Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2637
Views
0
Helpful
7
Replies

ASA 5510 IPv6 Routing

flexin010
Level 1
Level 1

‎08-02-2012 10:40 PM - edited ‎03-11-2019 04:37 PM

Good Morning guys,

I have an asa 5510 8.2 i have configured IPv4 and this is working fine.

I am now trying to add the IPv6 configuration. We have been assigned a public /48 block which i have chopped up to /112 blocks. (dont want to use the eui-64) i have assigened diffrent subnets to the inside and outside interfaces. i can ping inside hosts from the inside interface and outside hosts from the outside inteface but cannot ping inside host from the outside interface.

First i thought this was a firewall policy but the ping error i get is "NO ROUTE TO HOST" how can the firewall have no route to connected interfaces. I have checked the IPv6 routing table and the routes are there.

Any ideas why i would get this and how this may be fixed.

Labels:
0 Helpful
7 Replies 7

Karsten Iwen
VIP
VIP

‎08-02-2012 11:04 PM

Using a different subnet prefix-length then /64 can break many functionality in IPv6 (see http://tools.ietf.org/html/rfc5375#section-3 ). And also with /64 you are not restricted to eui-64-addresses. So the first step to fix this is to correct your IPv6-setup.

0 Helpful

flexin010
Level 1
Level 1
In response to Karsten Iwen

‎08-03-2012 12:03 AM

Thanks for that,

Will try changing it up later today, I thought we were going for less waste and better allocation with ipv6. a whole /64 even for point to point links thants really bad LOL.

Even if you use eui-64 you couln't fill a /64 as it's a 48 bit address with padding and mac addresses are supposed to be "unique" giving us a limit of 281,474,976,710,656 possible nodes not the virtually unlimited number they claim with this "new" protocol. Will they ever learn the lessons?

Anyway rant over.

Again many thanks for your help will let you know if that fixes it.

0 Helpful

Karsten Iwen
VIP
VIP
In response to flexin010

‎08-03-2012 12:32 AM

For point-to-point links, /127 is the recomended prefix-length.

For your existing problem: Can you post your relevant config and routing-table?

0 Helpful

flexin010
Level 1
Level 1

‎08-03-2012 12:31 AM

Ok that made no diffrence at all still no route to connected subnets.

Any other ideas ?

0 Helpful

flexin010
Level 1
Level 1

‎08-16-2012 06:28 AM

CompuWall# show run

: Saved

:

ASA Version 8.4(1)

!

hostname CompuWall

domain-name xxxxxxxxxxxxxxxxx

enable password ejflejfefnffnefjke encrypted

passwd ewlkfj34otyu34fehf349 encrypted

names

name 2001:9784:6234:20:: Server-Network

name 2001:9784:6234:25:: Trust-Network

dns-guard

!

interface Ethernet0/0

description Interface to compuRouter

nameif UnTrust

security-level 0

ip address 154.XXX.XXX.1 255.255.255.224

ipv6 address 2001:9784:6234::/64 eui-64

ipv6 address autoconfig

ipv6 enable

!

interface Ethernet0/1

shutdown

no nameif

no security-level

no ip address

!

interface Ethernet0/2

description Interface to users PC's

nameif Trust

security-level 100

ip address 192.168.25.191 255.255.255.0

ipv6 address Trust-Network/64 eui-64

ipv6 address fe80:9784:6234:25::1 link-local

ipv6 address autoconfig

ipv6 enable

ipv6 nd ra-interval 5

ipv6 nd ra-lifetime 30

!

interface Ethernet0/3

no nameif

no security-level

no ip address

!

interface Ethernet0/3.1

description Interface To Server and Managment Vlan

vlan 172

nameif Server

security-level 100

ip address 172.16.20.1 255.255.255.0

ipv6 address Server-Network/64 eui-64

ipv6 address autoconfig

ipv6 enable

!

interface Management0/0

shutdown

nameif Managment

security-level 100

no ip address

management-only

!

boot system disk0:/asa841-k8.bin

ftp mode passive

clock timezone GMT/BST 0

clock summer-time GMT/BDT recurring last Sun Mar 1:00 last Sun Oct 2:00

dns server-group DefaultDNS

domain-name computrad.co.uk

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

object network obj-192.168.25.0

subnet 192.168.25.0 255.255.255.0

object network obj-172.16.20.0

subnet 172.16.20.0 255.255.255.0

object network obj-192.168.25.222

host 192.168.25.222

object network Trust-Network

subnet Trust-Network/64

description Created during name migration

object network Server-Network

subnet Server-Network/64

description Created during name migration

object-group network DM_INLINE_NETWORK_1

network-object Server-Network/64

network-object Trust-Network/64

access-list Trust_access_in extended permit ip 192.168.25.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list Trust_access_in extended permit icmp 192.168.25.0 255.255.255.0 any

access-list Trust_access_in extended permit ip 192.168.25.0 255.255.255.0 any

access-list Trust_access_in extended permit tcp 192.168.25.0 255.255.255.0 any

access-list Server_access_in extended permit ip 172.16.20.0 255.255.255.0 192.168.25.0 255.255.255.0

access-list Server_access_in extended permit icmp any any

access-list Server_access_in_1 extended permit ip 172.16.20.0 255.255.255.0 192.168.25.0 255.255.255.0

