01-16-2021 11:59 AM
!
! Last configuration change at 22:12:49 GMT Fri Jan 15 2021 by nkoch
! NVRAM config last updated at 22:12:58 GMT Fri Jan 15 2021 by nkoch
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login local_access local
!
aaa session-id common
clock timezone GMT -6 0
!
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool ccp-pool
network 192.168.2.0 255.255.255.248
default-router 192.168.2.1
dns-server 192.168.2.1
lease 0 2
!
ip dhcp pool Server
network 192.168.30.0 255.255.255.248
default-router 192.168.30.1
!
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 2620:119:35::35
ip name-server 2620:119:53::53
ip ddns update method update
HTTP
add https://@ipv4.tunnelbroker.net/nic/update?hostname=
interval maximum 0 0 5 0
!
ip cef
ipv6 unicast-routing
ipv6 dhcp pool vlandefault
address prefix 2001:470:1F19:24A::/64
dns-server 2620:119:35::35
dns-server 2620:119:53::53
!
ipv6 cef
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1119805475
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1119805475
revocation-check none
rsakeypair TP-self-signed-1119805475
!
crypto pki certificate chain TP-self-signed-1119805475
certificate self-signed 01
quit
voice-card 0
!
vxml logging-tag
license udi pid CISCO2911/K9 sn
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
192.168.2.0 255.255.255.248
!
object-group network trafficout_dst_net
any
!
object-group network trafficout_src_net
any
!
object-group service trafficout_svc
ip
!
object-group network vpn_remote_subnets
any
!
vtp mode transparent
username nkoch privilege 15 secret 5
!
redundancy
!
class-map type inspect match-all trafficout
description Lan Outbound Traffic
match access-group name trafficout_acl
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect trafficout
inspect
class type inspect Web
inspect
class type inspect Others
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
!
interface Loopback0
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security WAN
ipv6 address 2001:470:1F18:24A::2/64
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ETH-LAN$ETH-SW-LAUNCH$INTF-INFO-GE 0/1$
ip address 192.168.2.1 255.255.255.248
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
load-interval 30
duplex auto
speed auto
ipv6 address 2001:470:1F19:24A::3/64
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server vlandefault
!
interface GigabitEthernet0/2
ip address 192.168.30.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list nat-list interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
ip access-list extended trafficout_acl
permit object-group trafficout_svc object-group trafficout_src_net object-group trafficout_dst_net
!
ipv6 route static resolve default
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
ipv6 access-list LAN-WAN-POLICY
permit ipv6 2001:470:1F19:24A::/64 any
control-plane host
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
gatekeeper
shutdown
!
banner login
******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ************** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** *****
Welcome to Please login
banner motd odt
Oh hai!
!
line con 0
login authentication local_access
speed 115200
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login authentication local_access
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp master
ntp update-calendar
ntp server north-america.pool.ntp.org
!
end
After several failed attempts at getting port forwarding working, I figured I would attempt using CCP. I am trying to get IPv6 tunneling working but am unable to route packets, which is unrelated to NAT port forwarding. I would like to set up multiple VLANs and 802.1Q tunneling to a Cisco switch, where I will be configuring switch ports to VLANs.
My tunnel broker allocation:
2001:470:1f19:24a::/64
2001:470:2882::/48
Any assistance would be appreciated.
01-18-2021 08:06 AM
Hello,
as far as I can tell, your IPv6 access list is not part of any inspection. Add the lines marked with "-->" (I could not tell what classes are already part of your policy, due to the many objects you have configured). In any case, make sure the IPv6 access list is part of a class that is being inspected:
!
! Last configuration change at 22:12:49 GMT Fri Jan 15 2021 by nkoch
! NVRAM config last updated at 22:12:58 GMT Fri Jan 15 2021 by nkoch
!
version 15.7
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname NASA
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login local_access local
!
aaa session-id common
clock timezone GMT -6 0
!
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.2.1
!
ip dhcp pool ccp-pool
network 192.168.2.0 255.255.255.248
default-router 192.168.2.1
dns-server 192.168.2.1
lease 0 2
!
ip dhcp pool Server
network 192.168.30.0 255.255.255.248
default-router 192.168.30.1
!
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 2620:119:35::35
ip name-server 2620:119:53::53
ip ddns update method update
HTTP
add https://@ipv4.tunnelbroker.net/nic/update?hostname=
interval maximum 0 0 5 0
!
ip cef
ipv6 unicast-routing
ipv6 dhcp pool vlandefault
address prefix 2001:470:1F19:24A::/64
dns-server 2620:119:35::35
dns-server 2620:119:53::53
!
ipv6 cef
!
flow record nbar-appmon
match ipv4 source address
match ipv4 destination address
match application name
collect interface output
collect counter bytes
collect counter packets
collect timestamp absolute first
collect timestamp absolute last
!
flow monitor application-mon
cache timeout active 60
record nbar-appmon
!
parameter-map type inspect global
max-incomplete low 18000
max-incomplete high 20000
nbar-classify
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-1119805475
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1119805475
revocation-check none
rsakeypair TP-self-signed-1119805475
!
crypto pki certificate chain TP-self-signed-1119805475
certificate self-signed 01
quit
voice-card 0
!
vxml logging-tag
license udi pid CISCO2911/K9 sn
license accept end user agreement
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package uck9
license boot module c2900 technology-package datak9
!
object-group service INTERNAL_UTM_SERVICE
!
object-group network Others_dst_net
any
!
object-group network Others_src_net
any
!
object-group service Others_svc
ip
!
object-group network Web_dst_net
any
!
object-group network Web_src_net
any
!
object-group service Web_svc
ip
!
object-group network local_cws_net
!
object-group network local_lan_subnets
192.168.2.0 255.255.255.248
!
object-group network trafficout_dst_net
any
!
object-group network trafficout_src_net
any
!
object-group service trafficout_svc
ip
!
object-group network vpn_remote_subnets
any
!
vtp mode transparent
username nkoch privilege 15 secret 5
!
redundancy
!
class-map type inspect match-all trafficout
description Lan Outbound Traffic
match access-group name trafficout_acl
class-map type inspect match-any INTERNAL_DOMAIN_FILTER
match protocol msnmsgr
match protocol ymsgr
class-map type inspect match-any Others_app
match protocol https
match protocol smtp
match protocol pop3
match protocol imap
match protocol sip
match protocol ftp
match protocol dns
match protocol icmp
--> match access-group name LAN-WAN-POLICY
!
class-map type inspect match-any Web_app
match protocol http
class-map type inspect match-all Others
match class-map Others_app
match access-group name Others_acl
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect LAN-WAN-POLICY
class type inspect trafficout
inspect
class type inspect Web
inspect
class type inspect Others
inspect
class type inspect INTERNAL_DOMAIN_FILTER
inspect
--> class type inspect Others_app
--> inspect
class class-default
drop log
!
zone security LAN
zone security WAN
zone security VPN
zone security DMZ
zone-pair security LAN-WAN source LAN destination WAN
service-policy type inspect LAN-WAN-POLICY
!
interface Loopback0
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
zone-member security WAN
ipv6 address 2001:470:1F18:24A::2/64
ipv6 enable
tunnel source GigabitEthernet0/0
tunnel mode ipv6ip
tunnel destination
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description PrimaryWANDesc_
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security WAN
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $ETH-LAN$ETH-SW-LAUNCH$INTF-INFO-GE 0/1$
ip address 192.168.2.1 255.255.255.248
ip nbar protocol-discovery
ip flow monitor application-mon input
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
zone-member security LAN
load-interval 30
duplex auto
speed auto
ipv6 address 2001:470:1F19:24A::3/64
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server vlandefault
!
interface GigabitEthernet0/2
ip address 192.168.30.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http upload enable path flash:
ip http upload overwrite
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list nat-list interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended Others_acl
permit object-group Others_svc object-group Others_src_net object-group Others_dst_net
ip access-list extended Web_acl
permit object-group Web_svc object-group Web_src_net object-group Web_dst_net
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
deny ip any any
ip access-list extended trafficout_acl
permit object-group trafficout_svc object-group trafficout_src_net object-group trafficout_dst_net
!
ipv6 route static resolve default
ipv6 route ::/0 Tunnel0
ipv6 ioam timestamp
!
ipv6 access-list LAN-WAN-POLICY
permit ipv6 2001:470:1F19:24A::/64 any
control-plane host
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
gatekeeper
shutdown
!
banner login
******* ***** ,******. ,************** ,******,
**********, ***** .********** ,***************** **********
******,***** ***** ************ ******************* ************
***** ***** ***** ***** ****** ***** ***** ,*****
***** *****, ***** ****** ***** ***** ,***** *****
***** ***** ***** ***** ***** ,**************** ***** *****
***** ,***** ***** ***** ****** ***************** ***** ,*****
***** ***** ***** ***** ***** ************** .***** *****
***** ,***** ***** ***** ***** ***** ***** *****
***** ***** ********** *****, ***********, ******
***** ***********.***** *********************** ***** *****
***** ********* ***** ******************** ***** *****
Welcome to Please login
banner motd odt
Oh hai!
!
line con 0
login authentication local_access
speed 115200
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login authentication local_access
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp source GigabitEthernet0/0
ntp master
ntp update-calendar
ntp server north-america.pool.ntp.org
!
end
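The check the reply does by eye (is the IPv6 ACL matched by any class-map that an applied inspect policy actually uses?) can be scripted. This is an added example, not code from the thread: it parses the class-map, policy-map and zone-pair blocks of an IOS running-config and reports IPv6 ACLs that no inspected class reaches, following nested "match class-map" as the Others/Others_app pair here does. The BEFORE sample is a constructed, trimmed copy of this thread's layout; AFTER applies the reply's suggested fix.

```python
"""Added audit for the thread's problem: list IPv6 ACLs that no class-map inside an
applied zone-pair inspect policy references. Example code, not from the thread."""
import re

def inspected_acls(config):
    acl_of, child_of, classes_in, applied, kind, block = {}, {}, {}, set(), None, None
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"class-map type inspect (?:match-\w+ )?(\S+)$", line):
            kind, block = "class", m.group(1)
            acl_of.setdefault(block, set()); child_of.setdefault(block, set())
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            kind, block = "policy", m.group(1)
            classes_in.setdefault(block, set())
        elif line.startswith("zone-pair security "):
            kind = "zonepair"
        elif kind == "class" and (m := re.match(r"match access-group name (\S+)", line)):
            acl_of[block].add(m.group(1))        # ACL matched directly by this class
        elif kind == "class" and (m := re.match(r"match class-map (\S+)", line)):
            child_of[block].add(m.group(1))      # nested class-map (match-all wrapper)
        elif kind == "policy" and (m := re.match(r"class type inspect (\S+)", line)):
            classes_in[block].add(m.group(1))    # class the policy acts on
        elif kind == "zonepair" and (m := re.match(r"service-policy type inspect (\S+)", line)):
            applied.add(m.group(1))              # policy a zone-pair really applies
    # walk from applied policies through nested class-maps, collecting every ACL reached
    seen, todo = set(), [c for p in applied for c in classes_in.get(p, ())]
    while todo:
        c = todo.pop()
        if c not in seen: seen.add(c); todo.extend(child_of.get(c, ()))
    return set().union(*(acl_of.get(c, set()) for c in seen))

def unreferenced_ipv6_acls(config):
    """IPv6 ACL names defined in the config but not reachable from any inspected class."""
    names = set(re.findall(r"^ipv6 access-list (\S+)", config, re.M))
    return sorted(names - inspected_acls(config))

# Constructed sample, trimmed to the thread's layout: ACL LAN-WAN-POLICY is defined but unused
BEFORE = """\
class-map type inspect match-any Others_app
 match protocol https
class-map type inspect match-all Others
 match class-map Others_app
 match access-group name Others_acl
policy-map type inspect LAN-WAN-POLICY
 class type inspect Others
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-WAN-POLICY
ipv6 access-list LAN-WAN-POLICY
 permit ipv6 2001:470:1F19:24A::/64 any
"""
# The reply's fix: match the IPv6 ACL from a class-map that the applied policy inspects
AFTER = BEFORE.replace(" match protocol https\n", " match protocol https\n match access-group name LAN-WAN-POLICY\n")
```

Run against a full `show running-config` dump, an empty list means every IPv6 ACL is reachable from an inspected class; anything listed is defined but never consulted by the zone-based firewall.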