Cisco and Tunnel Broker with CCP.

NathanLKoch
Level 1
!
! Last configuration change at 22:12:49 GMT Fri Jan 15 2021 by nkoch
! NVRAM config last updated at 22:12:58 GMT Fri Jan 15 2021 by nkoch
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login local_access local
!
!
!
!
!
!
aaa session-id common
clock timezone GMT -6 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool ccp-pool
 network 192.168.2.0 255.255.255.248
 default-router 192.168.2.1 
 dns-server 192.168.2.1 
 lease 0 2
!
ip dhcp pool Server
 network 192.168.30.0 255.255.255.248
 default-router 192.168.30.1 
!
!
!
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 2620:119:35::35
ip name-server 2620:119:53::53
ip ddns update method update
 HTTP
  add https://@ipv4.tunnelbroker.net/nic/update?hostname=
 interval maximum 0 0 5 0
!
ip cef
ipv6 unicast-routing
ipv6 dhcp pool vlandefault
 address prefix 2001:470:1F19:24A::/64
 dns-server 2620:119:35::35
 dns-server 2620:119:53::53
!
ipv6 cef
!
!
flow record nbar-appmon
 match ipv4 source address
 match ipv4 destination address
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp absolute first
 collect timestamp absolute last
!
!
flow monitor application-mon
 cache timeout active 60
 record nbar-appmon
!
parameter-map type inspect global
 max-incomplete low 18000
 max-incomplete high 20000
 nbar-classify
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1119805475
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1119805475
 revocation-check none
 rsakeypair TP-self-signed-1119805475
!
!
crypto pki certificate chain TP-self-signed-1119805475
 certificate self-signed 01

  	quit
voice-card 0
!
!
!
!
!
!
!
!
vxml logging-tag
license udi pid CISCO2911/K9 sn 
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
!
object-group service INTERNAL_UTM_SERVICE 
!
object-group network Others_dst_net 
 any
!
object-group network Others_src_net 
 any
!
object-group service Others_svc 
 ip
!
object-group network Web_dst_net 
 any
!
object-group network Web_src_net 
 any
!
object-group service Web_svc 
 ip
!
object-group network local_cws_net 
!
object-group network local_lan_subnets 
 192.168.2.0 255.255.255.248
!
object-group network trafficout_dst_net 
 any
!
object-group network trafficout_src_net 
 any
!
object-group service trafficout_svc 
 ip
!
object-group network vpn_remote_subnets 
 any
!
vtp mode transparent
username nkoch privilege 15 secret 5 
!
redundancy
!
!
!
!
!
!
class-map type inspect match-all trafficout
  description Lan Outbound Traffic
 match access-group name trafficout_acl
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
 match protocol msnmsgr
 match protocol ymsgr
class-map type inspect match-any Others_app
 match protocol https
 match protocol smtp
 match protocol pop3
 match protocol imap
 match protocol sip
 match protocol ftp
 match protocol dns
 match protocol icmp
class-map type inspect match-any Web_app
 match protocol http
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
class-map type inspect match-all Web
 match class-map Web_app
 match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
 class type inspect trafficout
  inspect 
 class type inspect Web
  inspect 
 class type inspect Others
  inspect 
 class type inspect INTERNAL_DOMAIN_FILTER
  inspect 
 class class-default
  drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
! 
!
!
!
!
!
!
!
!
!
interface Loopback0
 no ip address
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 zone-member security WAN
 ipv6 address 2001:470:1F18:24A::2/64
 ipv6 enable
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip
 tunnel destination 
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description PrimaryWANDesc_
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $ETH-LAN$ETH-SW-LAUNCH$INTF-INFO-GE 0/1$
 ip address 192.168.2.1 255.255.255.248
 ip nbar protocol-discovery
 ip flow monitor application-mon input
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 zone-member security LAN
 load-interval 30
 duplex auto
 speed auto
 ipv6 address 2001:470:1F19:24A::3/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server vlandefault
!
interface GigabitEthernet0/2
 ip address 192.168.30.1 255.255.255.248
 ip nat inside
 ip virtual-reassembly in
 zone-member security DMZ
 duplex auto
 speed auto
!
!
ip forward-protocol nd
!
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list nat-list interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended Others_acl
 permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
 permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
 permit ip object-group local_lan_subnets any
 deny   ip any any
ip access-list extended trafficout_acl
 permit object-group trafficout_svc object-group trafficout_src_net object-group trafficout_dst_net
!
ipv6 route static resolve default
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
!
!
!
!
ipv6 access-list LAN-WAN-POLICY
 permit ipv6 2001:470:1F19:24A::/64 any
control-plane host
!
!
control-plane
!
 !
 !
 !
 !
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
gatekeeper
 shutdown
!
banner login 

   *******         *****       ,******.          ,**************        ,******,             
 **********,       *****     .**********      ,*****************       **********            
******,*****       *****     ************    *******************      ************           
*****   *****      *****    *****   ******   *****                   *****   ,*****          
*****   *****,     *****   ******    *****   *****                  ,*****    *****          
*****    *****     *****   *****      *****  ,****************      *****      *****         
*****    ,*****    *****  *****       ******   *****************   *****       ,*****        
*****     *****    *****  *****        *****       ************** .*****        *****        
*****     ,*****   ***** *****          *****               ***** *****          *****       
*****      *****   **********           *****,             ***********,          ******      
*****       ***********.*****            *********************** *****            *****      
*****        ********* *****              ********************  *****              *****     
Welcome to                                 Please login

banner motd odt
Oh hai!

!
line con 0
 login authentication local_access
 speed 115200
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login authentication local_access
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp master
ntp update-calendar
ntp server north-america.pool.ntp.org
!
end

After several failed attempts at getting port forwarding working, I figured I would attempt using CCP. I am trying to get IPv6 tunneling working but am unable to route packets, which is unrelated to NAT port forwarding. I would like to set up multiple VLANs and 802.1Q tunneling to a Cisco switch, where I will be configuring switch ports to VLANs.


My tunnel broker allocation:

2001:470:1f19:24a::/64

2001:470:2882::/48


Any assistance would be appreciated.

---------------------
"Fortune favors the brave."

Hello,

As far as I can tell, your IPv6 access list is not part of any inspection. Add the lines marked below with "-->" (I could not tell what classes are already part of your policy, due to the many objects you have configured). In any case, make sure the IPv6 access list is part of a class that is being inspected:

!
! Last configuration change at 22:12:49 GMT Fri Jan 15 2021 by nkoch
! NVRAM config last updated at 22:12:58 GMT Fri Jan 15 2021 by nkoch
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login local_access local
!
aaa session-id common
clock timezone GMT -6 0
!
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool ccp-pool
network 192.168.2.0 255.255.255.248
default-router 192.168.2.1
dns-server 192.168.2.1
lease 0 2
!
ip dhcp pool Server
network 192.168.30.0 255.255.255.248
default-router 192.168.30.1
!
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 2620:119:35::35
ip name-server 2620:119:53::53
ip ddns update method update
HTTP
add https://@ipv4.tunnelbroker.net/nic/update?hostname=
interval maximum 0 0 5 0
!
ip cef
ipv6 unicast-routing
ipv6 dhcp pool vlandefault
address prefix 2001:470:1F19:24A::/64
dns-server 2620:119:35::35
dns-server 2620:119:53::53
!
ipv6 cef
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1119805475
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1119805475
revocation-check none
rsakeypair TP-self-signed-1119805475
!
crypto pki certificate chain TP-self-signed-1119805475
certificate self-signed 01

quit
voice-card 0
!
vxml logging-tag
license udi pid CISCO2911/K9 sn
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
192.168.2.0 255.255.255.248
!
object-group network trafficout_dst_net
any
!
object-group network trafficout_src_net
any
!
object-group service trafficout_svc
ip
!
object-group network vpn_remote_subnets
any
!
vtp mode transparent
username nkoch privilege 15 secret 5
!
redundancy
!
class-map type inspect match-all trafficout
description Lan Outbound Traffic
match access-group name trafficout_acl
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
--> match access-group name LAN-WAN-POLICY
!
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect trafficout
inspect
class type inspect Web
inspect
class type inspect Others
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
--> class type inspect Others_app
--> inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
!
interface Loopback0
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security WAN
ipv6 address 2001:470:1F18:24A::2/64
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ETH-LAN$ETH-SW-LAUNCH$INTF-INFO-GE 0/1$
ip address 192.168.2.1 255.255.255.248
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
load-interval 30
duplex auto
speed auto
ipv6 address 2001:470:1F19:24A::3/64
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server vlandefault
!
interface GigabitEthernet0/2
ip address 192.168.30.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list nat-list interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
ip access-list extended trafficout_acl
permit object-group trafficout_svc object-group trafficout_src_net object-group trafficout_dst_net
!
ipv6 route static resolve default
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
ipv6 access-list LAN-WAN-POLICY
permit ipv6 2001:470:1F19:24A::/64 any
control-plane host
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
gatekeeper
shutdown
!
banner login 

   *******         *****       ,******.          ,**************        ,******,             
 **********,       *****     .**********      ,*****************       **********            
******,*****       *****     ************    *******************      ************           
*****   *****      *****    *****   ******   *****                   *****   ,*****          
*****   *****,     *****   ******    *****   *****                  ,*****    *****          
*****    *****     *****   *****      *****  ,****************      *****      *****         
*****    ,*****    *****  *****       ******   *****************   *****       ,*****        
*****     *****    *****  *****        *****       ************** .*****        *****        
*****     ,*****   ***** *****          *****               ***** *****          *****       
*****      *****   **********           *****,             ***********,          ******      
*****       ***********.*****            *********************** *****            *****      
*****        ********* *****              ********************  *****              *****     
Welcome to                                 Please login

banner motd odt
Oh hai!

!
line con 0
login authentication local_access
speed 115200
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login authentication local_access
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp master
ntp update-calendar
ntp server north-america.pool.ntp.org
!
end
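The reply's diagnosis, that an access list only takes effect once some class in the policy applied to a zone-pair matches on it, can be checked mechanically. Added example, not from the thread or from Cisco: a small Python parser that follows the zone-pair -> policy-map -> class-map -> access-group chain over a constructed excerpt of the poster's configuration and reports the IPv6 ACL LAN-WAN-POLICY as unreferenced (the function and variable names are the example's own).

```python
"""Added example, not from the thread: trace zone-pair -> policy-map -> class-map -> ACL, as the reply reasons."""
from collections import defaultdict

# Constructed excerpt of the poster's running-config, IOS indentation kept.
CONFIG = """\
class-map type inspect match-all trafficout
 match access-group name trafficout_acl
class-map type inspect match-any Others_app
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
policy-map type inspect LAN-WAN-POLICY
 class type inspect trafficout
  inspect
 class type inspect Others
  inspect
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
ip access-list extended Others_acl
 permit ip any any
ip access-list extended trafficout_acl
 permit ip any any
ipv6 access-list LAN-WAN-POLICY
 permit ipv6 2001:470:1F19:24A::/64 any
"""

def acl_reachability(config):
    # Map each ACL name to True if a class of a policy applied to a zone-pair matches on it.
    acls, refs, classes, applied, kind, name = set(), defaultdict(set), defaultdict(set), set(), "", ""
    for raw in config.splitlines():
        t = raw.split()
        if not t or t[0] == "!":                      # skip blank and '!' separator lines
            continue
        if not raw.startswith(" "):                   # unindented line opens a new section
            kind, name = t[0], t[-1]
            if kind in ("ip", "ipv6") and t[1] == "access-list":
                acls.add(name)
        elif kind == "class-map" and t[0] == "match" and t[1] in ("access-group", "class-map"):
            refs[name].add((t[1], t[-1]))             # an ACL, or a nested class-map
        elif kind == "policy-map" and t[0] == "class" and t[-1] != "class-default":
            classes[name].add(t[-1])
        elif kind == "zone-pair" and t[0] == "service-policy":
            applied.add(t[-1])
    todo = [c for p in applied for c in classes[p]]   # only classes in a zone-pair's path
    reached, seen = set(), set()
    while todo:                                       # descend nested class-maps once each
        cls = todo.pop()
        if cls not in seen:
            seen.add(cls)
            reached |= {r for k, r in refs[cls] if k == "access-group"}
            todo += [r for k, r in refs[cls] if k == "class-map"]
    return {acl: acl in reached for acl in sorted(acls)}
```

`acl_reachability(CONFIG)` returns `{'LAN-WAN-POLICY': False, 'Others_acl': True, 'trafficout_acl': True}`, matching the reply's finding. It checks references only, not whether the class action is `inspect` rather than `drop` or `pass`.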