Dual Stack Migration issue

Hello

I am migrating my DC to dual stack. Now I am facing one problem:

On the servers I have assigned IPv6 addresses manually:

fdd2:1fb0:0d7e:3939::3/64

fdd2:1fb0:0d7e:3939::4/64

On the L3 switch I have configured 2 VLANs:

VLAN 20 - IPv6 address using EUI-64:

FDD2:1FB0:D7E:3939:FA66:F2FF:FEB1:1C7F

VLAN 90 - IPv6 address using EUI-64:

FDB5:4CE6:7C10:831D:FA66:F2FF:FEB1:1C7F

!

Through VLAN 90 the L3 switch is connected to the ASA firewall.

The firewall inside interface IP is assigned via EUI-64 and the address is

fdb5:4ce6:7c10:831d:215:17ff:fedf:c260

I have applied the inside policy on the firewall, any any to icmpv6, but the problem is that from the server I am not able to ping the firewall inside interface after applying the any any policy to icmp6.

For IPv4 I am able to ping the internal interface of the firewall.

Can anyone suggest what the issue might be?
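The EUI-64 addresses quoted above are derived from the interface MAC (flip the universal/local bit, insert FF:FE in the middle). This added example, not part of the thread, reproduces that derivation and the reverse mapping so the switch and ASA addresses in the post can be checked; the MAC f8:66:f2:b1:1c:7f is inferred from the posted interface identifier.

```python
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit EUI-64 interface identifier for a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    # Split the MAC after the OUI, stamp 0xFFFE in the middle, then flip the
    # universal/local bit (bit 1 of the first octet), e.g. f8 -> fa.
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier of `mac`."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC embedded in an address whose low 64 bits are an FFFE-stamped
    EUI-64 identifier; return None for addresses such as the manually set ::3."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{x:02x}" for x in b[:3] + b[5:])


if __name__ == "__main__":
    # The VLAN 20 SVI address from the post, rebuilt from the inferred switch MAC.
    print(slaac_address("fdd2:1fb0:0d7e:3939::/64", "f8:66:f2:b1:1c:7f"))
    # The ASA inside address from the post, mapped back to its MAC.
    print(mac_from_eui64("fdb5:4ce6:7c10:831d:215:17ff:fedf:c260"))
```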


Harold Ritter
Spotlight

Hi Satyendra,

A couple of things to check.

1- Did you configure a default route on the servers?

2- Did you enable "ipv6 unicast-routing" on the L3 switch?

3- Did you configure a static route on the FW back to the servers?

Hope this helps

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Hello Harold,

The servers are in VLAN 20, so I have given the VLAN 20 IPv6 address as the default gateway:

FDD2:1FB0:D7E:3939:FA66:F2FF:FEB1:1C7F

And I have already enabled IPv6 unicast routing on all devices

and configured a static route on the FW for the servers' subnet

FDD2:1FB0:D7E:3939::/64 pointed towards VLAN 90 (IP is

FDB5:4CE6:7C10:831D:FA66:F2FF:FEB1:1C7F).

The L3 switch and the firewall are connected via VLAN 90.

Hi Satyendra,

Can you ping the FW internal interface IPv6 address (fdb5:4ce6:7c10:831d:215:17ff:fedf:c260) from the L3 switch? If not, it might be a problem with the FW configuration.

Can you ping the IPv6 address facing the FW on the L3 switch (FDB5:4CE6:7C10:831D:FA66:F2FF:FEB1:1C7F) from the servers?

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Hello Harold,

I am able to ping VLAN 90

(FDB5:4CE6:7C10:831D:FA66:F2FF:FEB1:1C7F),

through which the FW is connected to the L3 switch, but I am not able to ping the FW internal interface from the servers. What configuration do I need to configure on the FW?

Hi Satyendra,

Have you tried pinging the FW internal interface from the L3 switch? Could you please provide the configs for the L3 switch and the FW?

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Hi,

The FW internal interface is also not pinging from the L3 switch. You can see the IPv6 access rule on the firewall. Please suggest.

On the L3 switch I have only configured the following (I have changed the private IPs to public IPs):

enabled ipv6 unicast routing

!

interface vlan20 - dual stack servers VLAN

ipv6 enable

ipv6 address 2001:4408:4300:10::3/64

!

interface vlan90 - connected to FW

ipv6 enable

ipv6 address 2001:4408:4300:F::3/64

!

FW internal interface IP

2001:4408:4300:F::2

!

ping 2001:4408:4300:F::2 - ping output from the L3 switch to the FW internal interface:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 2001:4408:4300:F::2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

On the FW the inside-to-outside access policy is

any any ip permitted

and the outside-to-inside access policy is

any any icmpv6 permit

Hi Satyendra,

The issue definitely seems to be with the ASA configuration. Could you please provide the actual configuration?

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Could you also try configuring: ipv6 icmp permit any inside


Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Also, what is the status of IPv6 on the clients? E.g., is anything sending ICMPv6 router advertisements indicating that your ULA prefixes are on-link? Windows is probably unwilling to use IPv6 by default in the absence of RAs. Depending on your routing topology this might be coming from the ASA, or if the ASA has "ipv6 nd suppress-ra", from an actual router.

-- Jim Leinweber, WI State Lab of Hygiene

Hello Harold

You can see the access policy for the IPv6 address. Please see the attachment.

Hi Satyendra,

I just found the following statement:

"The ipv6 access-list icmp command is used to filter ICMPv6 messages that pass through the ASA. To configure the ICMPv6 traffic that is allowed to originate and terminate at a specific interface, use the ipv6 icmp command."

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/acl_ipv6.html

Can you please configure this command and see if you can ping the FW from the L3 switch?

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
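The statement quoted above is the crux of this thread: an interface ACL (ipv6 access-list + access-group) filters traffic passing through the ASA, while ICMPv6 that terminates on the ASA's own interface is governed by "ipv6 icmp". The following is an added config-review check, not code from the thread or from Cisco, run over a constructed ASA 8.x-style excerpt modelled on the poster's setup; it reports IPv6-enabled interfaces that have no explicit "ipv6 icmp permit" rule.

```python
from typing import Dict, List

# Constructed ASA configuration excerpt (not a real device config). The inside
# interface has an ICMPv6 ACL applied, but no "ipv6 icmp" rule for itself.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ipv6 address 2001:4408:4300:f::2/64
 ipv6 enable
!
interface GigabitEthernet0/0
 nameif outside
 ipv6 address 2001:db8:ffff::1/64
!
ipv6 access-list inside_in permit ip any any
ipv6 access-list outside_in permit icmp6 any any
access-group inside_in in interface inside
access-group outside_in in interface outside
ipv6 icmp permit any outside
"""


def interfaces_with_ipv6(config: str) -> List[str]:
    """Return the nameif of every interface block that carries an 'ipv6 address'."""
    found, nameif, has_v6 = [], None, False
    for line in config.splitlines() + ["interface END"]:  # sentinel flushes the last block
        if line.startswith("interface "):
            if nameif and has_v6:
                found.append(nameif)
            nameif, has_v6 = None, False
        elif line.startswith(" nameif "):
            nameif = line.split()[1]
        elif line.startswith(" ipv6 address "):
            has_v6 = True
    return found


def icmp_to_self_rules(config: str) -> Dict[str, List[str]]:
    """Collect 'ipv6 icmp ...' lines per interface; the interface name is the last token."""
    rules: Dict[str, List[str]] = {}
    for line in config.splitlines():
        if line.startswith("ipv6 icmp "):
            rules.setdefault(line.split()[-1], []).append(line)
    return rules


def audit_icmpv6_to_asa(config: str) -> Dict[str, str]:
    """Per IPv6-enabled interface: is ICMPv6 to the ASA itself explicitly permitted?"""
    rules = icmp_to_self_rules(config)
    report: Dict[str, str] = {}
    for nameif in interfaces_with_ipv6(config):
        permits = [r for r in rules.get(nameif, []) if r.split()[2] == "permit"]
        report[nameif] = "permit" if permits else "no explicit permit"
    return report
```

Calling audit_icmpv6_to_asa(SAMPLE_CONFIG) flags "inside", which matches the thread: the interface ACL alone did not make the ASA answer pings on its inside address.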

Hi Harold

Now my IPv6 network has been successful. Thanks for your co-operation.

Satyendra

I need to give one user privilege level 15 access on a 7200 router.

When I am giving the below command it is working on all other devices, but for this device I am still getting the enable prompt only.

Device info: 7200 series router, 12.4 IOS version.

Command:

username test privilege 15 secret 5 test - the command is taken but it is asking for the enable password.

When we access with username test, we should directly go to the privileged prompt (rtr #), but it is still going to user mode (>).

What may be the issue?

Peter Koltl
Level 7

Why do you put effort into introducing unique local unicast (RFC4193) addresses? Do you think this is the same world as IPv4 where private addresses were normal? In IPv6 world NAT should be forgotten and global addresses should be used everywhere. Just think of the readdressing project when you realize you need to connect to Internet somehow. Smart people buy Provider Independent IPv6 blocks and settle their addressing for the next 25 years like Xerox in 1991 with 13.0.0.0/8.