
IPv6 on ASA 5520

mchance
Level 1

I have a Cisco ASA 5520 connected OSPF to a Cisco 3750. Everything is IPv4 and working like a champ. I have 3 VLANs all working IPv4 just fine. I want to start playing with IPv6. I have a few questions I haven't found answers to.

 

1. I am not picking up an IPv6 address from my carrier. I have verified that Cox is fully IPv6. Why am I not picking up an IP?

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address dhcp setroute
ipv6 address autoconfig
ipv6 enable
ipv6 nd managed-config-flag
ipv6 nd other-config-flag

 

mikerofw# sho ipv6 int
outside is up, line protocol is up
IPv6 is enabled, link-local address is fe80::218:73ff:fed6:b418
No global unicast address is configured
Joined group address(es):
ff02::2
ff02::1:ffd6:b418
ff02::1:2
ff02::1
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use DHCP to obtain routable addresses.
Hosts use DHCP to obtain other configuration.

 

2. On my switch, I am not sure what IP blocks I should use. Every example I find shows 2001:: but I was under the impression that 2000:: was publicly routable. I set up a DHCP pool with fcab::/64, and everything is picking up IPs. Should I use this or should I use something else? What is the best way to set up IPv6 for my devices?


Harold Ritter
Cisco Employee

Hello,

 

1. You should contact Cox to find out what is supported and how it is supported.

 

2. On the residential side, service providers normally provide a standard DHCPv6 lease for the CPE WAN interface and an IPv6 prefix via DHCPv6 prefix delegation that your CPE can use to assign IPv6 addresses to the various LAN interfaces.

 

To find out more about the DHCPv6 prefix delegation feature on the ASA, please refer to the following document:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-routed-tfw.html#id_23218

 

Regards,

Harold Ritter
Sr Technical Leader
CCIE 4168 (R&S, SP)
harold@cisco.com
México móvil: +52 1 55 8312 4915
Cisco México
Paseo de la Reforma 222
Piso 19
Cuauhtémoc, Juárez
Ciudad de México, 06600
México
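An added example, not part of the original posts: it classifies the address blocks raised in question 2 and shows how a DHCPv6 delegated prefix, as described in the reply above, would be split into one /64 per VLAN. The delegated prefix `2001:db8:1234:5600::/56`, the VLAN IDs 10/20/30 and the function names are assumptions made for illustration.

```python
import ipaddress
import secrets

# Ranges that come up in the thread, most specific first
# (RFC 4291 address architecture, RFC 4193 ULA, RFC 3849 documentation).
RANGES = [
    ("documentation", "2001:db8::/32"),
    ("global-unicast", "2000::/3"),
    ("ula-locally-assigned", "fd00::/8"),
    ("ula-reserved", "fc00::/8"),  # L bit 0: not defined for local assignment
    ("link-local", "fe80::/10"),
    ("multicast", "ff00::/8"),
]

def classify(prefix):
    """Name the range that an address or prefix falls in."""
    net = ipaddress.ip_network(prefix, strict=False)
    for name, rng in RANGES:
        if net.subnet_of(ipaddress.ip_network(rng)):
            return name
    return "other"

def random_ula_prefix():
    """Build a /48 as fd00::/8 plus a random 40-bit Global ID (RFC 4193 layout).
    The Global ID comes from the secrets module, not the RFC's sample algorithm."""
    value = (0xFD << 120) | (secrets.randbits(40) << 80)
    return ipaddress.IPv6Network((value, 48))

def plan_vlans(delegated, vlan_ids):
    """Give each VLAN one /64 out of a delegated prefix, in order."""
    block = ipaddress.ip_network(delegated, strict=False)
    available = 2 ** (64 - block.prefixlen) if block.prefixlen <= 64 else 0
    if len(vlan_ids) > available:
        raise ValueError(f"{block} holds {available} /64 subnets, need {len(vlan_ids)}")
    return dict(zip(vlan_ids, block.subnets(new_prefix=64)))

if __name__ == "__main__":
    # Values taken from the thread
    for item in ("fcab::/64", "fe80::218:73ff:fed6:b418", "ff02::1:2"):
        print(f"{item:28} {classify(item)}")
    print("fresh ULA /48:", random_ula_prefix())
    # Constructed delegation (documentation range) and hypothetical VLAN IDs
    for vlan, net in plan_vlans("2001:db8:1234:5600::/56", [10, 20, 30]).items():
        print(f"VLAN {vlan}: {net}")
    try:
        plan_vlans("2001:db8:1234:5600::5/128", [10, 20, 30])  # single-address lease
    except ValueError as err:
        print("single address:", err)
```

A single /128 lease fails the plan because it contains no /64 to hand to a LAN segment, which is the gap prefix delegation fills.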


@Harold Ritter wrote:

Hello,

 

1. You should contact Cox to find out what is supported and how it is supported.

 

2. On the residential side, service providers normally provide a standard DHCPv6 lease for the CPE WAN interface and an IPv6 prefix via DHCPv6 prefix delegation that your CPE can use to assign IPv6 addresses to the various LAN interfaces.

 

To find out more about the DHCPv6 prefix delegation feature on the ASA, please refer to the following document:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-routed-tfw.html#id_23218

 

Regards,


I have confirmed with Cox that they do DHCPv6. I plugged in my laptop directly to the cable modem and picked up an IPv6 address. 

Doing a DHCPv6 single address lease is good enough for a laptop, but unfortunately not for your firewall scenario. Did you ask if they support DHCPv6 prefix delegation?

 

Regards,

Harold Ritter


@Harold Ritter wrote:

Doing a DHCPv6 single address lease is good enough for a laptop, but unfortunately not for your firewall scenario. Did you ask if they support DHCPv6 prefix delegation?

 

Regards,


They do not support prefix delegation. Does that mean no ipv6 for me?

It depends what you mean by "no ipv6 for me". What they provide is good enough for a single station, but not for a small network.

You could technically take only one ipv6 address from them via dhcpv6 and then use nat66 to provide internet connectivity to your internal network, but I would rather not go there.

 

Regards,

Harold Ritter


@Harold Ritter wrote:

It depends what you mean by "no ipv6 for me". What they provide is good enough for a single station, but not for a small network.

You could technically take only one ipv6 address from them via dhcpv6 and then use nat66 to provide internet connectivity to your internal network, but I would rather not go there.

 

Regards,


The idea for right now is to get a stinkin IPv6 on that outside port. I planned to use the fc:: private IP addresses for the internal network for the 3 VLANs.

 

What am I doing wrong? Do you have a suggestion as to how I should set up an IPv6 network?

You have confirmed with Cox that they do DHCPv6, but do they do DHCPv6 prefix delegation? If you just need to get an IPv6 address on the outside interface, you should try removing all the ipv6 configuration on the outside interface and use this one instead:

 

interface GigabitEthernet0/0
ipv6 address dhcp default

 

Regards,

Harold Ritter


@Harold Ritter wrote:

You have confirmed with Cox that they do DHCPv6, but do they do DHCPv6 prefix delegation? If you just need to get an IPv6 address on the outside interface, you should try removing all the ipv6 configuration on the outside interface and use this one instead:

 

interface GigabitEthernet0/0
ipv6 address dhcp default

 

Regards,


It will not allow me to add that. I get an error at default. IPv6 is enabled on the port.

Probably due to the version you are using on your ASA. Please try without the default and see if you get an address from your provider.

 

Regards,

Harold Ritter


@Harold Ritter wrote:

Probably due to the version you are using on your ASA. Please try without the default and see if you get an address from your provider.

 

Regards,


I am on version 9.1.7.23, which is the latest version I see for the 5520. Below are the results of the latest attempt.

 

mikerofw(config-if)# ipv6 dhcp ?

configure mode commands/options:
enable Enable DHCPv6 Relay Agent on a interface
server Configure DHCPv6 server address
timeout Configure DHCPv6 Relay Binding timeout value
mikerofw(config-if)# ipv6 dhcp

The command is "ipv6 address dhcp default".

 

interface GigabitEthernet0/0
 ipv6 address dhcp default
 ipv6 enable

 

Regards,

Harold Ritter


@Harold Ritter wrote:

The command is "ipv6 address dhcp default".

 

interface GigabitEthernet0/0
 ipv6 address dhcp default
 ipv6 enable

 

Regards,


Yeah. That didn't work. It doesn't like "default". Autoconfiguration doesn't pull an IP address.

 

mikerofw(config-if)# ipv6 address ?

interface mode commands/options:
Hostname or X:X:X:X::X IPv6 link-local address
X:X:X:X::X/<0-128> IPv6 prefix
autoconfig Obtain address using autoconfiguration

It looks like the issue is not only the default keyword, but the dhcp functionality altogether. If your ASA does not support getting IPv6 address via DHCP and your provider only supports getting IPv6 address via DHCP, then the only solution would be to use the IPv6 transparent mode, which has been available since 8.2(1) according to the following document. You could then acquire an IPv6 address via DHCP on the 3750.

 

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/119012-configure-asa-00.html

 

Regards,

Harold Ritter


@Harold Ritter wrote:

It looks like the issue is not only the default keyword, but the dhcp functionality altogether. If your ASA does not support getting IPv6 address via DHCP and your provider only supports getting IPv6 address via DHCP, then the only solution would be to use the IPv6 transparent mode, which has been available since 8.2(1) according to the following document. You could then acquire an IPv6 address via DHCP on the 3750.

 

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/119012-configure-asa-00.html

 

Regards,


Thanks. I will look into that. I just don't understand how Cisco could have left out DHCP when implementing IPv6.