10-10-2011 11:30 AM - edited 03-11-2019 02:36 PM
Hi all - below is my sanitized ASA 5510 config. Got an IPv6 T1 from AT&T and I'm unable to pass any traffic from my LAN clients out. Any help appreciated. Thx-
:
ASA Version 8.2(2)
!
enable password PoBmYYxuAzCciKRA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif public
 security-level 0
 no ip address
 ipv6 address 2001:XXXX:XXXX:300::2/64
 ipv6 enable
!
interface Ethernet0/1
 description Private IPv6 VLAN
 nameif private
 security-level 100
 no ip address
 ipv6 address 2001:XXXX:XXXX:302::1/64
 ipv6 enable
!
interface Ethernet0/2
 nameif DMZ
 security-level 100
 no ip address
 ipv6 address 2001:XXXX:XXXX:301::1/64
 ipv6 enable
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.6.196.9 255.255.255.0
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu public 1500
mtu private 1500
mtu DMZ 1500
ipv6 icmp permit any public
ipv6 icmp permit any private
ipv6 route public ::/0 2001:XXXX:XXXX:300::1
ipv6 access-list icmp6 permit icmp6 any any echo
ipv6 access-list icmp6 permit icmp6 any any echo-reply
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (private) 0 0.0.0.0 0.0.0.0
access-group icmp6 in interface public
route management 10.0.0.0 255.0.0.0 10.6.196.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 private
http 10.0.0.0 255.0.0.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
client-update enable
telnet 10.0.0.0 255.0.0.0 management
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 5
console timeout 0
management-access private
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username cisco password F43alxF8o6MbdvrW encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d21785edef26771d1ea7462f5310c97
: end
10-10-2011 11:52 AM
Here's my default route to the ISP:
ipv6 route public ::/0 2001:XXXX:XXXX:300::1
10-10-2011 01:02 PM
Check the command below. Is this your output?
ASA1# show asp drop | include header
Unsupported IPV6 header (unsupport-ipv6-hdr) 10
IPv6 packets carrying the routing header are always blocked, without the need of any further configuration.
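Added example (not part of the thread and not posted by any participant): a Python walk of the IPv6 extension header chain, showing what "carrying the routing header" means on the wire, namely Next Header value 43 anywhere in the chain. The packets are constructed samples using the 2001:db8::/32 documentation prefix, and the function names are hypothetical.

```python
import ipaddress
import struct

# IPv6 extension header types (IANA protocol numbers)
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
ICMPV6 = 58

def extension_chain(packet: bytes) -> list:
    """Return the extension header types, in order, of a raw IPv6 packet."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr, offset, chain = packet[6], 40, []
    while next_hdr in EXT_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        chain.append(next_hdr)
        if next_hdr == FRAGMENT:
            length = 8  # the fragment header has a fixed size
            frag_off = struct.unpack_from("!H", packet, offset + 2)[0] >> 3
            if frag_off:  # non-first fragment: what follows is payload, stop
                break
        else:
            length = (packet[offset + 1] + 1) * 8  # Hdr Ext Len, 8-byte units
        next_hdr, offset = packet[offset], offset + length
    return chain

def has_routing_header(packet: bytes) -> bool:
    return ROUTING in extension_chain(packet)

# --- constructed sample packets (documentation prefix 2001:db8::/32) ---
SRC = ipaddress.IPv6Address("2001:db8:302::10").packed
DST = ipaddress.IPv6Address("2001:db8:ffff::1").packed

def ipv6(next_hdr: int, payload: bytes) -> bytes:
    """Build a base IPv6 header (hop limit 64) in front of the payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64) + SRC + DST + payload

ECHO = bytes([128, 0, 0, 0, 0, 1, 0, 1])        # ICMPv6 echo request, checksum not computed
RH = bytes([ICMPV6, 2, 2, 1]) + bytes(4) + DST  # routing header, 24 bytes
HBH = bytes([ROUTING, 0, 1, 4, 0, 0, 0, 0])     # hop-by-hop header with PadN option

PLAIN = ipv6(ICMPV6, ECHO)
ROUTED = ipv6(ROUTING, RH + ECHO)
HBH_ROUTED = ipv6(HOP_BY_HOP, HBH + RH + ECHO)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("routed", ROUTED), ("hbh+routed", HBH_ROUTED)]:
        print(name, extension_chain(pkt), has_routing_header(pkt))
```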
10-10-2011 01:17 PM
asa5510(config)# sh asp drop | include header
asa5510(config)#
..no output from that command.
thx-
10-10-2011 01:31 PM
Have you tried packet tracer?
10-10-2011 01:40 PM
10-10-2011 03:02 PM
Don't think this is the problem at the moment. I don't have any Win hosts hooked up. Trying to access via Ubuntu and a Cisco 4500 switch behind the ASA.