access-list Server_access_in_1 extended permit ip 172.16.20.0 255.255.255.0 154.xxx.xxx.0 255.255.255.224

access-list Server_access_in_1 extended permit ip 172.16.20.0 255.255.255.0 any

access-list Server_access_in_1 extended permit icmp any any

access-list Trust_nat0_outbound extended permit ip 192.168.25.0 255.255.255.0 172.16.20.0 255.255.255.0

access-list UnTrust_access_in extended permit tcp any host 192.168.25.222 eq 3389

access-list UnTrust_access_in extended permit icmp any any

pager lines 24

logging enable

logging asdm informational

mtu UnTrust 1500

mtu Trust 1500

mtu Server 1500

mtu Managment 1500

ipv6 enforce-eui64 UnTrust

ipv6 enforce-eui64 Trust

ipv6 enforce-eui64 Server

ipv6 icmp permit any UnTrust

ipv6 icmp permit any Trust

ipv6 icmp permit any Server

ipv6 route UnTrust ::/0 2001:9784:6234::1

ipv6 access-list global_access_ipv6 permit ip any any

ipv6 access-list Trust_access_ipv6_in permit icmp6 object Trust-Network any

ipv6 access-list Trust_access_ipv6_in permit ip object Trust-Network any

ipv6 access-list UnTrust_access_ipv6_in permit icmp6 any object-group DM_INLINE_NETWORK_1

ipv6 access-list Server_access_ipv6_in permit ip object Server-Network any

ipv6 access-list Server_access_ipv6_in permit icmp6 object Server-Network any

icmp unreachable rate-limit 1 burst-size 1

icmp permit any UnTrust

icmp permit any Trust

icmp permit any Server

asdm image disk0:/asdm-641.bin

no asdm history enable

arp timeout 14400

nat (Trust,any) source static obj-192.168.25.0 obj-192.168.25.0 destination static obj-172.16.20.0 obj-172.16.20.0 unidirectional

!

object network obj-192.168.25.0

nat (Trust,UnTrust) dynamic interface dns

object network obj-172.16.20.0

nat (Server,UnTrust) dynamic interface

object network obj-192.168.25.222

nat (Trust,UnTrust) static 154.xxx.xxx.3 service tcp 3389 3389

access-group UnTrust_access_in in interface UnTrust

access-group UnTrust_access_ipv6_in in interface UnTrust

access-group Trust_access_in in interface Trust

access-group Trust_access_ipv6_in in interface Trust

access-group Server_access_in_1 in interface Server

access-group Server_access_ipv6_in in interface Server

access-group global_access_ipv6 global

!

route UnTrust 0.0.0.0 0.0.0.0 154.xxx.xxx.1 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

dynamic-access-policy-record DfltAccessPolicy

aaa authentication http console LOCAL

http server enable

http 192.168.25.0 255.255.255.0 Trust

http 192.168.25.0 255.255.255.0 Managment

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ikev1 policy 5

authentication pre-share

encryption 3des

hash sha

group 2

lifetime 86400

crypto ikev1 policy 10

authentication pre-share

encryption des

hash sha

group 2

lifetime 86400

telnet 192.168.25.0 255.255.255.0 Trust

telnet timeout 5

ssh timeout 5

console timeout 0

management-access Trust

threat-detection basic-threat

threat-detection statistics access-list

threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200

ntp server 64.99.80.30 source UnTrust prefer

webvpn

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns migrated_dns_map_1

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect netbios

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect esmtp

  inspect sqlnet

  inspect sunrpc

  inspect tftp

  inspect sip

  inspect xdmcp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

call-home

profile CiscoTAC-1

  no active

  destination address httphttps://tools.cisco.com/its/service/oddce/services/DDCEService

  destination address email callhome@cisco.com

  destination transport-method http

  subscribe-to-alert-group diagnostic

  subscribe-to-alert-group environment

  subscribe-to-alert-group inventory periodic monthly

  subscribe-to-alert-group configuration periodic monthly

  subscribe-to-alert-group telemetry periodic daily

Cryptochecksum:0bd060c82d975ce22df58c58ed0a9e4d

: end

CompuWall#

Ok Guys Above is the Config

here is the test iam doing

pinging from the internal interface of asa to internal hosts (same interface) Successfull

Pinging from the asa external interface to the external router and beyond to the internet is ok

Pinging from the asa exernal interface to internal hosts unsuccessfull (no route to host)

Pinging from the asa internal interface to internet unsuccessfull (no route to host)

i have turned on the option to allow ping to and from interfaces as i know this is off by default.

0 Helpful

Karsten Iwen
VIP
VIP
In response to flexin010

‎08-16-2012 08:54 AM

>Pinging from the asa exernal interface to internal hosts unsuccessfull (no route to host)

>Pinging from the asa internal interface to internet unsuccessfull (no route to host)

thats normal behaviour for the ASA. You always have to use the interface that is the nearest to your communication-partner.

0 Helpful

flexin010
Level 1
Level 1
In response to Karsten Iwen

‎08-16-2012 10:17 AM

Ok but from the above why would you say internal host still cant ping to the net.

i really cant see the problem i have looked everywhere to try and solve this. If there is nothing in the config then the only thing i can be left with is faulty asa which i am hesitant to belive considering it is working well with ipv4

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card