IPv6 provided through IPv4 VPN hairpinning on ASA not working.

OveDC
Level 1

Spoke side:

access-list V6 line 1 extended permit ip 2a02:xxx:3d02:2::/64 any6 (hitcnt=28) 0x0ca670f3

crypto map outside_map0 2 match address V6
crypto map outside_map0 2 set peer y.y.y.y
crypto map outside_map0 2 set ikev2 ipsec-proposal 3DES AES AES192 AES256 DES
crypto map outside_map0 interface outside


Crypto map tag: outside_map0, seq num: 2, local addr: z.z.z.z

access-list V6 extended permit ip 2a02:xxx:3d02:2::/64 any
local ident (addr/mask/prot/port): (2a02:xxx:3d02:2::/64/0/0)
remote ident (addr/mask/prot/port): (::/0/0/0)
current_peer: y.y.y.y


#pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3


HUB Side:

vpn(config)# sh run | in same
same-security-traffic permit intra-interface


access-list V6-Ove line 1 extended permit ip 2a02:xxx:3d02:2::/64 any6 (hitcnt=2266)


vpn(config)# sh run | in ipv6 route
ipv6 route Nia-Internet ::/0 2a02:xxx:110:4::1


Crypto map tag: ove, seq num: 1, local addr: z.z.z.z

access-list Nia-Internet_cryptomap extended permit ip any 2a02:xxx:3d02:2::/64
local ident (addr/mask/prot/port): (::/0/0/0)
remote ident (addr/mask/prot/port): (2a02:xxx:3d02:2::/64/0/0)
current_peer: x.x.x.x


#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 289, #pkts decrypt: 289, #pkts verify: 289


Traffic works for networks on the inside of the HUB ASA, but hairpinning to reach the internet does not work.

ACLs:

access-list outside line 1 extended permit ip 2a02:xxx:3d02:2::/64 any6 log debugging interval 300 (hitcnt=1 (packet-tracer))

access-list global_access line 5 extended permit ip 2a02:xxx:3d02:2::/64 any6 log debugging interval 300 (hitcnt=5 (probably also packet-tracer))


packet-tracer fails with:

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


which is normal for the ASA; packet-tracer does not understand VPN. So I'm at a loss here: can the ASA do IPv6 hairpinning?


Does anyone know what I'm overlooking? :-)

CCIES#21940
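The two "show crypto ipsec sa" excerpts above already tell a story when read side by side: the proxy identities are mirrored, the spoke encrypts hundreds of packets that the hub decrypts, but the hub encrypts almost nothing back. The following script is an added example (not from the poster or from Cisco) that parses such excerpts and reports exactly that pattern, so the fault can be placed after decryption (routing, hairpin or ACL on the hub) rather than in the tunnel itself. The sample texts are constructed to match the post, with the same anonymised addresses.

```python
import re

# Constructed sample excerpts shaped like the "show crypto ipsec sa" output in
# the post; the prefix and peer addresses are anonymised as the poster did.
SPOKE_SA = """\
Crypto map tag: outside_map0, seq num: 2, local addr: z.z.z.z
local ident (addr/mask/prot/port): (2a02:xxx:3d02:2::/64/0/0)
remote ident (addr/mask/prot/port): (::/0/0/0)
current_peer: y.y.y.y
#pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
"""

HUB_SA = """\
Crypto map tag: ove, seq num: 1, local addr: z.z.z.z
local ident (addr/mask/prot/port): (::/0/0/0)
remote ident (addr/mask/prot/port): (2a02:xxx:3d02:2::/64/0/0)
current_peer: x.x.x.x
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 289, #pkts decrypt: 289, #pkts verify: 289
"""

# "local ident (...): (<prefix>/<len>/<prot>/<port>)" -> side and prefix/len
IDENT_RE = re.compile(r"^(?P<side>local|remote) ident .*?: \((?P<net>.+)/(\d+)/(\d+)\)$", re.M)
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


def parse_sa(text):
    """Extract proxy identities, peer and encaps/decaps counters from one SA block."""
    sa = {}
    for m in IDENT_RE.finditer(text):
        sa[m.group("side")] = m.group("net")
    for m in COUNT_RE.finditer(text):
        sa[m.group(1)] = int(m.group(2))
    peer = re.search(r"current_peer: (\S+)", text)
    sa["peer"] = peer.group(1) if peer else None
    return sa


def diagnose(spoke, hub, ratio=0.1):
    """Compare a spoke SA with the matching hub SA and return a list of findings."""
    findings = []
    # Interesting-traffic ACLs must be mirror images, or the SA would not match.
    if (spoke["local"], spoke["remote"]) != (hub["remote"], hub["local"]):
        findings.append("proxy identities are not mirrored between spoke and hub")
    # Spoke encaps should appear as hub decaps; zero here means the tunnel itself fails.
    if spoke["encaps"] and hub["decaps"] == 0:
        findings.append("spoke encrypts but hub decrypts nothing: tunnel/transport problem")
    # Replies come back as hub encaps; near-zero means the hub drops or misroutes
    # the decrypted packets, i.e. the problem is after decryption (route/hairpin/ACL).
    if hub["decaps"] and hub["encaps"] < hub["decaps"] * ratio:
        findings.append("one-way traffic: hub decrypts %d but encrypts only %d back"
                        % (hub["decaps"], hub["encaps"]))
    return findings
```

Running diagnose(parse_sa(SPOKE_SA), parse_sa(HUB_SA)) on the post's numbers reports only the one-way-traffic finding, which is consistent with the packet-tracer drop occurring after the ipsec-tunnel-flow phase.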

OveDC
Level 1

version of Spoke:

ASA-OVE# show ver

Cisco Adaptive Security Appliance Software Version 9.2(4)33

(ASA5505 HW)


HUB:

vpn(config)# sh ver

Cisco Adaptive Security Appliance Software Version 9.6(4)20

CCIES#21940