04-04-2010 05:51 AM - edited 03-08-2019 06:32 PM
This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/route_ipv6_neighbor.html
and
http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ref_ports.html#wp1007606
IPv6 is the next generation of the Internet Protocol after IPv4. It provides an expanded address space, a simplified header format, improved support for extensions and options, flow labeling capability, and authentication and privacy capabilities. IPv6 is described in RFC 2460. The IPv6 addressing architecture is described in RFC 3513.
The ipv6 address command was introduced in 7.0.1 code. 8.2.1 code introduced support for transparent mode, and 8.2.2 introduced support for the standby IP address. The latest 8.3 code adds support for LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing: the security appliance supports such VPN tunnels if both peers are Cisco ASA 5500 series security appliances and both inside networks have matching addressing schemes (both IPv4 or both IPv6).
IPv6-IPv4 NAT-PT (Network Address Translation – Protocol Translation), i.e. bi-directional connectivity between IPv4 and IPv6 domains, is not supported on the ASA platform.
ASA: Failover support for IPV6 has been added in ASA 8.2.2 and above.
Please refer to this link: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1090421
If an interface has IPv4 and IPv6 addresses configured on it, the adaptive security appliance uses the IPv4 addresses to perform the health monitoring.
If an interface has only IPv6 addresses configured on it, then the adaptive security appliance uses IPv6 neighbor discovery instead of ARP to perform the health monitoring tests. For the broadcast ping test, the adaptive security appliance uses the IPv6 all-nodes address (FF02::1).
FWSM: There is still no support for IPv6 failover on the FWSM, but the following enhancement request exists:
PIX: PIX platforms cannot run 8.2.2 code; the latest a PIX can run is 8.04(28), so failover support for IPv6 is not available on PIX platforms.
ASA(config)# sh run int vlan1
!
interface Vlan1
nameif inside
security-level 100
ip address 192.168.2.1 255.255.255.0
ipv6 address 2001:4800:0:1::1/64
ipv6 enable
ASA(config)# sh int vlan1
Interface Vlan1 "inside", is up, line protocol is up
Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
MAC address 0019.0725.94ab, MTU 1500
ASA(config)# sh ipv6 interface inside
inside is up, line protocol is up
IPv6 is enabled, link-local address is fe80::219:7ff:fe25:94ab
Global unicast address(es):
2001:4800:0:1::1, subnet is 2001:4800:0:1::/64
Joined group address(es):
ff02::1
ff02::2
ff02::1:ff25:94ab -------------> Solicited node multicast address
.
.
.
Hosts use stateless autoconfig for addresses.
For more info see http://wwwin.cisco.com/ios/tech/ipv6/docs/EUI64.shtml
http://wiki.nil.com/IPv6_EUI-64_interface_addressing
This is a hierarchical address that is globally unique and allows for aggregation of routing prefixes.
2000::/3 = 001x xxxx xxxx xxxx: /12 through /23 allocated to RIRs
examples:
2600:0000::/12 to ARIN
2003:0000::/18 to RIPE
/32 given to ISPs, /48 given to customers
This is an IPv6 unicast address that uses the prefix FC00::/7 (1111 1100). This address can be used for a site without using a globally unique address and can be considered a private address.
RFC 4193: LSB of the 1st octet = "Assignment Policy Bit"; it should always be set to one (xxxx xxx1).
As a result, Unique Local addresses always start with FD00::/8.
This is a unicast IPv6 address that can be automatically configured using the prefix FE80::/10 (1111 1110 10) and the interface identifier in EUI-64 format. Nodes on a local link can use the link-local address to communicate, and a router will not forward packets that have link-local source or destination addresses.
This is an address for a set of interfaces belonging to different nodes. A packet sent to this address is delivered to all interfaces identified by the multicast address. IPv6 multicast addresses use the prefix FF00::/8 (1111 1111). The second octet defines the lifetime and scope of the multicast address.
OSPFv3 Hello Packets
Used on OSPFv3 DR and BDR routers to receive OSPF packets.
This is an address for a set of interfaces belonging to different nodes.
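The address classes above reduce to a few prefix and bit checks. As an added example (not part of the original document), this Python helper classifies an address by those rules and decodes the fields a filtering rule should care about: the RFC 4193 L bit of a unique-local address and the flags/scope octet of a multicast address. The scope names and the sample addresses in the code are my own.

```python
# Added example (not from the original document): classify an IPv6 address
# using the prefixes described on this page and decode the RFC 4193 L bit
# (unique-local) and the flags/scope octet (multicast).
import ipaddress

# Multicast scope values from the low nibble of the second octet (RFC 4291 2.7).
MCAST_SCOPES = {1: "interface-local", 2: "link-local", 4: "admin-local",
                5: "site-local", 8: "organization-local", 0xE: "global"}

# First 13 bytes of any solicited-node address: ff02::1:ff00:0/104
SOLICITED_NODE_PREFIX = b"\xff\x02" + b"\x00" * 9 + b"\x01\xff"


def classify(addr: str) -> dict:
    """Return the address type plus the bit-level details relevant to filtering."""
    a = ipaddress.IPv6Address(addr)
    b = a.packed
    info = {"address": str(a)}
    if b[0] == 0xFF:                                  # FF00::/8 multicast
        flags, scope = b[1] >> 4, b[1] & 0x0F
        info.update(type="multicast",
                    scope=MCAST_SCOPES.get(scope, f"reserved({scope})"),
                    transient=bool(flags & 0x1),      # T flag: not well-known
                    solicited_node=b[:13] == SOLICITED_NODE_PREFIX)
    elif b[0] == 0xFE and (b[1] & 0xC0) == 0x80:      # FE80::/10 link-local
        info.update(type="link-local")
    elif (b[0] & 0xFE) == 0xFC:                       # FC00::/7 unique-local
        l_bit = b[0] & 0x01                           # LSB of first octet
        info.update(type="unique-local", l_bit=l_bit,
                    valid_per_rfc4193=(l_bit == 1))   # only FD00::/8 is valid
    elif (b[0] & 0xE0) == 0x20:                       # 2000::/3 global unicast
        info.update(type="global-unicast")
    elif a == ipaddress.IPv6Address("::1"):
        info.update(type="loopback")
    else:
        info.update(type="other")
    return info


if __name__ == "__main__":
    # Sample addresses (constructed; the first two come from the show output above).
    for sample in ("2001:4800:0:1::1", "ff02::1:ff25:94ab", "fe80::219:7ff:fe25:94ab",
                   "fd12:3456::1", "fc00::1", "ff05::2"):
        print(classify(sample))
```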
ipv6 nd router-preference {high | medium | low}
fe80::219:7ff:fe25:94ab
ff02::1:ff25:94ab ----> is the solicited-node multicast address
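The link-local and solicited-node addresses shown above are both derived from the interface MAC (0019.0725.94ab in the show interface output). As an added example (not part of the original document), this Python code performs the EUI-64 derivation and the solicited-node mapping so the values in the show output can be verified; the SLAAC helper and the prefix passed to it are my own additions.

```python
# Added example (not from the original document): derive the EUI-64 link-local
# address and the solicited-node multicast address from the MAC shown in the
# "show interface" output above (0019.0725.94ab).
import ipaddress


def mac_to_bytes(mac: str) -> bytes:
    """Accept Cisco dotted (0019.0725.94ab) or colon/dash separated MACs."""
    hexdigits = "".join(ch for ch in mac if ch not in ".:-")
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return bytes.fromhex(hexdigits)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 (RFC 4291 App. A): split the OUI and NIC halves,
    insert FFFE between them and flip the universal/local bit (bit 1 of octet 0)."""
    m = mac_to_bytes(mac)
    iid = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix + modified EUI-64 interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + eui64_interface_id(mac))


def slaac_from_mac(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfig address: advertised /64 prefix + EUI-64 interface id."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def solicited_node(addr) -> ipaddress.IPv6Address:
    """RFC 4291 2.7.1: ff02::1:ffXX:XXXX with the low 24 bits of the unicast address."""
    low24 = ipaddress.IPv6Address(addr).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


if __name__ == "__main__":
    mac = "0019.0725.94ab"                       # MAC from the show interface output
    ll = link_local_from_mac(mac)
    print("link-local     :", ll)                # fe80::219:7ff:fe25:94ab
    print("solicited-node :", solicited_node(ll))  # ff02::1:ff25:94ab
    print("SLAAC address  :", slaac_from_mac("2001:4800:0:1::/64", mac))  # constructed prefix
```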
ASA# conf
ASA(config)# int vlan 1
ASA(config-if)#ipv6 enable
ASA(config-if)#ipv6 address 2001:4800:0:1::1/64
ASA# conf t
ASA(config)#ipv6 access-list inside-v6 permit icmp6 2001:4800:0:1::1/64 any
ASA(config)#ipv6 access-list inside-v6 permit icmp 2001:4800:0:1::1/64 host 2610:108:3000:5004::1
ASA(config)#ipv6 access-list inside-v6 permit icmp 2001:4800:0:1::1/64 2610:108:4000:aaaa::/64
ASA(config)#ipv6 access-list inside-v6 permit icmp6 any any
ASA(config)#access-group inside-v6 in interface inside
The following example uses it to permit access to all ports less than port 1025, which permits access to the well-known ports (1 to 1024):
ASA(config)# ipv6 access-list acl_dmz-v6 permit tcp any host 3001:1::203:A0FF:FED6:162D lt 1025
ASA(config)# access-group acl_dmz-v6 in interface dmz1
ipv6 route inside 2410:108:3000::/48 2610:108:4000:a001::2
ipv6 route inside 2410:108:4000:a002::/64 2610:108:4000:a001::2
ipv6 route inside 2410:108:4000:aaaa::/64 2610:108:4000:a001::3
Configure an access-list matching the interesting traffic for the packet capture:
ipv6 access-list tacin permit ip host 2410:108:4000:a000::1 host 2410:108:4000:a000::2
ipv6 access-list tacin permit ip host 2410:108:4000:a000::2 host 2410:108:4000:a000::1
Apply the capture ACL to the interface, then view the captured packets:
sh cap capin detail
CSCth46161 Transparent mode ASA does not pass IPv6 Router Advertisement packet
CSCte44112 "icmp-type" object groups can be erroneously used with the IPv6 ACL
CSCte51194 IPv6: Multiple equal cost routes not working
CSCtd34024 ASA not getting IPv6 ND solicitation on subinterfaces
http://tools.cisco.com/Support/BugToolKit/
Please go to the above link, log in with your CCO ID and then enter the above defect IDs to read more details.
great document. Very helpful.
Thanks Paul.
-Kureli
Is it possible to convert an IPv4 address to an IPv6 address when we configure a Cisco router with IPv4 on one end and it provides IPv6 as output on the other end?
If so, then please help me with that command...
Great !