07-25-2023 06:38 AM
Hi,
I am trying to configure static routing on an ASA 5510 firewall using IPv6 addresses.
I have configured the following IPv6 addresses based on a simple network in order to generate traffic flow through the firewall, accessing all the hosts and the server.
I am able to ping from the ASA:
1) FC00::4:2
2) FC00:5::2
3) FC00:7::1
4) FC00:8:1
But not the other way, from any of the hosts or the DMZ.
--> Can anyone suggest where I am going wrong or what I am missing?
*** Kindly provide any video or constructive steps to resolve this issue.
The following shows the respective IPv6 configuration.
Configuring outside (Router 2901 side):
ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)# ipv6 address FC00::4:2/64
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
ciscoasa(config)# ipv6 route outside 0::0/0 FC00::4:1
ciscoasa(config)# show ipv6 route
Configuring Server16 DMZ:
ciscoasa(config)# interface GigabitEthernet0/2
ciscoasa(config-if)# ipv6 address FC00:5::1/64
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
Configuring inside (Building A (LAN 1) and Building B (LAN 2)):
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)# ipv6 address FC00:6::1/64
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
Configuring inside VLAN 1:
ciscoasa(config)# interface GigabitEthernet0/1.1
ciscoasa(config-if)# ipv6 address FC00:7::1/64
ciscoasa(config-if)# vlan 1
ciscoasa(config-if)# nameif inside-lan1
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
Configuring inside VLAN 2:
ciscoasa(config)# interface GigabitEthernet0/1.2
ciscoasa(config-if)# ipv6 address FC00:8::1/64
ciscoasa(config-if)# vlan 2
ciscoasa(config-if)# nameif inside-lan2
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
Configuring static routes from host to firewall:
ciscoasa(config)#ipv6 route inside-lan1 F000:7::0/64 FC00:6::1
ciscoasa(config)#ipv6 route inside-lan2 F000:8::0/64 FC00:6::1
ciscoasa(config)#ipv6 route inside F000::0:0/64 Fc00:5::1
Access list config:
ciscoasa(config)# access-list OUT extended permit ip host FC00:5::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:5::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:5::2 any
ciscoasa(config)# access-list IN extended permit ip host FC00:5::2 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:6::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:6::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:7::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:7::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:8::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:8::1 any
ciscoasa(config)#access-group acl_dmz in interface dmz
ciscoasa(config)#access-group acl_dmz out interface dmz
ciscoasa(config)#ipv6 route inside-lan1 FC00::/64 FC00::FFFF:FFFF:FFFF:FFFF
ciscoasa(config)#ipv6 route inside-lan2 FC00::/64 FC00::FFFF:FFFF:FFFF:FFFF
ciscoasa(config)#ipv6 route dmz FC00:0005::/64 FC00:0005::FFFF:FFFF:FFFF:FFFF
ICMP:
ciscoasa(config)# access-list OUT extended permit icmp host FC00:5::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:5::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:5::2 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:5::2 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:6::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:6::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:7::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:7::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:8::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:8::1 any
07-26-2023 09:28 AM
This guide is for IPv6 ACLs.
Now add ICMP inspection under the class of policy-map global.
And try to ping from inside to outside. This traffic needs no ACL to allow it, so it must succeed.
07-26-2023 02:02 PM
I have added those steps:
ciscoasa#config t
ciscoasa(config)#policy-map global
ciscoasa(config-pmap)#policy-map global_policy
ciscoasa(config-pmap)#class inspection_default
ciscoasa(config-pmap-c)#inspect icmp
ciscoasa(config-pmap-c)#inspect icmp error
ciscoasa(config-pmap-c)#end
It is reflected in ciscoasa# Show run policy-map.
Still I am not able to ping.
07-26-2023 02:07 PM
Till now I have tried the following configuration steps and am still not able to reach the hosts, as mentioned in the above comments:
ciscoasa(config)# interface Ethernet0/0
ciscoasa(config-if)#ipv6 enable
ciscoasa(config-if)# ipv6 address FC00::4:2/64
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# speed 100
ciscoasa(config-if)# duplex full
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
ciscoasa(config)# ipv6 route outside 0::0/0 FC00::4:1
ciscoasa(config)# show ipv6 route
Configuring Server16 DMZ:
ciscoasa(config)# interface GigabitEthernet0/2
ciscoasa(config-if)#ipv6 enable
ciscoasa(config-if)# ipv6 address FC00:5::1/64
ciscoasa(config-if)# nameif DMZ
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# speed 100
ciscoasa(config-if)# duplex full
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
Configuring inside (Building A (LAN 1) and Building B (LAN 2)):
ciscoasa(config)# interface GigabitEthernet0/1
ciscoasa(config-if)#ipv6 enable
ciscoasa(config-if)# ipv6 address FC00:6::1/64
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# speed 100
ciscoasa(config-if)# duplex full
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
Configuring inside VLAN 1:
ciscoasa(config)# interface GigabitEthernet0/1.1
ciscoasa(config-if)#ipv6 enable
ciscoasa(config-if)# ipv6 address FC00:7::1/64
ciscoasa(config-if)# vlan 1
ciscoasa(config-if)# nameif inside-lan1
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
Configuring inside VLAN 2:
ciscoasa(config)# interface GigabitEthernet0/1.2
ciscoasa(config-if)#ipv6 enable
ciscoasa(config-if)# ipv6 address FC00:8::1/64
ciscoasa(config-if)# vlan 2
ciscoasa(config-if)# nameif inside-lan2
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)exit
Configuring static routes from host to firewall:
ciscoasa(config)#ipv6 route inside-lan1 F000:7::0/64 FC00:6::1
ciscoasa(config)#ipv6 route inside-lan2 F000:8::0/64 FC00:6::1
ciscoasa(config)#ipv6 route inside F000::0:0/64 Fc00:5::1
Access list config:
ciscoasa(config)# access-list OUT extended permit ip host FC00:5::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:5::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:5::2 any
ciscoasa(config)# access-list IN extended permit ip host FC00:5::2 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:6::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:6::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:7::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:7::1 any
ciscoasa(config)# access-list OUT extended permit ip host FC00:8::1 any
ciscoasa(config)# access-list IN extended permit ip host FC00:8::1 any
ciscoasa(config)#access-group acl_dmz in interface dmz
ciscoasa(config)#access-group acl_dmz out interface dmz
Eth0/0
ciscoasa(config-if)access-group acl_inside in interface inside
Eth0/1
ciscoasa(config-if)access-group acl_inside in interface inside
Eth0/1.1
ciscoasa(config-if)access-group acl_inside in interface inside
Eth0/1.2
ciscoasa(config-if)access-group acl_inside in interface inside
Eth0/2
ciscoasa(config-if)access-group acl_inside in interface inside
ciscoasa(config-if)access-group acl_inside in interface inside
ciscoasa(config)#ipv6 route inside-lan1 FC00::/64 FC00::FFFF:FFFF:FFFF:FFFF
ciscoasa(config)#ipv6 route inside-lan2 FC00::/64 FC00::FFFF:FFFF:FFFF:FFFF
ciscoasa(config)#ipv6 route dmz FC00:0005::/64 FC00:0005::FFFF:FFFF:FFFF:FFFF
ciscoasa(config)# access-list OUT extended permit icmp host FC00:5::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:5::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:5::2 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:5::2 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:6::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:6::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:7::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:7::1 any
ciscoasa(config)# access-list OUT extended permit icmp host FC00:8::1 any
ciscoasa(config)# access-list IN extended permit icmp host FC00:8::1 any
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:5::
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:5::1
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:6::
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:6::1
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:7::
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:7::1
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:8::
ciscoasa(config)# access-list acl_grp permit tcp any host FC00:5::1
ciscoasa(config)#icmp permit any echo-reply outside
ciscoasa(config)#icmp permit any time-exceeded outside
ciscoasa(config)#icmp permit any unreachable outside
ciscoasa(config)#icmp permit any echo-reply inside
ciscoasa(config)#icmp permit any time-exceeded inside
ciscoasa(config)#icmp permit any unreachable inside
ciscoasa#Show run policy-map
ciscoasa#config t
ciscoasa(config)#policy-map global
ciscoasa(config-pmap)#policy-map global_policy
ciscoasa(config-pmap)#class inspection_default
ciscoasa(config-pmap-c)#inspect icmp
ciscoasa(config-pmap-c)#inspect icmp error
ciscoasa(config-pmap-c)#end
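As an added example (not part of the thread and not Cisco's code), here is a small Python checker that reads the interface, route, access-list and access-group lines posted above and flags the conditions that would keep traffic from being forwarded back to the hosts: a route whose next hop is one of the ASA's own interface addresses, a next hop that is not on the link of the interface named in the route, a destination that is already a directly connected prefix, a destination that differs from a connected prefix in a single hextet (F000:7:: against FC00:7::), and access-group commands that bind an ACL which was never defined (acl_dmz, acl_inside) while the ACLs that were defined (OUT, IN) are bound to no interface. The sample configuration embedded in the script is constructed from the lines in this thread with the prompts removed; matching nameif values case-insensitively is an assumption.

```python
"""Sanity-check ASA IPv6 static routes and ACL bindings (added example, not Cisco code)."""
import ipaddress
import re

# Constructed sample: interface, route and ACL lines posted in the thread, prompts removed.
SAMPLE_CONFIG = """
interface Ethernet0/0
 ipv6 address FC00::4:2/64
 nameif outside
interface GigabitEthernet0/2
 ipv6 address FC00:5::1/64
 nameif DMZ
interface GigabitEthernet0/1
 ipv6 address FC00:6::1/64
 nameif inside
interface GigabitEthernet0/1.1
 ipv6 address FC00:7::1/64
 nameif inside-lan1
ipv6 route outside 0::0/0 FC00::4:1
ipv6 route inside-lan1 F000:7::0/64 FC00:6::1
ipv6 route inside F000::0:0/64 Fc00:5::1
ipv6 route inside-lan1 FC00::/64 FC00::FFFF:FFFF:FFFF:FFFF
ipv6 route dmz FC00:0005::/64 FC00:0005::FFFF:FFFF:FFFF:FFFF
access-list OUT extended permit icmp host FC00:5::1 any
access-list IN extended permit icmp host FC00:5::1 any
access-group acl_dmz in interface dmz
access-group acl_inside in interface inside
"""

ROUTE_RE = re.compile(r"^ipv6 route (\S+) (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) ")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def parse_config(text):
    """Return (interfaces, routes, acl_names, bindings); nameif is matched case-insensitively (assumption)."""
    blocks, routes, acls, groups = [], [], set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            blocks.append({})
        elif line.startswith("ipv6 address ") and blocks:
            blocks[-1]["addr"] = line.split()[2]
        elif line.startswith("nameif ") and blocks:
            blocks[-1]["name"] = line.split()[1]
        elif m := ROUTE_RE.match(line):  # strict=False tolerates host bits such as F000:7::0/64
            routes.append((line, m.group(1).lower(), ipaddress.ip_network(m.group(2), strict=False),
                           ipaddress.ip_address(m.group(3))))
        elif m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := GROUP_RE.match(line):
            groups.append((line, m.group(1)))
    interfaces = {}
    for b in blocks:
        if "name" in b and "addr" in b:
            iface = ipaddress.IPv6Interface(b["addr"])
            interfaces[b["name"].lower()] = (iface.ip, iface.network)  # (own address, connected prefix)
    return interfaces, routes, acls, groups

def hextet_diff(a, b):  # differing hextets among the first four (the /64 network part)
    ha, hb = (n.network_address.exploded.split(":")[:4] for n in (a, b))
    return sum(x != y for x, y in zip(ha, hb))

def check_config(text):
    """Return a list of (config line, finding code, explanation)."""
    interfaces, routes, acls, groups = parse_config(text)
    out = []
    for line, ifname, dest, nexthop in routes:
        if ifname not in interfaces:
            out.append((line, "UNKNOWN_INTERFACE", f"no nameif '{ifname}'"))
            continue
        net = interfaces[ifname][1]
        # A next hop that is the firewall's own address cannot forward anything.
        for name, (addr, _) in interfaces.items():
            if nexthop == addr:
                out.append((line, "NEXTHOP_IS_LOCAL", f"next hop {nexthop} is the firewall's own {name} address"))
        if nexthop not in net:  # the next hop must be reachable on the named interface's link
            onlink = ", ".join(n for n, (_, cn) in interfaces.items() if nexthop in cn) or "no interface"
            out.append((line, "NEXTHOP_NOT_ONLINK", f"next hop {nexthop} is not in {net} ({ifname}); on-link via {onlink}"))
        if dest.prefixlen == 0:
            continue  # default route: nothing to compare the destination against
        connected = [n for n, (_, cn) in interfaces.items() if cn == dest]
        if connected:
            out.append((line, "DEST_CONNECTED", f"{dest} is already directly connected on {', '.join(connected)}"))
            continue
        for name, (_, cn) in interfaces.items():
            if cn.prefixlen == dest.prefixlen and hextet_diff(dest, cn) == 1:
                out.append((line, "DEST_POSSIBLE_TYPO", f"{dest} differs from connected {cn} ({name}) in one hextet"))
    bound = set()
    for line, acl in groups:
        bound.add(acl)
        if acl not in acls:
            out.append((line, "ACL_UNDEFINED", f"access-list {acl} is never defined"))
    for acl in sorted(acls - bound):
        out.append((f"access-list {acl}", "ACL_UNUSED", f"access-list {acl} is defined but bound to no interface"))
    return out

if __name__ == "__main__":
    for line, code, why in check_config(SAMPLE_CONFIG):
        print(f"{code:<19} {line}\n    {why}")
```

Running the script prints one finding per problem with the offending line; the only route it passes cleanly is the default route toward FC00::4:1, which is on the outside link. Pointing a route at the ASA's own FC00:6::1 or FC00:5::1, or at a next hop that lives on a different interface's link, cannot deliver return traffic, and an access-group that names an ACL which does not exist leaves the defined IN/OUT entries with no effect.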
07-28-2023 02:08 AM
Sir, kindly provide any suggestions or comments that could help me to establish ping on all the connected devices. It will be a great help.
07-28-2023 07:34 AM
Is there any scope for anyone who can at least direct me to ICMPv6 DDoS attack data sets? I have tried my best to check the openly available ones and could find only IPv4 DDoS attack data sets, but not ICMPv6 DDoS attack data sets. I need only 10-15 GB in size, including normal traffic and ICMPv6 DDoS attack traffic. I can make a request through my university e-mail.