Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
483
Views
0
Helpful
4
Replies

Dual Stack Router+ASA w/Static IPv4 using PAT

Go to solution
Christopher Morris
Level 1
Level 1

‎01-04-2016 04:37 PM - edited ‎03-12-2019 12:06 AM

I have a bit of an interesting question that I would like some help with.

I am currently using an ASA 5505 running 9.2.1 as my edge device with a Cisco 2920 router on the inside acting as a tunnel endpoint for a 6in4 tunnel to Hurricane Electric.  I have a single static IPv4 address from my ISP assigned to the outside interface of my ASA, and a full /48 address space from HE.  My ASA is currently forwarding protocol 41 traffic to the router to perform this.  Everything is working fine so far, both IPv4 and IPv6 traffic are routing to the Internet just fine.  I have a number of port address translations (PAT) defined on the ASA to forward traffic to certain servers (SMTP, WWW, etc.) using IPv4 NAT rules.  All inside hosts are dual stack enabled using private 10.x.x.x/24 addresses and IPv6 addresses from my /48 (I actually subnetted it to several /64 networks).

I just bought a Cisco 3825 and I want to use that as my edge device (move the 6in4 tunnel to this device, decommission the 2920, put the ASA behind the 3825).  I am trying to figure out what changes I will need to make to allow my IPv4 translations to continue to work without them conflicting with my IPv6 addresses.  To put it another way, my rules translate a port of the full outside interface of the ASA to an inside address (i.e. all incoming traffic on TCP 25 goes to my email server).  How do I make this keep working in the new topology without effecting IPv6 addresses not assigned to my email server (i.e. allow+send TCP 25 traffic directed to the IPv6 address assigned to my email server, without also affecting anything to do with TCP 25 of other IPv6 addresses on the inside)??

Thanks in advance for any help!

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎01-05-2016 11:41 PM

Have the 3825 do all NAT.  Disable NAT completely on the ASA.

Configure an IPv4 and IPv6 stub between the 3825 and the ASA.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎01-05-2016 11:41 PM

Have the 3825 do all NAT.  Disable NAT completely on the ASA.

Configure an IPv4 and IPv6 stub between the 3825 and the ASA.

0 Helpful

Go to solution
Christopher Morris
Level 1
Level 1
In response to Philip D'Ath

‎01-06-2016 05:34 AM

Just to clarify, by "stub" you mean I should create a subnet between the router and ASA?

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to Christopher Morris

‎01-06-2016 10:47 AM

Correct.

0 Helpful

Go to solution
Christopher Morris
Level 1
Level 1
In response to Philip D'Ath

‎01-06-2016 03:31 PM

Thank you for your help!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card