
icmpv6

darkdi0dx
Level 1

Hi networkers,

Simple question maybe, but I need some help with this one.

I've got an IPv4 network on which I will now implement IPv6 (dual-stack) on a couple of subnets, to try it out and to learn more about IPv6.

Okay, subnets A and B are now dual-stack subnets. Between those subnets I've got a Cisco firewall, an ASA5550. I've placed a PC (Windows Vista with the Windows firewall off) in each subnet with a static IPv4 and a static IPv6 address. So far so good.

Subnet A IPv6 address is: FEC0:0:0:1001::1/64

Subnet B IPv6 address is: FEC0:0:0:1003::1/64

IPv4 ping works fine between the PCs in subnets A and B. But IPv6 ping doesn't work. I have configured IPv6 ACLs to permit ip, icmp6 and icmp6/echo-reply between subnet A and subnet B. The problem is still there :-(

ASA5550 is running software version: 8.4(1) with ASDM 6.4(1)

What have I forgotten?

BR

Tom

Accepted Solution

Andrew Yourtchenko
Cisco Employee

Tom,

Packet tracer would be the first place to start - maybe it gives a hint right away.

If that does not give a quick win, then, as Bruce mentioned, split the problem into its parts:

if you have a topology:

A -- [cloud A]---- ASA ---- [cloud B] -- B

Then if you cannot ping from A to B, either the echo request gets dropped by something on the way A->B, or the echo reply gets dropped by something on the way B->A. (NB: I am not discounting anything, including the clouds or even the hosts themselves, as candidates to drop the packets, to avoid jumping to conclusions.)

Various packet captures will allow you to probe different points and verify whether the packet is there or not, and narrow down the place where the packets are dropped.

cheers,

andrew


Andre Gustavo Albuquerque
Cisco Employee

Site Local addresses have been deprecated by IANA.

If the intention is to use something analogous to RFC1918, use Unique Local Addresses (FC00::/7), as defined by RFC4193.

http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xml

I don't think this would be a problem for ASA, but just want to make sure you start your experiments in the right direction.

If you are using Modular Policy Framework, be sure to use the match any command to match IPv6 traffic.

Cheers, Gustavo

Hi Gustavo,

So these site-local addresses have been deprecated by IANA? I got the IPv6 addresses I've used so far from the Cisco IPv6 book, an old one, so that is probably why. But are the "old" site-local IPv6 addresses the whole reason why I can't ping between the PCs?

I will then change the IPv6 address space. I haven't been doing a lot of work so far, so thanks for enlightening me.

BR

-Tom.

Tom, I didn't mean that the site-local address is the problem for your setup.

As you are running an experiment, I just wanted to make sure you were headed in the right direction from the start.

I don't believe this is what is causing the problem.

Did you enable ipv6 unicast-routing on ASA?

Can you paste a sanitized version of your ASA config file?

Cheers, Gustavo

Hi Gustavo,

No, it's okay, I understand you and I shall change the IP address range. It would be unwise not to.

That command, ipv6 unicast-routing: I can see that command if I try to enable it. If I'm running conf t, ipv6 ? I can't see that command. Isn't it on by default on an ASA running 8.4(1)?

I'll get back to you tomorrow regarding the ASA config. It's getting late here :-) Thanks again.

bep
Level 1

Silly question....did you enable IPv6 on the ASA interfaces and assign IPv6 addresses?  Have you run a packet capture to see what is happening?  Can you ping the workstations from the ASA?

Hi Bruce,

When it comes to IPv6 there is no such thing as a silly question, right ;-)

To answer your question, yes, I have enabled IPv6 on the two ASA interfaces and yes, I can ping them both from the ASA. I can also ping both PCs from the ASA, but I can't ping between the PCs using icmp6 :-(

I haven't run a packet capture; I haven't used that feature on the ASA so far, but maybe now is the time (or tomorrow, it's getting kind of late now).

I'll set up a packet capture first thing in the morning. I'll get back to you on this tomorrow.

Cheers,

Phillip Remaker
Cisco Employee

Do the PCs have an IPv6 route configured (or learned)?

Command line:

route print

or

netsh inter ipv6 show route

Each will need a default or direct route pointing through the ASA to get to the remote subnet.

Hi Phillip,

Sorry for answering late, I've been away from work for a while.

Take a look at the notepad doc; it's the route print from Test-PC1 and Test-PC2.

BR

Tom

To recap:

Subnet A IPv6 address is: FEC0:0:0:1001::1/64

Subnet B IPv6 address is: FEC0:0:0:1003::1/64

Neither of the PCs below has an interface on FEC0:0:0:1003::1/64. They are both on FEC0:0:0:1001::1/64.

Test-PC1

CMD route print

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 10    266 ::/0                     fe80::1
  1    306 ::1/128                  On-link
 10    266 fe80::/64                On-link
 10    266 fe80::b8b3:255e:dbce:dbbb/128
                                    On-link
 10     18 fec0:0:0:1001::/64       On-link
 10    266 fec0::1001:b8b3:255e:dbce:dbbb/128
                                    On-link
  1    306 ff00::/8                 On-link
 10    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None

Test-PC2

IP address via DHCPv6

CMD route print

IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
  1    306 ::1/128                  On-link
 11    266 fe80::/64                On-link
 11    266 fe80::1172:a558:86ac:6f3/128
                                    On-link
 11    266 fec0::1001:542b:699:3b6d:9a21/128
                                    On-link
  1    306 ff00::/8                 On-link
 11    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
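To make Phillip's point checkable, here is an added example (written for this page, not code from the thread or from Cisco): a small parser for the Windows `route print` IPv6 table that applies the host's own longest-prefix lookup, run over constructed tables modelled on the two above. On Test-PC1 the remote subnet is matched only by the ::/0 default route via fe80::1; on Test-PC2 nothing matches, so the host has nowhere to send the echo request.

```python
import ipaddress

# Constructed samples modelled on the two 'route print' tables quoted above:
# Test-PC1 has a ::/0 default route via fe80::1, Test-PC2 has no default route.
TEST_PC1 = """Active Routes:
 If Metric Network Destination      Gateway
 10    266 ::/0                     fe80::1
 10    266 fe80::/64                On-link
 10    266 fe80::b8b3:255e:dbce:dbbb/128
                                    On-link
 10     18 fec0:0:0:1001::/64       On-link
  1    306 ff00::/8                 On-link
===========================================================================
"""
TEST_PC2 = """Active Routes:
 If Metric Network Destination      Gateway
 11    266 fe80::/64                On-link
 11    266 fec0::1001:542b:699:3b6d:9a21/128
                                    On-link
 11    266 ff00::/8                 On-link
===========================================================================
"""

def parse_route_print(text):
    # Returns (prefix, gateway, metric) tuples from the 'Active Routes' block.
    # Windows wraps the gateway column onto the next line for long prefixes.
    routes, pending, in_table = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Active Routes"):
            in_table = True
        elif in_table and line.startswith("="):
            break                                    # end of the table
        elif in_table and line and not line.startswith("If "):
            parts = line.split()
            if pending and len(parts) == 1:          # the wrapped gateway
                routes.append((pending[0], parts[0], pending[1]))
                pending = None
            elif len(parts) == 3:                    # gateway is on the next line
                pending = (ipaddress.IPv6Network(parts[2]), int(parts[1]))
            elif len(parts) >= 4:
                routes.append((ipaddress.IPv6Network(parts[2]), parts[3], int(parts[1])))
    return routes

def lookup(routes, dest):
    # Longest-prefix match, lowest metric on ties: the host's forwarding decision.
    # Returns None when no route covers the destination.
    addr = ipaddress.IPv6Address(dest)
    hits = [r for r in routes if addr in r[0]]
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2])) if hits else None
```

Feeding a real `route print` output (the whole text, not just the IPv6 part) works the same way, since parsing starts at the first "Active Routes:" line and stops at the next separator.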

Hi Phillip,

Sorry, but that's correct, I was trying to solve a problem in the fec0:0:0:1001::1/64 net. Because of that both PCs were placed in this 1001 net.

But I'm trying to get my two PCs to receive IPv6 addresses via DHCP (Win2008 server) and I have to tweak them via netsh commands. Shouldn't a Win7 PC be able to receive an IPv6 DHCP address without tweaking?

Sent from Cisco Technical Support iPhone App

Keith O'Brien
Cisco Employee

You need to explicitly permit ICMPv6 through the firewall. Not only echo replies, but path MTU ICMPv6 messages are also a good idea to let through.

Sent from Cisco Technical Support iPhone App

Hi Keith,

Hmm, I can't seem to find path MTU as an icmp6 type among the different Services when editing the ACLv6 list. Right now I have allowed icmp6 and echo-reply6 in the ACLv6. I'm configuring the ASA via ASDM, not the CLI.

BR

Tom

Hi, Tom:

I haven't used ASDM to configure IPv6 on the ASA, but the command line option would be "ipv6 access-list permit-icmpv6 permit icmp any any packet-too-big". Here are the other ICMP types allowed in an ACL configuration on an ASA:

configure mode commands/options:
  <0-255>                 Enter ICMP type number (0 - 255)
  echo
  echo-reply
  inactive                Keyword for disabling an ACL element
  log                     Keyword for enabling log option on this ACL element
  membership-query
  membership-reduction
  membership-report
  neighbor-advertisement
  neighbor-redirect
  neighbor-solicitation
  packet-too-big
  parameter-problem
  router-advertisement
  router-renumbering
  router-solicitation
  time-exceeded
  time-range              Keyword for attaching time-range option to this ACL
                          element
  unreachable

Thanks,
Wen

Hi Wen, thanks for your help, I have now configured it via ASDM. Great, thanks for your help.

BR

Tom

Sent from Cisco Technical Support iPhone App
