IPv6 Configuration on ASA/PIX - IPv6 traffic seems not routed

Hi all,

I'm struggling to get a correct IPv6 configuration on my Cisco 887VA and Cisco PIX firewall.

Let me introduce the scenario:

Firewall - PIX-515E Cisco PIX Security Appliance Software Version 8.0(4)

Router - Cisco 887VA C880 Software (C880DATA-UNIVERSALK9-M), Version 15.4(3)M4,

On the router the conf seems fine:

interface Dialer1

ipv6 address NODE-PD ::FF:0:0:0:1/128
ipv6 enable
ipv6 mtu 1500
ipv6 tcp adjust-mss 1440
ipv6 dhcp client pd NODE-PD

interface Vlan1

ipv6 address NODE-PD ::/64
ipv6 enable
ipv6 nd other-config-flag
ipv6 dhcp server DHCP6

ipv6 source-route
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool DHCP6
dns-server 2a02:c7d:ca1b:6d00:d250:99ff:fe53:f2fc

ipv6 route ::/0 Dialer1

887VA#ping 2001:4860:4860::8888
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:4860:4860::8888, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 36/39/40 ms

The problem is more on the firewall side. This is the conf:

interface Ethernet0
description +--WAN--+
nameif outside
security-level 0
ip address 192.168.0.3 255.255.255.0
ipv6 address autoconfig ---------------------------> The IP is obtained from Vlan1 of the Cisco 887
ipv6 nd suppress-ra

interface Ethernet1
description +--LAN--+
nameif inside
security-level 100
ip address 172.16.0.1 255.255.255.0
ipv6 address autoconfig
ipv6 enable
ipv6 nd prefix 2a02:c7d:ca1b:6d00::/64 -----------> Same subnet as delegated on Dialer1 of the Cisco 887 (Is it right?)

ipv6 icmp permit any outside
ipv6 icmp permit any inside
ipv6 route outside ::/0 fe80::a693:4cff:fe73:a2a
ipv6 route inside ::/0 fe80::d250:99ff:fe53:f2fc
ipv6 access-list IPv6 permit ip any any

Now, if I have a look at my server sitting behind the firewall, I can see this conf:

eth0 Link encap:Ethernet HWaddr d0:50:99:53:f2:fc
inet addr:172.16.0.3 Bcast:172.16.0.255 Mask:255.255.255.0
inet6 addr: 2a02:c7d:ca1b:6d00:d250:99ff:fe53:f2fc/64 Scope:Global ----> IP address obtained from autoconf on the inside interface
inet6 addr: fe80::d250:99ff:fe53:f2fc/64 Scope:Link

Those are the server's routes

root@banana:~# ip -6 route show
2a02:c7d:ca1b:6d00::/64 dev eth0 proto kernel metric 256 expires 2592092sec
fe80::/64 dev eth0 proto kernel metric 256
default via fe80::20f:34ff:feac:fa49 dev eth0 proto kernel metric 1024 expires 1730sec -----> link-local address of the firewall's inside interface

However, ping does not work:

root@banana:~# ping6 2001:4860:4860::8888
PING 2001:4860:4860::8888(2001:4860:4860::8888) 56 data bytes
^C
--- 2001:4860:4860::8888 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4031ms

For sure my conf is wrong. Can you please help me with that?

Thank you!!!

Accepted Solution

Jon Marshall
Hall of Fame

Federico

I am just getting up to speed with IPv6 myself so I may be wrong but there are a number of things not right as far as I can see.

Assuming the connectivity is -

server -> firewall -> 887

then the main ones are -

1)  you cannot use the same IPv6 subnet for the server as is used on the Dialer interface

2) I don't believe your firewall inside interface has an IPv6 address because you have used autoconfig.

Can you post the output of "sh ipv6 interface" from your firewall ?

Jon


6 Replies

Hi Jon,

Thanks for your reply. That was my thought. I saw the error message when I tried to configure the same subnet, however. That should mean I cannot use the delegated subnet on the inside LAN of the firewall. What can I do? Do I have to work with the link-local on the inside LAN and then route via global on the outside?

This is the show output required. BTW, the chain server -> firewall -> router is right.

PIX5151e# show ipv6 interface
outside is up, line protocol is up
IPv6 is enabled, link-local address is fe80::20f:34ff:feac:fa48
Global unicast address(es):
2a02:c7d:ca1b:6d00:20f:34ff:feac:fa48, subnet is 2a02:c7d:ca1b:6d00::/64 [AUTOCONFIG]
valid lifetime 7195 preferred lifetime 3595
Joined group address(es):
ff02::1
ff02::2
ff02::1:ffac:fa48
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Hosts use stateless autoconfig for addresses.
inside is up, line protocol is up
IPv6 is enabled, link-local address is fe80::20f:34ff:feac:fa49
No global unicast address is configured
Joined group address(es):
ff02::1
ff02::2
ff02::1:ffac:fa49
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
PIX5151e#

Your server will need a global address if you want to ping remote IPs.

So what you need is a new IPv6 subnet for the inside and then -

1) remove these commands from the inside interface -

"ipv6 address autoconfig"
"ipv6 nd prefix 2a02:c7d:ca1b:6d00::/64"

2) then assign an IP address from the new IPv6 subnet to the inside interface of the firewall.

The server will then get the prefix from the firewall and configure a global address with that prefix.

Next you have two default routes on the firewall and you only want the one pointing to the 887 so can you remove the other one.

Finally you will need to add a route to the 887 for the new IPv6 subnet you used on the inside interface of the firewall with the next hop of that route being the link local address of the outside interface of your firewall.

Jon
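The steps above, written out as a corrected config (an added example, not from the original thread): the inside interface gets its own /64, the second default route goes, and the 887 gets a return route. 2a02:c7d:ca1b:6d01::/64 is an assumed second /64 from the delegated /52 (the thread only shows 6d00::/64); the link-local next hops are the ones from the post and the show output.

```cisco
! PIX 515E, 8.0(4): stop borrowing the WAN prefix on the inside.
! 2a02:c7d:ca1b:6d01::/64 is ASSUMED for illustration; use any other /64 from your /52.
interface Ethernet1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.255.0
 no ipv6 address autoconfig
 no ipv6 nd prefix 2a02:c7d:ca1b:6d00::/64
 ipv6 address 2a02:c7d:ca1b:6d01::1/64
 ipv6 enable
!
! Only one default route, towards the 887 (its Vlan1 link-local, as in the post).
no ipv6 route inside ::/0 fe80::d250:99ff:fe53:f2fc
ipv6 route outside ::/0 fe80::a693:4cff:fe73:a2a
!
! Cisco 887VA, IOS 15.4(3)M4: return route for the new inside /64.
! Next hop is the PIX outside link-local shown by "show ipv6 interface";
! IOS needs the egress interface when the next hop is link-local.
ipv6 route 2a02:c7d:ca1b:6d01::/64 Vlan1 fe80::20f:34ff:feac:fa48
!
! Verify on the PIX: inside must now list a global address and a single ::/0.
show ipv6 interface inside
show ipv6 route
```

The server will then autoconfigure an address in 6d01::/64 from the RAs the inside interface already sends (the show output lists them every 200 seconds). Separately, the `ipv6 source-route` line in the 887 config enables forwarding of source-routed IPv6 packets, which nothing here needs; the IOS default (disabled) is the safer setting.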

Cool! I'll try that. However, my ISP gives me just one prefix delegation, a /52. Maybe I can split the subnet into 2 different subnets and use them as the inside LAN of the firewall. Otherwise I need to ask for another subnet. Any suggestion/opinion/idea?

A /52 is more than enough.

Each subnet is recommended to be a /64 which leaves you 64 bits for the prefix.

So 64 - 52 = 12, which means you have 12 bits for subnets, i.e. 2^12 = 4096.

So with the address space your ISP has given you you can have 4096 subnets each using a /64 prefix.

One thing to be aware of is you are using SLAAC for the server and this means the server does not get DNS information.

You can either continue to use SLAAC and point to a DHCPv6 server for DNS or you can just use DHCPv6 for everything.

Alternatively if you wanted you could just configure the DNS server manually on your server.

Jon 

Thanks Jon,

I'll try the conf and I'll let you know!

Federico