Updated: Phillip Remaker August 2016 for 9.6(2) DHCP-PD client feature.
IPv6 Feature Support on the Cisco ASA Firewall
ASA supports IPv6 and it can be setup very easily and quickly. This document focuses on a basic ASA setup for a native IPv6 network. As you will see, there are very few commands required to have your ASA firewall join an IPv6 ready network. Here is a quick way to configure up your ASA firewall for IPv6 connectivity.
In this step we assign a link local address to the interface. There are 2 ways to assign a link local address to the interface
Configure the interface to generate a link local address from its MAC address.
interface GigabitEthernet 0/0
When you enter IPv6 enable, a link local address is automatically generated (this is based on your mac address).
Enabling stateless autoconfiguration on the interface configures IPv6 addresses based on prefixes received in Router Advertisement messages.
NOTE: There was a defect (CSCuq62164) in the ASA software that caused the ASA to not assign an address if it received a RA message with both the M and A flags set. This has been fixed in 9.3(1) release and hence we recommend this version if you intend to use SLAAC for configuring the address on ASA interfaces.
Verify IPv6 configuration.
show ipv6 interface
inside is up, line protocol is up
IPv6 is enabled, link-local address is fe80::e6c7:22ff:fe84:eb2
Global unicast address(es):
2001:db8:2:3::1, subnet is 2001:db8:2:3::/64
Joined group address(es):
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
Step 4 (Optional)
Suppress Router Advertisement messages on an interface.
By default, Router Advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the security appliance to supply the IPv6 prefix (for example, the outside interface).
Enter the following command to suppress Router Advertisement messages on an interface:
ipv6 nd suppress-ra
Neighbor discovery will continue to be operational even though RA suppression has been configured.
Define an IPv6 default route.
ipv6 route outside ::/0 next_hop_ipv6_addr
Using ::/0 is equivalent to “any”. The IPv6 route command is functionally similar to the IPv4 route.
Using the regular access-list command define the access-lists with IPv6 addresses in them so as to permit the required traffic to flow through the ASA.
access-list test permit tcp any host 2001:db8::203:a0ff:fed6:162d
access-group test in interface outside
The above is permitting traffic to a specific server 2001:db8::203:a0ff:fed6:162d.
SECURING THE FIREWALL
If you plan to configure autoconfig for the IPv6 global address on the ASA, you should limit the amount of router advertisements (RA) to known routers in your network. This will help prevent the ASA from being auto configured from unknown routers.
access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement
access-list outsideACL deny icmp6 any any router-advertisement
access-group outsideACL in interface outside
interface GigabitEthernet 0/0
ipv6 address autoconfig
The above access-list when applied on the ASA will limit receiving router advertisements (RA) from only the router specified. All other RAs will be denied.
Configuring ASA to help autoconfigure IPv6 addresses on hosts behind the ASA
The hosts in the network behind the ASA might be configured to autoconfigure their IPv6 address. Dynamic address assignment happens in 2 ways on IPv6 networks. It could either be a stateful address assignment or stateless address assignment.
Stateful dynamic address assignment
For stateful address assignment, a DHCPv6 server needs to be configured on the network that can assign address to hosts upon request. ASA currently does not have the ability to host a DHCPv6 server on its interfaces. But the ASA can act as a DHCPv6 relay agent. In order to enable stateful dynamic address assignment to hosts behind the ASA, the DHCPv6 relay agent needs to be configured on the ASA.
To configure the DHCPv6 relay agent the following configuration is needed:
ipv6 dhcprelay server 2001:db8:c18:6:a8bb:ccff:fe03:2701
ipv6 dhcprelay enable inside
The first command specifies the address of a DHCPv6 server to which the DHCP requests are forwarded. The command also accepts an optional interface name that specifies the output interface for the destination. The second command enables DHCP relay on an interface. When DHCP relay is enabled on an interface, all the DHCP requests coming on that interface get forwarded to the configured DHCP server.
Stateless dynamic address assignment
In Stateless Autoconfiguration (SLAAC) the client picks up its own address based on the prefix being advertised by the ASA. The prefix is advertised by means of an IPv6 router advertisement. ASA sends out IPv6 router advertisements by default from any interface on which a global IPv6 address is configured. Additionally, a DHCPv6 relay agent can be configured to point to a DHCPv6 server that can advertise a DNS server address and a domain name only.
Prior to 9.6(2), ff the network behind the ASA requires to be assigned IPv6 addresses based on the prefix delegated by a delegation router, then we need to place an ASA between the provider edge (PE) router and the IPv6 capable customer premise router. The ASA must be in transparent mode. This way the ASA protects the entire IPv6 network, including the infrastructure router, on the customer premises. All ICMP6 traffic must be permitted on the ASA running in transparent mode. The following must be configured on the ASA:
172.16.1.1 /30 or 255.255.255.252
252 = 1111 1100
That means 2^6 = 64 and 2^2-2 = 2
I checked a subnet chart and found out a /30 has 64 subnets and 2 hosts per subnet.
This has tricked me before. Originally I d...
Hello All - I am having SM-X-ES3-16-P module installed in 4500 Router. I also have External switch 3750 connected in the same Router using Gig 0/0 of the Router using a Dot1 sub-interface.
I wan to establish a layer 2 connection between ...
if I configure dhcp on router after I configure and switchport port-security on switch fastethernet 0/1
switchport access vlan 10
switchport mode access
switchport port-security maximum 2
How to make mpls fail over to site to site vpn?
Site A and Site B has primary MPLS connection and site to site ipsec vpn between them. If primary MPLS fails traffic have to flow over ipsec vpn. How to achieve this?
We have to crea...
Just started working with Cisco switches so a bit of a newbie.
I was asked to step up some IE5000 switches running OS15.2 with SSH version 2 only. Which went fine, thanks to the tutorials in the community, however once the devic...