Cisco ASA 8.3 now allows you to selectively forward protocol 41
Shadow Hawkins on Saturday, 20 March 2010 13:10:12
Just to let you know what I did that I couldn't do with previous ASA versions in my situation.
My Situation:
Cable-provider (1 IP) -> ASA -> IOS Router -> (W)LAN.
My problem with this is that the previous ASA firmwares did not allow you to NAT IP protocol 41 to the inside IOS router without NATting ALL traffic to the IOS and losing all additional features of the ASA. So no IPv6! :(
Now with 8.3(1) you have additional NAT options that allow you to specify a source/destination combination per NAT entry.
I now have my ASA doing the NATting to the IOS and have the IOS loop the IPv6 traffic natively back to the ASA which will then in turn firewall the traffic natively and offer it back to the LAN.
In short:
---------
Outside ASA connected to the Internet
Inside ASA connected to the IOS router
NAT to translate SixXS-Pop to internal address of IOS router.
ASA Firewall rule to only allow ICMP and Protocol-41 from the SixXS-Pop.
Tunnel interface on the router, using a different VRF to separate unfirewalled IPv6 traffic from the rest.
Separate (or Dot1q) link back to the ASA in same VRF as Tunnel interface with addresses from assigned subnet.
Outside6 interface on ASA connected to the previous link, native ipv6.
Inside interface on ASA with native IPv6 addresses from assigned subnet.
ASA Firewall rules to permit/deny native IPv6 traffic from internet to LAN.
This of course loops the traffic around, but performance wise I still have been able to get 15+Mbps throughput, so who cares. It's still a test/home network so....
Anyhow, I now have my ASA doing native IPv6, my IOS doing the tunneling, and I still use 1 public IPv4 IP.
Components used: ASA5505 Security Plus license, 8.3(1) release, Cisco 871W Adv IP Services, 12.4(24)T.
Regards,
Erik
Cisco ASA 8.3 now allows you to selectively forward protocol 41
Carmen Sandiego on Saturday, 01 May 2010 22:04:01
Hi Erik,
Can you give example lines for the nat you are doing in the ASA?
I am just trying the same and not getting it to work.
Br.
Jan Vestergaard
Cisco ASA 8.3 now allows you to selectively forward protocol 41
Shadow Hawkins on Monday, 21 February 2011 15:57:47
Jan,
Here's an extract from my ASA 5505 config. You static-nat all traffic from the sixxs PoP to your tunnel endpoint, but allow only proto 41 to pass.
object network sixxs-pop
host 94.75.219.73
description SixXS PoP nlhaa01
object network ipv6gw.example.com
host 10.10.0.100
nat (inside,outside) source static ipv6gw.example.com interface destination static sixxs-pop sixxs-pop
access-list outside_access_in remark Allow proto 41 (6in4) traffic from SixXS PoP to internal tunnel endpoint.
access-list outside_access_in extended permit 41 object sixxs-pop object ipv6gw.example.com
access-group outside_access_in in interface outside
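An added check, not part of Erik's post or of any Cisco or SixXS tooling: this Python script parses the extract above (embedded as constructed sample input, with the two object names from the post passed in as assumed parameters) and reports whether the twice-NAT entry, the inbound ACL binding and the single protocol-41 permit from the PoP to the tunnel endpoint are all present, flagging any wider protocol-41 or any-protocol permit in that ACL.

```python
import re

# Constructed sample input: the ASA 8.3 extract from the post above, reused as test data.
ASA_CONFIG = """\
object network sixxs-pop
 host 94.75.219.73
 description SixXS PoP nlhaa01
object network ipv6gw.example.com
 host 10.10.0.100
nat (inside,outside) source static ipv6gw.example.com interface destination static sixxs-pop sixxs-pop
access-list outside_access_in remark Allow proto 41 (6in4) traffic from SixXS PoP to internal tunnel endpoint.
access-list outside_access_in extended permit 41 object sixxs-pop object ipv6gw.example.com
access-group outside_access_in in interface outside
"""

def parse_objects(config):
    """Map each 'object network NAME' block to its 'host' address (None if absent)."""
    objects, current = {}, None
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            objects[current] = None
        elif current and line.strip().startswith("host "):
            objects[current] = line.split()[1]
    return objects

def audit_proto41(config, pop_obj, endpoint_obj, outside="outside"):
    """Return findings; an empty list means only proto 41 from the PoP reaches the endpoint."""
    findings = []
    objects = parse_objects(config)
    for name in (pop_obj, endpoint_obj):
        if objects.get(name) is None:
            findings.append(f"object {name} missing or without host address")
    # Twice-NAT: endpoint is translated to the outside interface address only towards the PoP.
    nat = (rf"^nat \(\S+,{outside}\) source static {re.escape(endpoint_obj)} interface "
           rf"destination static {re.escape(pop_obj)} {re.escape(pop_obj)}$")
    if not re.search(nat, config, re.M):
        findings.append("twice-NAT entry endpoint<->PoP not found")
    bound = re.search(rf"^access-group (\S+) in interface {outside}$", config, re.M)
    acl = bound.group(1) if bound else ""
    if not acl:
        findings.append(f"no ACL bound inbound on interface {outside}")
    wanted = f"permit 41 object {pop_obj} object {endpoint_obj}"
    rules = re.findall(rf"^access-list {re.escape(acl)} extended (permit \S+ .*)$", config, re.M)
    if wanted not in rules:
        findings.append(f"ACL {acl!r} lacks '{wanted}'")
    for rule in rules:  # any other proto-41 or any-protocol permit is wider than the one hole
        if rule != wanted and rule.startswith(("permit ip ", "permit 41 ")):
            findings.append(f"overly broad rule in {acl}: {rule}")
    return findings
```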
Cisco ASA 8.3 now allows you to selectively forward protocol 41
Shadow Hawkins on Tuesday, 22 February 2011 14:06:58
Here's a post I made about this on HE's forums
http://www.tunnelbroker.net/forums/index.php?topic=1193.0