Configuration in order to implement IPv6 with a ::/64 ISP prefix block

JulioGarcia (Level 1)

Greetings! Sorry for the inconvenience, but I'm implementing IPv6 addresses on my network because our ISP has implemented CGNAT on IPv4 addresses, but they have started implementing public IPv6 addresses. The prefix that I get from my ISP is dynamic, meaning it could change over time, like dynamic public IPv4 addresses. This is an example of one of the prefixes we receive dynamically:

2806:109F:1A:C407::/64

I need to configure my network in order for my server (DNS, web, e-mail) to have access to the Internet. Could you guide me in configuring my Cisco 887VAG2, please? My Cisco ISR router has all IPv6 commands enabled. The IOS version is 15.9.3.M4, with advipservices enabled.

My first try was a mess; although I achieved an IPv6 address configuration, I couldn't forward traffic to my local server running DNS, web and e-mail. I'm going to post my configuration without the IPv6 config that I did; better to start from a clean working IPv4 config. My Cisco can also run dual IPv4 and IPv6. I have an ADSL2+ connection.


Building configuration...

Current configuration : 7073 bytes
!
! Last configuration change at 18:08:04 GMT Fri Dec 3 2021 by ITJulio
version 15.9
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Gateway
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 xxxxxxxxxx
!
no aaa new-model
clock timezone GMT -6 0
!
!
!
!
!
!


!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.128
default-router 10.10.10.1
dns-server 10.10.10.6 1.1.1.1 1.0.0.1
lease 0 2
!
ip dhcp pool AccessPoint1
host 10.10.10.3 255.255.255.128
client-identifier xxxx.xxxxx.xxxx.xxxx
default-router 10.10.10.1
!
ip dhcp pool MobilePhone
host 10.10.10.5 255.255.255.128
client-identifier xxxx.xxx.xxx.xxx
default-router 10.10.10.1
!
ip dhcp pool Workstation1
host 10.10.10.4 255.255.255.128
client-identifier xxxx.xxxx.xxx.xxx
default-router 10.10.10.1
!
ip dhcp pool AccessPoint2
host 10.10.10.2 255.255.255.128
client-identifier xxx.xxxx.xxxx.xxx
default-router 10.10.10.1
!
ip dhcp pool Workstation2
host 10.10.10.9 255.255.255.128
client-identifier xxx.xxx.xxxx.xxx
default-router 10.10.10.1
!
ip dhcp pool server1
host 10.10.10.6 255.255.255.128
client-identifier xxx.xxxxx.xxxx.xxx
default-router 10.10.10.1
domain-name xxxxx
dns-server 10.10.10.6
!
!
!
ip dhcp snooping vlan 1
ip dhcp snooping
ip domain round-robin
ip domain name xxxxx
ip host xxxx 10.10.10.6
ip name-server 10.10.10.6
ip name-server 1.1.1.1
ip name-server 1.0.0.1
ip dhcp-server 10.10.10.1
ip cef
!
!
!
multilink bundle-name authenticated
license udi pid C887VAG-S-K9 sn xxxxxxxx
!
!
object-group network local_lan_subnets
10.10.10.0 255.255.255.128
!
username xxxxx privilege 15 secret 4 xxxxxxxxxxx
!
!
!
!
!
controller VDSL 0
operating mode adsl2+ annex A
sync mode itu
!
controller Cellular 0
!
!
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
description WAN
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 8/81
tx-ring-limit 2
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
no ip address
duplex full
speed 100
spanning-tree portfast
ip dhcp snooping trust
!
interface FastEthernet1
no ip address
duplex full
speed 100
spanning-tree portfast
ip dhcp snooping trust
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Cellular0
no ip address
encapsulation ppp
shutdown
!
interface Vlan1
description $LAN$
ip address 10.10.10.1 255.255.255.128
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer1
description WAN
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp mtu adaptive
ppp authentication chap pap callin
ppp chap hostname xxxxxxxx
ppp chap password 0 xxxxxxxx
ppp pap sent-username xxxxxxxx password 0 xxxxxxxxx
no cdp enable
!
ip default-gateway 10.10.10.1
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list nat-list interface Dialer1 overload
ip nat inside source static 10.10.10.6 interface Dialer1
ip nat inside source static tcp 10.10.10.6 21 interface Dialer1 21
ip nat inside source static tcp 10.10.10.6 25 interface Dialer1 25
ip nat inside source static udp 10.10.10.6 53 interface Dialer1 53
ip nat inside source static tcp 10.10.10.6 80 interface Dialer1 80
ip nat inside source static tcp 10.10.10.9 5900 interface Dialer1 5900
ip nat inside source static udp 10.10.10.9 5900 interface Dialer1 5900
ip nat inside source static tcp 10.10.10.5 9120 interface Dialer1 9120
ip nat inside source static tcp 10.10.10.4 1802 interface Dialer1 1802
ip nat inside source static tcp 10.10.10.4 30000 interface Dialer1 30000
ip nat inside source static udp 10.10.10.4 1802 interface Dialer1 1802
ip nat inside source static tcp 10.10.10.6 110 interface Dialer1 110
ip nat inside source static tcp 10.10.10.6 143 interface Dialer1 143
ip nat inside source static tcp 10.10.10.6 443 interface Dialer1 443
ip nat inside source static tcp 10.10.10.6 587 interface Dialer1 587
ip nat inside source static tcp 10.10.10.6 993 interface Dialer1 993
ip nat inside source static tcp 10.10.10.6 995 interface Dialer1 995
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
ip access-list extended nat-list
permit ip object-group local_lan_subnets any
permit icmp any any
deny ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.127
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
!
!
line con 0
login local
no modem enable
line aux 0
line 3
no exec
speed 144000
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
!
end


Thanks in advance.
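One way to do what the opening post asks, as an added example that is not JulioGarcia's configuration or a Cisco reference config: obtain the dynamic /64 by DHCPv6 prefix delegation on Dialer1 and derive the Vlan1 address from it, so nothing needs re-typing when the ISP changes the prefix. It assumes the ISP delegates the prefix over the PPPoE session and advertises a default router on it; the general-prefix name Prefix-Provider is the one used later in the thread, and the pool name LAN-DHCP6 and the DNS server address are chosen here.

```cisco
! Added example for the 887VA running config above; interface names match that config.
ipv6 unicast-routing
ipv6 cef
! The dialer must treat IPv6 as interesting traffic, or the session never carries it.
dialer-list 1 protocol ipv6 permit
!
interface Dialer1
 ! SLAAC on the WAN side; "default" installs the default route learnt from the
 ! ISP's router advertisement, so no static "ipv6 route ::/0" is needed.
 ipv6 address autoconfig default
 ipv6 enable
 ! Ask the ISP for a delegated prefix and keep it under the general-prefix name
 ! Prefix-Provider; the hint asks for a /64 like the one shown in the post.
 ipv6 dhcp client pd Prefix-Provider
 ipv6 dhcp client pd hint ::/64
 ! PPPoE MTU 1492 minus 40 (IPv6) minus 20 (TCP): same idea as the IPv4 adjust-mss.
 ipv6 tcp adjust-mss 1432
!
interface Vlan1
 ! Becomes <delegated-prefix>::1/64, e.g. 2806:109F:1A:C407::1/64, and follows the prefix.
 ipv6 address Prefix-Provider ::1/64
 ipv6 enable
 ! Hosts self-assign addresses from the RA; "other-config" tells them to fetch
 ! DNS settings from the stateless DHCPv6 pool below.
 ipv6 nd other-config-flag
 ipv6 dhcp server LAN-DHCP6
!
ipv6 dhcp pool LAN-DHCP6
 ! Assumed resolver: Cloudflare's IPv6 resolver, to match the 1.1.1.1 used for IPv4.
 dns-server 2606:4700:4700::1111
 domain-name example.net
```

After the PPPoE session is up, `show ipv6 general-prefix` shows the prefix the ISP delegated and `show ipv6 route` should list a `::/0` entry via the Dialer1 link-local next hop.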


Greetings Mr. Harold! How have you been? I have solved the issue. What I did was create an access-list and allow ICMP, TCP and UDP traffic. My server and devices are running fine with the IPv6 address now. Now I only have one problem: my web page is only reachable by clients that are on dual-stack (IPv6 and IPv4) or IPv6-only networks. How could I let an IPv4 client reach my mail server and web server? I have an IPv6 public address, but my IPv4 is behind a CG-NAT. I could retrieve the public IPv4 address, and also the private address that my ISP is giving me. Here's an example of my actual connection; my ISP service is providing me with dual stack (public IPv6 and CG-NAT IPv4):

This is the Public IPv4 address of the ISP 187.136.99.12

This is the CG-NAT IPv4 address that my ISP is assigning me for IPv4 connectivity: 10.134.94.135/32

This is the current IPv6 address, e.g. 2806:109f:1a:c407:55a0:6cf9:1655:3065.


How do I enable IPv4 networks to access my IPv6 web and mail servers?

I know some of the public IPv4 addresses (static) of the clients (they are coming from the Internet side) that are trying to connect to my services.


Thanks in advance. And God bless you all.

P.S.: If you need my current configuration, don't hesitate to ask.

OK, I have configured this route on my router:

ipv6 route ::/0 Vlan 1


The result: I have access to all the sites again, except my site. The server only translates the local address without the prefix, and it cannot be accessed from the outside.

Hi @JulioGarcia ,


> ipv6 route ::/0 Vlan 1


You should not add the default route towards your internal interface (Vlan1). The default route is learnt automatically from your WAN interface. Adding it towards your internal interface will break things.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Well, then should I configure ipv6 route ::/0 Dialer 1?

Now I'm going to use that prefix on VLAN1, which is the virtual interface that delegates the IPs to local PCs and servers.


interface Vlan1

ip address 10.10.10.75 255.255.255.128
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ipv6 address Prefix-Provider ::1/64
ipv6 enable


Now these are my sh ipv6 int brief results:

ATM0 [up/up]
unassigned
ATM0.1 [up/up]
unassigned
Cellular0 [administratively down/down]
unassigned
Dialer1 [up/up]
FE80::7E69:F6FF:FE24:45D2
Ethernet0 [administratively down/down]
unassigned
FastEthernet0 [up/up]
unassigned
FastEthernet1 [up/up]
unassigned
FastEthernet2 [up/up]
unassigned
FastEthernet3 [down/down]
unassigned
NVI0 [up/up]
unassigned
Virtual-Access1 [up/up]
FE80::7E69:F6FF:FE24:45D2
Vlan1 [up/up]
FE80::7E69:F6FF:FE24:45CE
2806:109F:1A:C407::1


The sh ipv6 int vlan 1 results:


Vlan1 is up, line protocol is up
IPv6 is enabled, link-local address is FE80::7E69:F6FF:FE24:45CE
No Virtual link-local address(es):
General-prefix in use for addressing
Global unicast address(es):
2806:109F:1A:C407::1, subnet is 2806:109F:1A:C407::/64 [CAL/PRE]
valid lifetime 85262 preferred lifetime 85262
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
FF02::1:FF24:45CE
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ICMP unreachables are sent
Input features: Common Flow Table Stile classification
Output features: Common Flow Table Stile Classification
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds (using 30000)
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
ND advertised default router preference is Medium
Hosts use stateless autoconfig for addresses.


And sh ipv6 dhcp binding doesn't show anything. By the way, this IPv6 address has been permitted access to the Internet.

Now here's the important part. How do I manage my IPv6 network and mount my main server (DNS, web, e-mail)? My local server has been configured to work with IPv6 addresses. How do I open ports and route the packets that each service would use?


Going to play with some parameters while waiting for your guidance. Thanks in advance.

Hi @JulioGarcia ,


> How to open ports and route the packets that each service would use.


I am not an expert at configuring the security rules, but configuring these rules for IPv6 should be pretty similar to what they are with IPv4.

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
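The "security rules" Harold refers to, as an added example that is not the poster's access-list or anything else from the thread: a stateless IPv6 ACL applied inbound on Dialer1 that exposes only the server's services, mirroring the IPv4 static NAT entries in the opening post but leaving out the cleartext FTP, POP3 and IMAP ports (21, 110, 143). It assumes the server sits at the delegated prefix plus ::6 (mirroring 10.10.10.6), that the prefix is the 2806:109F:1A:C407::/64 shown on Vlan1, and the ACL name WAN-IN is chosen here.

```cisco
! Added example. IOS IPv6 ACLs cannot reference a general-prefix name, so the
! host entries below must be rewritten whenever the ISP delegates a new prefix.
ipv6 access-list WAN-IN
 remark Neighbour discovery, PMTUD and ping must pass or IPv6 stops working.
 remark An explicit "deny ipv6 any any" overrides the implicit ND permits, so list them.
 permit icmp any any nd-na
 permit icmp any any nd-ns
 permit icmp any any router-advertisement
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any echo-request
 permit icmp any any echo-reply
 remark DHCPv6 prefix-delegation replies from the ISP (server port 547 to client port 546).
 permit udp any eq 547 any eq 546
 remark Published services, only towards the server (assumed address <prefix>::6).
 permit tcp any host 2806:109F:1A:C407::6 eq 25
 permit tcp any host 2806:109F:1A:C407::6 eq 53
 permit udp any host 2806:109F:1A:C407::6 eq 53
 permit tcp any host 2806:109F:1A:C407::6 eq 80
 permit tcp any host 2806:109F:1A:C407::6 eq 443
 permit tcp any host 2806:109F:1A:C407::6 eq 587
 permit tcp any host 2806:109F:1A:C407::6 eq 993
 permit tcp any host 2806:109F:1A:C407::6 eq 995
 remark Return traffic for TCP sessions the LAN opened, and DNS answers to LAN resolvers.
 permit tcp any any established
 permit udp any eq 53 any gt 1023
 remark Everything else is dropped and logged so probes show up in "show logging".
 deny ipv6 any any log
!
interface Dialer1
 ipv6 traffic-filter WAN-IN in
```

`show ipv6 access-list WAN-IN` shows per-entry hit counts, which is the quickest way to confirm the server entries match and to spot what the final deny is catching.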

No problem, I'm going to investigate further and share results. By the way, I can ping the sites that I couldn't access from my computer, but from my router I cannot ping them. Any idea? Thanks in advance.