Overblog Follow this blog
Edit post Administration Create my blog
Cisco & Cisco Network Hardware News and Technology

A Basic ASA Setup for a Native IPv6 Network

September 3 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

For the ASA firewall, IPv6 feature support has been available and can be set up quickly. In this article it focuses on a basic ASA setup for a native IPv6 network.   As you will see, there are very few commands required to have your ASA firewall join an IPv6 ready network.

Here is a quick way to configure up your ASA firewall for IPv6 connectivity. 

BASIC CONFIGURATION

STEP#1-Enable IPv6 on the interface and configure up the global IPv6 address.

interface vlan 2

ipv6 enable

ipv6 address 2001:db8:2:3::1/64

 

This will assign the IPv6 global address to the interface.  When you enter IPv6 enable, a link local address is automatically generated (this is based on your mac address).  With the IPv6 address command above, you are manually specifying the global, however the ASA also allows for autoconfig which will receive stateless configurations based on RA router advertisement messages. 

 

For more details, you can review the following reference guide document:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/i3.html#wp1897428

 

STEP#2-Verify IPv6 configuration.

show ipv6 interface

Example:

outside is up, line protocol is up

  IPv6 is enabled, link-local address is fe80::21e:7aff:fe11:45c 

  Global unicast address(es):

            2001:db8:2:3::1, subnet is 2001:db8:2:3::/64 

  Joined group address(es):

            ff02::1

            ff02::2

            ff02::1:ff00:1

            ff02::1:ff11:45c

  ICMP error messages limited to one every 100 milliseconds

  ICMP redirects are enabled

  ND DAD is enabled, number of DAD attempts: 1

  ND reachable time is 30000 milliseconds

  ND advertised reachable time is 0 milliseconds

  ND advertised retransmit interval is 1000 milliseconds

  ND router advertisements are sent every 200 seconds

  ND router advertisements live for 1800 seconds

  Hosts use stateless autoconfig for addresses

 

STEP#3-Define an IPv6 default route.

ipv6 route outside ::/0 next_hop_ipv6_addr

Using ::/0 is equivelant to “any”.  The IPv6 route command is functionally similar to the IPv4 route.

 

STEP#4-Define IPv6 access-lists (optional).

IPv6 access-lists are functionally the same as IPv4.  They are parsed sequentially and have an implicit deny at the end.

 

Example:

ipv6 access-list test permit tcp any host 2001:db8::203:A0FF:FED6:162D

access-group test in interface outside

 

The above is permitting traffic to a specific server 2001:db8::203:A0FF:FED6:162D.

 

Securing the Firewall:

If you plan to configure auto-config for the IPv6 global address on the ASA, you should limit the amount of router advertisements (RA) to known routers in your network.  This will help prevent the ASA from being auto configured from unknown routers.

 

ipv6 access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement

ipv6 access-list outsideACL deny icmp6 any any router-advertisement

access-group outsideACL in interface outside

interface vlan2

nameif outside

security-level 0

ipv6 address autoconfig

ipv6 enable 

The above access-list when applied on the ASA will limit receiving router advertisements (RA) from only the router specified.  All other RAs will be denied.

 

If you wish to prevent the ASA from sending out router advertisements (RA) on a specific interface, you may suppress them with the following interface command:

interface vlan2

ipv6 nd suppress-ra 

Neighbor discovery will continue to be operational even though RA suppression has been configured.

 

For further information, please check out the following documentation on cisco.com:

ASA 8.3 IPv6 configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/config.html

ASA 8.3 IPv6 command reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/i3.html

Reference from https://supportforums.cisco.com/docs/DOC-15973

More Related:

How to Enable IPv6 Support on a Cisco Catalyst 3560 Switch?

First Hop Redundancy Protocols in IPv6 HSRP + GLBP

What Hardware Vendor IPv6 Support

IPv6 OSPF/v3: Case Study

Cisco IPv6 Static Address Configuration Tech Tips

Share this post

Repost 0

Comment on this post