johndav2
Cisco Employee

We are excited to announce Secure Access support for dual-stack configured clients! This is one of three releases in this project, with the end goal of supporting single-stack IPv6 clients.

How To Start Using Dual-Stack Support in Secure Access

  • Secure Client with “Umbrella” module installed (or the module formerly known as RSM, Roaming Security Module) – no special configuration required.  If the client is configured with dual-stack, it will send IPv6-based web requests to Secure Access.
  • PAC files and explicit proxy – configure or update existing Registered Networks with an IPv6 address/CIDR.
  • Remote Access VPN – configure VPN IP pools to have an IPv6 address/CIDR.
  • Network Tunnel Groups (i.e. IPsec tunnels) – to enable this feature, please contact Support. While the tunnels themselves (i.e. the transport) remain IPv4, they will carry IPv6-based traffic automatically. We disabled this because of a growing concern: since we did not include a dashboard control to toggle this feature, an IPv6 route would suddenly show up in IPsec tunnels, which would unexpectedly start accepting IPv6 traffic. If any rules were configured to block an IPv4-based host, and that host was also configured with an IPv6 address, then users would be able to connect to that host over IPv6. Before enabling this service, please update all IPv4-based block rules to include an IPv6 analogue for the same host(s).
  • Private Resources – configure an IPv6 address for new or existing applications.
  • Destination Lists – IPv6 addresses and CIDRs are now accepted.
  • In-Line IP Sources and Destinations – IPv6 addresses are now accepted.  Destinations accept IPv6 CIDRs.
  • Internal Networks – IPv6 addresses and CIDRs are now accepted for backwards compatibility with Networks, Network Tunnel Groups, and Sites that have clients configured with IPv6 addresses behind them.
  • Internet Security Bypass – IPv6 addresses are now accepted.
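
An added example, not Cisco code or part of the original post: a Python check for the gap described under Network Tunnel Groups, listing block rules that cover a dual-stack host's IPv4 address but none of that host's IPv6 addresses. The rule and inventory dictionaries are constructed sample data, and their shape is an assumption rather than a Secure Access export format.

```python
import ipaddress

# Constructed sample data (hypothetical format): rule name -> blocked destinations.
BLOCK_RULES = {
    "block-legacy-hr": ["192.0.2.10", "2001:db8:0:0:0:0:0:10"],  # long-form IPv6
    "block-lab-net": ["198.51.100.0/24"],                        # IPv4 CIDR only
    "block-build-host": ["203.0.113.7", "2001:db8:2::/64"],      # IPv6 CIDR analogue
    "block-old-wiki": ["192.0.2.55"],                            # IPv4 host only
}

# Constructed inventory: host -> every address configured on it.
HOST_INVENTORY = {
    "hr-app": ["192.0.2.10", "2001:db8::10"],
    "lab-ci": ["198.51.100.25", "2001:db8:1::25"],
    "build-01": ["203.0.113.7", "2001:db8:2::7"],
    "printer": ["198.51.100.40"],  # IPv4-only host, cannot have a gap
    "wiki": ["192.0.2.55", "2001:db8:3::55"],
}


def _covered(addr, nets):
    """True if addr falls inside any network of the same IP version."""
    return any(addr.version == n.version and addr in n for n in nets)


def find_ipv6_gaps(rules, inventory):
    """Return sorted (rule, host, ipv6) tuples where a rule blocks a host's
    IPv4 address but leaves one of its IPv6 addresses unblocked."""
    gaps = []
    for rule, dests in rules.items():
        # strict=False lets a bare address parse as a /32 or /128 network;
        # long and short IPv6 forms normalise to the same value.
        nets = [ipaddress.ip_network(d, strict=False) for d in dests]
        for host, addrs in inventory.items():
            parsed = [ipaddress.ip_address(a) for a in addrs]
            if not any(a.version == 4 and _covered(a, nets) for a in parsed):
                continue  # this rule does not target the host at all
            for a in parsed:
                if a.version == 6 and not _covered(a, nets):
                    gaps.append((rule, host, str(a)))
    return sorted(gaps)


if __name__ == "__main__":
    for rule, host, v6 in find_ipv6_gaps(BLOCK_RULES, HOST_INVENTORY):
        print(f"{rule}: {host} still reachable at {v6}; add an IPv6 block entry")
```

Each reported tuple is a rule to update with an IPv6 analogue before asking Support to enable IPv6 over the tunnels.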

Additional Notes on IPv6 Support in Secure Access

  • Reports now reflect the IP version used in a transaction.
  • Secure Access will accept input of both long and short form IPv6 addresses.

Secure Access Components Which Do Not Currently Support IPv6

  • Reserved IP
  • Secure Client ZTA module
  • Browser-based Private Access
  • Notification Pages
  • Resource Connectors
  • IPsec Tunnel “transport”, already mentioned above
  • APIs and the API Gateway
  • Hydra Sync Service – manages Secure Client configuration, status, etc.
  • The Dashboard – currently only hosted on IPv4
  • Virtual Appliances
  • AD Connectors

How Do Clients Connect to IPv6-Based Hosts?

Irrespective of decryption or policy bypass, Secure Access will still control the IP connection of the client, thereby accepting an IPv6-based connection from the client. When connecting upstream, Secure Access will still prefer IPv4-based connections, even if the upstream host is also configured with an IPv6 address. If the upstream host is only configured with an IPv6 address, then Secure Access will connect to the host using IPv6.

The reason for this is that Reserved IP does not yet support IPv6, and we must maintain this service for customers using Reserved IP so these customers can continue to connect to their allow-listed apps and services.

Documentation

Product documentation has been updated to reflect the changes above: Welcome to Cisco Secure Access
