permit icmpv6 on ipv4 access-list on tunnel

simonbmadsen

Hello

I have a little problem with an ipv4 access-list blocking my ipv6 tunnel.

My tunnel is working and is as follows:

interface Tunnel0
 no ip address
 ipv6 address <IPV6 address::2>
 ipv6 enable
 tunnel source <Local WAN interface>
 tunnel mode ipv6ip
 tunnel destination <remote IPV4 IP on tunnel>

Then when I apply the access-list below to the WAN interface in the IN direction, IPv6 stops working (everything works on IPv4 when the access-list is applied). By this I mean I can't ping ipv6.google.com or ipv6.google.com's IP. I can still ping the remote tunnel IPv6 IP (<IPV6 address::1>).

The access-list i apply is as follows:

permit tcp any any established
permit udp any eq domain any
permit udp any eq 67 any eq 68
permit udp any eq 123 any
permit udp any eq 3740 any
permit udp any eq 41 any
permit udp any eq 5072 any
permit icmp any any
deny ip any any log

The following are the requirements the tunnel provider asks for, and one of the entries is ICMPv6. Is it possible to allow ICMPv6 on a Cisco access-list?

| Protocol / port | Host | IP version | Name | Purpose | Notes |
|---|---|---|---|---|---|
| TCP 3874 | tic.sixxs.net | IPv4 | TIC (Tunnel Information & Control Protocol) | Used for retrieving the tunnel information (eg by AICCU) | Uses TCP and should work without problems |
| UDP 3740 | PoP | IPv4 | Heartbeat Protocol | Used for signaling where the current IPv4 endpoint of the tunnel is and that it is alive | Outbound from user to PoP only |
| Protocol 41 | PoP | IPv4 | IPv6 over IPv4 (6in4 tunnel) | Used for tunneling IPv6 over IPv4 (static + heartbeat tunnels) | One needs to appoint the internal host as the DMZ host, which usually lets it pass the NAT |
| UDP 5072 | PoP | IPv4 | AYIYA (Anything In Anything) | Used for tunneling IPv6 over IPv4 (AYIYA tunnels) | Should cross most NATs and even firewalls without any issues |
| ICMPv6 Echo/Response | Tunnel endpoints | IPv6 | Internet Control Message Protocol for IPv6 | Used for testing if a tunnel is alive by pinging the tunnel endpoint (tunnel::2) from the PoP side of the tunnel (tunnel::1) on the tunnel | None, as it happens inside the tunnel |

Did I miss anything?

Side question: I added "deny ip any any log" to the access list, but it adds no logging entries to the log (show log). I'm sure it gets hits, because when I run "show access-lists" I see: 110 deny ip any any log (2210 matches).

Hope someone can help me.

simonbmadsen

Okay, I finally figured it out.

I tried to enable all possible "any any" options in the access-list, like GRE and IPINIP any any, but still no luck.

The only "any any" that helped me was PERMIT IP ANY ANY, but I removed it again since this is not a solution for me.

I found a logging entry denying 41 from the remote tunnel gateway to my WAN IP.

I added this to my access-list, but it didn't help:

permit tcp any eq 41 any
permit udp any eq 41 any
permit tcp any any eq 41
permit udp any any eq 41

Finally I added "Permit IP host host " and it worked.

Apparently protocol 41 doesn't use UDP or TCP?

Any help on that?

Hi,

In the above ACL you are at least specifying UDP and source and destination ports of 41.

If you wanted to specify IPv6 on an IPv4 ACL, I guess the format would be "permit 41 any any", for example.

Though I have barely touched IPv6 myself yet. Wouldn't it be possible to configure both an IPv4 ACL and an IPv6 ACL and attach them to the same interface?

Though looking at my own router, it doesn't support those commands while other devices do. Might be some software/model related thing, I guess.

- Jouni

Thank you for your reply.

I removed "Permit IP host host "

and added "Permit 41 host host "

It still works. I thought it was on UDP/TCP port 41, but it's on IP protocol 41.

To answer your question about the possibility of adding an IPv6 access-list to the same interface: the answer is yes, but that didn't work in my case since it's IPv6 tunneled through IPv4.

An IPv6 access-list is applied as a "traffic-filter" under the interface.

example:

conf t
 int X
  ipv6 traffic-filter

/Simon
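The point Simon arrives at above, that 6in4 is IP protocol 41 rather than a TCP/UDP port and that the ICMPv6 keepalive rides inside it where an IPv4 ACL never sees it, worked through as an added example (not from the thread or from Cisco): a constructed 6in4 packet is built, the outer-header view an IPv4 ACL gets is extracted, and a simplified IOS-style first-match evaluator is run over the thread's ACL with and without the protocol-41 entry. The addresses, the ACE grammar subset and the evaluator itself are assumptions made for this example.

```python
import struct
from ipaddress import IPv4Address
# Constructed addresses (not from the thread): the PoP's tunnel endpoint and the customer's WAN IP.
POP_V4, WAN_V4 = "198.51.100.1", "203.0.113.2"
PROTO_NUMS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17}   # "ip" matches any protocol number

def build_6in4_echo(src4, dst4):
    """Outer IPv4 (protocol 41) wrapping IPv6 (Next Header 58) wrapping an ICMPv6 echo request."""
    icmp6 = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)         # type 128 = echo request; checksum omitted
    v6 = struct.pack("!IHBB", 0x60000000, len(icmp6), 58, 64)   # version 6, payload length, NH=58, hop limit
    v6 += bytes.fromhex("20010db8" + "0" * 23 + "1")             # tunnel::1 (constructed, documentation prefix)
    v6 += bytes.fromhex("20010db8" + "0" * 23 + "2")             # tunnel::2
    v4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(v6) + len(icmp6), 0, 0, 64, 41, 0,
                     IPv4Address(src4).packed, IPv4Address(dst4).packed)   # protocol field = 41
    return v4 + v6 + icmp6

def outer_view(pkt):
    """What an IPv4 ACL on the WAN interface sees: only the outer IPv4 header, never the ICMPv6 inside."""
    proto, hl = pkt[9], (pkt[0] & 0x0F) * 4
    ports = struct.unpack("!HH", pkt[hl:hl + 4]) if proto in (6, 17) else None   # ports exist only for TCP/UDP
    return {"proto": proto, "src": str(IPv4Address(pkt[12:16])), "dst": str(IPv4Address(pkt[16:20])), "ports": ports}

def parse_ace(text):  # ACE shapes used in the thread: action proto src [eq P] dst [eq P] [flags]
    tok = text.split()
    proto = PROTO_NUMS[tok[1]] if tok[1] in PROTO_NUMS else int(tok[1])
    ends, i = [], 2
    while len(ends) < 2:                                   # source endpoint, then destination endpoint
        addr = tok[i + 1] if tok[i] == "host" else None    # "any" leaves addr as None
        i += 2 if addr else 1
        port = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        i += 2 if port is not None else 0
        ends.append((addr, port))
    return proto, ends

def ace_matches(proto, ends, pkt):
    if proto is not None and proto != pkt["proto"]:
        return False
    return all((addr is None or addr == have) and (port is None or (pkt["ports"] and pkt["ports"][idx] == port))
               for (addr, port), have, idx in zip(ends, (pkt["src"], pkt["dst"]), (0, 1)))

def first_match(acl, pkt):
    return next((line for line in acl if ace_matches(*parse_ace(line), pkt)), None)   # None = implicit deny

ORIGINAL_ACL = ["permit tcp any any established", "permit udp any eq 3740 any", "permit udp any eq 41 any",
                "permit udp any any eq 41", "permit icmp any any", "deny ip any any log"]   # thread's ACL + port-41 tries
FIXED_ACL = [f"permit 41 host {POP_V4} host {WAN_V4}"] + ORIGINAL_ACL   # the protocol-41 entry that worked

def verdicts():
    pkt = outer_view(raw := build_6in4_echo(POP_V4, WAN_V4))
    return pkt["proto"], raw[26], first_match(ORIGINAL_ACL, pkt), first_match(FIXED_ACL, pkt)   # raw[26] = inner Next Header
```

The outer header carries protocol 41 and no ports, so every "eq 41" entry is skipped and the packet falls through to "deny ip any any log"; the inner Next Header 58 (ICMPv6) is only ever visible after decapsulation on Tunnel0.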