unable to send IPv6 traffic through ASA

mbazan
Level 1

Hi all - below is my sanitized ASA 5510 config. Got an IPv6 T1 from AT&T and I'm unable to pass any traffic from my LAN clients out. Any help appreciated. Thx-

:
ASA Version 8.2(2)
!
enable password PoBmYYxuAzCciKRA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif public
 security-level 0
 no ip address
 ipv6 address 2001:XXXX:XXXX:300::2/64
 ipv6 enable
!
interface Ethernet0/1
 description Private IPv6 VLAN
 nameif private
 security-level 100
 no ip address
 ipv6 address 2001:XXXX:XXXX:302::1/64
 ipv6 enable
!
interface Ethernet0/2
 nameif DMZ
 security-level 100
 no ip address
 ipv6 address 2001:XXXX:XXXX:301::1/64
 ipv6 enable
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.6.196.9 255.255.255.0
!
ftp mode passive
pager lines 24
logging asdm informational
mtu management 1500
mtu public 1500
mtu private 1500
mtu DMZ 1500
ipv6 icmp permit any public
ipv6 icmp permit any private
ipv6 route public ::/0 2001:XXXX:XXXX:300::1
ipv6 access-list icmp6 permit icmp6 any any echo
ipv6 access-list icmp6 permit icmp6 any any echo-reply
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645-106.bin
no asdm history enable
arp timeout 14400
nat (private) 0 0.0.0.0 0.0.0.0
access-group icmp6 in interface public
route management 10.0.0.0 255.0.0.0 10.6.196.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 private
http 10.0.0.0 255.0.0.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
client-update enable
telnet 10.0.0.0 255.0.0.0 management
telnet timeout 5
ssh 10.0.0.0 255.0.0.0 management
ssh timeout 5
console timeout 0
management-access private
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
webvpn
username cisco password F43alxF8o6MbdvrW encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:0d21785edef26771d1ea7462f5310c97
: end

6 Replies

mbazan
Level 1

here's my default route to the ISP:

ipv6 route public ::/0 2001:XXXX:XXXX:300::1

lcaruso
Level 6

Check the command below. Is this your output?

ASA1# show asp drop | include header

Unsupported IPV6 header (unsupport-ipv6-hdr) 10

IPv6 packets carrying the routing header are always blocked, without the need of any further configuration.

asa5510(config)# sh asp drop | include header

asa5510(config)#

..no output from that command.

thx-

Have you tried packet tracer?

Don't think this is the problem at the moment. I don't have any Win hosts hooked up. Trying to access via Ubuntu and a Cisco 4500 switch behind the ASA.
