
IPv6 through ASA - not working correctly.

jgauthier, Level 1

Greetings,

I am attempting to use an ASA as an edge device with other devices behind it.  I am unable to get those devices to contact any IPv6 hosts through the ASA.

I've acquired IPv6 space from my provider, and (modified IPs) am basically doing this:

ISP:

2001:4871:c140::1/64

interface GigabitEthernet0/0.66
vlan 66
nameif twtc
security-level 1
ipv6 address 2001:4871:c140::2/64

This interface seems to work fine:

ASA# ping 2001:4871:c140::1 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 2001:4871:c140::1, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 100 percent (100/100), round-trip min/avg/max = 1/2/20 ms

So, then I added an IPv6 address to a VLAN and to the internal Cisco 4500:

ASA:

interface GigabitEthernet0/0.20
vlan 20
nameif inside
security-level 100
ip address 192.168.20.2 255.255.255.0
ipv6 address 2001:4871:c14e::20:2/56
ipv6 address autoconfig

Cisco 4500:

interface Vlan20
ip address 192.168.20.1 255.255.255.0
ipv6 address 2001:4871:C14E::20:1/56
!

This interface seems to work fine:

4500#ping 2001:4870:C14E::20:2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:4870:C14E::20:2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms

Lastly, I added another IPv6 address to another vlan on the 4500.

interface Vlan400
ip address 192.168.74.29 255.255.255.0 secondary
ip address 192.168.74.1 255.255.255.0
no ip redirects
ipv6 address 2001:4871:C14E:AAAA::400:1/56
ipv6 nd other-config-flag

And I've added this IPv6 address to a server:

2001:4871:c14e:aaaa::400:8/56

All devices connected at layer 2 can communicate with each other just fine.

The server (2001:4871:c14e:aaaa::400:8) can ping the ASA (2001:4871:c14e::20:1) through the 4500.

However, the server cannot ping the ISP address or the ASA edge address

(2001:4871:c140::1 and 2001:4871:c140::2, respectively)

A tcpdump shows that there isn't even an echo reply being sent back through the ASA:

ISP:

14:48:43.671838 IP6 2001:4870:c14e:aaaa::400:8 > 2001:4870:c140::1: ICMP6, echo request, seq 389, length 40
14:48:43.684341 IP6 2001:4870:c14e:aaaa::400:8 > 2001:4870:c140::1: ICMP6, echo request, seq 389, length 40
14:48:43.684587 IP6 2001:4870:c14e:aaaa::400:8 > 2001:4870:c140::1: ICMP6, echo request, seq 389, length 40


ASA Edge:

14:49:04.032093 IP6 2001:4870:c14e:aaaa::400:8 > 2001:4870:c140::2: ICMP6, echo request, seq 393, length 40
14:49:04.039587 IP6 2001:4870:c14e:aaaa::400:8 > 2001:4870:c140::2: ICMP6, echo request, seq 393, length 40
14:49:08.956320 IP6 2001:4870:c14e:aaaa::400:8 > 2001:4870:c140::2: ICMP6, echo request, seq 394, length 40

I'm not sure what else to do or try.  Unicast routing is enabled on both the ASA and the 4500.  (The 4500 is working, in order to get to the ASA)

Any help would be greatly appreciated.

7 Replies

PETER EIJSBERG, Level 1

Hi Jason,

I might be totally out of my league here, but did you get any confirmation that the ISP is actually routing 2001:4871:C14E:: to you? If they try to ping your server, do you see the incoming packet arrive at your ASA? Otherwise it could be a simple routing problem on the ISP side...

Peter

Hello Peter,

Thank you for your reply.  I contacted them two days ago, and they indicated they are able to ping my equipment, they do see the IPv6 packets that I sent them.  A good idea!  I thought the same!

Jason

Hmm: Did they just ping your ASA (which is directly attached to their router and therefore almost always works) or did they actually try to ping one of your servers (which are on a different subnet and need to be routed)? Also, if the ISP techies see your traffic coming in, but not their reply going out, that would also point at a problem on their end...

They only passed traffic to the ASA.  I did not ask them to route it. I could ask them to, though, and I will.  If nothing else, I should get some denied hits through the ASA.  Will report back!

Florin Barhala, Level 6

Hi Jason,

Let me see if I guess it right: server - 4500 - ASA - ISP

Can you ping, from the server, the ASA's interface connecting to the ISP? If that's the case it is NORMAL that the ASA doesn't give you a reply, as this is the BEHAVIOUR of any Cisco ASA or FWSM.

I ping from the server to the ISP's interface, not the ASA's.  That's what fails.

I am working with the ISP to determine if they hit anything beyond my ASA, but I haven't been able to get on the phone with them to give them the details.

I am beginning to believe this might be my understanding of IPv6 subnetting.  My ISP can confirm the main IP is accessible, but it seems that I cannot route my subnets correctly.

I am still playing with this.
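The subnetting and return-path question the thread circles around can be checked offline. The script below is an added example written for this page; it is not code from any poster or from Cisco. It takes the addresses quoted in the thread, computes the prefix each interface address actually describes, and runs a longest-prefix-match lookup over the ASA's connected routes, first with the configuration as posted (no `ipv6 route` statements) and then with the two statics that configuration lacks. The delegated block `2001:4871:c14e::/48` is an assumption, since the thread never states what the ISP delegated; the posted addresses only show that it must cover both `2001:4871:c14e::/56` and `2001:4871:c14e:aa00::/56`.

```python
import ipaddress

# Addresses as quoted in the thread (the poster noted they are modified).
ISP_NEXT_HOP = "2001:4871:c140::1"
ASA_INTERFACES = {                     # nameif -> address/prefix-length from the ASA config
    "twtc":   "2001:4871:c140::2/64",
    "inside": "2001:4871:c14e::20:2/56",
}
SW_VLAN20  = "2001:4871:c14e::20:1/56"         # 4500 interface Vlan20
SW_VLAN400 = "2001:4871:c14e:aaaa::400:1/56"   # 4500 interface Vlan400
SERVER     = "2001:4871:c14e:aaaa::400:8/56"   # server on Vlan400

# ASSUMPTION: the block the ISP delegated to the site. The thread never states it;
# the addresses in use only tell us it must cover both c14e::/56 and c14e:aa00::/56.
DELEGATED = ipaddress.IPv6Network("2001:4871:c14e::/48")


def prefix_of(addr_with_len: str) -> ipaddress.IPv6Network:
    """The on-link prefix an interface address actually describes."""
    return ipaddress.IPv6Interface(addr_with_len).network


def same_link(a: str, b: str) -> bool:
    """True if two interface addresses fall in the same prefix."""
    return prefix_of(a) == prefix_of(b)


def lookup(routes, dst: str):
    """Longest-prefix match over (network, nameif, next_hop) tuples; None if no route."""
    d = ipaddress.IPv6Address(dst)
    best = None
    for net, ifname, nh in routes:
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, nh)
    return best


def asa_routes(with_statics: bool):
    """Connected routes derived from the ASA interfaces, optionally plus the two
    statics the posted config lacks (the `ipv6 route <nameif> <prefix> <next-hop>` form)."""
    routes = [(prefix_of(a), n, None) for n, a in ASA_INTERFACES.items()]
    if with_statics:
        routes.append((DELEGATED, "inside", "2001:4871:c14e::20:1"))         # back toward the 4500
        routes.append((ipaddress.IPv6Network("::/0"), "twtc", ISP_NEXT_HOP))  # default toward the ISP
    return routes


def return_path(dst: str, with_statics: bool):
    """Which ASA interface (and next hop) would carry a packet to dst; None means dropped."""
    hit = lookup(asa_routes(with_statics), dst)
    return None if hit is None else (hit[1], hit[2])


if __name__ == "__main__":
    server = SERVER.split("/")[0]
    print("ASA inside prefix :", prefix_of(ASA_INTERFACES["inside"]))
    print("Vlan400 prefix    :", prefix_of(SW_VLAN400))
    print("server on Vlan400 link?      ", same_link(SW_VLAN400, SERVER))
    print("server inside ASA 'inside'?  ",
          ipaddress.IPv6Address(server) in prefix_of(ASA_INTERFACES["inside"]))
    print("return path, posted config   :", return_path(server, False))
    print("return path, with statics    :", return_path(server, True))
    print("path to ISP next hop         :", return_path(ISP_NEXT_HOP, True))
```

Running it shows why the captures contain requests but no replies: the ASA's `inside` address `2001:4871:c14e::20:2/56` describes `2001:4871:c14e::/56`, which does not contain `2001:4871:c14e:aaaa::400:8`, so with only connected routes the ASA has no return path for the server's echo requests and the reply is dropped on the way back. Once a static for the delegated block points at the 4500 and a default route points at the ISP, the lookup resolves through `inside`. Two further conditions sit outside this script: the ISP must route the delegated block to the ASA's `twtc` address, and the ASA only passes ICMPv6 echo replies back from the lower-security side if ICMP inspection is enabled or the outside ACL permits them.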