IPv6 configuration question

RonaldNutter · ‎01-16-2012

I am studying for my CCNP Route/Switch and think that I will probably have a few IPv6 questions on the exam. Since my internet connect at home is IPv4, I know that I will need to connect my ASA to a IPv6 Broker. Do I need to run IPv6 behind the ASA as well or do I do something different. Would prefer not to have to install a second internet connection just for IPv6.

Any suggestions on this would be appreciated,

Ron

fabios · ‎01-18-2012

Ron,

not very familiar with the ASA but I was with the PIX a few years ago, the concept between the two appliances should be the same. So I believe the ASA will not be able to terminate an IPv6IP tunnel.

Also in front of the ASA you should have a router providing you connectivity to you ISP (lot of guessing here but you did not provide details).

So what you do is terminate the IPv6IP tunnel on the router and then configure the ASA for IPv6 between the outside interface (attached to the router) and the inside interface (your network).

It is a pretty straigh forward process on the router:

!

interface Tunnel6

description HE ipv6 tunnel ID xxxxx

ip ddns update ipv6tunnel2

no ip address

ipv6 address 2001:470:x:x::2/64

ipv6 enable

no ipv6 redirects

ipv6 inspect FW6-tnl1 out

ipv6 traffic-filter AL6-v6-inetin in

tunnel source Dialer9

tunnel mode ipv6ip

tunnel destination 216.66.80.30

end

then you add the IPv6 route and you are done.

ipv6 route ::/0 2001:470:x:x::1

Note that this configuration takes care also of dynamic IP address by using the DDNS update methos and interface as source.

If your IPv4 connection is terminated on the ASA, then you will have to punch a hole in the ASA for the IPv6IP tunnel and do the same thing on an inside router and run you local firewall on the router.

Hope this helps good luck for the CCNP

Fabio

RonaldNutter · ‎01-19-2012

Since posting that message, I have learned a little more. My ASA will connecting to the outside world, with the router functioning as the tunnel broker to be on the inside. It appeares that I may need to upgrade the code on the ASA to allow protocol 41 (used by the tunnel broker) to pass through. I have tried to do this with 8.2.5 code but all the pieces doent seem to be there. May have to upgrade to 8.3 or 8.4.

Ron

TCAM · ‎01-20-2012

fabios,

I have been looking for a good sample to construct a v6 traffic filtering on an in-bound interface.

I noticed thatn you are doing CBAC and v6 fitlering on your example, Can you share the configurations for "ipv6 inspect FW6-tnl1 out and ipv6 traffic-filter AL6-v6-inetin in"?

Thanks!

fabios · ‎01-20-2012

Hi Joe,

not very proud of my config but I am still experimenting with it and I do not have any servers, so I only need so little.

Also we might consider, rather than hijacking this thread, to open one on ipv6 filtering (all the niceties of the ipv6 lists having some implicit permits before the implicit deny all and the sort) .....

Also that one would be a good place to discuss ipv6 inspect which in my view is still quite immature, at least comparing to ipv4.

Cheers

Fabio

ipv6 access-list AL6-v6-inetin

sequence 1 remark Filtering inbound traffic at Tunnel interface

sequence 20 remark allowing ping of outside for tunnel statu and reachability

sequence 30 permit icmp any host 2001:470:x:x::2

remark preventing spoofing

sequence 70 deny ipv6 ::/3 any log

deny ipv6 8000::/2 any log

deny ipv6 C000::/3 any log

deny ipv6 E000::/4 any log

deny ipv6 F000::/5 any log

deny ipv6 F800::/6 any log

deny ipv6 FC00::/7 any log

deny ipv6 FE00::/8 any log

permit icmp any any time-exceeded

sequence 155 permit icmp any any unreachable

sequence 156 permit icmp any any 1 4

sequence 160 permit icmp any any packet-too-big

permit icmp any any echo-request

permit icmp any any echo-reply

ipv6 inspect name FW6-tnl1 tcp

ipv6 inspect name FW6-tnl1 udp

ipv6 inspect name FW6-tnl1 icmp