ASA & IPv6
Shadow Hawkins on Thursday, 21 May 2009 14:18:58
This may have already been answered, but I haven't been able to find any information...
Is there a way to have my ASA 5520 connect me to the IPv6 Internet? Even if I create the address pools on the ASA, is there some method/protocol that I should follow so Sixxs can continue to ping the endpoint?
ASA & IPv6
Shadow Hawkins on Tuesday, 26 May 2009 14:49:39
Hi.
As far as I know the ASA series does not support tunnels. Therefore you cannot use your ASA device for tunneling IPv6 with a tunnelbroker. The device itself supports IPv6. So if you wanna connect your network and the ASA to the IPv6 internet, you have to use a different device as your tunnel endpoint.
Regards,
Dennis
ASA & IPv6
Shadow Hawkins on Tuesday, 26 May 2009 16:17:36
So I would need to use the ASA to connect my network segments, then just push all unknown IPv6 traffic to my BSD router and let it connect me to the internet?
ASA & IPv6
Shadow Hawkins on Tuesday, 02 June 2009 17:58:28
So I have it set up, but it's not working.
The default route on my ASA is pointing at the public IPv6 address of my BSD router, but no traffic.
Am I missing something easy?
ASA & IPv6
Shadow Hawkins on Wednesday, 03 June 2009 19:41:26
Is your BSD router accessible on its IPv6 address from the internet?
Can your BSD router reach ipv6 addresses in the internet?
ASA & IPv6
Shadow Hawkins on Wednesday, 03 June 2009 20:17:56
Yes, the BSD router can reach ipv6 addresses on the internet:
[carl@ipv6router ~]$ ping6 ipv6.google.com
PING6(56=40+8+8 bytes) 2001:4978:f:22e::2 --> 2001:4860:b002::68
16 bytes from 2001:4860:b002::68, icmp_seq=0 hlim=55 time=66.675 ms
16 bytes from 2001:4860:b002::68, icmp_seq=1 hlim=55 time=59.682 ms
16 bytes from 2001:4860:b002::68, icmp_seq=2 hlim=55 time=95.117 ms
16 bytes from 2001:4860:b002::68, icmp_seq=3 hlim=55 time=67.954 ms
^C
--- ipv6.l.google.com ping6 statistics ---
4 packets transmitted, 4 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 59.682/72.357/95.117/13.512 ms
I'm not sure if people outside can reach my router; feel free to try.
Prior to moving my IPv6 routing to the ASA firewall, I had the BSD router routing between subnets. The BSD router lives in my DMZ, and any machine on that subnet can ping ipv6.google.com. I have a default route in my ASA pointing at the public IPv6 address of the BSD router, but no machine that isn't in the DMZ can ping ipv6.google.com.
From the BSD router:
[carl@ipv6router ~]$ cat /etc/rc.conf
....
ifconfig_em0="inet 192.168.102.46 netmask 255.255.254.0"
inetd_enable="YES"
ipv6_enable="YES"
ipv6_defaultrouter="2001:4978:f:22e::1"
ipv6_network_interfaces="em0"
ipv6_gateway_enable="YES"
ipv6_ifconfig_em0="2001:4978:1d8:e000::9"
ipv6_prefix_em0="2001:4978:1d8:e000"
sixxs_aiccu_enable="YES"
....
ASA & IPv6
Shadow Hawkins on Friday, 05 June 2009 23:26:46
Hi.
Well, if the BSD router can reach IPv6 destinations on the internet, the tunnel itself seems to work. I can also reach your IPv6 address from my location.
So I guess there's something wrong with the routing internally.
Have you done this command?
sysctl -w net.inet6.ip6.forwarding=1
There is just a configuration example in SixXS FAQ:
https://www.sixxs.net/faq/connectivity/?faq=ossetup&os=freebsd
The other machines, outside your DMZ, could you please provide a traceroute6 from them to ipv6.google.com/www.ripe.net? Is it stopping on the ASA or the BSD router?
Regards,
Dennis
ASA & IPv6
Shadow Hawkins on Monday, 08 June 2009 16:02:52
I have enabled forwarding in /etc/rc.conf, which should do the same as your sysctl command.
As for the traceroute, it seems to be failing at the ASA...I don't get past the first step.
Like I've mentioned though, I have a default route set...
ipv6 route DMZ ::/0 2001:4978:1d8:e000:21b:21ff:fe2e:fca
ASA & IPv6
Shadow Hawkins on Tuesday, 09 June 2009 15:10:04
It does look like it's a problem with the BSD router. I'm not able to communicate over IPv6 to this box from a different network segment. I think this is because I do not have a route for that subnet; but when I try to add it, it doesn't work (e000 is the subnet that the FreeBSD router is on, f000 is my inside subnet).
netstat -nr
Internet6:
Destination                           Gateway                                Flags  Netif  Expire
::/96                                 ::1                                    UGRS   lo0    =>
default                               2001:4978:f:22e::1                     UGS    tun0
::1                                   ::1                                    UHL    lo0
::ffff:0.0.0.0/96                     ::1                                    UGRS   lo0
2001:4978:f:22e::1                    link#6                                 UHL    tun0
2001:4978:f:22e::2                    link#6                                 UHL    lo0
2001:4978:1d8:e000::                  00:e0:18:9e:55:66                      UHL    lo0    =>
2001:4978:1d8:e000::/64               link#3                                 UC     fxp0
2001:4978:1d8:e000::9                 00:e0:18:9e:55:66                      UHL    lo0
2001:4978:1d8:e000:20c:29ff:xxxx:51b7 00:0c:29:26:51:b7                      UHLW   fxp0
2001:4978:1d8:f000::/0                2001:4978:1d8:e000:21d:a2ff:xxxx:2ffd  UGS    fxp0
I think the /0 in the last entry is incorrect, but that's what FreeBSD adds if I run this command: "route add -inet6 -net 2001:4978:1d8:f000::/64 -host 2001:4978:1d8:e000:21d:a2ff:xxxx:2ffd"
ASA & IPv6
Jeroen Massar on Tuesday, 09 June 2009 15:23:26
That /0 is definitely incorrect, as that makes it effectively ::/0 (default).
route add -inet6 -net 2001:4978:1d8:f000::/64 -host 2001:4978:1d8:e000:21d:a2ff:xxxx:2ffd
Why are you adding host routes (-host)?
Note that the various BSDs do not really understand the CIDR notation, you need to use "-prefixlen XX" instead.
Try using the following command:
route add -inet6 2001:4978:1d8:f000:: -prefixlen 64 2001:4978:1d8:e000:21d:a2ff:xxxx:2ffd
Don't forget to clean out the wrong ones.
Also, you will want to route the complete /48 into 'lo', that way any prefixes that you do not route to other hosts will directly return !N instead of the packets being sent back up stream (over the tunnel), which will send it back your way etc...
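Added example, not from the thread or from SixXS: a small Python model of the BSD router's IPv6 routing table that shows why the /0 entry behaves as a second default route, what the corrected /64 route does, and how routing the whole /48 to lo as a reject route keeps unrouted prefixes from being bounced back over the tunnel. Prefixes, the ASA's DMZ address and the interface names are constructed under 2001:db8::/32, and the tie-breaking rule is the model's own, not a claim about the FreeBSD kernel.

```python
import ipaddress

# Constructed example: the thread's layout (a /48 from the tunnel broker, a DMZ
# /64 holding the BSD router, an inside /64 behind the ASA) rebuilt under the
# documentation prefix 2001:db8::/32. Addresses and interface names are made up.
TUNNEL_GW = "2001:db8:f:22e::1"        # far end of the tunnel (default route)
ASA_DMZ   = "2001:db8:1d8:e000::1"     # ASA's address on the DMZ segment
AGGREGATE = "2001:db8:1d8::/48"        # the whole delegated /48
INSIDE    = "2001:db8:1d8:f000::"      # inside subnet behind the ASA

def build_table(fix_prefixlen, reject_aggregate):
    """Return a list of (prefix, next hop or action, interface) entries."""
    table = [
        ("::/0", TUNNEL_GW, "tun0"),                    # default over the tunnel
        ("2001:db8:1d8:e000::/64", "link", "fxp0"),     # directly connected DMZ
    ]
    # The mistake from the thread: the inside route landed in the table as /0.
    inside = INSIDE + ("/64" if fix_prefixlen else "/0")
    table.append((inside, ASA_DMZ, "fxp0"))
    if reject_aggregate:
        # Route the whole /48 to lo as a reject route, so any unrouted /64 inside
        # it is answered locally with ICMPv6 unreachable (!N) instead of going
        # out tun0. On FreeBSD one way: route add -inet6 2001:db8:1d8::/48 ::1 -reject
        table.append((AGGREGATE, "reject", "lo0"))
    return table

def lookup(table, dst):
    """Longest-prefix match. Ties keep the earlier entry (a rule of this model,
    not a claim about the FreeBSD kernel)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop, ifname in table:
        # strict=False masks the host bits, so "2001:db8:1d8:f000::/0" becomes
        # ::/0: a second default route, which is what the thread's /0 entry was.
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop, ifname)
    return (best[1], best[2], str(best[0])) if best else ("unreachable", None, None)

if __name__ == "__main__":
    inside_host = "2001:db8:1d8:f000::10"
    unused_host = "2001:db8:1d8:a000::1"   # a /64 of the /48 that nobody routed
    for name, table in (("broken /0 route", build_table(False, False)),
                        ("fixed /64 route", build_table(True, False)),
                        ("plus /48 reject", build_table(True, True))):
        print(name, inside_host, "->", lookup(table, inside_host))
        print(name, unused_host, "->", lookup(table, unused_host))
```

With the broken table the inside host's traffic never reaches the ASA; with the /64 fixed but no reject route, an unrouted /64 of the /48 is still sent up the tunnel, where the upstream routes it straight back.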
ASA & IPv6
Shadow Hawkins on Tuesday, 09 June 2009 16:25:05
I didn't see your reply till just now...guess the RSS feed is slow.
I did manage to figure it out. The command that worked for me was
route -n add -inet6 2001:4978:1d8:f000::/64 2001:4978:1d8:e000:21d:a2ff:xxxx:2ffd
Before, I had been trying to use
route -n add -inet6 -net 2001:4978:1d8:f000::/64 -host 2001:4978:1d8:e000:21d:a2ff:xxxx:2ffd
Thanks for the help.
(What exactly is a host route?)
ASA & IPv6
Carmen Sandiego on Saturday, 06 June 2009 00:14:36
I have a similar setup in my lab, the BSD station acts as the router and the LAN (Cisco equip.) uses that box to go outside. The BSD box is the only dual-stack equipment in that LAN. It also resolves DNS queries. I don't have an ASA but perhaps you can make something out of my setup.
Here's a snippet from my rc.conf if it helps:
ipv6_enable="YES"
ipv6_gateway_enable="YES"
rtadvd_enable="YES"
rtadvd_interfaces="xl0"
named_enable="YES"
in my named.conf (remove the comment for that line):
listen-on-v6 { any; };
My xl0 ifconfig:
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=9<RXCSUM,VLAN_MTU>
ether 00:0a:5e:20:c9:15
inet6 fe80::20a:5eff:xxxx:c915%xl0 prefixlen 64 scopeid 0x2
inet6 2001:5c0:xxxx:b900::1 prefixlen 64
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
and on the Cisco device:
ip routing
ip name-server 2001:5C0:xxxx:B900::1
interface FastEthernet1/0/48
no switchport
no ip address
ipv6 address 2001:5C0:xxxx:B900::/64 eui-64
ipv6 enable
!
and show ipv6 interface:
IPv6 is enabled, link-local address is FE80::21B:2BFF:FEB1:7741
Global unicast address(es):
2001:5C0:xxxx:B900:21B:2BFF:FEB1:7741, subnet is 2001:5C0:xxxx:B900::/64 [EUI]
Joined group address(es):
FF02::1
FF02::1:FFB1:7741
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
Output features: Check hwidb
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
Default router is FE80::20A:5EFF:xxxx:C915 on FastEthernet1/0/48
Not sure if this can be of any help to you...