Showing results for 
Search instead for 
Did you mean: 

Cisco protocol=41 forwarding


Dear community,

I am trying to set up a 6to4 tunnel on one of my local hosts. I have set up all required ipv6 addresses and default gw's. When I initiate a traceroute from a traceroute6 tool at SixXs, to my own IPv6 address, i am receiving the following entries in my "debug ip packet detail" screen:

*Nov 11 03:57:59: IP: s=TUNNELBROKERIPv4(FastEthernet4), d=MYIPv4(FastEthernet4), len 124, rcvd 3, proto=41

*Nov 11 03:57:59: IP: s=TUNNELBROKERIPv4 (FastEthernet4), d=MYIPv4, len 124, unknown protocol, proto=41

I have added the following entry to allow ipv6 in ipv4 packets:

"permit 41 any any"

My question is how come the router does not recognize the proto=41 but does allow me to configure a permit entry for ipv6 in ipv4 packets?

*Nov 11 03:58:35: %SEC-6-IPACCESSLOGNP: list WAN-IN permitted 41 213.121.24.x -> MyIPv4, 35 packets

Does anyone know how i can forward these communications to my inside host?

Thanks in advance,




Is your tunnel configured as "tunnel mode ipv6ip 6to4" ?

If yes then can you supply some configs?

Hi mark,

Well the thing is, my tunnel endpoint is configured on my local linux host. See the following figure:

------- linux host 2.6 (ip tunnel mode sit) ----->>>---- cisco 2924 ----->>>--- cisco 851 (nat, permit 41 any) --->> inet cloud

But the cisco 851 does not seem to know how to handle the replies coming from the ipv6 tunnel broker back to my tunnel endpoint (the linux host). Maybe someone knows how i can forward these "unknown protocol" packets to the linux box.


can you supply the config of the Cisco851 (I'm assuming this is where the packets are being dropped)?

that's right, they are dropped at the Cisco 851's site. I am not at home right now, but i will supply you the config as soon as i am home.

Btw, I have also already mailed cisco support, why the 851 seems not to support ipv6 commands. I have bought this model especially because the product page described it should support all of the main ipv6 features. Apparently it does not, because the 850 only supports the advsecurity IOS instead of the advancedIP suite, which includes the IPv6 suite.


there you go:

see attachment


Can you confirm if traffic is being permitted outbound as the IP Inspect only allows TCP/UDP and ICMP.

My other concern is the NAT. IPV6 6to4 tunnels map the IPV6 destination address to a IPV4 address for transporting the traffic through the IPV4 network. If the IPV4 address is NATted this effectivley breakes the mapping between IPV4 and IPV6.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: