ASA 5510 firewall: configuring static routing using IPv6 addresses

Hi,

I am trying to configure static routing on an ASA 5510 firewall using IPv6 addresses.

I have configured the following IPv6 addresses, based on the simple network shown, in order to generate traffic flow through the firewall reaching all the hosts and the server.

I am able to ping from the ASA:

1) FC00::4:2

2) FC00:5::2

3) FC00:7::1

4) FC00:8::1

[Attachment: Modified Labnetwork diagram-ipv6.PNG]

But not the other way, from any of the hosts or the DMZ.

--> Can anyone suggest where I am going wrong or what I am missing?

*** Kindly provide any video or constructive steps to resolve this issue.

The following shows the respective IPv6 configuration.

Configuring outside (Router 2901 side):

ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)# ipv6 address FC00::4:2/64
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit

ciscoasa(config)# ipv6 route outside 0::0/0 FC00::4:1
ciscoasa(config)# show ipv6 route


Configuring Server16 DMZ:

ciscoasa(config)# interface GigabitEthernet0/2
ciscoasa(config-if)# ipv6 address FC00:5::1/64 
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit


Configuring inside (Building A (LAN 1) and Building B (LAN 2)):


ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# ipv6 address FC00:6::1/64
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit


Configuring inside VLAN 1:

ciscoasa(config)# interface GigabitEthernet0/1.1
ciscoasa(config-if)# ipv6 address FC00:7::1/64
ciscoasa(config-if)# vlan 1
ciscoasa(config-if)# nameif inside-lan1
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit


Configuring inside VLAN 2:

ciscoasa(config)# interface GigabitEthernet0/1.2
ciscoasa(config-if)# ipv6 address FC00:8::1/64
ciscoasa(config-if)# vlan 2
ciscoasa(config-if)# nameif inside-lan2
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit


Configuring static routes from hosts to firewall:

ciscoasa(config)# ipv6 route inside-lan1 F000:7::0/64 FC00:6::1
ciscoasa(config)# ipv6 route inside-lan2 F000:8::0/64 FC00:6::1

ciscoasa(config)# ipv6 route inside F000::0:0/64 Fc00:5::1


Access list config:

ciscoasa(config)# access-list OUT extended permit ip host FC00:5::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:5::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:5::2 any
ciscoasa(config)# access-list IN extended permit ip host FC00:5::2 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:6::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:6::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:7::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:7::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:8::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:8::1 any

ciscoasa(config)# access-group acl_dmz in interface dmz
ciscoasa(config)# access-group acl_dmz out interface dmz

ciscoasa(config)# ipv6 route inside-lan1 FC00::/64 FC00::FFFF:FFFF:FFFF:FFFF
ciscoasa(config)# ipv6 route inside-lan2 FC00::/64 FC00::FFFF:FFFF:FFFF:FFFF
ciscoasa(config)# ipv6 route dmz FC00:0005::/64 FC00:0005::FFFF:FFFF:FFFF:FFFF

ICMP:

ciscoasa(config)# access-list OUT extended permit icmp host FC00:5::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:5::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:5::2 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:5::2 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:6::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:6::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:7::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:7::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:8::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:8::1 any

19 Replies

https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/acl_ipv6.html#:~:text=The%20ipv6%20access%2Dlist%20command%20allows%20you%20to%20specify%20whether,using%20the%20access%2Dgroup%20command.

This guide is for IPv6 ACLs.

Now add ICMP inspection under the class of the global policy-map.

And try pinging from inside to outside; this traffic does not need an ACL to allow it, so it must succeed.

I have added those steps:

ciscoasa# config t
ciscoasa(config)# policy-map global
ciscoasa(config-pmap)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error
ciscoasa(config-pmap-c)# end

It is reflected in ciscoasa# show run policy-map.

Still I am not able to ping.

Till now I have tried the following steps to configure it, and I am still not able to reach the hosts, as mentioned in the comments above:

ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)#ipv6 enable
ciscoasa(config-if)# ipv6 address FC00::4:2/64 
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# speed 100
ciscoasa(config-if)# duplex full
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit

ciscoasa(config)# ipv6 route outside 0::0/0 FC00::4:1
ciscoasa(config)# show ipv6 route


Configuring Server16 DMZ:

ciscoasa(config)# interface GigabitEthernet0/2
ciscoasa(config-if)#ipv6 enable
ciscoasa(config-if)# ipv6 address FC00:5::1/64 
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# speed 100
ciscoasa(config-if)# duplex full
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit


Configuring inside (Building A (LAN 1) and Building B (LAN 2)):


ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)#ipv6 enable
ciscoasa(config-if)# ipv6 address FC00:6::1/64
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# speed 100
ciscoasa(config-if)# duplex full
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit


Configuring inside VLAN 1:

ciscoasa(config)# interface GigabitEthernet0/1.1
ciscoasa(config-if)#ipv6 enable
ciscoasa(config-if)# ipv6 address FC00:7::1/64
ciscoasa(config-if)# vlan 1
ciscoasa(config-if)# nameif inside-lan1
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit


Configuring inside VLAN 2:

ciscoasa(config)# interface GigabitEthernet0/1.2
ciscoasa(config-if)#ipv6 enable
ciscoasa(config-if)# ipv6 address FC00:8::1/64
ciscoasa(config-if)# vlan 2
ciscoasa(config-if)# nameif inside-lan2
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# exit


Configuring static routes from hosts to firewall:

ciscoasa(config)# ipv6 route inside-lan1 F000:7::0/64 FC00:6::1
ciscoasa(config)# ipv6 route inside-lan2 F000:8::0/64 FC00:6::1
ciscoasa(config)# ipv6 route inside F000::0:0/64 Fc00:5::1


Access list config:

ciscoasa(config)# access-list OUT extended permit ip host FC00:5::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:5::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:5::2 any
ciscoasa(config)# access-list IN extended permit ip host FC00:5::2 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:6::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:6::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:7::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:7::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:8::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:8::1 any

ciscoasa(config)# access-group acl_dmz in interface dmz
ciscoasa(config)# access-group acl_dmz out interface dmz

Eth0/0
ciscoasa(config-if)# access-group acl_inside in interface inside
Eth0/1
ciscoasa(config-if)# access-group acl_inside in interface inside
Eth0/1.1
ciscoasa(config-if)# access-group acl_inside in interface inside
Eth0/1.2
ciscoasa(config-if)# access-group acl_inside in interface inside
Eth0/2
ciscoasa(config-if)# access-group acl_inside in interface inside

ciscoasa(config)# ipv6 route inside-lan1 FC00::/64 FC00::FFFF:FFFF:FFFF:FFFF
ciscoasa(config)# ipv6 route inside-lan2 FC00::/64 FC00::FFFF:FFFF:FFFF:FFFF
ciscoasa(config)# ipv6 route dmz FC00:0005::/64 FC00:0005::FFFF:FFFF:FFFF:FFFF

ciscoasa(config)# access-list OUT extended permit icmp host FC00:5::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:5::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:5::2 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:5::2 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:6::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:6::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:7::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:7::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:8::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:8::1 any

ciscoasa(config)# access-list acl_grp permit tcp any host FC00:5::
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:5::1
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:6::
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:6::1
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:7::
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:7::1
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:8::
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:5::1

ciscoasa(config)# icmp permit any echo-reply outside
ciscoasa(config)# icmp permit any time-exceeded outside
ciscoasa(config)# icmp permit any unreachable outside
ciscoasa(config)# icmp permit any echo-reply inside
ciscoasa(config)# icmp permit any time-exceeded inside
ciscoasa(config)# icmp permit any unreachable inside


ciscoasa# show run policy-map
ciscoasa# config t
ciscoasa(config)# policy-map global
ciscoasa(config-pmap)# policy-map global_policy
ciscoasa(config-pmap)# class inspection_default
ciscoasa(config-pmap-c)# inspect icmp
ciscoasa(config-pmap-c)# inspect icmp error
ciscoasa(config-pmap-c)# end

Sir, kindly provide any suggestions or comments that could help me establish ping between all the connected devices. It would be a great help.
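The static route and access-group lines in the original post, and again in the recap above, share a pattern an ASA will not route with: next hops that are the ASA's own interface addresses (FC00:6::1, FC00:5::1) or that do not lie on the egress interface's subnet (FC00::FFFF:FFFF:FFFF:FFFF on inside-lan1, whose subnet is FC00:7::/64), prefixes that are already directly connected (FC00::/64 is the outside interface's /64 and FC00:5::/64 the DMZ's), and access-group commands that bind ACL names (acl_dmz, acl_inside) that were never created (the ACLs actually defined are OUT and IN). The script below is an added example, not code from the thread or from Cisco; it parses configuration text in `show running-config` form (no CLI prompts) and reports exactly those three classes of inconsistency. The two embedded configurations are constructed from the interface, route and ACL lines posted in the thread; the fixed variant keeps the same interfaces, keeps only the default route, and binds an ACL under the name it was defined with. The `same-security-traffic permit inter-interface` line and the `icmp6`/`any6` ACL syntax are assumptions about the target release (ASA 9.0 or later; 8.x uses `ipv6 access-list`) and are passed through unchecked; comparing nameifs case-insensitively is likewise an assumption, made to match the DMZ/dmz spelling in the thread.

```python
"""Lint IPv6 static routes and ACL bindings in an ASA running-config.

Added example, not from the thread or from Cisco. Input is text in the form
`show running-config` prints it (no CLI prompts). Nameifs are compared
case-insensitively, an assumption made to match the DMZ/dmz spelling in the thread.
"""
import ipaddress
import re
from collections import defaultdict

# Interface blocks as posted in the thread (security-level/vlan lines omitted).
INTERFACES = """\
interface Ethernet0/0
 nameif outside
 ipv6 address FC00::4:2/64
interface GigabitEthernet0/2
 nameif DMZ
 ipv6 address FC00:5::1/64
interface GigabitEthernet0/1
 nameif inside
 ipv6 address FC00:6::1/64
interface GigabitEthernet0/1.1
 nameif inside-lan1
 ipv6 address FC00:7::1/64
interface GigabitEthernet0/1.2
 nameif inside-lan2
 ipv6 address FC00:8::1/64
"""

# Routes and ACL bindings as posted in the thread (constructed sample).
THREAD_CONFIG = INTERFACES + """\
ipv6 route outside 0::0/0 FC00::4:1
ipv6 route inside-lan1 F000:7::0/64 FC00:6::1
ipv6 route inside F000::0:0/64 Fc00:5::1
ipv6 route inside-lan1 FC00::/64 FC00::FFFF:FFFF:FFFF:FFFF
ipv6 route dmz FC00:0005::/64 FC00:0005::FFFF:FFFF:FFFF:FFFF
access-list OUT extended permit ip host FC00:5::1 any
access-group acl_dmz in interface dmz
access-group acl_inside in interface inside
"""

# Only the default route is kept (every other prefix is directly connected) and
# the ACL is bound under the name it was defined with. The same-security line
# and the icmp6/any6 syntax assume ASA 9.0+ (8.x uses `ipv6 access-list`).
FIXED_CONFIG = INTERFACES + """\
same-security-traffic permit inter-interface
ipv6 route outside ::/0 FC00::4:1
access-list DMZ_IN extended permit icmp6 any6 any6
access-group DMZ_IN in interface DMZ
"""


def parse_config(text):
    """Return (interfaces, routes, acl_names, bindings) from running-config text."""
    interfaces, routes, acl_names, bindings = defaultdict(list), [], set(), []
    name, addrs = None, []                 # the interface block currently open
    for raw in text.splitlines() + [""]:   # sentinel line closes the last block
        line = raw.strip()
        if raw.startswith(" "):            # indented: inside an interface block
            if line.startswith("nameif "):
                name = line.split()[1]
            elif line.startswith("ipv6 address "):
                addrs.append(ipaddress.IPv6Interface(line.split()[2]))
            continue
        if name:                           # any top-level line closes the block
            interfaces[name.lower()].extend(addrs)
        name, addrs = None, []
        if m := re.match(r"ipv6 route (\S+) (\S+) (\S+)", line):
            routes.append((m[1].lower(), ipaddress.IPv6Network(m[2], strict=False),
                           ipaddress.IPv6Address(m[3])))
        elif m := re.match(r"(?:ipv6 )?access-list (\S+) ", line):
            acl_names.add(m[1])
        elif m := re.match(r"access-group (\S+) (in|out) interface (\S+)", line):
            bindings.append((m[1], m[2], m[3].lower()))
    return interfaces, routes, acl_names, bindings


def lint(text):
    """Return a list of findings; an empty list means the config is consistent."""
    interfaces, routes, acl_names, bindings = parse_config(text)
    own = {a.ip for addrs in interfaces.values() for a in addrs}
    connected = {a.network: n for n, addrs in interfaces.items() for a in addrs}
    out = []
    for nameif, prefix, nexthop in routes:
        tag = f"route {prefix} via {nameif}:"
        if nameif not in interfaces:
            out.append(f"{tag} '{nameif}' is not a configured nameif")
            continue
        if prefix in connected:
            out.append(f"{tag} prefix is directly connected on '{connected[prefix]}'")
        if nexthop in own:
            out.append(f"{tag} next hop {nexthop} is the ASA's own interface address")
        elif not nexthop.is_link_local and not any(
                nexthop in a.network for a in interfaces[nameif]):
            out.append(f"{tag} next hop {nexthop} is not on a subnet connected to '{nameif}'")
    for acl, direction, nameif in bindings:
        tag = f"access-group {acl} {direction} interface {nameif}:"
        if acl not in acl_names:
            out.append(f"{tag} ACL '{acl}' is not defined")
        if nameif not in interfaces:
            out.append(f"{tag} '{nameif}' is not a configured nameif")
    return out


if __name__ == "__main__":
    for label, cfg in (("thread", THREAD_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, *(lint(cfg) or ["no findings"]), sep="\n  ")
```

Run as a script it prints seven findings for the thread's configuration and none for the fixed one. Three things it does not check but that matter for the ping tests in the thread: with every interface at security-level 100, traffic between them is dropped until `same-security-traffic permit inter-interface` is set; ICMP inspection has to be added to `policy-map global_policy`, the policy that the default `service-policy global_policy global` applies, because `policy-map global` creates a separate policy that nothing applies; and the ASA does not answer pings sent to one of its interface addresses from a host behind a different interface, so from a host on inside-lan1 the reachable ASA address is FC00:7::1, and end-to-end checks should target a host on the far side rather than the far-side interface.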

Is there any scope for anyone who can at least direct me to ICMPv6 DDoS attack data sets? I have tried my best to check the openly available ones and could find only IPv4 DDoS attack data sets, but not ICMPv6 DDoS attack data sets. I only need 10-15 GB in size, including normal traffic and ICMPv6 DDoS attacks. I can make a request through my university e-mail.