If you are using the ASA to perform NAT, you'll only need to allow inbound TCP 443. If you are routing to the DirectAccess server or have the ASA configured in transparent firewall mode, then you'll need to allow inbound IP protocol 41, and inbound UDP 3544. If your ASA and your DirectAccess clients are on the IPv6 Internet, you will also need to allow inbound IP protocol 50, inbound UDP 500, and all ICMPv6 traffic.
Richard Hicks - directaccess.richardhicks.com
Thanks for the reply Richard and you bring up an interesting question that stumped the Cisco tech I contacted and that is how to allow inbound protocol 41.
Do you know the specific CLI command for that particular subject?
This article explains how to configure a Cisco ASA for protocol-41.
Prerequisites for this article:
Configuration setup I used:
Define a new protocol object group
conf t object-group protocol IPv6inIPv4 protocol-object 41 end wr mem
Define the internal linux Debian host
conf t object network IPv6_HOST host 192.168.35.18 end wr mem
Define the POP that you are using
conf t object network IPv6_POP host 18.104.22.168 end wr mem
With the new version of IOS 8.3, configuring a NAT rule has changed. You are now able to NAT specific source and destination traffic, this is what we need to make the IPv6-IPv4 tunnel to work and to let protocol 41 flow trough the ASA. Make sure this line is the first one in you NAT configuration, it should be on top of the rest! (Add NAT Rule Before "Network Object" NAT Rules...)
conf t object network IPv6_HOST nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP end wr mem
Open up you're firewall and let protocol 41 flow between the internal Debian host and the POP. I have put these lines at position one, the first line on the interface.
conf t access-list inside_access_in extended permit object-group IPv6inIPv4 object IPv6_HOST object IPv6_POP access-list outside_access_in extended permit object-group IPv6inIPv4 object IPv6_POP object IPv6_HOST end wr mem
Now you should be able to configure the tunnel on the Debian box or any other machine on which you are planning the tunnel end-point.