ASA IPv6 routing (very simple routing, but it does not work)

viacheslav.k
Level 1

Hi guys,

My question is connected with IPv6 routing and ASA.

My simple lab network topology:

PC======ASA 5520=======Router 2801

I've assigned following IPv6 Subnets:

PC-ASA:

Network is 2001::3000:100:/104

ASA has 2001::3000:101:1/104

PC has 2001::3000:133:136/104 (default gateway is 2001::3000:101:1)

ASA-Router:

Network is FC00:1::/32

ASA has FC00:1::1/32

Router has FC00:1::101/32 (default gateway is FC00:1::1)

PC can ping its IPv6 gateway

Router can ping its IPv6 gateway

The problem is that PC can't ping (establish tcp connections, etc) Router and vice versa.

ASA can ping both of them.

When I use 'packet-trace' command on ASA it says that connections are allowed.

PC firewall is disabled. The Router does not have any IPv6 access-list.

ASA has two IPv6 access-lists, one for each interface, with the following rules:

permit ip any any

permit icmp any any

I also used the commands 'ipv6 icmp permit any INT1' and 'ipv6 icmp permit any INT2'.

What is the problem in my situation? Why can't the PC and Router communicate?

I thought that I have to enable IPv6 routing on ASA, but I do not know how to do this.

When I do 'show ipv6 interface' I get:

INT1 [up/up]

.....

INT2 [up/up]

ASA firmware is 8.2. PC is Windows 7. Router is 12.4.

12 Replies

Namit Agarwal
Cisco Employee

Hi ,

Please look at the following link, it shows how to put a default router for IPv6 addresses http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1880507

I hope this helps.

Thanks,

Namit

How can it be helpful?

ASA does not need default routes. It's directly connected to the PC and Router networks.

asa5520# show ipv6 route

C   2001::3000:100:0/104 [0/0]
     via ::, INT1

C   fc00:1::/32 [0/0]
     via ::, INT2

Router has its default route:

1#sh run | in route

ipv6 route ::/0 FastEthernet0/0.7

#show ipv6 route

S   ::/0 [1/0]
     via ::, FastEthernet0/0.7

PC also has its default gateway.

Namit Agarwal
Cisco Employee

Hi ,

Apologies for that. I misunderstood the problem. Just confirming the topology is PC----ASA----ROUTER. PC can ping ASA and vice versa. ASA can ping router and vice versa. The PC cannot ping the router but the ASA can ping both. Could you please provide the running config on the ASA? Also, when you run pings from the PC, please run the command "debug icmp trace"; using this we can see if pings are reaching the ASA. Please use this only if you DO NOT have a lot of icmp traffic flowing. To disable this, use "un all".

Thanks,

Namit

Thank you for your response.

I can not provide a full ASA config as it has a lot of information.

Below is the IPv6-related information:

:
ASA Version 8.2(2)17
!
...
!
interface GigabitEthernet0/1
nameif INT1
security-level 0
ipv6 address 2001::3000:101:1/104
ipv6 enable 
!
...
!
interface GigabitEthernet0/2.7
vlan 7      
nameif INT2  
security-level 0
ipv6 address fc00:1::1/32
ipv6 enable 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
...
...
ipv6 icmp permit any INT1
ipv6 icmp permit any INT2
...
ipv6 access-list INT1v6_access_in permit ip any any
ipv6 access-list INT1v6_access_in permit icmp any any
ipv6 access-list INT2v6_access_in permit ip any any
ipv6 access-list INT2v6_access_in permit icmp any any
...
access-group INT1v6_access_in in interface INT1
access-group INT2v6_access_in in interface INT2

Ping traces.

I tried to ping Router from PC (Windows 7).

Windows 7 has following IPv6 addresses:

   IPv6 Address. . . . . . . . . . . : 2001::3000:133:136(Preferred)   <<== this one I've assigned manually

   IPv6 Address. . . . . . . . . . . : 2001::30:11:8daa:f149:c8f4:cce9(Preferred)

   Temporary IPv6 Address. . . . . . : 2001::30:11:28b2:673b:fe27:ab66(Preferred)

   Link-local IPv6 Address . . . . . : fe80::8daa:f149:c8f4:cce9%11(Preferred)

On ASA:

ICMPV6 echo request from INT1:2001::30:11:28b2:673b:fe27:ab66 to INT2:fc00:1::101

ICMPV6 echo request from INT1:2001::30:11:28b2:673b:fe27:ab66 to INT2:fc00:1::101

ICMPV6 echo request from INT1:2001::30:11:28b2:673b:fe27:ab66 to INT2:fc00:1::101

ICMPV6 echo request from INT1:2001::30:11:28b2:673b:fe27:ab66 to INT2:fc00:1::101

On Router:

*Oct  1 06:26:50.054: ICMPv6: Received echo request from 2001::30:11:28B2:673B:FE27:AB66

*Oct  1 06:26:50.054: ICMPv6: Sending echo reply to 2001::30:11:28B2:673B:FE27:AB66

*Oct  1 06:26:55.054: ICMPv6: Received echo request from 2001::30:11:28B2:673B:FE27:AB66

*Oct  1 06:26:55.054: ICMPv6: Sending echo reply to 2001::30:11:28B2:673B:FE27:AB66

Any solution for this? I've got exactly the same trouble...

My problem was the wrong IPv6 allocation.

Be sure that you don't use IPv6 subnetworks with prefixes lower than /64.

I tried to use /104.

IPv6 was designed for using at least a /64 subnet mask. Much network hardware was designed to do so.

Even for point to point links.

You can use other subnets besides /64 on an ASA. IPv6 uses /64 for neat features like auto-discovery, but you can use anything you want if you don't care about that. I usually use /80s and /96s (all taken from a subnetted /64) for testing. I haven't had any problem doing that on FWSMs and other Cisco gear.

If I understand your situation correctly, though, you had your router on one subnet, your ASA on another subnet, and your PC on a third subnet, then you were pointing your PC's default gateway to the ASA. My guess is that it figured out how to reach it through the link-local address that was auto-assigned, but when it tried to get farther than the ASA it didn't know where to go and was dying. The same goes for the router trying to talk back to the PC.

This sort of scenario may have worked:

Subnet 1: 2001::3000:100::/104

Subnet 2: 2001::3000:101::/104

Router: 2001::3000:100::1/104
ASA INT1 interface: 2001::3000:100::2/104

ASA INT2 interface: 2001::3000:101::1/104

PC: 2001::3000:101::2/104

PC Default gateway: 2001::3000:101::1/104 (or the link-local address on the INT2 interface)

Perhaps when you reverted to a /64 it all sorted itself out thanks to auto-discovery, but I'm just speculating. I'm no expert on IPv6

Hope that helps...

All I knew from working with IPv6 is that you don't use less than /64 for hosts, even if it works sometimes.

RFCs about IPv6 say the same.

Anyway, thanks for your post.

No RFC says that IPv6 only works sometimes when using a non-/64 subnet. TCP/IP either works or it doesn't, it's not intermittent. Certain features are designed around using a /64, but you can use whatever you want if you don't care about those things.

Just trying to help, you can feel free to not believe me if you like. It sounds like you got your issue sorted out and that's what matters.

I believe you guys.

In the meantime I found my problem. I forgot the routing entry in the external router pointing to my ASA-inside network. Now it works.

Thanks

Ahhh, that would cause an issue. I did the same thing the other day. I couldn't figure out why a load balancer could talk through my firewall, only to remember that I had stripped out the routes in order to start over from scratch and forgot to add them back in. Whoops!
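
The "debug icmp trace" output posted earlier shows the PC sourcing its echo requests from its temporary address (2001::30:11:28b2:673b:fe27:ab66) rather than from the manually assigned 2001::3000:133:136, and the router answering to that temporary address. The ASA's 'show ipv6 route' in the same thread lists only two connected prefixes, 2001::3000:100:0/104 and fc00:1::/32, and the temporary address is inside neither. The script below is an added example, not code from this thread or from Cisco: it loads the addresses and routes exactly as posted, forwards the echo request and then the echo reply hop by hop using longest-prefix matching, and reports where each packet ends up. It also replays the case from the last replies, where the external router has no route back toward the ASA's inside network. The node names, the per-node tables and the 'owner' stand-in for neighbor discovery are modelling assumptions, not anything in the posted configs.

```python
"""Replay the ping in this thread through the posted IPv6 routing tables.

Added example (not Cisco code): a hop-by-hop forwarding model.  Node names and
the 'owner' stand-in for neighbor discovery are modelling assumptions.
"""
import ipaddress
from typing import Optional

IPv6 = ipaddress.IPv6Address
Net6 = ipaddress.IPv6Network
Route = tuple[Net6, Optional[IPv6]]      # (prefix, next hop); None = directly connected


def net(s: str) -> Net6:
    return ipaddress.IPv6Network(s, strict=False)


def addr(s: str) -> IPv6:
    return ipaddress.IPv6Address(s)


# Addresses and routes as posted in the thread: the PC's addresses from its
# ipconfig output, the ASA's connected routes from 'show ipv6 route', the
# router's connected prefix plus its ::/0 via the ASA.
LAB = {
    "PC": {
        "addrs": [addr("2001::3000:133:136"),                 # assigned manually
                  addr("2001::30:11:8daa:f149:c8f4:cce9"),    # autoconfigured
                  addr("2001::30:11:28b2:673b:fe27:ab66")],   # temporary (source of the pings)
        "rib": [(net("2001::3000:100:0/104"), None),
                (net("::/0"), addr("2001::3000:101:1"))],      # default gateway = ASA INT1
    },
    "ASA": {
        "addrs": [addr("2001::3000:101:1"), addr("fc00:1::1")],
        "rib": [(net("2001::3000:100:0/104"), None),           # C ... INT1
                (net("fc00:1::/32"), None)],                   # C ... INT2
    },
    "Router": {
        "addrs": [addr("fc00:1::101")],
        "rib": [(net("fc00:1::/32"), None),
                (net("::/0"), addr("fc00:1::1"))],             # ipv6 route ::/0 -> ASA
    },
}


def lookup(rib: list[Route], dst: IPv6) -> Optional[Route]:
    """Longest-prefix match; the prefix length itself (/104, /32, /0) is irrelevant."""
    matches = [r for r in rib if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen) if matches else None


def owner(lab: dict, target: IPv6) -> Optional[str]:
    """Which node holds an on-link address (stand-in for neighbor discovery)."""
    for name, node in lab.items():
        if target in node["addrs"]:
            return name
    return None


def forward(lab: dict, start: str, dst: IPv6, max_hops: int = 8) -> tuple[list[str], str]:
    """Forward one packet hop by hop; returns the nodes visited and a verdict."""
    path, cur = [start], start
    for _ in range(max_hops):
        if dst in lab[cur]["addrs"]:
            return path, "delivered"
        route = lookup(lab[cur]["rib"], dst)
        if route is None:
            return path, f"dropped at {cur}: no route to {dst}"
        _prefix, nexthop = route
        target = dst if nexthop is None else nexthop   # connected route: resolve dst itself
        nxt = owner(lab, target)
        if nxt is None:
            return path, f"dropped at {cur}: no neighbor answers for {target}"
        path.append(nxt)
        cur = nxt
    return path, "dropped: hop limit exceeded"


def ping_round_trip(lab: dict, src: IPv6, dst: IPv6) -> dict:
    """Echo request src -> dst, then the reply dst -> src.  The return leg is
    the half that 'debug icmp trace' on the ASA never showed in this thread."""
    request = forward(lab, owner(lab, src), dst)
    reply = forward(lab, owner(lab, dst), src) if request[1] == "delivered" else None
    return {"request": request, "reply": reply}


def router_without_return_route(lab: dict) -> dict:
    """Same lab, but the external router lost its route back toward the ASA
    (the mistake described in the last replies of the thread)."""
    copy = {n: {"addrs": v["addrs"], "rib": list(v["rib"])} for n, v in lab.items()}
    copy["Router"]["rib"] = [r for r in copy["Router"]["rib"] if r[0].prefixlen != 0]
    return copy


if __name__ == "__main__":
    router = addr("fc00:1::101")
    for label, lab, src in [
        ("temporary source address", LAB, addr("2001::30:11:28b2:673b:fe27:ab66")),
        ("manually assigned source", LAB, addr("2001::3000:133:136")),
        ("router missing its route", router_without_return_route(LAB), addr("2001::3000:133:136")),
    ]:
        result = ping_round_trip(lab, src, router)
        print(f"{label}: request {result['request']}, reply {result['reply']}")
```

Run as-is, the first round trip is delivered on the way out and dropped at the ASA on the way back, which matches what both debugs show: the ASA and the router both see the request, and nothing ever reaches the PC. The second round trip, sourced from the /104 address, completes. The third, with the router's default route removed, dies on the router before the ASA sees anything. On the real Windows 7 host the equivalent check is to pin the source address, for example "ping -6 -S 2001::3000:133:136 fc00:1::101", and compare with a ping that lets Windows pick the temporary address.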
