Cisco - клиент может пинговать, но маршрутизатор не

1

Я настроил туннель IPv6 HE.net на моем маршрутизаторе, который имеет два порта WAN. Странно то, что все клиенты могут пинговать хосты IPv6 в Интернете, но мой маршрутизатор не может никого пинговать.

Вот конфигурация:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gateway
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 xxxxxxxxxxxxxxxx
!
aaa new-model
!
!
!
!
!         
!
!
aaa session-id common
!
ipv6 unicast-routing
ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 172.16.10.1 172.16.10.10
ip dhcp excluded-address 172.16.10.200 172.16.10.254
ip dhcp excluded-address 172.16.20.1 172.16.20.10
ip dhcp excluded-address 172.16.20.200 172.16.20.254
!
ip dhcp pool A-Group
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.254 
 dns-server 172.16.10.254 
!
ip dhcp pool B-Group
 network 172.16.20.0 255.255.255.0
 default-router 172.16.20.254 
 dns-server 172.16.20.254 
!
!
ip domain name internal.xxxxxx.net
ip name-server 2001:4860:4860::8888
ip name-server 2001:470:20::2
ip name-server 8.8.8.8
ip ddns update method TunnelBroker
 HTTP
  add https://xxxx:xxxxxxxxx@ipv4.tunnelbroker.net/ipv4_end.phptid=xxxxxx
 interval maximum 0 1 0 0
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint tunnelbroker
 enrollment terminal pem
 revocation-check none
!
!
crypto pki certificate chain tunnelbroker
 certificate ca 01
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    quit
license udi pid CISCO2901/K9 sn FGL170311S6
!
!
object-group network PRIVATE-NET 
 host xxx.xxx.xxx.xxx
!
username xxxxxx password 0 xxxxxxxx
!
!
ip ssh time-out 60
ip ssh authentication-retries 5
!
!
!
!
interface Tunnel0
 no ip address
 ipv6 address 2001:470:xxxx:xxxx::2/64
 ipv6 enable
 tunnel source Dialer2
 tunnel mode ipv6ip
 tunnel destination 72.52.104.74
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 2
!
interface GigabitEthernet0/1
 no ip address
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1/0
 mtu 1496
 no ip address
 ip nat inside
 ip virtual-reassembly in
 negotiation auto
!
interface GigabitEthernet0/1/0.10
 encapsulation dot1Q 10
 ip address 172.16.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ipv6 address 2001:xxx:xxx:10::1/64
 ipv6 enable
!
interface GigabitEthernet0/1/0.20
 encapsulation dot1Q 20
 ip address 172.16.20.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ipv6 address 2001:xxx:xxx:20::1/64
 ipv6 enable
!
interface Dialer1
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp chap hostname xxxxxxxxxxx
 ppp chap password 0 xxxxxxxxxxx
 ppp pap sent-username xxxxxxxx password 0 xxxxxxx
 ppp ipcp dns request
!
interface Dialer2
 ip ddns update TunnelBroker
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 2
 ppp chap hostname xxxxxx
 ppp chap password 0 xxxxxxx
 ppp pap sent-username xxxxxx password 0 xxxxxx
 ppp ipcp dns request
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source route-map dia1-nat interface Dialer1 overload
ip nat inside source route-map dia2-nat interface Dialer2 overload
ip route 0.0.0.0 0.0.0.0 Dialer2
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 72.52.104.74 255.255.255.255 Dialer2
!
ip access-list extended PRIVATE-POOL
 permit ip object-group PRIVATE-NET any
ip access-list extended WAN-POOL
 permit ip any any
!
ipv6 route ::/0 Tunnel0
!
route-map dia2-nat permit 10
 match ip address WAN-POOL
 match interface Dialer2
!         
route-map dia1-nat permit 10
 match ip address PRIVATE-POOL
 match interface Dialer1
!
!
!
!
!
control-plane
!
!
!
----omitted----

На стороне клиента:

xxxx$ ping6 google.com
PING6(56=40+8+8 bytes) 2001:470:8318:10:dc24:208e:6843:8932 --> 2404:6800:4008:c00::66
16 bytes from 2404:6800:4008:c00::66, icmp_seq=0 hlim=52 time=343.733 ms
16 bytes from 2404:6800:4008:c00::66, icmp_seq=1 hlim=52 time=343.917 ms
16 bytes from 2404:6800:4008:c00::66, icmp_seq=2 hlim=52 time=345.722 ms
^C
--- google.com ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 343.733/344.457/345.722/0.897 ms

На роутере:

gateway#ping 2404:6800:4008:c00::66
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2404:6800:4008:C00::66, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
gateway#
Линфэн Сюн
источник
Не связано, но так как у вас есть пароль типа 4 ... tools.cisco.com/security/center/content/CiscoSecurityResponse/…
cpt_fink

Ответы:

0

Я удалил части multi-wan (маршрутизатор по умолчанию и NAT), и это работает ... Понятия не имею, почему :-(

Линфэн Сюн
источник
0

Вы смешиваете IPv4 и IPv6. Думайте о них как о совершенно разных протоколах, таких как OSPF / EIGRP, они не разговаривают, пока вы им не скажете. Вы должны «думать» как маршрутизатор.

user1043064
источник