01-16-2012 01:06 PM - edited 03-01-2019 05:32 PM
I am studying for my CCNP Route/Switch and think that I will probably have a few IPv6 questions on the exam. Since my internet connection at home is IPv4, I know that I will need to connect my ASA to an IPv6 Broker. Do I need to run IPv6 behind the ASA as well, or do I do something different? Would prefer not to have to install a second internet connection just for IPv6.
Any suggestions on this would be appreciated,
Ron
01-18-2012 09:41 PM
Ron,
not very familiar with the ASA but I was with the PIX a few years ago, the concept between the two appliances should be the same. So I believe the ASA will not be able to terminate an IPv6IP tunnel.
Also, in front of the ASA you should have a router providing you connectivity to your ISP (lots of guessing here, but you did not provide details).
So what you do is terminate the IPv6IP tunnel on the router and then configure the ASA for IPv6 between the outside interface (attached to the router) and the inside interface (your network).
It is a pretty straightforward process on the router:
!
! IPv6-in-IPv4 tunnel to the broker; "tunnel mode ipv6ip" is IP protocol 41
interface Tunnel6
description HE ipv6 tunnel ID xxxxx
! DDNS keeps the broker informed when the dynamic WAN address changes
ip ddns update ipv6tunnel2
no ip address
ipv6 address 2001:470:x:x::2/64
ipv6 enable
no ipv6 redirects
! stateful inspection of outbound sessions, static filter on inbound traffic
ipv6 inspect FW6-tnl1 out
ipv6 traffic-filter AL6-v6-inetin in
! source by interface (not by address) so a changing WAN address still works
tunnel source Dialer9
tunnel mode ipv6ip
tunnel destination 216.66.80.30
end
Then you add the IPv6 route and you are done:
ipv6 route ::/0 2001:470:x:x::1
Note that this configuration also takes care of a dynamic IP address by using the DDNS update method and the interface as tunnel source.
If your IPv4 connection is terminated on the ASA, then you will have to punch a hole in the ASA for the IPv6IP tunnel, do the same thing on an inside router, and run your local firewall on the router.
Hope this helps, good luck with the CCNP
Fabio
01-19-2012 09:39 AM
Since posting that message, I have learned a little more. My ASA will be connecting to the outside world, with the router functioning as the tunnel broker endpoint on the inside. It appears that I may need to upgrade the code on the ASA to allow protocol 41 (used by the tunnel broker) to pass through. I have tried to do this with 8.2.5 code but all the pieces don't seem to be there. May have to upgrade to 8.3 or 8.4.
Ron
01-20-2012 07:28 AM
fabios,
I have been looking for a good sample to construct v6 traffic filtering on an inbound interface.
I noticed that you are doing CBAC and v6 filtering in your example. Can you share the configurations for "ipv6 inspect FW6-tnl1 out" and "ipv6 traffic-filter AL6-v6-inetin in"?
Thanks!
01-20-2012 01:48 PM
Hi Joe,
not very proud of my config, but I am still experimenting with it and I do not have any servers, so I only need so little.
Also, rather than hijacking this thread, we might consider opening one on ipv6 filtering (all the niceties of the ipv6 lists having some implicit permits before the implicit deny all, and the sort).
That one would also be a good place to discuss ipv6 inspect, which in my view is still quite immature, at least compared to ipv4.
Cheers
Fabio
!
! inbound filter applied on Tunnel6; entries without a sequence number
! take the next free number, so the list is evaluated in the order shown
ipv6 access-list AL6-v6-inetin
sequence 1 remark Filtering inbound traffic at Tunnel interface
sequence 20 remark allowing ping of outside for tunnel status and reachability
sequence 30 permit icmp any host 2001:470:x:x::2
remark preventing spoofing
sequence 70 deny ipv6 ::/3 any log
deny ipv6 8000::/2 any log
deny ipv6 C000::/3 any log
deny ipv6 E000::/4 any log
deny ipv6 F000::/5 any log
deny ipv6 F800::/6 any log
deny ipv6 FC00::/7 any log
deny ipv6 FE00::/8 any log
! ICMPv6 messages needed for PMTUD, traceroute and ping to work
permit icmp any any time-exceeded
sequence 155 permit icmp any any unreachable
sequence 156 permit icmp any any 1 4
sequence 160 permit icmp any any packet-too-big
permit icmp any any echo-request
permit icmp any any echo-reply
!
! CBAC inspection rules referenced by "ipv6 inspect FW6-tnl1 out"
ipv6 inspect name FW6-tnl1 tcp
ipv6 inspect name FW6-tnl1 udp
ipv6 inspect name FW6-tnl1 icmp
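As an added example (not from the thread or from Fabio's router), here is a small first-match evaluator of the AL6-v6-inetin list above, with the two implicit neighbor-discovery permits and the implicit deny that IOS appends to every IPv6 access-list, so you can see which entry a given source, destination and ICMPv6 type actually hits; the constructed endpoint 2001:db8:1:1::2 stands in for the redacted 2001:470:x:x::2.

```python
import ipaddress

# Constructed stand-in for the redacted tunnel endpoint 2001:470:x:x::2.
TUNNEL_END = "2001:db8:1:1::2"

# (action, protocol, source prefix, destination, icmpv6 type) in the posted
# order; sequence-less lines take the next free number, so order is as shown.
AL6_V6_INETIN = [
    ("permit", "icmp", "::/0",     TUNNEL_END, "any"),      # seq 30
    ("deny",   "ipv6", "::/3",     "any", None),            # seq 70 onwards
    ("deny",   "ipv6", "8000::/2", "any", None),
    ("deny",   "ipv6", "c000::/3", "any", None),
    ("deny",   "ipv6", "e000::/4", "any", None),
    ("deny",   "ipv6", "f000::/5", "any", None),
    ("deny",   "ipv6", "f800::/6", "any", None),
    ("deny",   "ipv6", "fc00::/7", "any", None),
    ("deny",   "ipv6", "fe00::/8", "any", None),
    ("permit", "icmp", "::/0", "any", "time-exceeded"),
    ("permit", "icmp", "::/0", "any", "unreachable"),       # seq 155
    ("permit", "icmp", "::/0", "any", "1/4"),               # seq 156: type 1 code 4
    ("permit", "icmp", "::/0", "any", "packet-too-big"),    # seq 160
    ("permit", "icmp", "::/0", "any", "echo-request"),
    ("permit", "icmp", "::/0", "any", "echo-reply"),
    # Entries IOS appends implicitly to every IPv6 access-list:
    ("permit", "icmp", "::/0", "any", "nd-na"),
    ("permit", "icmp", "::/0", "any", "nd-ns"),
    ("deny",   "ipv6", "::/0", "any", None),
]
IMPLICIT_DENY = len(AL6_V6_INETIN) - 1


def evaluate(src, dst, proto, icmp_type=None, acl=AL6_V6_INETIN):
    """First-match lookup: return (action, entry index) for one packet."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, (action, eproto, snet, edst, etype) in enumerate(acl):
        if eproto == "icmp" and proto != "icmp":
            continue                       # icmp entries never match tcp/udp
        if s not in ipaddress.ip_network(snet):
            continue
        if edst != "any" and d != ipaddress.ip_address(edst):
            continue
        if etype not in (None, "any") and etype != icmp_type:
            continue
        return action, i
    raise RuntimeError("unreachable: the implicit deny matches everything")
```

Because the lookup is first-match, it makes the ordering visible: an ICMPv6 packet addressed to the tunnel endpoint matches sequence 30 before any of the spoofing denies, while inbound TCP from a valid global source falls through to the implicit deny and therefore relies entirely on the CBAC inspection to be let back in.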