03-06-2019 04:21 AM
Spoke side:
access-list V6 line 1 extended permit ip 2a02:xxx:3d02:2::/64 any6 (hitcnt=28) 0x0ca670f3
crypto map outside_map0 2 match address V6
crypto map outside_map0 2 set peer y.y.y.y
crypto map outside_map0 2 set ikev2 ipsec-proposal 3DES AES AES192 AES256 DES
crypto map outside_map0 interface outside
Crypto map tag: outside_map0, seq num: 2, local addr: z.z.z.z
access-list V6 extended permit ip 2a02:xxx:3d02:2::/64 any
local ident (addr/mask/prot/port): (2a02:xxx:3d02:2::/64/0/0)
remote ident (addr/mask/prot/port): (::/0/0/0)
current_peer: y.y.y.y
#pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
HUB Side:
vpn(config)# sh run | in same
same-security-traffic permit intra-interface
access-list V6-Ove line 1 extended permit ip 2a02:xxx:3d02:2::/64 any6 (hitcnt=2266)
vpn(config)# sh run | in ipv6 route
ipv6 route Nia-Internet ::/0 2a02:xxx:110:4::1
Crypto map tag: ove, seq num: 1, local addr: z.z.z.z
access-list Nia-Internet_cryptomap extended permit ip any 2a02:xxx:3d02:2::/64
local ident (addr/mask/prot/port): (::/0/0/0)
remote ident (addr/mask/prot/port): (2a02:xxx:3d02:2::/64/0/0)
current_peer: x.x.x.x
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 289, #pkts decrypt: 289, #pkts verify: 289
Traffic works for networks on the inside of the HUB ASA, but hairpinning and trying to reach the internet does not work.
ACLs:
access-list outside line 1 extended permit ip 2a02:xxx:3d02:2::/64 any6 log debugging interval 300 (hitcnt=1 (packet-tracer))
access-list global_access line 5 extended permit ip 2a02:xxx:3d02:2::/64 any6 log debugging interval 300 (hitcnt=5 (probably also packet-tracer))
packet-tracer fails with:
Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
which is normal for the ASA; packet-tracer does not understand VPN... so I'm at a loss here. Can the ASA do IPv6 hairpinning?
Does anyone know what I'm overlooking? :-)
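As an added diagnostic example (not part of the original post or of any Cisco tooling), the two checks a responder would run on the output above: comparing the encaps/decaps counters from both peers to confirm the tunnel is one-way, and pulling the dropping phase out of the packet-tracer text. The sample strings are constructed from the counters and phase block quoted in the post, plus a constructed ALLOW phase so the parser has to skip one.

```python
import re

# Constructed samples: counter lines and the packet-tracer excerpt from the post,
# with an extra ALLOW phase (Phase 7) invented so the parser must skip it.
SPOKE_SA = """\
#pkts encaps: 262, #pkts encrypt: 262, #pkts digest: 262
#pkts decaps: 3, #pkts decrypt: 3, #pkts verify: 3
"""
HUB_SA = """\
#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3
#pkts decaps: 289, #pkts decrypt: 289, #pkts verify: 289
"""
TRACER = """\
Phase: 7
Type: ACCESS-LIST
Subtype: log
Result: ALLOW

Phase: 8
Type: VPN
Subtype: ipsec-tunnel-flow
Result: DROP
Config:
Additional Information:
Result:
input-interface: outside
output-interface: outside
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def sa_counters(text):
    """Return {'encaps': n, 'decaps': n} parsed from 'show crypto ipsec sa' output."""
    return {name: int(val) for name, val in COUNTER_RE.findall(text)}

def tunnel_verdict(spoke, hub, ratio=10):
    """'ok' when traffic flows both ways, 'one-way' when the hub receives the
    spoke's packets but sends back far fewer than it decapsulated (the hub is
    not returning hairpinned traffic)."""
    s, h = sa_counters(spoke), sa_counters(hub)
    forward = s["encaps"] > 0 and h["decaps"] > 0
    back = h["encaps"] * ratio >= h["decaps"]
    return "ok" if forward and back else "one-way"

def drop_phase(tracer):
    """Return (phase number, Type, Drop-reason) of the first DROP phase, else None."""
    for block in tracer.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
        if fields.get("Result") == "DROP":
            return int(fields["Phase"]), fields.get("Type"), fields.get("Drop-reason")
    return None
```

Run `tunnel_verdict(SPOKE_SA, HUB_SA)` against the two peers' counters; the post's numbers come out as a one-way tunnel, and `drop_phase(TRACER)` isolates Phase 8 with its acl-drop reason.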
03-06-2019 04:25 AM
Version of Spoke:
ASA-OVE# show ver
Cisco Adaptive Security Appliance Software Version 9.2(4)33
(ASA5505 HW)
HUB:
vpn(config)# sh ver
Cisco Adaptive Security Appliance Software Version 9.6(4)20