I've been trying to figure this out for a while without much success, but now I have it.
If you have more than one public IP address, setting up your ASA to forward protocol 41 is easy; you just forward all IP traffic at your tunnel server (if it's behind a NAT)
If you only have one public IP address (like most home users) this becomes a little harder.
However, with the 8.3 release for the ASA's, this became possible.
object network local_endpoint
host a.b.c.d
object network remote_endpoint
host e.f.g.h
nat (inside,outside) source static local_endpoint interface destination static remote_endpoint remote_endpoint
access-list tunnel extended permit 41 object remote_endpoint object local_endpoint
access-group tunnel in interface outside
All you need to do is change a.b.c.d and e.f.g.h to the appropriate IP addresses and copy and paste into a SSH/console session.
This setup assumes the following setup
Internet----ASA----tunnel server
The outside interface of the ASA has a public IP address and any device behind it has a private IP address.
That's really cool. The only way I was able to solve this problem (in ASA firmware 8.2(2)) was to place my tunnel server (a 2621xm) in front of the ASA.
Yeah, I had the same problem for a while, and for one of my setup's, it wasn't an option to put the IPv6 router in front of the ASA (vpn stuff ect).
8.3 makes it possible, but be warned, the NAT syntax is completely different and you also have to change the way you do your ACL's.
I've set up my asa 5505 exactly like that. But I don't get any packets through. I've tested with rules to allow my inside ping my side of the ipv6 tunnel, but that doesn't work. So I tried to set a default gateway which I understand shouldn't be needed.
To be true I'm totally lost on how to get traffic through. :o
Let's see a copy of your config.
Here it comes.
Have you done a packet capture to see what's going on? If it's not passing protocol41, it will tell you.
Cannot see how I do that with ipv6 addresses. When I enter ipv6 address it tells me to use a valid netmask. I tried both /128 and 128
just monitor the whole /64
What command did you issue to monitor traffic? It's really easy through the ASDM
I tried to use the packet capture wizard. Maybe the wrong approach. But here is a snippet from the log when I try to ping and traceroute a host om the internet. If it can be to any good.
6|Dec 01 2010|21:32:42|110002|e2::21|33437|||Failed to locate egress interface for UDP from inside:2001:470:28:277:223:32ff:fe9d:7763/49822 to 2001:67c:d8:e2::21/33437
6|Dec 01 2010|21:32:39|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:39|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:37|302020|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Built inbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:37|302020|fe80::223:5eff:fe23:8b7f|0|fe80::223:32ff:fe9d:7763|0|Built outbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:37|302021|ff02::1|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:36|302015|afrodite.gflygt.se|123|17.72.255.11|123|Built outbound UDP connection 5530 for outside:17.72.255.11/123 (17.72.255.11/123) to inside:afrodite.gflygt.se/123 (wall.gflygt.se/210)
6|Dec 01 2010|21:32:36|305011|afrodite.gflygt.se|123|wall.gflygt.se|210|Built dynamic UDP translation from inside:afrodite.gflygt.se/123 to outside:wall.gflygt.se/210
6|Dec 01 2010|21:32:35|302020|fe80::223:5eff:fe23:8b7f|0|ff02::1|0|Built outbound ICMP connection for faddr ff02::1/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:34|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:34|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:32|302020|fe80::223:5eff:fe23:8b7f|0|fe80::223:32ff:fe9d:7763|0|Built outbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:32|302020|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Built inbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:26|110002|e2::21|33435|||Failed to locate egress interface for UDP from inside:2001:470:28:277:223:32ff:fe9d:7763/49822 to 2001:67c:d8:e2::21/33435
6|Dec 01 2010|21:32:04|110002|e2::21|0|||Failed to locate egress interface for IPv6-ICMP from inside:2001:470:28:277:223:32ff:fe9d:7763/22292 to 2001:67c:d8:e2::21/0
6|Dec 01 2010|21:32:03|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:03|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:01|302020|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Built inbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:01|302020|fe80::223:5eff:fe23:8b7f|0|fe80::223:32ff:fe9d:7763|0|Built outbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
Don't you need a default IPv6 route?
Actually I tried to add a default route ::0/0 pointing to 2001:470:27:277::2 which is my side of the tunnel. But the ASA doesn't like that. (Routing is not my best skill:) It says that I cannot route to myself, but that's what I'm doing for ipv4 and that works fine I point 0.0.0.0 to my external interface.
Quote from: gflygt on December 01, 2010, 12:53:06 PM
Actually I tried to add a default route ::0/0 pointing to 2001:470:27:277::2 which is my side of the tunnel. But the ASA doesn't like that. (Routing is not my best skill:) It says that I cannot route to myself, but that's what I'm doing for ipv4 and that works fine I point 0.0.0.0 to my external interface.
