SixXS::Sunset 2017-06-06

ASA & IPv6
[us] Shadow Hawkins on Thursday, 21 May 2009 14:18:58
This may have already been answered, but I haven't been able to find any information... Is there a way to have my ASA 5520 connect me to the IPv6 Internet? Even if I create the address pools on the ASA, is there some method/protocol that I should follow so Sixxs can continue to ping the endpoint?
[de] Shadow Hawkins on Tuesday, 26 May 2009 14:49:39
Hi. As far as I know the ASA series does not support tunnels. Therefore you cannot use your ASA device for tunneling IPv6 with a tunnelbroker. The device itself supports IPv6. So if you wanna connect your network and the ASA to the IPv6 internet, you have to use a different device as your tunnel endpoint. Regards, Dennis
[us] Shadow Hawkins on Tuesday, 26 May 2009 16:17:36
So I would need to use the ASA to connect my network segments, then just push all unknown IPv6 traffic to my BSD router and let it connect me to the internet?
[us] Shadow Hawkins on Tuesday, 02 June 2009 17:58:28
So I have it set up, but it's not working. The default route on my ASA is pointing at the public IPv6 address of my BSD router, but no traffic. Am I missing something easy?
[de] Shadow Hawkins on Wednesday, 03 June 2009 19:41:26
Is your BSD router accessible on its IPv6 address from the internet? Can your BSD router reach ipv6 addresses in the internet?
[us] Shadow Hawkins on Wednesday, 03 June 2009 20:17:56
Yes, the BSD router can reach ipv6 addresses on the internet:

[carl@ipv6router ~]$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:4978:f:22e::2 --> 2001:4860:b002::68
16 bytes from 2001:4860:b002::68, icmp_seq=0 hlim=55 time=66.675 ms
16 bytes from 2001:4860:b002::68, icmp_seq=1 hlim=55 time=59.682 ms
16 bytes from 2001:4860:b002::68, icmp_seq=2 hlim=55 time=95.117 ms
16 bytes from 2001:4860:b002::68, icmp_seq=3 hlim=55 time=67.954 ms
^C
--- ipv6.l.google.com ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 59.682/72.357/95.117/13.512 ms

I'm not sure if people outside can reach my router; feel free to try. Prior to moving my IPv6 routing to the ASA firewall, I had the BSD router routing between subnets. The BSD router lives in my DMZ, and any machine on that subnet can ping ipv6.google.com. I have a default route in my ASA pointing at the public IPv6 address of the BSD router, but no machine that isn't in the DMZ can ping ipv6.google.com.

From the BSD router:

[carl@ipv6router ~]$ cat /etc/rc.conf
....
ifconfig_em0="inet 192.168.102.46 netmask 255.255.254.0"
inetd_enable="YES"
ipv6_enable="YES"
ipv6_defaultrouter="2001:4978:f:22e::1"
ipv6_network_interfaces="em0"
ipv6_gateway_enable="YES"
ipv6_ifconfig_em0="2001:4978:1d8:e000::9"
ipv6_prefix_em0="2001:4978:1d8:e000"
sixxs_aiccu_enable="YES"
....
[de] Shadow Hawkins on Friday, 05 June 2009 23:26:46
Hi. Well, if the BSD router can reach IPv6 destinations on the internet, the tunnel itself seems to work. I can also reach your IPv6 address from my location. So I guess there's something wrong with the routing internally. Have you done this command?

sysctl -w net.inet6.ip6.forwarding=1

There is just a configuration example in SixXS FAQ: https://www.sixxs.net/faq/connectivity/?faq=ossetup&os=freebsd
The other machines, outside your DMZ, could you please provide a traceroute6 from them to ipv6.google.com/www.ripe.net? Is it stopping on the ASA or the BSD router? Regards, Dennis
[us] Shadow Hawkins on Monday, 08 June 2009 16:02:52
I have enabled forwarding in /etc/rc.conf, which should do the same as your sysctl command. As for the traceroute, it seems to be failing at the ASA...I don't get past the first step. Like I've mentioned though, I have a default route set...

ipv6 route DMZ ::/0 2001:4978:1d8:e000:21b:21ff:fe2e:fca
[us] Shadow Hawkins on Tuesday, 09 June 2009 15:10:04
It does look like it's a problem with the BSD router. I'm not able to communicate over IPv6 to this box from a different network segment. I think this is because I do not have a route for that subnet; but when I try to add it, it doesn't work (e000 is the subnet that the freebsd router is on, f000 is my inside subnet).

netstat -nr
Internet6:
Destination                            Gateway                                Flags  Netif Expire
::/96                                  ::1                                    UGRS   lo0 =>
default                                2001:4978:f:22e::1                     UGS    tun0
::1                                    ::1                                    UHL    lo0
::ffff:0.0.0.0/96                      ::1                                    UGRS   lo0
2001:4978:f:22e::1                     link#6                                 UHL    tun0
2001:4978:f:22e::2                     link#6                                 UHL    lo0
2001:4978:1d8:e000::                   00:e0:18:9e:55:66                      UHL    lo0 =>
2001:4978:1d8:e000::/64                link#3                                 UC     fxp0
2001:4978:1d8:e000::9                  00:e0:18:9e:55:66                      UHL    lo0
2001:4978:1d8:e000:20c:29ff:xxxx:51b7  00:0c:29:26:51:b7                      UHLW   fxp0
2001:4978:1d8:f000::/0                 2001:4978:1d8:e000:21d:a2ff:xxxx:2ffd  UGS    fxp0

I think the /0 in the last entry is incorrect, but that's what freebsd adds if I run this command:

route add -inet6 -net 2001:4978:1d8:f000::/64 -host 2001:4978:1d8:e000:21d:a2ff:xxxx:2ffd
[ch] Jeroen Massar SixXS Staff on Tuesday, 09 June 2009 15:23:26
That /0 is definitely incorrect, as that makes it effectively ::/0 (default)
route add -inet6 -net 2001:4978:1d8:f000::/64 -host 2001:4978:1d8:e000:21d:a2ff:xxxx:2ffd
Why are you adding host routes (-host)? Note that the various BSDs do not really understand the CIDR notation, you need to use "-prefixlen XX" instead. Try using the following command:
route add -inet6 2001:4978:1d8:f000:: -prefixlen 64 2001:4978:1d8:e000:21d:a2ff:xxxx:2ffd
Don't forget to clean out the wrong ones. Also, you will want to route the complete /48 into 'lo', that way any prefixes that you do not route to other hosts will directly return !N instead of the packets being sent back up stream (over the tunnel), which will send it back your way etc...
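A small checker for the two failure modes in this exchange, added here as an example and not code from the thread: it parses a FreeBSD netstat -nr Internet6 table, flags a destination whose mask swallowed its prefix (the .../0 entry above, which the kernel treats as a second default route) and reports whether the delegated /48 has the covering lo0 route recommended above. The table and the 2001:db8: addresses are constructed; parse_routes, widened_prefixes, extra_defaults and missing_aggregate are the example's own names.

```python
import ipaddress

# Constructed sample in netstat -nr Internet6 layout (2001:db8::/48 stands in for
# the poster's /48): e000::/64 is the router's own LAN, f000::/64 was added with
# "-net x::/64 -host gw" and came out as /0, and nothing covers the whole /48.
SAMPLE_NETSTAT = """\
Internet6:
Destination                 Gateway               Flags  Netif Expire
::/96                       ::1                   UGRS   lo0 =>
default                     2001:db8:f:22e::1     UGS    tun0
::1                         ::1                   UHL    lo0
2001:db8:1d8:e000::/64      link#3                UC     fxp0
2001:db8:1d8:e000::9        00:e0:18:9e:55:66     UHL    lo0
2001:db8:1d8:f000::/0       2001:db8:1d8:e000::a  UGS    fxp0
"""
DELEGATED = ipaddress.IPv6Network("2001:db8:1d8::/48")  # constructed /48

def parse_routes(text):
    """Return (raw_destination, network, gateway, flags, netif) per table row.
    'default' means ::/0; a destination without /len is a /128 host route."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] in ("Internet6:", "Destination"):
            continue
        raw, gw, flags, netif = parts[:4]
        dest = "::/0" if raw == "default" else raw if "/" in raw else raw + "/128"
        # strict=False: the bogus ".../0" still parses (as ::/0), which is how the kernel sees it
        out.append((raw, ipaddress.IPv6Network(dest, strict=False), gw, flags, netif))
    return out

def widened_prefixes(routes):
    """Destinations whose printed address has bits outside the mask, e.g.
    2001:db8:1d8:f000::/0: the mask discarded the prefix and left a default route."""
    return [raw for raw, net, *_ in routes
            if "/" in raw and ipaddress.IPv6Address(raw.split("/")[0]) != net.network_address]

def extra_defaults(routes):
    """Every ::/0 entry; more than one means traffic may take either gateway."""
    return [(raw, gw) for raw, net, gw, *_ in routes if net.prefixlen == 0]

def missing_aggregate(routes, delegated=DELEGATED):
    """True when no route covers the whole delegated prefix via lo0: without it,
    unrouted sub-prefixes go back out the tunnel instead of returning !N."""
    return not any(net == delegated and netif == "lo0" for _, net, _, _, netif in routes)

if __name__ == "__main__":
    r = parse_routes(SAMPLE_NETSTAT)
    print("widened:", widened_prefixes(r))
    print("defaults:", extra_defaults(r))
    print("missing /48 on lo0:", missing_aggregate(r))
```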
[us] Shadow Hawkins on Tuesday, 09 June 2009 16:25:05
I didn't see your reply till just now...guess the RSS feed is slow. I did manage to figure it out. The command that worked for me was:

route -n add -inet6 2001:4978:1d8:f000::/64 2001:4978:1d8:e000:21d:a2ff:xxxx:2ffd

Before, I had been trying to use:

route -n add -inet6 -net 2001:4978:1d8:f000::/64 -host 2001:4978:1d8:e000:21d:a2ff:xxxx:2ffd

Thanks for the help. (What exactly is a host route?)
[ca] Carmen Sandiego on Saturday, 06 June 2009 00:14:36
I have a similar setup in my lab, the BSD station acts as the router and the LAN (Cisco equip.) uses that box to go outside. The BSD box is the only dual-stack equipment in that LAN. It also resolves DNS queries. I don't have an ASA but perhaps you can make something out of my setup. Here's a snippet from my rc.conf if it helps:

ipv6_enable="YES"
ipv6_gateway_enable="YES"
rtadvd_enable="YES"
rtadvd_interfaces="xl0"
named_enable="YES"
in my named.conf (remove the comment for that line):
listen-on-v6 { any; };
My xl0 ifconfig:
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        ether 00:0a:5e:20:c9:15
        inet6 fe80::20a:5eff:xxxx:c915%xl0 prefixlen 64 scopeid 0x2
        inet6 2001:5c0:xxxx:b900::1 prefixlen 64
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
and on the Cisco device:
ip routing
ip name-server 2001:5C0:xxxx:B900::1
interface FastEthernet1/0/48
 no switchport
 no ip address
 ipv6 address 2001:5C0:xxxx:B900::/64 eui-64
 ipv6 enable
!
and show ipv6 interface:
IPv6 is enabled, link-local address is FE80::21B:2BFF:FEB1:7741
  Global unicast address(es):
    2001:5C0:xxxx:B900:21B:2BFF:FEB1:7741, subnet is 2001:5C0:xxxx:B900::/64 [EUI]
  Joined group address(es):
    FF02::1
    FF02::1:FFB1:7741
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  Output features: Check hwidb
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  Default router is FE80::20A:5EFF:xxxx:C915 on FastEthernet1/0/48
Not sure if this can be of any help to you...


©2001-2017 SixXS - IPv6 Deployment & Tunnel Broker