Cisco ASA 5545 IPv6 SSL VPN query

Poltergeist
Level 1

Hi,

We are planning to migrate our network to the IPv6 standard, preferably dual stack.

Currently we have SSL VPN enabled using the AnyConnect client: VPN users connect to the ASA 5545 and are then able to access the internal network. We are planning to enable dual stack on the outside interface of the ASA, while the internal network will remain an IPv4 network.

A user with an IPv6 address needs to access the IPv4 internal network using the SSL VPN (the IP address assigned to the AnyConnect interface will be an IPv4 address).

Currently the ASA version is 8.0(4).

My query is: what are the things I need to consider prior to the migration?

1) Which ASA software version will support IPv6 SSL VPN using the AnyConnect client? (Please note, we don't need IPsec.)

2) Similarly, which AnyConnect client version will support IPv6 SSL connections?

3) What would be the best practice for this kind of deployment?


Kindly help.

Any helpful answers will be appreciated.

3 Replies

Marcin Latosiewicz
Cisco Employee

You should consider going for at least ASA 9.0:

- New NAT config

- Unified IPv6 and IPv4 ACLs.

If you want the basics:

- ASA IPv6 with failover: you need 8.2.2

- ASA IPv6 VPN: you need 9.0

- AnyConnect IPv6: you need 3.0 (but there is no reason not to run 3.1)

FYI, all this info can be found in the release notes:

http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-release-notes-list.html

http://www.cisco.com/c/en/us/support/security/anyconnect-secure-mobility-client/products-release-notes-list.html

As for best practices, there's not much to it; it should work, it's just a different transport and overlay tech.

Scan the configuration guides for limitations; there aren't too many, but you should make sure none of them is a show stopper for you.

 

Hi Marcin,

Thanks a lot. Please help me clear these doubts; please refer to the diagram.

Ipv6 firewall migration

Current Scenario

•Currently all the devices are assigned IPv4 addresses.
•Planning to migrate the Internet edge devices to IPv6 (dual stack).
•The firewalls' outside interface has public IPv4 addresses.
•The firewalls are in HA mode (Active/Standby).
•The firewalls are currently used only for SSL VPN.
•Users from the Internet access the application servers using AnyConnect SSL VPN.
•VPN users are authenticated using Cisco ACS and RSA token authentication (two-factor).


IPv6 scenario

•The authentication servers will remain in the IPv4 network.
•If an IPv6 VPN user tries to access the internal network, will they get authenticated?
•Will a dual-stack environment work for SSL VPN using AnyConnect?
•If an IPv6 user tries to establish a VPN connection, can the firewall assign an IPv4 address to the AnyConnect client interface? (Which means the user connects over the Internet using IPv6 and the AnyConnect SSL VPN is established with an IPv4 address.)
•If dual stack is enabled on the outside interface of the firewall, is it possible to assign both an IPv6 and an IPv4 address together to the VPN user?
•The firewalls are in Active/Standby mode. For failover, are there any prerequisites in the IPv6 environment?
•For supporting IPv6, which ASA software version is required? (These are not X-series firewalls.)
•Which version of the AnyConnect client is required to support IPv6 SSL VPN (dual stack)? (Currently the customer needs just SSL VPN using AnyConnect.)

The ASA -> authentication server flow in SSL VPN is a separate TCP/UDP flow from the connectivity between client and headend. The ASA takes the credentials and passes them to the corresponding server(s).

From the ASA's perspective you configure pools, IPv4, IPv6, or both, to determine what you'd like to assign; it may happen that the client does not support some of the protocols. As long as the OS supports it, you should be able to assign IPv6 and IPv4 and use them accordingly.

ASA 9.0 and AnyConnect 3.1 are the minimum you should consider for an IPv6 deployment (this includes connectivity with IPv6 and failover).
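As an added configuration example (not from the original thread, and not Cisco's own sample config), the pieces the replies above describe put together in ASA 9.0-style CLI: a dual-stack outside interface with failover standby addresses, an IPv4-only inside interface where the ACS/RADIUS server lives, an IPv4 and an IPv6 AnyConnect address pool assigned through the group policy, and SSL as the only tunnel protocol. All interface names, addresses, pool names, the server group, the shared key and the AnyConnect image file name are placeholders/assumptions for this illustration.

```cisco
! Added example, not from the thread. Names and addresses are placeholders.
! Dual-stack outside interface; standby addresses for Active/Standby failover
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
 ipv6 address 2001:db8:1::10/64 standby 2001:db8:1::11
 ipv6 enable
!
! Inside stays IPv4-only, as in the scenario above
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
!
! Authentication server (ACS fronting RSA) reached over IPv4 on the inside;
! this flow is independent of whether the client arrived over IPv4 or IPv6
aaa-server ACS_RSA protocol radius
aaa-server ACS_RSA (inside) host 10.1.1.5
 key <shared-secret>
!
! One pool per address family; assign either or both (placeholder ranges)
ip local pool VPN_POOL4 10.10.10.10-10.10.10.200 mask 255.255.255.0
ipv6 local pool VPN_POOL6 2001:db8:2::10/64 200
!
! SSL VPN (AnyConnect) on the outside interface; image file name is a placeholder
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-3.1-k9.pkg 1
 anyconnect enable
!
! SSL only (no IPsec), with both pools so dual-stack clients get both families
group-policy GP_VPN internal
group-policy GP_VPN attributes
 vpn-tunnel-protocol ssl-client
 address-pools value VPN_POOL4
 ipv6-address-pools value VPN_POOL6
!
tunnel-group TG_VPN type remote-access
tunnel-group TG_VPN general-attributes
 authentication-server-group ACS_RSA
 default-group-policy GP_VPN
tunnel-group TG_VPN webvpn-attributes
 group-alias vpn enable
```

A client that connects over IPv6 still receives an address from VPN_POOL4 and reaches the IPv4 internal network through it; VPN_POOL6 only matters if the client OS and AnyConnect build support IPv6 and something on the inside is reachable over IPv6. Restricting the group policy to `ssl-client` keeps IPsec off, matching the requirement stated in the question. Verify the result with `show vpn-sessiondb anyconnect` (the assigned IPv4/IPv6 addresses and the public address the client came from) and `show failover` (that the standby unit sees the IPv6 standby addresses on the outside interface).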