Re: IPv6 to IPv4 translation

j.worley · ‎07-25-2013

I have confige a pair of Ace appliances with configuration provided by Cisco for this function, in that I have a Global IPv6 address x-lating to an IPv4 real server farm. I'm having no love. Does this functionality work with a static NAT IPv6 to IPv4? Also, the firewall in front of the Ace pair sees IPv6 traffic passing, but not reply. What would be the best capture command to see if the request (https) is actually reaching the Ace?

Jorge Bejarano · ‎07-25-2013

James,

http://www.cisco.com/en/US/prod/collateral/contnetw/ps5719/ps7027/product_bulletin_c25-687419.html

If you have an ACE30 you can get a 10gig captures on the switch.

If you have an ACE 4710 you need to take it in the switch directly connected to the ACE which faces the Client side

Jorge

ajayku2 · ‎07-26-2013

Hi,

if you just want to verify whether the traffic is hitting ACE or not you can try the following :

create a access list with source as client IP address. ( here source is 10.10.10.10 in my example )

ace-4710-1/Admin(config)# access-list captureacl extended permit tcp 10.10.10.10 255.255.255.0 any eq 443

ace-4710-1/Admin# capture capturetest all access-list captureacl

ace-4710-1/Admin# capture capturetest start

Once it is done you can stop it by using

ace-4710-2/Admin# capture capturetest stop

Save the file to disk :

ace-4710-2/Admin# copy capture capturetest disk0: test.pcap

hope that helps.

regards,

Ajay Kumar

ajayku2 · ‎07-26-2013

Hi,

I see you are willing to capture ipv6.

You can create ACL using ipv6 :

ace-4710-1/Admin(config)# access-list test extended permit ip

Specify source IP address

Specify source IPv6 address

any Any source address and mask (Equiv of 0.0.0.0 0.0.0.0)

anyv6 Any source address and mask (Equiv of 0::0/0)

host Configure source host

object-group Network object-group for source address

see if that helps. Or else Span is a good option as suggested by Jorge.

regards,

Ajay Kumar