cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
56638
Views
24
Helpful
20
Comments
Phillip Remaker
Cisco Employee
Cisco Employee

Author: Scott Nishimura.

Updated: Abishek Singh June 2015

Updated: Phillip Remaker August 2016 for 9.6(2) DHCP-PD client feature.

IPv6 Feature Support on the Cisco ASA Firewall

ASA supports IPv6 and it can be setup very easily and quickly.  This document focuses on a basic ASA setup for a native IPv6 network.   As you will see, there are very few commands required to have your ASA firewall join an IPv6 ready network.
Here is a quick way to configure up your ASA firewall for IPv6 connectivity.

BASIC CONFIGURATION

Step 1     

In this step we assign a link local address to the interface. There are 2 ways to assign a link local address to the interface

Step 1.1.    

Configure the interface to generate a link local address from its MAC address.

interface GigabitEthernet 0/0
no shutdown
nameif inside
ipv6 enable

When you enter IPv6 enable, a link local address is automatically generated (this is based on your mac address).  

Step 1.2.    

Configure a link local address manually.

interface GigabitEthernet 0/0
no shutdown
nameif inside
ipv6 address <ipv6-address> link-local

Using the above command you can assign a link local address to the interface manually.
You can verify the link local address by executing the “show ipv6 interface” command.

Step 2     

Next we have to assign the global address to the interface. There are 2 ways of doing this.

Step 2.1.    

You can manually assign a global IPv6 address to the interface.

interface GigabitEthernet 0/0
ipv6 address 2001::db8:2:3::1/64

With the IPv6 address command above, you are manually specifying the global IPv6 address for the interface. You can specify more than one IPv6 addresses for the interface using the command.


Step 2.2.    

You can configure the interface to obtain the address automatically using stateless address autoconfiguration.

interface GigabitEthernet 0/0
ipv6 address autoconfig

Enabling stateless autoconfiguration on the interface configures IPv6 addresses based on prefixes received in Router Advertisement messages.


NOTE: There was a defect (CSCuq62164) in the ASA software that caused the ASA to not assign an address if it received a RA message with both the M and A flags set. This has been fixed in 9.3(1) release and hence we recommend this version if you intend to use SLAAC for configuring the address on ASA interfaces.

Step 3     

Verify IPv6 configuration.

Example:

show ipv6 interface

inside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::e6c7:22ff:fe84:eb2  
  Global unicast address(es):
    2001:db8:2:3::1, subnet is 2001:db8:2:3::/64  
  Joined group address(es):
    ff02::1:ff00:1
    ff02::1:ff84:eb2
    ff02::2
    ff02::1
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.

Step 4     (Optional)

Suppress Router Advertisement messages on an interface.

By default, Router Advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the security appliance to supply the IPv6 prefix (for example, the outside interface).


Enter the following command to suppress Router Advertisement messages on an interface:

ipv6 nd suppress-ra

Neighbor discovery will continue to be operational even though RA suppression has been configured.

Step 5     

Define an IPv6 default route.

ipv6 route outside ::/0 next_hop_ipv6_addr

Using ::/0 is equivalent to “any”.  The IPv6 route command is functionally similar to the IPv4 route.

Step 6     

Define access-lists.

Using the regular access-list command define the access-lists with IPv6 addresses in them so as to permit the required traffic to flow through the ASA.


Example:

access-list test permit tcp any host 2001:db8::203:a0ff:fed6:162d
access-group test in interface outside

The above is permitting traffic to a specific server 2001:db8::203:a0ff:fed6:162d.

SECURING THE FIREWALL

If you plan to configure autoconfig for the IPv6 global address on the ASA, you should limit the amount of router advertisements (RA) to known routers in your network.  This will help prevent the ASA from being auto configured from unknown routers.

access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement
access-list outsideACL deny icmp6 any any router-advertisement
access-group outsideACL in interface outside
interface GigabitEthernet 0/0
nameif outside
security-level 0
ipv6 address autoconfig
ipv6 enable

The above access-list when applied on the ASA will limit receiving router advertisements (RA) from only the router specified.  All other RAs will be denied.

Configuring ASA to help autoconfigure IPv6 addresses on hosts behind the ASA

The hosts in the network behind the ASA might be configured to autoconfigure their IPv6 address. Dynamic address assignment happens in 2 ways on IPv6 networks. It could either be a stateful address assignment or stateless address assignment.

Stateful dynamic address assignment

For stateful address assignment, a DHCPv6 server needs to be configured on the network that can assign address to hosts upon request. ASA currently does not have the ability to host a DHCPv6 server on its interfaces. But the ASA can act as a DHCPv6 relay agent. In order to enable stateful dynamic address assignment to hosts behind the ASA, the DHCPv6 relay agent needs to be configured on the ASA.


To configure the DHCPv6 relay agent the following configuration is needed:

ipv6 dhcprelay server 2001:db8:c18:6:a8bb:ccff:fe03:2701
ipv6 dhcprelay enable inside

The first command specifies the address of a DHCPv6 server to which the DHCP requests are forwarded. The command also accepts an optional interface name that specifies the output interface for the destination. The second command enables DHCP relay on an interface. When DHCP relay is enabled on an interface, all the DHCP requests coming on that interface get forwarded to the configured DHCP server.

Stateless dynamic address assignment  

In Stateless Autoconfiguration (SLAAC) the client picks up its own address based on the prefix being advertised by the ASA. The prefix is advertised by means of an IPv6 router advertisement. ASA sends out IPv6 router advertisements by default from any interface on which a global IPv6 address is configured. Additionally, a DHCPv6 relay agent can be configured to point to a DHCPv6 server that can advertise a DNS server address and a domain name only.

IPv6 Prefix delegation

ASA added support for a DHCP-PD client in 9.6(2) .This feature is documented at http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-routed-tfw.html#id_23218 under the heading Configure the IPv6 Prefix Delegation Client.

Prior to 9.6(2), ff the network behind the ASA requires to be assigned IPv6 addresses based on the prefix delegated by a delegation router, then we need to place an ASA between the provider edge (PE) router and the IPv6 capable customer premise router. The ASA must be in transparent mode. This way the ASA protects the entire IPv6 network, including the infrastructure router, on the customer premises. All ICMP6 traffic must be permitted on the ASA running in transparent mode.
The following must be configured on the ASA:

 

firewall transparent
interface BVI1
no ip address
ipv6 enable

interface GigabitEthernet0/0
nameif outside
bridge-group 1
security-level 0

interface GigabitEthernet0/1
nameif inside
bridge-group 1
security-level 100

access-list permit_icmp6 extended permit icmp6 any6 any6
access-group permit_icmp6 global

This example uses a link-local IPv6 address on the BVI interface. You can also configure an explicit IPv6 address for in-band management purposes.

 

 

Comments
mhankus
Level 1
Level 1

Adding more details about ICMP would be a good thing. For example what should be allowed, and what should be blocked for inside http server protected by ASA.

Marvin Rhoads
Hall of Fame
Hall of Fame

Wondering when OSPF v3 will be supported on the ASA so that one can actually participate in an IPv6 routing protocol.

Good article about setting up IPv6 on Cisco ASA. May I know whether Cisco ASA version 8.4(4)1 supports IPv6 prefix delegation? Or I need to upgrade to latest software in order to get that feature.

Thank you.

Alex.

thierrymasson
Level 1
Level 1

Dear all,

Thanks for this article, I'm trying to have a functional IPv6 config.

I can ping/trace/packetrace from cisco to wan IPv6 adresses or lan adresses, but I can't deseperatly have any access from lan to wan in IPv6 :-/

I have an ASA 5506-X 9.6(1), ADSM 7.6(1) with a Bbox3 belgacom/proximus in front of it.

Here is my config, if somebody can help me to solve this issue (IPv6 is not my "cup of tea")?

And I don't understand why is not functionning....

Result of the command: "sh ipv6 interface"

inside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::278:88ff:fe51:87b3  
  No global unicast address is configured
  Joined group address(es):
    ff02::2
    ff02::1:ff51:87b3
    ff02::1
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.
outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::278:88ff:fe51:87b9  
  Global unicast address(es):
    2a02:a018:144:2500:278:88ff:fe51:87b9, subnet is 2a02:a018:144:2500::/64 [AUTOCONFIG]
      valid lifetime 222883 preferred lifetime 222883
  Joined group address(es):
    ff02::1:ff51:87b9
    ff02::2
    ff02::1
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.

-------- (I can view all IPv6 device on the inside interface, as outside interface)

Result of the command: "sh ipv6 neigh"

IPv6 Address                              Age Link-layer Addr State  Interface
fe80::95dc:2c7e:4744:27                    27 28b2.bd85.0fc5  STALE inside
fe80::95dc:2c7e:4744:27                   127 28b2.bd85.0fc5  STALE outside
fe80::9e97:26ff:fe40:ffec                   0 9c97.2640.ffec  REACH outside
fe80::211:32ff:fe32:4a15                   77 0011.3232.4a15  STALE inside
fe80::9d68:c56:8f1b:2dd6                  439 0027.10c7.e6a0  STALE inside
fe80::95d9:8730:8bd7:dbc4                  85 08d4.0c31.35f8  STALE outside
fe80::211:32ff:fe1b:cbe1                  336 0011.321b.cbe1  STALE inside
fe80::6819:a75:2a:f858                     26 382c.4a72.21b8  STALE inside
fe80::211:32ff:fe42:8587                  281 0011.3242.8587  STALE inside
fe80::8fd:2318:d732:6d80                  441 54ea.a8d0.1727  STALE inside

-------- (I can ping IPv6 Google, or the Bbox3 ("gateway"), or inside devices,...)

Result of the command: "ping ipv6.google.com"

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2a00:1450:400c:c04::8b, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/42/50 ms

--------

packet-tracer input inside tcp 2a02:a018:144:2500:95dc:2c7e:4744:27 80 2001:4860:4860::8888 80 detailed

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: outside
output-status: up
output-line-status: up
Action: allow

--------

All work from ASA...nothing from lan

Thanks you.

Thierry.

Phillip Remaker
Cisco Employee
Cisco Employee

Bonjour Thierry!

Based on http://blog.dupondje.be/?p=7, it looks like the BBOX3 does support DHCP Prefix delegation, which the ASA does not support (yet).

In IPv4, the ASA gets a single address and the ASA uses a private RFC1918 address and NAT for connectivity.

In IPv6, the ASA gets a /64 prefix for the link to the ISP and then is assigned an IPv6 prefix (usually /60, /56 or /48) for the internal networks. All networks get global addresses, no NAT needed! Unfortunately, the router (ASA) needs to support DHCP-PD. As a result, your inside interface has no network assigned. You can ping from the ASA, but not beyond since the interface has no IPv6 address.

IOS supports DHCP-PD: https://www.cisco.com/c/en/us/support/docs/ip/ip-version-6-ipv6/113141-DHCPv6-00.html but that won't help you much.

thierrymasson
Level 1
Level 1

Dear Philippe,

Many thanks for your reply (and your "bonjour" in french :D, I hope my english is not to bad).

So if I understood well, I need a modem "without DHCP prefix delegation" to only have one IPv6 for the ASA (as well IPv4)?

Another possibility could be to configure the BBOX3 in bridge mode, so the routeur (the ASA) as to be configured to establish the connection (PPOE)... But I don't think It will work (and if the BBOX3 is ok for this config in IPv6 (IPv4 > ok)), as the ASA as no DHCPv6...(or I have to put a router DHCPv6 inside the network)

Or, always in bridge mode, establish the connection with router between the modem and the ASA (I have a cisco RV082 in stock for testing purpose...)

But in booth case (a router in front of, or behind the ASA), I lose the fonctionnality to make firewall policies rules on ASA based on IP (wan side, or lan site) :-/

....very complicate situation....and these solution is not conceivable.

The best way I think, is to have a modem IPv4/IPv6 "compatible" with ASA.

Do you know any modem compatible (with VDSL2 connectivity) for ASA? (a Cisco ?)

In replacement of the BBOX3, I only know the Fritz BOX 3490 or 7490 (for Belgium ISP) with VDSL-VDSL2 connectivity.

http://en.avm.de/products/fritzbox/fritzbox-3490/technical-data/

But I don't find any technical specification about "prefix delegation".

Thanks you again for your help.

Phillip Remaker
Cisco Employee
Cisco Employee

It is that nature of IPv6 that both a link address and a network "prefix" is assigned. This comes from Belgacom, not the BBOX itself. Bridging won't help, since you still needs DHCP-PD.

What I am saying is you need a router that supports DHCP-PD between the modem and ASA to make it all work.

Unfortunately, that then causes issues for IPv4. And other complications, as you noted.

The RV082 supports DHCP-PD.

What you REALLY need is for the ASA to support DHCP-PD. Make sure you tell everyone you know at Cisco that you want that.

thierrymasson
Level 1
Level 1

Thanks you again for your reply.

In short, it's not possible to have a full IPv4 & IPv6 connectivity with :

- IPv4 Inbound AND Outbound / IP based policies rules (and some NAT rules)

- IPv6 Inbound AND Outbound policies rules

Without a DHCP-PD support by the ASA.

Phillip Remaker
Cisco Employee
Cisco Employee

That is correct, unfortunately.

I can assure you that the ASA team is aware of this limitation and understands the market need for DHCP-PD. Watch for future announcements on this topic.

thierrymasson
Level 1
Level 1

I have tried to make this (to "bypassed" the problem, despite the fact that this drop the possibility of outbound policies rules):

BBOX3 (bridge mode) > ASA (transparent mode*) > RV082 (PPPOE  / IPv4-IPv6 dual stack)

> Impossible to establish a connection ! (no connection between RV082 and the BBOX3)

and I don't understand why....???

IF :

BBOX3 (PPPEO) > ASA (transparent mode*) > RV082 (Fixed Ip Wan side)

> Connection is establish without problem (but no IPv6....)

IF :

BBOX3(Bridge mode) > RV082 (PPPOE  / IPv4-IPv6 dual stack)

> Everything is ok IPv4 & IPv6 connectivity

*A simple bridge-group inside/outside, base configuration, no firewall rules (accept all)

:-/

I'm very disapointed ! I found no solution !

I hope Cisco will make the DHCP-PD functionnality ASAP for the Cisco ASA 5506...

Any suggestion why it doesn't work in this configuration :

BBOX3 (bridge mode) > ASA (transparent mode*) > RV082 (PPPOE  / IPv4-IPv6 dual stack)

?

Phillip Remaker
Cisco Employee
Cisco Employee

DHCP-PD is not yet available on the ASA as of April 2016. This document will be updated if/when DHCP-PD support is added, though there is no committed date for that happening.

Phillip Remaker
Cisco Employee
Cisco Employee

I share your disappointment.

So the RV082 can make the PPPOE connection but no IPv6? Or is the PPPOE not passing through the ASA? I'm not sure why it wouldn't work, you may need to get a better ASA expert.

Cisco does not comment on unreleased features, but this article will be updated if/when DHCP-PD is available on the ASA.

thierrymasson
Level 1
Level 1

No the PPPOE not passing trough the ASA at all.

BBOX3 (bridge mode) > ASA (transparent mode*) > RV082 (PPPOE  / IPv4-IPv6 dual stack)

> Not Working (no connection at all : RV082 couln't establish a PPPOE connection)

(and without ASA between, that's work of course)

BBOX3 (PPPEO) > ASA (transparent mode*) > RV082 (Fixed Ip Wan side)

> Working (but not IPv6)

? Strange....

Phillip Remaker
Cisco Employee
Cisco Employee

Seems strange, yes. However, PPPOE will not fix your problem here anyway. You need DHCP-PD on the ASA for things to work.

Maybe this will help: https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/interface-routed-tfw.html#ID-2214-00000064 ;

"PPPoE is not supported in multiple context mode."

thierrymasson
Level 1
Level 1

Thanks for your reply again,

PPPOE could "partially" fix my problem as with the RV082, I have DHCP-PD, So I have IPv6 connectivity.

And "normaly" the ASA between the BBOX (in bridge mode) and the RV082 shouldn't affect this connectivity...

Except...I have no connectivity at all :D

I will have a look to the given link.

Thanks !

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco