12-08-2021 06:02 PM - edited 12-08-2021 06:04 PM
Greetings! Sorry for the inconvenience, but I'm implementing IPv6 addressing on my network because our ISP has implemented CGNAT on IPv4 addresses, while they have started handing out public IPv6 addresses. The prefix that I get from my ISP is dynamic, meaning it could change over time, like a dynamic public IPv4 address. This is an example of one of the prefixes we receive dynamically:
2806:109F:1A:C407::/64
I need to configure my network so that my server (DNS, web, e-mail) has access to the Internet. Could you guide me in configuring my Cisco 887VAG2, please? My Cisco ISR router has all IPv6 commands enabled. The IOS it runs is version 15.9.3.M4, with advipservices enabled.
My first try was a mess: although I managed to get IPv6 addresses configured, I couldn't forward traffic to my local server running DNS, web and e-mail. I'm going to post my configuration without the IPv6 config that I did; better to start from a clean working IPv4 config. My Cisco can also run dual-stack IPv4 and IPv6. I have an ADSL2+ connection.
Building configuration...
Current configuration : 7073 bytes
!
! Last configuration change at 18:08:04 GMT Fri Dec 3 2021 by ITJulio
version 15.9
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Gateway
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 xxxxxxxxxx
!
no aaa new-model
clock timezone GMT -6 0
!
!
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
dns-server 10.10.10.6 1.1.1.1 1.0.0.1
lease 0 2
!
ip dhcp pool AccessPoint1
host 10.10.10.3 255.255.255.128
client-identifier xxxx.xxxxx.xxxx.xxxx
default-router 10.10.10.1
!
ip dhcp pool MobilePhone
host 10.10.10.5 255.255.255.128
client-identifier xxxx.xxx.xxx.xxx
default-router 10.10.10.1
!
ip dhcp pool Workstation1
host 10.10.10.4 255.255.255.128
client-identifier xxxx.xxxx.xxx.xxx
default-router 10.10.10.1
!
ip dhcp pool AccessPoint2
host 10.10.10.2 255.255.255.128
client-identifier xxx.xxxx.xxxx.xxx
default-router 10.10.10.1
!
ip dhcp pool Workstation2
host 10.10.10.9 255.255.255.128
client-identifier xxx.xxx.xxxx.xxx
default-router 10.10.10.1
!
ip dhcp pool server1
host 10.10.10.6 255.255.255.128
client-identifier xxx.xxxxx.xxxx.xxx
default-router 10.10.10.1
domain-name xxxxx
dns-server 10.10.10.6
!
!
!
ip dhcp snooping vlan 1
ip dhcp snooping
ip domain round-robin
ip domain name xxxxx
ip host xxxx 10.10.10.6
ip name-server 10.10.10.6
ip name-server 1.1.1.1
ip name-server 1.0.0.1
ip dhcp-server 10.10.10.1
ip cef
!
!
!
multilink bundle-name authenticated
license udi pid C887VAG-S-K9 sn xxxxxxxx
!
!
object-group network local_lan_subnets
10.10.10.0 255.255.255.128
!
username xxxxx privilege 15 secret 4 xxxxxxxxxxx
!
!
!
!
!
controller VDSL 0
operating mode adsl2+ annex A
sync mode itu
!
controller Cellular 0
!
!
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description WAN
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/81
tx-ring-limit 2
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
no ip address
duplex full
speed 100
spanning-tree portfast
ip dhcp snooping trust
!
interface FastEthernet1
no ip address
duplex full
speed 100
spanning-tree portfast
ip dhcp snooping trust
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Cellular0
no ip address
encapsulation ppp
shutdown
!
interface Vlan1
description $LAN$
ip address 10.10.10.1 255.255.255.128
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer1
description WAN
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp mtu adaptive
ppp authentication chap pap callin
ppp chap hostname xxxxxxxx
ppp chap password 0 xxxxxxxx
ppp pap sent-username xxxxxxxx password 0 xxxxxxxxx
no cdp enable
!
ip default-gateway 10.10.10.1
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list nat-list interface Dialer1 overload
ip nat inside source static 10.10.10.6 interface Dialer1
ip nat inside source static tcp 10.10.10.6 21 interface Dialer1 21
ip nat inside source static tcp 10.10.10.6 25 interface Dialer1 25
ip nat inside source static udp 10.10.10.6 53 interface Dialer1 53
ip nat inside source static tcp 10.10.10.6 80 interface Dialer1 80
ip nat inside source static tcp 10.10.10.9 5900 interface Dialer1 5900
ip nat inside source static udp 10.10.10.9 5900 interface Dialer1 5900
ip nat inside source static tcp 10.10.10.5 9120 interface Dialer1 9120
ip nat inside source static tcp 10.10.10.4 1802 interface Dialer1 1802
ip nat inside source static tcp 10.10.10.4 30000 interface Dialer1 30000
ip nat inside source static udp 10.10.10.4 1802 interface Dialer1 1802
ip nat inside source static tcp 10.10.10.6 110 interface Dialer1 110
ip nat inside source static tcp 10.10.10.6 143 interface Dialer1 143
ip nat inside source static tcp 10.10.10.6 443 interface Dialer1 443
ip nat inside source static tcp 10.10.10.6 587 interface Dialer1 587
ip nat inside source static tcp 10.10.10.6 993 interface Dialer1 993
ip nat inside source static tcp 10.10.10.6 995 interface Dialer1 995
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
permit icmp any any
deny ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.127
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
!
!
line con 0
login local
no modem enable
line aux 0
line 3
no exec
speed 144000
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
!
end
Thanks in advance.
12-09-2021 07:51 AM
Hi @JulioGarcia ,
It is generally as simple as getting the prefix delegation from your service provider on the WAN interface and then starting to use it on the internal interface(s).
interface <wan interface name>
ipv6 dhcp client pd prefix-from-provider
interface <internal interface name>
ipv6 address prefix-from-provider ::1/64
Please refer to the following document for more information:
https://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/113141-DHCPv6-00.html
Regards,
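The skeleton above, carried through to a complete dual-stack WAN/LAN configuration for a PPPoE dialer that receives a single /64 by DHCPv6 prefix delegation. This is an added example, not configuration from the thread or from the Cisco document linked above. Interface and prefix names (Dialer1, Vlan1, Prefix-Provider) follow the thread; the IPv6 MTU of 1472 is the ISP value quoted later in the thread; the MSS value, the pool name LAN-V6, the stateless DHCPv6 part (hosts still autoconfigure their addresses from the RA; DHCPv6 only hands them the DNS servers learned on the WAN side) and the availability of ipv6 tcp adjust-mss on this image are assumptions.

```cisco
! Added example (not from the thread): complete dual-stack skeleton for a
! PPPoE dialer that receives a /64 via DHCPv6 prefix delegation.
! Assumptions: ISP IPv6 MTU 1472, pool name LAN-V6, ipv6 tcp adjust-mss present.
ipv6 unicast-routing
ipv6 cef
!
interface Dialer1
 ! WAN side keeps only a link-local address; the default route is learned
 ! from the provider's router advertisement ("ND ::/0" in show ipv6 route)
 ipv6 enable
 ipv6 address autoconfig default
 ipv6 mtu 1472
 ! Request a prefix (IA_PD) and store it under the name Prefix-Provider
 ipv6 dhcp client pd Prefix-Provider rapid-commit
 ! Clamp TCP MSS so the 1472-byte link does not depend on Packet-Too-Big
 ! alone: 1472 - 40 (IPv6) - 20 (TCP) = 1412   (assumed command/value)
 ipv6 tcp adjust-mss 1412
!
interface Vlan1
 ipv6 enable
 ! Only a /64 is delegated, so there is one subnet: subnet bits are 0,
 ! and ::1 is the router's own address inside the delegated prefix
 ipv6 address Prefix-Provider ::1/64
 ! Hosts keep SLAAC for addresses; the O flag tells them to fetch
 ! other options (DNS) from stateless DHCPv6 on this router
 ipv6 nd other-config-flag
 ipv6 dhcp server LAN-V6
!
! Stateless DHCPv6 pool: hands LAN hosts the DNS servers the PD client
! learned on Dialer1 instead of hard-coding addresses that may change
ipv6 dhcp pool LAN-V6
 import dns-server
!
! Count IPv6 as interesting traffic for the dialer, as the thread's
! working config does for IPv4
dialer-list 1 protocol ipv6 permit
!
! Verification (exec mode):
!   show ipv6 dhcp interface Dialer1   -> "Prefix State is OPEN" plus the /64
!   show ipv6 interface brief          -> Vlan1 carries <delegated prefix>::1
!   show ipv6 route                    -> ND ::/0 via FE80::..., Dialer1
!   ping ipv6 2606:4700:4700::1111 source Vlan1
```

If the delegated prefix changes, IOS re-derives the Vlan1 address from the Prefix-Provider name automatically; anything outside the router that stores the old prefix (DNS AAAA records for the server, remote allow-lists) has to be updated separately, which is the practical cost of a dynamic delegation.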
12-09-2021 08:04 AM
Good morning Mr. Harold. I'm going to try with the documentation you sent me, and I'm going to post the results. For example, the prefix my ISP sent me is a /64 prefix. That means that I could only configure 1 subnet, right?
12-09-2021 08:39 AM
Hi @JulioGarcia ,
> That means that I could only configure 1 subnet, right?
That is correct.
Regards,
12-09-2021 08:26 AM - edited 12-09-2021 08:34 AM
I'm a little confused. A DHCP server and a DHCP client can run on the same ISR router. Should I require my Cisco router to be a DHCPv6 server so my local host (DNS, web and e-mail server) can access the Internet? For example, for the WAN interface, in my case Dialer1, this configuration should do the first part with my ISP, right?
Here is my config on interface Dialer1; ipv6 unicast-routing and ipv6 cef have been enabled:
interface Dialer1
description INFINITUM_WAN
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ipv6 enable
ipv6 mtu 1472   ! <- this is the MTU the ISP specifies for IPv6
ipv6 dhcp client pd Prefix-Provider rapid-commit
ppp mtu adaptive
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxx
ppp chap password 0 xxxxxxxxx
ppp pap sent-username xxxxxxxxxx password 0 xxxxxx
And this is the output of show ipv6 interface Dialer1:
Dialer1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::7E69:F6FF:FE24:45D2
No Virtual link-local address(es):
Description: INFINITUM_WAN
No global unicast address is configured
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF24:45D2
MTU is 1472 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
Input features: Common Flow Table Stile classification Dialer i/f override
Output features: Common Flow Table Stile Classification Dialer idle reset
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
ND RAs are suppressed (periodic)
Hosts use stateless autoconfig for addresses.
And this is from sh ipv6:
Dialer1 is in client mode
Prefix State is OPEN
Renew will be sent in 11:51:52
Address State is IDLE
List of known servers:
Reachable via address: FE80::CAE7:F0FF:FE53:BC88
DUID: 00020000058363383A65373A66303A35333A62663A6330000000
Preference: 0
Configuration parameters:
IA PD: IA ID 0x000D0001, T1 43200, T2 69120
Prefix: 2806:109F:1A:C407::/64
preferred lifetime 86400, valid lifetime 86400
expires at Dec 10 2021 10:38 AM (85913 seconds)
DNS server: 2806:109F:FFFF:102::E
DNS server: 2806:108F:FFFF:3::E
Information refresh time: 0
Prefix name: Prefix-Provider
Prefix Rapid-Commit: enabled
Address Rapid-Commit: disabled
12-09-2021 08:41 AM
Hi @JulioGarcia ,
You can forget about the DHCP server part. This role is being played by your SP. You only need to focus on the DHCP client part of the document. Let us know if you have any follow-up question.
Sorry for the confusion.
Regards,
12-09-2021 09:16 AM
OK, something strange has happened: the PCs and hosts have acquired their IPv6 addresses with the 2806:109F:1A:407:: prefix. But now I cannot access some sites, like Russia Today news, LACNIC, and some other forums. I can ping them and get a good response, showing that they also have IPv6 addresses. But I cannot access their sites in any web browser (MS Edge, Firefox, Yandex). Also, how could I open ports or redirect packets to my server (DNS, web, e-mail)? First I need to fix the issue that I have lost access to certain sites. Could you help me, please? Don't worry, I know that all of you have work too, like I have, so take your time. I'm reading and experimenting and sharing what I have found. And again, thanks in advance.
12-09-2021 09:50 AM
Hi @JulioGarcia ,
> OK, something strange has happened: the PCs and hosts have acquired their IPv6 addresses with the 2806:109F:1A:407:: prefix.
> But now I cannot access some sites, like Russia Today news, LACNIC, and some other forums. I can ping them and get a good
> response, showing that they also have IPv6 addresses. But I cannot access their sites in any web browser (MS Edge, Firefox, Yandex).
Not sure what the issue could be. If it is just certain sites that you are having an issue with, I am not sure what can be done. You can always check whether your local security policies are interfering in any way.
> Also how could i open ports or redirect packets to my server (DNS,Web,Email)?
Setting the security rules for IPv6 should be pretty similar to what you are doing on the IPv4 side. The only exception might be the port forwarding, which you will not need for IPv6, as your server has global connectivity with its assigned IPv6 address. This is not the case for IPv4, hence the need for port redirection.
Regards,
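The point in the reply above deserves a concrete configuration: once the LAN has global IPv6 addresses, the IPv4 static NAT entries were the only thing keeping every other LAN port unreachable, and nothing replaces them until an IPv6 filter is applied on the WAN interface. The following is an added example, not configuration from the thread. The ACL names, the reflexive timeouts and the vty handling are assumptions; the published ports are the ones the thread's IPv4 static NAT entries expose for the server. Because the delegated prefix is dynamic, an ACL cannot pin the server's full address, so the service lines match on port only; any other LAN host listening on one of those ports is then reachable too, which is a caveat to keep in mind.

```cisco
! Added example (not from the thread): inbound/outbound IPv6 filters for the
! WAN side. ACL names, timeouts and the vty policy are assumptions.
!
! Outbound: mark sessions the LAN opens so their replies can come back in
ipv6 access-list WAN-V6-OUT
 permit tcp any any reflect V6-RETURN timeout 300
 permit udp any any reflect V6-RETURN timeout 60
 permit icmp any any
 permit ipv6 any any
!
ipv6 access-list WAN-V6-IN
 ! Neighbor discovery and the provider's RA must pass. An explicit
 ! "deny ipv6 any any" removes the implicit ND permits, so list them.
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any router-advertisement
 ! PMTUD and error reporting; with a 1472-byte link Packet-Too-Big is essential
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 permit icmp any any unreachable
 permit icmp any any echo-request
 permit icmp any any echo-reply
 ! DHCPv6 replies for the prefix-delegation client (server 547 -> client 546)
 permit udp any eq 547 any eq 546
 ! Replies to sessions the LAN opened (matched against the reflexive list)
 evaluate V6-RETURN
 ! Published services on the server (port-only match: dynamic prefix)
 permit tcp any any eq 25
 permit tcp any any eq 587
 permit tcp any any eq 110
 permit tcp any any eq 143
 permit tcp any any eq 993
 permit tcp any any eq 995
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit tcp any any eq 53
 permit udp any any eq 53
 ! FTP control channel only; data channels need a stateful inspection engine
 permit tcp any any eq 21
 ! Everything else, including Telnet/SSH/HTTP aimed at the router's own
 ! Vlan1 global address, is dropped and logged
 deny ipv6 any any log
!
interface Dialer1
 ipv6 traffic-filter WAN-V6-IN in
 ipv6 traffic-filter WAN-V6-OUT out
!
! "access-class 23 in" on the vty lines is an IPv4 ACL and does not apply to
! IPv6 connections. The LAN prefix is dynamic, so allow only link-local
! sources over IPv6 (ssh user@fe80::...%iface from the LAN still works).
ipv6 access-list MGMT-V6
 permit ipv6 FE80::/10 any
 deny ipv6 any any log
!
line vty 0 4
 ipv6 access-class MGMT-V6 in
line vty 5 15
 ipv6 access-class MGMT-V6 in
!
! Verification: from an external IPv6 host, a connect to port 587 should
! succeed and one to port 5900 should time out; on the router,
!   show ipv6 access-list WAN-V6-IN   -> match counters per line
!   show logging | include WAN-V6-IN   -> logged denies
```

Ordering matters in this list: the ICMPv6, DHCPv6 and evaluate lines sit above the service permits and the final deny, so control-plane traffic the link depends on is never caught by the catch-all. If the image supports zone-based firewall (the advipservices feature set generally does), the reflexive pair can be replaced by an inspect policy, which also handles FTP data channels properly.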
12-09-2021 09:55 AM
Thanks, I'm going to try, because the server is now up on the Internet, but I can only confirm that ports 80, 21, 110 and 143 are open; I need to open 587 and others. But maybe with an access-list? Is there some documentation you could recommend, please? Thanks in advance.
12-09-2021 10:40 AM
Hi @JulioGarcia ,
> I can only confirm that ports 80, 21, 110 and 143 are open
The fact that you are seeing these ports available from the Internet is probably a sign that you do not have an access-list in place or that the access-list allows only these ports. Please check the current configuration.
Regards,
12-09-2021 10:52 AM
Thanks. Oh, Mr. Harold, look, this is the IPv6 routing table without configuring any IPv6 route; I have disabled the IPv6 route to the VLAN. Here:
IPv6 Routing Table - default - 6 entries
Codes: C - Connected, L - Local, S - Static, U - Per-user Static route
B - BGP, HA - Home Agent, MR - Mobile Router, R - RIP
H - NHRP, D - EIGRP, EX - EIGRP external, ND - ND Default
NDp - ND Prefix, DCE - Destination, NDr - Redirect, O - OSPF Intra
OI - OSPF Inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2, ON1 - OSPF NSSA ext 1
ON2 - OSPF NSSA ext 2, la - LISP alt, lr - LISP site-registrations
ld - LISP dyn-eid, lA - LISP away, a - Application
ND ::/0 [2/0]
via FE80::CAE7:F0FF:FE53:BC88, Dialer1
C 2806:109F:1A:C407::/64 [0/0]
via Vlan1, directly connected
L 2806:109F:1A:C407::1/128 [0/0]
via Vlan1, receive
NDp FC00:1090:14:C407::/64 [2/0]
via Dialer1, directly connected
L FC00:1090:14:C407:7E69:F6FF:FE24:45D2/128 [0/0]
via Dialer1, receive
L FF00::/8 [0/0]
via Null0, receive
Could it be that Dialer1 doesn't have a GUA, and that is the reason I cannot connect to other sites, and when I route to the VLAN directly I can browse the other sites but lose access to my server from the outside (due to the routing misconfig)?
Thanks in advance.
12-09-2021 11:29 AM
Hi @JulioGarcia ,
> Could it be that dialer 1 doesn't have a GUA
The reason the Dialer interface doesn't have a GUA is that your SP sends you a ULA instead in the router advertisement.
ULA prefix: FC00:1090:14:C407::/64
This is not an issue.
> and that is the reason I cannot connect to other sites, and when I route to the VLAN directly I can browse the other
> sites but lose access to my server from the outside (due to the routing misconfig)?
This is not a misconfiguration and does not prevent your local devices from accessing the Internet.
Regards,
12-10-2021 10:20 AM
Greetings, Mr. Harold. Sorry for the delay, I was in a meeting. Then, how do I permit the VLAN to have full access to the Internet? Maybe through an ACL? Because when I add this command: ipv6 route ::/0 Vlan1, that is when we can browse all the sites without problems; the only issue is that we lose access from the outside, resulting in our web and mail servers having issues receiving and being reached from outside. I'm going to try with access-lists and report the results. Thanks in advance. God bless you.
12-10-2021 10:59 AM
Hi @JulioGarcia ,
This command certainly causes issues with connectivity, as it says that the next hop to go anywhere is Vlan1.
Could you post the most recent config so we can try to help with what is wrong?
Regards,
12-10-2021 11:28 AM - edited 12-10-2021 11:30 AM
Yes, this is the running config:
!
ip dhcp excluded-address 10.10.10.75
!
ip dhcp pool INTRANET
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.75
dns-server 10.10.10.6 1.1.1.1 1.0.0.1
lease 0 2
!
!
ip dhcp pool myserver
host 10.10.10.x 255.255.255.xxx
client-identifier xxxx.xxxx.xxxx.xxxx
default-router 10.10.10.75
domain-name mydomain.com
dns-server 10.10.10.6
!
!
ip domain name mydomain.com
ip host myhost 10.10.10.6
ip name-server 10.10.10.6
ip name-server 2606:4700:4700::1111
ip name-server 2606:4700:4700::1001
ip dhcp-server 10.10.10.75
ip cef
ipv6 unicast-routing
ipv6 cef
!
!
multilink bundle-name authenticated
chat-script cdma "" "atdt#777" TIMEOUT 60 "CONNECT"
license udi pid C887VAG-S-K9 sn FTX17318514
!
!
object-group network local_lan_subnets
10.10.10.0 255.255.255.128
!
username myusername privilege 15 secret 9 mypassword
!
!
!
!
controller VDSL 0
operating mode adsl2+ annex A
sync mode itu
sra
!
controller Cellular 0
no cdp run
!
!
!
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description DSL_Connection
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/81
tx-ring-limit 2
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport mode access
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet1
switchport mode access
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet2
switchport mode access
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface FastEthernet3
switchport mode access
no ip address
duplex full
speed 100
spanning-tree portfast
!
interface Cellular0
no ip address
encapsulation ppp
shutdown
dialer in-band
dialer string cdma
!
interface Vlan1
ip address 10.10.10.75 255.255.255.128
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ipv6 address FE80::XXXX:XXXX:XXXX:XXXX link-local
ipv6 address Prefix-Provider ::1/64
ipv6 enable
!
interface Dialer1
description INFINITUM_WAN
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ipv6 address autoconfig default
ipv6 enable
ipv6 mtu 1472
ipv6 dhcp client pd Prefix-Provider rapid-commit
ppp mtu adaptive
ppp authentication chap pap callin
ppp chap hostname myusername
ppp chap password 0 mypassword
ppp pap sent-username myusername password 0 mypassword
!
ip default-gateway 10.10.10.75
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list nat-list interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
ip access-list extended nat-list
permit icmp any any
permit ip object-group local_lan_subnets any
deny ip any any
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 ioam timestamp
!
access-list 23 permit 10.10.10.0 0.0.0.127
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 3
script dialer cdma
no exec
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh