[c-nsp] Searching for cheap IPv6 NAT-PT Cisco-device
Hello,

I would like to connect IPv4-only devices like printers to an IPv6-only Network and I thought about doing this with NAT-PT on a cisco-device. To play around with NAT-PT and do some tests I need a cheap device.

According to the cisco document Implementing NAT-PT for IPv6 (http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-nat_trnsln_ps6350_TSD_Products_Configuration_Guide_Chapter.html) I need IOS 12.4(2)T if I want to use all the available features.

What is the cheapest cisco-device with at least two or better four fast ethernet ports running IOS 12.4(2)T to evaluate, if configuring NAT-PT is a solution for my problem?

greetings and thanks for help,
Andreas

--
Zentrum für Datenverarbeitung
Abteilung Netze
Tel: 07071-2970342
Fax: 07071-295912

___
cisco-nsp mailing list cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] PIX ipv6 neighbour problem
Hello,

thanks for your hint concerning the shared interfaces. When I disabled the interface in other contexts, the neighbour-discovery started working again. The problem occurred due to a "no mac-address auto" in the config. When I changed this to "mac-address auto" the neighbour discovery works in all contexts with shared interfaces.

thanks for help,
Andreas

On 10/19/2010 06:07 PM, Andrew Yourtchenko wrote:

Hi Andreas,

On Tue, 19 Oct 2010, Andreas Mueller wrote:

Hello, my PIX515E is running PIX 8.0.4 with multiple contexts. In one of my contexts I would like to have IPv6 connectivity. The Interface is configured as

I silently assume but just to verify - no shared interface between the contexts ?

[snip]

S ::/0 [0/0] via :::1::d, inside

when I tried to ping the IP (:::1::e8) of the PIX on the inside interface from a linux box I get no responses. When I look at the output of the command show ipv6 neighbours, started multiple times during the pings I get the following outputs:

pix515e/s6ipv6# show ipv6 neigh
IPv6 Address                 Age Link-layer Addr State Interface
fe80::20a:b8ff:fefb:6d43     518 000a.b8fb.6d43  STALE inside
fe80::221:85ff:feca:6146       - 0021.85ca.6146  REACH inside

pix515e/s6ipv6# show ipv6 neigh
IPv6 Address                 Age Link-layer Addr State Interface
fe80::20a:b8ff:fefb:6d43     518 000a.b8fb.6d43  STALE inside
:::1::d                        0 0021.85ca.6146  DELAY inside
fe80::221:85ff:feca:6146       - 0021.85ca.6146  REACH inside

pix515e/s6ipv6# show ipv6 neigh
IPv6 Address                 Age Link-layer Addr State Interface
fe80::20a:b8ff:fefb:6d43     519 000a.b8fb.6d43  STALE inside
:::1::d                        0 0021.85ca.6146  PROBE inside
fe80::221:85ff:feca:6146       - 0021.85ca.6146  REACH inside

pix515e/s6ipv6# show ipv6 neigh
IPv6 Address                 Age Link-layer Addr State Interface
fe80::20a:b8ff:fefb:6d43     519 000a.b8fb.6d43  STALE inside
fe80::221:85ff:feca:6146       - 0021.85ca.6146  REACH inside

Looks like we've already got the neighbor entry for pref:1::d, then tried to send the NS to it and failed ?
here is the output of the PIX-debugging:

Oct 19 15:55:52 pix515e %PIX-7-609001: Built local-host identity:fe80::20e:cff:fe80:c80c
Oct 19 15:55:52 pix515e %PIX-7-609001: Built local-host inside:ff02::1
Oct 19 15:55:52 pix515e %PIX-6-302020: Built outbound ICMP connection for faddr ff02::1/0 gaddr fe80::20e:cff:fe80:c80c/0 laddr fe80::20e:cff:fe80:c80c/0
Oct 19 15:55:52 pix515e %PIX-7-711001: ICMPv6-ND: Sending RA to ff02::1 on inside
Oct 19 15:55:52 pix515e %PIX-7-711001: ICMPv6-ND: MTU = 1500
Oct 19 15:55:52 pix515e %PIX-7-711001: IPV6: source fe80::20e:cff:fe80:c80c (local)
Oct 19 15:55:52 pix515e %PIX-7-711001: dest ff02::1 (inside)
Oct 19 15:55:52 pix515e %PIX-7-711001: traffic class 224, flow 0x0, len 72+0, prot 58, hops 255, originating
Oct 19 15:55:52 pix515e %PIX-7-711001: IPv6: Sending on inside
Oct 19 15:55:56 pix515e %PIX-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::20e:cff:fe80:c80c/0 laddr fe80::20e:cff:fe80:c80c/0
Oct 19 15:55:56 pix515e %PIX-7-609002: Teardown local-host identity:fe80::20e:cff:fe80:c80c duration 0:00:04
Oct 19 15:55:56 pix515e %PIX-7-609002: Teardown local-host inside:ff02::1 duration 0:00:04

Based on the timestamps, seems like the ICMP connection was built to send the RA - so I do not see any traces of ND working here at all...
Give it a shot this way: debug ipv6 nd, deb ipv6 icmp then clear ipv6 neigh, you should have something like this when pinging from the linux box:

ASA(config)# clear ipv6 neigh
ASA(config)# deb ipv6 nd
ASA(config)# deb ipv6 icmp
ASA(config)# sh ipv6 neigh
ASA(config)# ICMPv6: Received ICMPv6 packet from 2002:c01d:cafe:1002:218:51ff:fef9:bceb, type 128
ICMPv6: Received echo request from 2002:c01d:cafe:1002:218:51ff:fef9:bceb
ICMPv6: Sending echo reply to 2002:c01d:cafe:1002:218:51ff:fef9:bceb
ICMPv6-ND: DELETE - INCMP: 2002:c01d:cafe:1002:218:51ff:fef9:bceb
ICMPv6-ND: Sending NS for 2002:c01d:cafe:1002:218:51ff:fef9:bceb on inside
ICMPv6: Received ICMPv6 packet from 2002:c01d:cafe:1002:218:51ff:fef9:bceb, type 136
ICMPv6-ND: Received NA for 2002:c01d:cafe:1002:218:51ff:fef9:bceb on inside from 2002:c01d:cafe:1002:218:51ff:fef9:bceb
ICMPv6-ND: INCMP - REACH: 2002:c01d:cafe:1002:218:51ff:fef9:bceb
ICMPv6: Received ICMPv6 packet from 2002:c01d:cafe:1002:218:51ff:fef9:bceb, type 128
ICMPv6: Received echo request from 2002:c01d:cafe:1002:218:51ff:fef9:bceb
ICMPv6: Sending echo reply to 2002:c01d:cafe:1002:218:51ff:fef9:bceb
ICMPv6: Received ICMPv6 packet from 2002:c01d:cafe:1002:218:51ff:fef9:bceb, type 128
ICMPv6: Received echo request from 2002:c01d:cafe:1002:218:51ff:fef9:bceb
ICMPv6: Sending echo reply to 2002:c01d:cafe:1002:218:51ff:fef9:bceb
ICMPv6: Received ICMPv6 packet from fe80::218:51ff:fef9:bceb, type 135
ICMPv6-ND: Received NS for fe80::21e:7aff:fe36:6d37 on inside from fe80::218:51ff:fef9:bceb
ICMPv6-ND: DELETE - INCMP: fe80::218:51ff:fef9:bceb
ICMPv6-ND: INCMP - STALE: fe80::218:51ff:fef9:bceb
ICMPv6
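The pattern read off the repeated `show ipv6 neigh` outputs in this thread (an entry appears in DELAY, moves to PROBE, then vanishes) can be checked mechanically when many snapshots are collected. The following is an added example, not code from the thread or from Cisco; the function names are hypothetical and the sample data is constructed, with 2001:db8:0:1::d standing in for the anonymized gateway address.

```python
import re

MAC = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")

def parse_snapshot(text):
    """Return {address: state} for one `show ipv6 neigh` output."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        # Data rows have 5 fields: address, age, link-layer addr, state, interface.
        if len(fields) == 5 and MAC.match(fields[2]):
            table[fields[0]] = fields[3]
    return table

def failed_probes(snapshots):
    """Addresses whose entry sat in DELAY or PROBE and was gone in the next
    snapshot, i.e. unreachability detection was started and never answered."""
    history = {}
    for snap in map(parse_snapshot, snapshots):
        for addr in set(history) | set(snap):
            history.setdefault(addr, []).append(snap.get(addr, "GONE"))
    return sorted(
        addr for addr, states in history.items()
        if any(a in ("DELAY", "PROBE") and b == "GONE"
               for a, b in zip(states, states[1:]))
    )

# Constructed sample modelled on the thread's outputs; 2001:db8:0:1::d is a
# documentation-prefix stand-in for the anonymized gateway address.
STALE = "fe80::20a:b8ff:fefb:6d43 518 000a.b8fb.6d43 STALE inside\n"
REACH = "fe80::221:85ff:feca:6146 - 0021.85ca.6146 REACH inside\n"
HEADER = "IPv6 Address Age Link-layer Addr State Interface\n"
SNAPSHOTS = [
    HEADER + STALE + REACH,
    HEADER + STALE + "2001:db8:0:1::d 0 0021.85ca.6146 DELAY inside\n" + REACH,
    HEADER + STALE + "2001:db8:0:1::d 0 0021.85ca.6146 PROBE inside\n" + REACH,
    HEADER + STALE + REACH,
]

if __name__ == "__main__":
    for addr in failed_probes(SNAPSHOTS):
        print(f"{addr}: probed but never confirmed reachable")
```

An address reported here is one the firewall tried to confirm and could not, which is the cue to look at the debug output for missing NS/NA exchanges on that interface.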
[c-nsp] PIX ipv6 neighbour problem
Hello,

my PIX515E is running PIX 8.0.4 with multiple contexts. In one of my contexts I would like to have IPv6 connectivity. The Interface is configured as follows (anonymized IPv6 address)

-- interface:
interface GigabitEthernet1
 nameif inside
 security-level 100
 ip address 192.168.1.232 255.255.255.0
 ipv6 address :::1::e8/64
 ipv6 nd prefix :::1::/64 no-advertise no-autoconfig

-- ipv6-routing:
Codes: C - Connected, L - Local, S - Static
L :::1::e8/128 [0/0]
   via ::, inside
C :::1::/64 [0/0]
   via ::, inside
L fe80::/10 [0/0]
   via ::, int_ipv6
   via ::, outside
   via ::, inside
L ff00::/8 [0/0]
   via ::, int_ipv6
   via ::, outside
   via ::, inside
S ::/0 [0/0]
   via :::1::d, inside

when I tried to ping the IP (:::1::e8) of the PIX on the inside interface from a linux box I get no responses. When I look at the output of the command show ipv6 neighbours, started multiple times during the pings I get the following outputs:

pix515e/s6ipv6# show ipv6 neigh
IPv6 Address                 Age Link-layer Addr State Interface
fe80::20a:b8ff:fefb:6d43     518 000a.b8fb.6d43  STALE inside
fe80::221:85ff:feca:6146       - 0021.85ca.6146  REACH inside

pix515e/s6ipv6# show ipv6 neigh
IPv6 Address                 Age Link-layer Addr State Interface
fe80::20a:b8ff:fefb:6d43     518 000a.b8fb.6d43  STALE inside
:::1::d                        0 0021.85ca.6146  DELAY inside
fe80::221:85ff:feca:6146       - 0021.85ca.6146  REACH inside

pix515e/s6ipv6# show ipv6 neigh
IPv6 Address                 Age Link-layer Addr State Interface
fe80::20a:b8ff:fefb:6d43     519 000a.b8fb.6d43  STALE inside
:::1::d                        0 0021.85ca.6146  PROBE inside
fe80::221:85ff:feca:6146       - 0021.85ca.6146  REACH inside

pix515e/s6ipv6# show ipv6 neigh
IPv6 Address                 Age Link-layer Addr State Interface
fe80::20a:b8ff:fefb:6d43     519 000a.b8fb.6d43  STALE inside
fe80::221:85ff:feca:6146       - 0021.85ca.6146  REACH inside

here is the output of the PIX-debugging:

Oct 19 15:55:52 pix515e %PIX-7-609001: Built local-host identity:fe80::20e:cff:fe80:c80c
Oct 19 15:55:52 pix515e %PIX-7-609001: Built local-host inside:ff02::1
Oct 19 15:55:52 pix515e %PIX-6-302020: Built outbound ICMP connection for faddr ff02::1/0 gaddr fe80::20e:cff:fe80:c80c/0 laddr fe80::20e:cff:fe80:c80c/0
Oct 19 15:55:52 pix515e %PIX-7-711001: ICMPv6-ND: Sending RA to ff02::1 on inside
Oct 19 15:55:52 pix515e %PIX-7-711001: ICMPv6-ND: MTU = 1500
Oct 19 15:55:52 pix515e %PIX-7-711001: IPV6: source fe80::20e:cff:fe80:c80c (local)
Oct 19 15:55:52 pix515e %PIX-7-711001: dest ff02::1 (inside)
Oct 19 15:55:52 pix515e %PIX-7-711001: traffic class 224, flow 0x0, len 72+0, prot 58, hops 255, originating
Oct 19 15:55:52 pix515e %PIX-7-711001: IPv6: Sending on inside
Oct 19 15:55:56 pix515e %PIX-6-302021: Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::20e:cff:fe80:c80c/0 laddr fe80::20e:cff:fe80:c80c/0
Oct 19 15:55:56 pix515e %PIX-7-609002: Teardown local-host identity:fe80::20e:cff:fe80:c80c duration 0:00:04
Oct 19 15:55:56 pix515e %PIX-7-609002: Teardown local-host inside:ff02::1 duration 0:00:04

the neighbour discovery is working well if I ping one linux-host from another.

greetings and thanks for help,
Andreas

--
Zentrum für Datenverarbeitung
Abteilung Netze
Tel: 07071-2970342
Fax: 07071-295912
[c-nsp] NAT-Device with authentication ?
Hello,

are there any (cisco)-NAT-devices which enable the NAT after the user has done some kind of authentication - which is checked against a radius-server or an active directory for example? What I need is like a captive portal connected to a NAT-device.

The scenario I try to have is: The user will get its IP-address from a private IP-range via DHCP after connecting his computer to the network. With this address he should be able to connect to services within his internal network. But to connect to computers outside his network he should authenticate himself.

thanks for hints
greetings,
Andreas
[c-nsp] Device for mapping IPv6 to IPv4-addresses
Hello,

I need to realize an IPv6-island inside an IPv4 network. To connect my IPv6-island to the IPv4-world I need a network-device with the following features:

- the IPv6-addresses need to be mapped (dynamically) to IPv4-addresses for internet-connectivity.
- the IPv6-Island will contain about a hundred computers.
- some servers in the IPv6-island have to be reached from the outside-world by a static-IPv4-address.
- the network is based on gigabit ethernet.

what possibilities do I have to realize this scenario?

thanks for help
happy weekend,
Andreas Mueller