06-24-2014 03:24 AM
We are planning to enable IPv6 SSL VPN clients. Let me explain the current setup.
We have a Cisco ASA firewall used for SSL VPN, Cisco ACS for user authentication, and RSA for two-factor authentication.
LAN servers are IPv4 only.
Requirement :
Client (IPv6) --- Cloud (IPv6) ---- Outside (IPv6) - Cisco ASA - Inside (IPv4) ----- ACS (IPv4) & RSA (IPv4)
A client with IPv6 internet connectivity connects to the SSL VPN over IPv6; the Cisco ASA outside interface, which has an IPv6 address, will receive the request.
Questions:
1. Will the Cisco ASA check two-factor authentication with ACS and RSA, both of which have IPv4 addresses, for an IPv6 client?
2. Once authenticated, the Cisco ASA can assign an IPv4/IPv6 address pool to the client. If I prefer only an IPv4 address pool, the client will get an IPv4 address as the tunnel interface IP address. Will it work? That means IPv4 over an IPv6 SSL VPN tunnel.
Thanks
Sankar
06-24-2014 05:13 AM
AFAIR, with SSL we support IPv4 and IPv6 assigned IP addresses; with IPsec IKEv2 we only support IPv4 addressing.
Queries to AAA servers are a separate process from the user <-> headend authentication flow, unless we're talking about IKEv2 with standard EAP methods.
06-24-2014 05:55 AM
Thanks Marcin. We have SSL VPN only, not IPsec.
I am not clear on the AAA part.
06-24-2014 06:06 AM
With IKEv2, ASA with AnyConnect, you're most likely using EAP-AnyConnect :-)
With SSL, as I said, it's a separate flow.
06-22-2015 02:25 AM
Hi
Sorry to wake up this old thread, but this issue is becoming relevant for me now.
One of our main country ISPs is soon going to offer IPv6 DS-Lite to its customers. Those customers then want to connect to our ASA, currently reachable only over IPv4, for AnyConnect VPN.
I run 9.1.x on the ASA and use AnyConnect 3.1.
My thought is now to add an IPv6 address to the public interface of my ASA (I have a public pool and the infrastructure is ready to do this), but then only offer an IPv4 address pool.
So the client connects with IPv6 but gets assigned only an IPv4 address. Is this supported?
Thanks
Patrick
06-22-2015 02:49 AM
Patrick,
SSL with IPv6 and IPv6 assigned IP address has been working for some time.
Vide: http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/115735-acssl-ip-config-00.html
I've been out of the loop for a while, but I'm told IPsec should also work with both assigned protocols - didn't test it.
M.
06-22-2015 04:02 AM
I found that document, but it doesn't answer my question:
So the client connects with IPv6 (client and ASA have a public address, but the client doesn't have a public IPv4 one) but gets assigned only an IPv4 address. Is this supported?