
Can we assign IPv4 IP address pool to IPv6 VPN Client

sankarccie
Level 1

We are planning to enable IPv6 SSL VPN clients. Let me explain the current setup.

We have a Cisco ASA firewall used for SSL VPN, Cisco ACS for user authentication, and RSA for two-factor authentication.

LAN servers are IPv4 only.

Requirement:

Client (IPv6) --- Cloud (IPv6) ---- Outside (IPv6) - Cisco ASA - Inside (IPv4) ----- ACS (IPv4) & RSA (IPv4)

A client with IPv6 internet connectivity connects to the SSL VPN over IPv6; the Cisco ASA outside interface, which has an IPv6 address, will receive the request.

Questions:

1. Will the Cisco ASA check two-factor authentication with ACS and RSA, both of which have IPv4 addresses, for an IPv6 client?

2. Once authenticated, the Cisco ASA can assign an IPv4/IPv6 address pool to the client. If I prefer only an IPv4 address pool, the client will get an IPv4 address as its tunnel interface IP address. Will it work? That is, IPv4 over an IPv6 SSL VPN tunnel.

Thanks

Sankar

6 Replies

Marcin Latosiewicz
Cisco Employee

AFAIR, with SSL we support IPv4 and IPv6 assigned IP addresses; with IPsec IKEv2 we only support IPv4 addressing.

Queries to AAA servers are a separate process from the user <-> headend authentication flow, unless we're talking about IKEv2 with standard EAP methods.

Thanks Marcin. We have SSL VPN only, not IPsec.

The AAA part is not clear to me.

With IKEv2, ASA with AnyConnect, you're most likely using EAP-AnyConnect :-)

With SSL, as I said, it's a separate flow.

Hi

Sorry to wake up this old thread, but this issue is becoming relevant for me now.

One of our country's main ISPs is soon going to offer IPv6 DS-Lite to its customers. Those customers will then want to connect to our ASA, currently reachable only over IPv4, for AnyConnect VPN.

I run 9.1.x on the ASA and use AnyConnect 3.1.

My thought is now to add an IPv6 address to the public interface of my ASA (I have a public pool and the infrastructure is ready to do this), but then only offer an IPv4 address pool.

So the client connects with IPv6 but gets assigned only an IPv4 address. Is this supported?

Thanks

Patrick

Patrick,

SSL with IPv6 and IPv6 assigned IP address has been working for some time.

Vide: http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/115735-acssl-ip-config-00.html

I've been out of the loop for a while but I'm told IPsec should also work with both assigned protocols - didn't test it.

M.

I found that document, but it doesn't answer my question:

So the client connects with IPv6 (client and ASA have a public address, but the client doesn't have a public IPv4 one) but gets assigned only an IPv4 address. Is this supported?