07-25-2023 06:38 AM
Hi,
I am trying to configure static routing on an ASA 5510 firewall using IPv6 addresses.
I have configured the following IPv6 addresses, based on a simple network, in order to generate traffic flow through the firewall while accessing all the hosts and the server.
I am able to ping from the ASA:
1) FC00::4:2
2) FC00:5::2
3) FC00:7::1
4) FC00:8:1
But not the other way, from any of the hosts or the DMZ.
--> Can anyone suggest where I am going wrong or what I am missing?
*** Kindly provide any video or constructive steps to resolve this issue.
The following shows the respective IPv6 configuration.
Configuring outside (Router 2901 side):
ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)# ipv6 address FC00::4:2/64
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
ciscoasa(config)# ipv6 route outside 0::0/0 FC00::4:1
ciscoasa(config)# show ipv6 route
Configuring Server16 DMZ:
ciscoasa(config)# interface GigabitEthernet0/2
ciscoasa(config-if)# ipv6 address FC00:5::1/64
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
Configuring inside (Building A (LAN 1) and Building B (LAN 2)):
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# ipv6 address FC00:6::1/64
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
Configuring inside VLAN 1:
ciscoasa(config)# interface GigabitEthernet0/1.1
ciscoasa(config-if)# ipv6 address FC00:7::1/64
ciscoasa(config-if)# vlan 1
ciscoasa(config-if)# nameif inside-lan1
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
Configuring inside VLAN 2:
ciscoasa(config)# interface GigabitEthernet0/1.2
ciscoasa(config-if)# ipv6 address FC00:8::1/64
ciscoasa(config-if)# vlan 2
ciscoasa(config-if)# nameif inside-lan2
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
Configuring static routes from the hosts to the firewall:
ciscoasa(config)#ipv6 route inside-lan1 F000:7::0/64 FC00:6::1
ciscoasa(config)#ipv6 route inside-lan2 F000:8::0/64 FC00:6::1
ciscoasa(config)#ipv6 route inside F000::0:0/64 Fc00:5::1
Access-list config:
ciscoasa(config)# access-list OUT extended permit ip host FC00:5::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:5::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:5::2 any
ciscoasa(config)# access-list IN extended permit ip host FC00:5::2 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:6::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:6::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:7::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:7::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:8::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:8::1 any
ciscoasa(config)#access-group acl_dmz in interface dmz
ciscoasa(config)#access-group acl_dmz out interface dmz
ciscoasa(config)#ipv6 route inside-lan1 FC00::/64 FC00::FFFF:FFFF:FFFF:FFFF
ciscoasa(config)#ipv6 route inside-lan2 FC00::/64 FC00::FFFF:FFFF:FFFF:FFFF
ciscoasa(config)#ipv6 route dmz FC00:0005::/64 FC00:0005::FFFF:FFFF:FFFF:FFFF
ICMP:
ciscoasa(config)# access-list OUT extended permit icmp host FC00:5::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:5::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:5::2 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:5::2 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:6::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:6::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:7::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:7::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:8::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:8::1 any
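As an added example (not from the thread, and not Cisco code), the following Python script reads a running-config in the shape of the commands posted above and flags the classes of mistake a reviewer would look for in it: a physical interface that is named and addressed while also carrying VLAN subinterfaces, a static route whose next hop is not on-link for the named egress interface (the F000: routes above point at FC00:6::1 and FC00:5::1 from interfaces that are not on those links), an access-group that references an ACL that was never defined (acl_dmz above, while the ACLs actually defined are OUT and IN), and several interfaces sharing one security level without `same-security-traffic permit inter-interface`, which the ASA needs before it will forward between them. `SAMPLE_CONFIG` is constructed from the posted commands, not captured from a device, and the finding codes are this script's own names.

```python
"""Added example: lint an ASA running-config for the IPv6 interface, route and
ACL mistakes discussed in this thread.  Not ASA/Cisco code; it only reads text."""
import ipaddress

# Constructed from the commands posted in the thread (not a device capture).
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ipv6 address FC00::4:2/64
interface GigabitEthernet0/2
 nameif DMZ
 security-level 100
 ipv6 address FC00:5::1/64
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ipv6 address FC00:6::1/64
interface GigabitEthernet0/1.1
 vlan 1
 nameif inside-lan1
 security-level 100
 ipv6 address FC00:7::1/64
access-list OUT extended permit ip host FC00:5::1 any
access-group acl_dmz in interface DMZ
ipv6 route outside ::/0 FC00::4:1
ipv6 route inside-lan1 F000:7::0/64 FC00:6::1
ipv6 route inside F000::0:0/64 FC00:5::1
"""
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def parse_config(text):
    """Collect interfaces, ACL names, access-groups and IPv6 static routes."""
    cfg = {"if": {}, "acls": set(), "groups": [], "routes": [], "same_sec": False}
    cur = None
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        if line.startswith(" ") and cur is not None:  # interface sub-command
            if w[0] == "nameif":
                cur["nameif"] = w[1]
            elif w[0] == "security-level":
                cur["level"] = int(w[1])
            elif w[:2] == ["ipv6", "address"]:
                cur["addrs"].append(ipaddress.IPv6Interface(w[2]))
            continue
        cur = None
        if w[0] == "interface":
            cur = cfg["if"][w[1]] = {"nameif": None, "level": None, "addrs": []}
        elif w[0] == "access-list":
            cfg["acls"].add(w[1])
        elif w[0] == "access-group":        # access-group NAME in|out interface NAMEIF
            cfg["groups"].append((w[1], w[4]))
        elif w[:2] == ["ipv6", "route"]:    # ipv6 route NAMEIF PREFIX NEXT-HOP
            cfg["routes"].append((w[2], ipaddress.IPv6Network(w[3], strict=False),
                                  ipaddress.IPv6Address(w[4])))
        elif line.startswith("same-security-traffic permit inter-interface"):
            cfg["same_sec"] = True
    return cfg


def lint(text):
    """Return (code, message) findings; an empty list means nothing was caught."""
    cfg, out = parse_config(text), []
    ifs = cfg["if"]
    by_nameif = {i["nameif"]: i for i in ifs.values() if i["nameif"]}
    for name, i in ifs.items():
        # A port that carries VLAN subinterfaces is just the trunk; nameif,
        # security-level and address belong on the subinterfaces.
        subs = [s for s in ifs if s.startswith(name + ".")]
        if subs and (i["nameif"] or i["addrs"]):
            out.append(("PHYS_WITH_SUBIF", f"{name} is named/addressed but carries {subs}"))
    for nameif, prefix, nh in cfg["routes"]:
        i = by_nameif.get(nameif)
        if i is None:
            out.append(("ROUTE_BAD_IF", f"route {prefix}: no interface named {nameif}"))
        elif nh in {a.ip for a in i["addrs"]}:
            out.append(("ROUTE_SELF_NH", f"route {prefix}: next hop {nh} is the ASA itself"))
        elif nh not in LINK_LOCAL and not any(nh in a.network for a in i["addrs"]):
            # The next hop must be reachable on the egress interface's own link.
            out.append(("ROUTE_NH_OFFLINK", f"route {prefix} via {nameif}: {nh} is not on-link"))
    for acl, nameif in cfg["groups"]:
        if acl not in cfg["acls"]:
            out.append(("ACG_UNKNOWN_ACL", f"access-group uses undefined ACL {acl}"))
    if not cfg["same_sec"]:
        # Same-security-level interfaces cannot talk to each other by default.
        levels = {}
        for i in by_nameif.values():
            levels.setdefault(i["level"], []).append(i["nameif"])
        for lvl, names in levels.items():
            if len(names) > 1:
                out.append(("SAME_SEC_BLOCKED", f"{names} all sit at security-level {lvl}"
                            " without 'same-security-traffic permit inter-interface'"))
    return out


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG):
        print(f"{code:17} {msg}")
```

Run it against `show running-config` output saved to a file; the default route via outside passes because FC00::4:1 sits inside the outside interface's FC00::/64, while the two F000: routes are reported because their next hops are on other interfaces' links.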
07-25-2023 06:49 AM
ipv6 enable
This needs to be added under each IPv6 interface.
07-25-2023 06:51 AM
Is the switch interface facing the firewall a trunk? Was the VLAN added to the switch?
These are not the IP addresses of the hosts, right? They are the .1 addresses you added to the firewall interfaces?
07-26-2023 05:41 AM
The switch is layer 2, and the IPv6 addresses FC00:7::1 and FC00:8::1 are added to Ethernet0/1, split as Ethernet0/1.1 (FC00:7::1) and Ethernet0/1.2 (FC00:8::1). If possible, please provide the right configuration.
07-26-2023 05:43 AM
Did you add ipv6 enable under the ASA interface?
07-28-2023 02:41 AM
Hello @vasusop-Research
This configuration is not right. Forget about IPv6 for a moment; the interfaces need to be fixed.
If you are dealing with subinterfaces, you don't add an IP address on the physical interface.
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)#ipv6 enable
ciscoasa(config-if)# ipv6 address FC00:6::1/64 - Remove this config
ciscoasa(config-if)# nameif inside - Remove this config
ciscoasa(config-if)# security-level 100 - Remove this config
ciscoasa(config-if)# speed 100 - Remove this config
ciscoasa(config-if)# duplex full - Remove this config
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# switchport mode trunk - Add this
configuring inside Vlan 1:
ciscoasa(config)# interface GigabitEthernet0/1.1
ciscoasa(config-if)#ipv6 enable
ciscoasa(config-if)# ipv6 address FC00:7::1/64
ciscoasa(config-if)# vlan 1
ciscoasa(config-if)# nameif inside-lan1
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
configuring inside Vlan 2:
ciscoasa(config)# interface GigabitEthernet0/1.2
ciscoasa(config-if)#ipv6 enable
ciscoasa(config-if)# ipv6 address FC00:8::1/64
ciscoasa(config-if)# vlan 2
ciscoasa(config-if)# nameif inside-lan2
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
Make sure you create VLAN 1 and VLAN 2 on the switch. Put the interface between the switch and the firewall in trunk mode.
Assign the proper VLAN to the interfaces where the PCs are connected.
07-28-2023 06:41 AM - edited 07-28-2023 06:53 AM
Hi Sir, I have tried to use the command switchport mode trunk on GigabitEthernet0/1 in interface mode, i.e.
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# switchport mode trunk
^
Error: % invalid input detected at '^' marker.
I checked it against https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/int5505.html#wp1057200
I tried it even on interface GigabitEthernet0/1.1, and I get the same error.
I even tried changing the switch to the 3560 and 3750 series, and it is the same error, so I kept the 3560 switch.
07-28-2023 06:46 AM
Which ASA version is it?
08-03-2023 05:16 AM
Sir, I changed it as per your given steps, but it is still not working.
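The following is an added example, not the responder's or Cisco's configuration, of what the lab needs end to end once the interface fix above is in place. It assumes an ASA running 9.x (unified ACL syntax; on 8.x the ACL line would be `ipv6 access-list` instead), an IOS 2901 at FC00::4:1 and an IOS 3560 between the ASA and the hosts; the router and switch port names are placeholders. Two points worth stating plainly: the ASA 5510 has no `switchport` command (that belongs to the 5505's built-in switch, which is why the command errors), the 802.1Q tag is selected by `vlan N` on the subinterface; and VLAN 1 is the untagged native VLAN on a Cisco trunk by default, so a subinterface tagged `vlan 1` would never see those frames, which is why the example uses VLAN IDs 10 and 20. Note also that the OUT and IN access-lists posted earlier are never applied, because the access-group lines reference acl_dmz.

```text
! --- ASA (9.x syntax assumed) ---
! The physical port only carries the 802.1Q trunk: no nameif, no address.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no shutdown
!
interface GigabitEthernet0/1.1
 vlan 10
 nameif inside-lan1
 security-level 100
 ipv6 address FC00:7::1/64
!
interface GigabitEthernet0/1.2
 vlan 20
 nameif inside-lan2
 security-level 100
 ipv6 address FC00:8::1/64
!
interface GigabitEthernet0/2
 nameif DMZ
 security-level 100
 ipv6 address FC00:5::1/64
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ipv6 address FC00::4:2/64
!
! FC00:5::/64, FC00:7::/64 and FC00:8::/64 are connected prefixes and need
! no static routes; only the way out does.
ipv6 route outside ::/0 FC00::4:1
! inside-lan1, inside-lan2 and DMZ all sit at level 100, which the ASA
! refuses to forward between by default.
same-security-traffic permit inter-interface
! Traffic arriving on the level-0 outside interface (pings from the router
! and the echo replies to pings sent from inside) is dropped unless an
! inbound ACL permits it.
access-list OUTSIDE_IN extended permit icmp6 any6 any6
access-group OUTSIDE_IN in interface outside
!
! --- Router 2901 (IOS; port name is a placeholder) ---
ipv6 unicast-routing
interface GigabitEthernet0/0
 ipv6 address FC00::4:1/64
 no shutdown
! Return routes for the prefixes behind the ASA.
ipv6 route FC00:5::/64 FC00::4:2
ipv6 route FC00:7::/64 FC00::4:2
ipv6 route FC00:8::/64 FC00::4:2
!
! --- Switch 3560 (IOS; port names are placeholders) ---
vlan 10
vlan 20
interface GigabitEthernet0/1
 description trunk to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
!
! Hosts: a static address in their VLAN's /64 with the ASA subinterface
! address (FC00:7::1 or FC00:8::1) as default gateway; the DMZ server
! uses FC00:5::1.
```

The outside ACL is deliberately wide open for ICMPv6 because the stated goal is a lab traffic capture; on a real edge it would be narrowed to the ICMPv6 types actually needed, and on versions whose ICMP inspection handles ICMPv6, `inspect icmp` in the global policy makes echo/reply stateful so the inbound permit can be dropped.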
07-26-2023 06:03 AM
I am trying to configure this network based on exploring the Cisco documents. It seems a little confusing due to the amount of information, as I am new and only have basic knowledge of IPv4. Is there any possibility of providing the configuration steps to establish connections so that I can ping from all the devices present in the above network, based on static routes?
1) Ping DMZ server to hosts in VLAN 1, VLAN 2 and router - vice versa
2) Ping hosts in VLAN 1 to DMZ server, VLAN 2 and router - vice versa
3) Ping hosts in VLAN 2 to DMZ server, VLAN 1 and router - vice versa
4) Ping hosts in VLAN 1 to VLAN 2, DMZ server and router - vice versa
5) Ping hosts in VLAN 2 to VLAN 1, DMZ server and router - vice versa
The main purpose of this is to generate normal traffic-flow data sets using IPv6 addresses, which will be captured using Wireshark. It would be a great help.
07-26-2023 06:05 AM
07-26-2023 06:18 AM
One more thing:
ACLs for IPv6 in the ASA must be added as follows:
ipv6 access-list ........
07-26-2023 08:57 AM
If I prefix the access-list with ipv6, it displays the error "invalid input detected at ^ marker", i.e. at extended.
If I do not prefix ipv6, then it displays "found duplicate element", so that means the access-lists are present.
I have also enabled ipv6 on each interface. Still, I am not able to ping successfully between the devices present in the network, except for the self-ping of each device.
07-26-2023 09:22 AM
OK, I will test the config in my lab.
08-03-2023 05:14 AM
Sir, any comments or suggestions to correct my steps? Also, is there any scope for you to generate an ICMPv6 DDoS attack data set and kindly share it, based on the above network diagram?