-alert-group inventory periodic monthly
      subscribe-to-alert-group configuration periodic monthly
      subscribe-to-alert-group telemetry periodic daily
    Cryptochecksum:cdf40c985104c7afc07a6dcdd36f27e0
    : end
    asdm image disk0:/asdm-642.bin
    no asdm history enable

    Thanks for the reply Ajay.  It was actually the provider not placing the ASA's IP into the DMZ.  The office uses a small business Uverse connection, and they need to provide a set of static IP's in a DMZ.
    thanks,

  • Help on establishing Ipsec tunnel btw 1941 and ASA

    We are creating an IPsec tunnel over the internet to another site but it is not working. Could someone help me with what could be happening?
    My config:
    version 15.1
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname XXXX
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable XXXXX
    enable password XXXXXX
    no aaa new-model
    no ipv6 cef
    ip source-route
    ip cef
    ip domain name yourdomain.com
    ip name-server XXX.XXX.XXX.XXX
    ip name-server XXX.XXX.XXX.XXX
    multilink bundle-name authenticated
    password encryption aes
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-4075439344
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4075439344
    revocation-check none
    rsakeypair TP-self-signed-4075439344
    crypto pki certificate chain TP-self-signed-4075439344
    certificate self-signed 01
            quit
    license udi pid CISCO1941/K9 sn FTX1539816K
    license boot module c1900 technology-package securityk9
    username XXXXXXXXXXXXXX
    redundancy
    crypto isakmp policy 60
    encr aes
    authentication pre-share
    group 2
    crypto isakmp key XXXXXXX address XXX.XXX.XXX.XXX
    crypto isakmp profile mode
       keyring default
       self-identity address
       match identity host XXX.XXX.XXX.XXX
       initiate mode aggressive
    crypto ipsec transform-set VPNbrasil esp-aes esp-sha-hmac
    crypto map outside 60 ipsec-isakmp
    set peer XXX.XXX.XXX.XXX
    set transform-set VPNbrasil
    set pfs group2
    match address vpnbrazil
    interface Tunnel0
    ip unnumbered GigabitEthernet0/1
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description WAN
    ip address XXX.XXX.XXX.XXX 255.255.255.248
    ip nat outside
    no ip virtual-reassembly in
    duplex full
    speed 100
    crypto map outside
    interface GigabitEthernet0/1
    description Intercon_LAN
    ip address XXX.XXX.XXX.XXX 255.255.255.252
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map outside
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 2 interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX name Internet
    ip access-list extended natvpnout
    permit ip host XXX.XXX.XXX.XXX any
    permit ip any any
    ip access-list extended vpnbrazil
    permit icmp XXX.XXX.XXX.XXX 0.0.0.255 any
    permit icmp any XXX.XXX.XXX.XXX 0.0.0.255
    permit ip any any
    access-list 1 permit any
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.1 log
    access-list 2 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 3 permit XXX.XXX.XXX.XXX
    access-list 23 permit XXX.XXX.XXX.XXX 0.0.0.7
    access-list 23 permit any log
    control-plane
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    access-class 23 in
    privilege level 15
    login local
    transport input all
    telnet transparent
    line vty 5
    access-class 23 in
    privilege level 15
    login
    transport input all
    telnet transparent
    line vty 6 15
    access-class 23 in
    access-class 23 out
    privilege level 15
    login local
    transport input telnet ssh
    transport output all
    Could someone please help me with what could be wrong, and what tests should I do?
    Rds,
    Luiz

    Try a simple configuration w/o isakmp profiles.
    Have a look at this link:
    http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00805e8c80.shtml

  • Automatic 6to4 IPv6 Tunnels

    Hey Guys,
    I understand this implementation pretty well, I'm just having trouble understanding one important part. I understand that if you have R1<--->R2,
    with IPv4 connectivity, and then R1 and R2 also each have an IPv6 network on the LAN side, your address will be 2002::/48, but the bits after
    2002:xxxx:xxxx will be the IPv4 source address of the tunnel in hexadecimal. I know you need a route saying to get to 2001:DEAD:BEEF::1/64
    go to tunnel0 (etc etc). It will know how to get there automatically by going to 2002:303:303:x.y (which I'm assuming is the IPv4 remote address in hex)
    but how does it know to go to 2002:303:303: automatically........
    I'm assuming that R1 has a physical IP going to R2 of 1.1.1.1 and R2 has a physical IP of 2.2.2.2 going to R1.

    In the classic 6to4 scenario, you would be depending on the existence of two additional 3rd party relay routers.  The relay routers would be anycasting 192.88.99.0/24 on the v4 side and 2002::/16 on the v6 side.  Typically the sending client would only have v4 connectivity, not v6.  Some operating systems build in 6to4 tunneling, and some endpoints might be dual-stack, so the number of relays could be reduced.
    Sender:
        1. client v6 encapsulated-->192.88.99.1 via next hop R1
        2. R1 -> dual stack relay A (advertising 192.88.99.0/24) via v4
        3. relay A -> v6 destination via R2
        4. R2 -> destination server (v6)
    On the reply path,
        5a dual-stack server with embedded 6to4 encapsulates reply directly to client IPv4 address via R2
      or
        5b IPv6-only server sends native v6 reply to relay B at 2002::/16 via R2 using IPv6
        6a R2 forwards v4 packet toward final destination
        6b R2 forwards v6 packet toward dual stack relay B (advertising 2002::/16)
        7a relay B is not involved if the server did its own 6to4 encapsulation
        7b relay B encapsulates the v6 packet in a v4 envelope addressed to the decoded v4 address of the client
        8 R1 receives a v4 encapsulated packet via either R2 or relay B, depending on step 5 choice
        9 client decapsulates v6 reply from v4 envelope received from R1
    Geoff Huston and others have described why automatic tunnels like Teredo and 6to4 are a bad idea, e.g.
    http://www.potaroo.net/ispcol/2010-12/6to4fail.html
    -- Jim Leinweber, WI State Lab of Hygiene
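
The address arithmetic behind this exchange, as an added example that is not part of either post: a 6to4 router needs no per-peer configuration because the IPv4 tunnel endpoint is read out of bits 16 to 47 of the IPv6 destination, and anything outside 2002::/16 goes to the relay anycast address. The function names are hypothetical, the addresses are the ones used in the question, and `accept_decap` is the source-consistency check recommended for 6to4 routers in RFC 3964.

```python
import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")
# Relay anycast address taken from the reply above (192.88.99.0/24).
RELAY_ANYCAST = ipaddress.IPv4Address("192.88.99.1")


def sixtofour_prefix(v4: str) -> ipaddress.IPv6Network:
    """Return the 2002:VVVV:VVVV::/48 prefix a site derives from its public IPv4 address."""
    v4_int = int(ipaddress.IPv4Address(v4))
    # 0x2002 fills the top 16 bits, the 32-bit IPv4 address the next 32.
    base = (0x2002 << 112) | (v4_int << 80)
    return ipaddress.IPv6Network((base, 48))


def embedded_v4(v6: str):
    """Return the IPv4 address carried in a 6to4 address, or None outside 2002::/16."""
    addr = ipaddress.IPv6Address(v6)
    if addr not in SIXTOFOUR:
        return None
    return ipaddress.IPv4Address((int(addr) >> 80) & 0xFFFFFFFF)


def tunnel_next_hop(dst_v6: str) -> ipaddress.IPv4Address:
    """IPv4 address the encapsulating router sends the protocol-41 packet to."""
    v4 = embedded_v4(dst_v6)
    # 6to4 destination: the tunnel endpoint is part of the destination itself.
    # Native IPv6 destination: the packet is handed to a relay.
    return v4 if v4 is not None else RELAY_ANYCAST


def accept_decap(outer_v4_src: str, inner_v6_src: str) -> bool:
    """Source-consistency check on a received protocol-41 packet."""
    v4 = embedded_v4(inner_v6_src)
    if v4 is None:
        # Native IPv6 source: the packet came via a relay, so the outer
        # source is the relay and there is nothing to compare against.
        return True
    if not v4.is_global:
        # A 2002:: source that embeds a private or reserved IPv4 address is bogus.
        return False
    # The outer IPv4 source must be the address embedded in the inner source.
    return v4 == ipaddress.IPv4Address(outer_v4_src)


if __name__ == "__main__":
    # Constructed sample values based on the addresses in the question.
    print(sixtofour_prefix("1.1.1.1"), sixtofour_prefix("2.2.2.2"))
    print(tunnel_next_hop("2002:303:303:1::1"))
    print(tunnel_next_hop("2001:dead:beef::1"))
```

With R2 at 2.2.2.2 the derived prefix is 2002:202:202::/48; a destination under 2002:303:303 decodes to 3.3.3.3.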

  • STS Tunnel in between Cisco ASA and Meraki Firewall

    Hello Experts,
    We are in the process of configuring a syslog server that is placed at a remote site, and the STS tunnel established to send the Meraki syslogs over is working fine. The local LANs of both sites can communicate with each other without issue, but we are facing an issue: when the traffic leaves the Meraki firewall, it uses the Meraki WAN interface IP, which then appears as the source in syslog and which unfortunately can't be added to the encryption list on the Meraki firewall, as there is no option available to get the WAN IP added to the encryption list. Can somebody please advise on how to solve this issue? I also searched for an option to get the source IP changed from the WAN to the inside interface IP, which is still not possible on the Meraki firewall.

    I am not very familiar with Meraki, but I did come across this document...hope it will help you out.
    https://kb.meraki.com/knowledge_base/syslog-server-overview-and-configuration
    Please remember to select a correct answer and rate helpful posts

  • IPv6 Tunnel Input buffer leak on 15.1(4)M4/M5

    Hello all, I have run into the exact same bug shown here:
    https://supportforums.cisco.com/thread/2184076
    I do not have a valid support contract for my device, but I believe this is a bug that should be reported. Is anyone able to assist in opening such a bug report?
    We have a memory leak and that should be fixed.
    Regards
    Andrea


  • Problem: IPv6 w/ PPPoE on Cisco 2901

    Folks: I have this Cisco 2901 configured with PPPoE and IPv6 and connect it through a CO (DSLAM) to an Actiontec xDSL router. PPPoE connections are on FE0/0/0, through virtual template.
    The Actiontec router gets NA and PD addresses successfully and a LAN PC connected to the Actiontec router can surf the IPv6 Internet w/ no problem. However, the Cisco 2901 can't reach the Actiontec router by its NA or TA public IPv6 address. A 'stupid' workaround is to manually add a route w/ the virtual access. It is stupid cuz each new connection will bring up a different virtual access.
    I guess this is a bug on 2901, but want to confirm with you guys first. Now the whole config:
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname AEI_SV_Cisco_2091
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    no aaa new-model
    ipv6 unicast-routing
    ipv6 dhcp pool HE
    prefix-delegation pool HE-48
    address prefix 2001:470:1F05:7A::/64
    ipv6 cef
    ip dhcp pool default
    network 10.10.10.0 255.255.255.0
    default-router 10.10.10.1
    dns-server 10.10.10.1
    ip dhcp pool dslam1
    network 10.11.11.0 255.255.255.0
    default-router 10.11.11.1
    dns-server 10.11.11.1
    ip domain name yourdomain.com
    ip name-server 8.8.8.8
    ip name-server 8.8.4.4
    ip cef
    multilink bundle-name authenticated
    vpdn enable
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-3962993046
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3962993046
    revocation-check none
    rsakeypair TP-self-signed-3962993046
    crypto pki certificate chain TP-self-signed-3962993046
    certificate self-signed 01
                quit
    license udi pid CISCO2901/K9 sn FCZ15489123
    username admin privilege 15 secret 5 $1$.CdN$d0DXERD9PqUtu6XPilTv/.
    username chap password 0 chap
    bba-group pppoe global
    virtual-template 1
    sessions max limit 256
    interface Tunnel0
    description Hurricane Electric IPv6 Tunnel Broker
    no ip address
    ipv6 address 2001:470:1F04:7A::2/64
    ipv6 enable
    tunnel source 173.13.177.215
    tunnel mode ipv6ip
    tunnel destination 72.52.104.74
    interface Embedded-Service-Engine0/0
    no ip address
    shutdown
    interface GigabitEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
    ip address 10.10.10.1 255.255.255.0
    ip nat inside
    ip nat allow-static-host
    ip nat enable
    ip virtual-reassembly in
    shutdown
    duplex auto
    speed auto
    ipv6 enable
    ipv6 dhcp server HE1
    interface GigabitEthernet0/1
    ip address 173.13.177.215 255.255.255.240
    ip nat outside
    ip nat enable
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface FastEthernet0/0/0
    ip address 10.11.11.1 255.255.255.0
    ip nat inside
    ip nat enable
    ip virtual-reassembly in
    duplex auto
    speed auto
    ipv6 address 2001:470:1F05:7A::1/64
    ipv6 enable
    ipv6 nd managed-config-flag
    ipv6 nd other-config-flag
    ipv6 dhcp server HE
    pppoe enable group global
    interface FastEthernet0/0/1
    no ip address
    shutdown
    duplex auto
    speed auto
    interface Virtual-Template1
    mtu 1492
    ip unnumbered FastEthernet0/0/0
    ip nat inside
    ip nat enable
    ip virtual-reassembly in
    ipv6 enable
    ipv6 nd managed-config-flag
    ipv6 nd other-config-flag
    no ipv6 nd ra suppress
    ipv6 dhcp server HE
    peer default ip address dhcp-pool dslam1
    peer default ipv6 pool HE
    ppp authentication chap
    no routing dynamic
    ip forward-protocol nd
    no ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat source list 1 interface GigabitEthernet0/1 overload
    ip route 0.0.0.0 0.0.0.0 173.13.177.222
    access-list 1 permit any
    ipv6 route ::/0 Tunnel0
    ipv6 local pool test 2001:470:7007::/48 64
    ipv6 local pool HE-48 2001:470:8008::/48 64
    control-plane
    line con 0
    login local
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
    stopbits 1
    line vty 0 4
    privilege level 15
    login local
    transport preferred none
    transport input all
    transport output all
    line vty 5 15
    privilege level 15
    login local
    transport preferred none
    transport input all
    transport output all
    scheduler allocate 20000 1000
    end
    See, both IPv4 and IPv6 are using the virtual template to get PPPoE to work. Everything's working fairly well on IPv4. I can ping from the Cisco to the 10.11.11.x address on the Actiontec router. But with IPv6, I can't ping the 2001:470:1f05:7a:: address on the Actiontec router. The correct route through virtual-access is not installed, or the F0/0/0 interface doesn't pass the IPv6 traffic to the corresponding virtual access interface:
    AEI_SV_Cisco_2091#sh ipv6 route
    IPv6 Routing Table - default - 7 entries
    Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
           B - BGP, R - RIP, I1 - ISIS L1, I2 - ISIS L2
           IA - ISIS interarea, IS - ISIS summary, D - EIGRP, EX - EIGRP external
           ND - Neighbor Discovery, l - LISP
           O - OSPF Intra, OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
           ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
    S   ::/0 [1/0]
         via Tunnel0, directly connected
    C   2001:470:1F04:7A::/64 [0/0]
         via Tunnel0, directly connected
    L   2001:470:1F04:7A::2/128 [0/0]
         via Tunnel0, receive
    C   2001:470:1F05:7A::/64 [0/0]
         via FastEthernet0/0/0, directly connected (this sounds correct, but I'm not able to reach client from this interface)
    L   2001:470:1F05:7A::1/128 [0/0]
         via FastEthernet0/0/0, receive
    S   2001:470:8008::/64 [1/0]
         via FE80::21F6:88C4:497E:6F9C, Virtual-Access2.2
    L   FF00::/8 [0/0]
         via Null0, receive
    Can someone help? Thanks!
    Henry

    Hi,
    The 'bug' I described above seems to apply only to packets the router generates itself. I tested it by creating a temporary subnet. Even though I had no end-to-end connectivity I could see packets matching the outbound ACL which were created from a host on that subnet.
    Carsten
