09-29-2010 04:17 PM - edited 03-11-2019 11:47 AM
Hi guys,
My question is connected with IPv6 routing and ASA.
My simple lab network topology:
PC======ASA 5520=======Router 2801
I've assigned following IPv6 Subnets:
PC-ASA:
Network is 2001::3000:100:0/104
ASA has 2001::3000:101:1/104
PC has 2001::3000:133:136/104 (default gateway is 2001::3000:101:1)
ASA-Router:
Network is FC00:1::/32
ASA has FC00:1::1/32
Router has FC00:1::101/32 (default gateway is FC00:1::1)
PC can ping its IPv6 gateway.
Router can ping its IPv6 gateway.
The problem is that PC can't ping (establish tcp connections, etc) Router and vice versa.
ASA can ping both of them.
When I use 'packet-trace' command on ASA it says that connections are allowed.
PC firewall is disabled. Router does not have any IPv6 access-list.
ASA has two IPv6 access-list for both interfaces with following rules:
permit ip any any
permit icmp any any
I also used commands 'ipv6 icmp permit any INT1' and 'ipv6 icmp permit any INT2'.
What is the problem in my situation? Why can't the PC and Router communicate?
I thought that I have to enable IPv6 routing on ASA, but I do not know how to do this.
When I do 'show ipv6 interface' I get:
INT1 [up/up]
.....
INT2 [up/up]
ASA firmware is 8.2. PC is Windows 7. Router is 12.4.
09-29-2010 06:09 PM
Hi,
Please look at the following link, it shows how to put a default router for IPv6 addresses http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1880507
I hope this helps.
Thanks,
Namit
09-29-2010 06:38 PM
How can it be helpful?
ASA does not need default routes. It's directly connected to the PC and Router networks.
asa5520# show ipv6 route
C 2001::3000:100:0/104 [0/0]
via ::, INT1
C fc00:1::/32 [0/0]
via ::, INT2
Router has its default route:
1#sh run | in route
ipv6 route ::/0 FastEthernet0/0.7
#show ipv6 route
S ::/0 [1/0]
via ::, FastEthernet0/0.7
PC also has its default gateway.
09-29-2010 07:11 PM
Hi,
Apologies for that. I misunderstood the problem. Just confirming the topology is PC----ASA----ROUTER. PC can ping ASA and vice versa. ASA can ping router and vice versa. The PC cannot ping the router but the ASA can ping both. Could you please provide the running config on the ASA? Also, when you run pings from the PC, please run the command "debug icmp trace"; using this we can see if pings are reaching the ASA. Please use this only if you DO NOT have a lot of icmp traffic flowing. To disable this use "un all".
Thanks,
Namit
09-30-2010 08:47 PM
Thank you for your response.
I cannot provide a full ASA config as it has a lot of information.
Below is the IPv6-related information:
:
ASA Version 8.2(2)17
!
...
!
interface GigabitEthernet0/1
nameif INT1
security-level 0
ipv6 address 2001::3000:101:1/104
ipv6 enable
!
...
!
interface GigabitEthernet0/2.7
vlan 7
nameif INT2
security-level 0
ipv6 address fc00:1::1/32
ipv6 enable
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
...
...
ipv6 icmp permit any INT1
ipv6 icmp permit any INT2
...
ipv6 access-list INT1v6_access_in permit ip any any
ipv6 access-list INT1v6_access_in permit icmp any any
ipv6 access-list INT2v6_access_in permit ip any any
ipv6 access-list INT2v6_access_in permit icmp any any
...
access-group INT1v6_access_in in interface INT1
access-group INT2v6_access_in in interface INT2
09-30-2010 10:19 PM
Ping traces.
I tried to ping Router from PC (Windows 7).
Windows 7 has the following IPv6 addresses:
IPv6 Address. . . . . . . . . . . : 2001::3000:133:136(Preferred) <<== this one I've assigned manually
IPv6 Address. . . . . . . . . . . : 2001::30:11:8daa:f149:c8f4:cce9(Preferred)
Temporary IPv6 Address. . . . . . : 2001::30:11:28b2:673b:fe27:ab66(Preferred)
Link-local IPv6 Address . . . . . : fe80::8daa:f149:c8f4:cce9%11(Preferred)
On ASA:
ICMPV6 echo request from INT1:2001::30:11:28b2:673b:fe27:ab66 to INT2:fc00:1::101
ICMPV6 echo request from INT1:2001::30:11:28b2:673b:fe27:ab66 to INT2:fc00:1::101
ICMPV6 echo request from INT1:2001::30:11:28b2:673b:fe27:ab66 to INT2:fc00:1::101
ICMPV6 echo request from INT1:2001::30:11:28b2:673b:fe27:ab66 to INT2:fc00:1::101
On Router:
*Oct 1 06:26:50.054: ICMPv6: Received echo request from 2001::30:11:28B2:673B:FE27:AB66
*Oct 1 06:26:50.054: ICMPv6: Sending echo reply to 2001::30:11:28B2:673B:FE27:AB66
*Oct 1 06:26:55.054: ICMPv6: Received echo request from 2001::30:11:28B2:673B:FE27:AB66
*Oct 1 06:26:55.054: ICMPv6: Sending echo reply to 2001::30:11:28B2:673B:FE27:AB66
01-10-2012 04:53 AM
Any solution for this? I've got exactly the same trouble...
01-10-2012 02:16 PM
My problem was the wrong IPv6 allocation.
Be sure that you don't use IPv6 subnetworks with prefixes longer than /64.
I tried to use /104.
IPv6 was designed for using at least a /64 subnet mask. Much network hardware was designed to do so.
Even for point-to-point links.
01-13-2012 05:26 PM
You can use other subnets besides /64 on an ASA. IPv6 uses /64 for neat features like auto-discovery, but you can use anything you want if you don't care about that. I usually use /80s and /96s (all taken from a subnetted /64) for testing. I haven't had any problem doing that on FWSMs and other Cisco gear.
If I understand your situation correctly, though, you had your router on one subnet, your ASA on another subnet, and your PC on a third subnet, then you were pointing your PC's default gateway to the ASA. My guess is that it figured out how to reach it through the link-local address that was auto-assigned, but when it tried to get farther than the ASA it didn't know where to go and was dying. The same goes for the router trying to talk back to the PC.
This sort of scenario may have worked:
Subnet 1: 2001::3000:100::/104
Subnet 2: 2001::3000:101::/104
Router: 2001::3000:100::1/104
ASA INT1 interface: 2001::3000:100::2/104
ASA INT2 interface: 2001::3000:101::1/104
PC: 2001::3000:101::2/104
PC Default gateway: 2001::3000:101::1/104 (or the link-local address on the INT2 interface)
Perhaps when you reverted to a /64 it all sorted itself out thanks to auto-discovery, but I'm just speculating. I'm no expert on IPv6.
Hope that helps...
01-15-2012 04:17 PM
All I knew from working with IPv6 is that you don't use less than /64 for hosts, even if it works sometimes.
RFCs about IPv6 say the same.
Anyway, thanks for your post.
01-16-2012 10:38 AM
No RFC says that IPv6 only works sometimes when using a non-/64 subnet. TCP/IP either works or it doesn't, it's not intermittent. Certain features are designed around using a /64, but you can use whatever you want if you don't care about those things.
Just trying to help; you can feel free to not believe me if you like. It sounds like you got your issue sorted out and that's what matters.
01-17-2012 09:20 AM
I believe you guys.
In the meantime I found my problem. I forgot the routing entry in the external router pointing to my ASA-inside network. Now it works.
Thanks
01-17-2012 12:56 PM
Ahhh, that would cause an issue. I did the same thing the other day. I couldn't figure out why a load balancer could talk through my firewall, only to remember that I had stripped out the routes in order to start over from scratch and forgot to add them back in. Whoops!
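As an added example (written for this page, not code from any poster or from Cisco), a small Python check of an addressing plan like the one in this thread: it confirms that the ASA interface and each host really sit inside the link prefix, flags prefixes longer than /64 (the point debated above), and does a longest-prefix lookup to confirm the far-side router holds a route back to the ASA-inside prefix, which is the missing piece reported at the end of the thread. The LINKS table and the route dictionaries are constructed from the addresses posted here.

```python
import ipaddress

# Constructed from the addresses posted in this thread (INT1/INT2 names and
# the ASA, PC and router addresses are the thread's; the dict layout is ours).
LINKS = {
    "INT1": {"prefix": "2001::3000:100:0/104", "asa": "2001::3000:101:1",
             "hosts": {"PC": "2001::3000:133:136"}},
    "INT2": {"prefix": "fc00:1::/32", "asa": "fc00:1::1",
             "hosts": {"Router": "fc00:1::101"}},
}

def check_link(name, link):
    """Return human-readable problems for one ASA-attached link."""
    problems = []
    net = ipaddress.ip_network(link["prefix"], strict=False)
    if net.prefixlen > 64:
        problems.append(f"{name}: /{net.prefixlen} is longer than /64; "
                        "SLAAC and some stacks expect /64 on host links")
    if ipaddress.ip_address(link["asa"]) not in net:
        problems.append(f"{name}: ASA address {link['asa']} is off-link")
    for host, addr in link["hosts"].items():
        if ipaddress.ip_address(addr) not in net:
            problems.append(f"{name}: {host} {addr} is off-link for {net}")
    return problems

def covering_route(routes, destination):
    """Longest-prefix match of a destination prefix against a route table
    (dict of prefix -> next hop). Returns the matching prefix or None."""
    dest = ipaddress.ip_network(destination, strict=False)
    best = None
    for prefix in routes:
        r = ipaddress.ip_network(prefix)
        if dest.subnet_of(r) and (best is None or r.prefixlen > best.prefixlen):
            best = r
    return str(best) if best else None

def audit(links, router_routes, router_link="INT2"):
    """Run the link checks, then confirm the router on router_link can route
    back to every other ASA link (the missing-return-route case above)."""
    findings = []
    for name, link in links.items():
        findings.extend(check_link(name, link))
    for name, link in links.items():
        if name != router_link and covering_route(router_routes, link["prefix"]) is None:
            findings.append(f"Router has no route back to {link['prefix']}")
    return findings

if __name__ == "__main__":
    # Constructed: a router with a default route vs. one with no route at all.
    for table in ({"::/0": "fc00:1::1"}, {}):
        print(table, audit(LINKS, table))
```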