Right, you'd need to make it point to 2001:470:27:277::1
As I said I'm a routing moron. :-) Of course I route my ipv4 to my default gw not my outsinde interface, and when I route ::0/0 to 2001:470:27:277::1 it works. BUT I still don't get any traffic through!
:) At least I see new things in the log When I ping and traceroute the same host I see this now:
afrodite:~ gunnar$ cat ping-o-trace-ipv6
2|Dec 01 2010|22:09:26|106006|2001:470:28:277:223:32ff:fe9d:7763|59452|2001:67c:d8:e2::21|33437|Deny inbound UDP from 2001:470:28:277:223:32ff:fe9d:7763/59452 to 2001:67c:d8:e2::21/33437 on interface inside
3|Dec 01 2010|22:09:09|106014|fe9d||e2::21||Deny inbound icmp src inside:2001:470:28:277:223:32ff:fe9d:7763 dst inside:2001:67c:d8:e2::21 (type 128, code 0)
And this is also confusing, since I have a ipv6 rule saying allow inside net to any protocol any.
Quote
And this is also confusing, since I have a ipv6 rule saying allow inside net to any protocol any.
Maybe it's too early in the morning still, but I don't see anything like that in the config you sent
When I run packet tracer on the external interface from my side of the tunnel to the other with protocol 41, everything looks fine (all green) But I get (rpf-violated) Reverse-path verify failed.
Maybe I should upload a new config. I've been saving so many different that I might have choosen the wrong one.
What does this mean?
I had that problem before and I'm trying to remember how I fixed it. I'm pretty sure it means that the ASA can't determine where the packet originated. So if you're doing a trace from your outside interface to the other end of your tunnel and you use an address that should be located on an inside interface, you'll receive that error.
: Saved
:
ASA Version 8.3(2)
!
hostname wall
domain-name gflyg.se
enable password 86jCl42PVQo encrypted
passwd 2KFQnbNIdI.KYOU encrypted
names
name 192.168.0.21 enigma.gflygt.se
name 192.168.0.22 mac.gflyg.se
name 192.168.0.101 ns1.gflyg.se description Mailhost och DNS
name 192.168.0.111 wall-2.gflyg.se description ASA 5505
name 83.227.135.66 wall.gflyg.se description External interface
name 134.25.0.33 portos description Proxy SR
name 192.168.0.31 afrodite.gflyg.se description Stora MAC-en
name 2001:470:28:277::1 Inside-v6.gflyg.se description Inside of ASA
name 2001:470:27:277::2 wall-v6.gflyg.se description My side of the tunnel
!
interface Vlan1
nameif inside
security-level 100
ip address wall-2.gflyg.se 255.255.255.0
ipv6 address 2001:470:28:277::/64 eui-64
ipv6 address fe80::223:5eff:fe23:8b7f link-local
ipv6 address autoconfig
ipv6 enable
!
interface Vlan2
nameif outside
security-level 0
ip address wall.gflygt.se 255.255.255.192
ipv6 address wall-v6.gflyg.se/64
ipv6 address fe80::223:5eff:fe23:8b7f link-local
ipv6 enable
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server ns1.gflyg.se
domain-name gflyg.se
object network ns1.gflyg.se
host 192.168.0.101
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network wall.gflyg.se
host 83.227.135.66
description Created during name migration
object network portos
host 134.25.0.133
description Created during name migration
object network local_endpoint
host 83.227.135.66
description External interface
object network remote_endpoint
host 216.66.80.90
description Endpoint at HE
object network HE_Server
host 2001:470:27:277::1
description HE Andra sidan tunnel
object service 6in4
service 41
object network Inside-network
subnet 2001:470:28:277::/64
description Internal Network
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object icmp6 echo
service-object icmp6 echo-reply
service-object icmp6 neighbor-advertisement
service-object icmp6 neighbor-redirect
service-object icmp6 time-exceeded
service-object icmp6 unreachable
access-list outside_access_in remark Incoming DNS requests
access-list outside_access_in extended permit object-group TCPUDP any object wall.gflygt.se eq domain
access-list outside_access_in remark Incoming mail to gflygt.se
access-list outside_access_in extended permit tcp any object wall.gflygt.se eq smtp
access-list outside_access_in remark Acess Portos -> ns1.gflygt.se
access-list outside_access_in extended permit 222 object portos object ns1.gflygt.se
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list tunnel extended permit object 6in4 object remote_endpoint object local_endpoint
access-list Access_Mac webtype permit url ssh://mac.gflygt.se log default
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Pool-1 192.168.0.141-192.168.0.149 mask 255.255.255.0
ip verify reverse-path interface outside
ipv6 enforce-eui64 inside
ipv6 route inside ::/0 2001:470:27:277::1
ipv6 access-list inside_access_ipv6_in remark Access till min sida
ipv6 access-list inside_access_ipv6_in permit object-group TCPUDP object Inside-network any
ipv6 access-list inside_access_ipv6_in permit object-group DM_INLINE_SERVICE_1 object Inside-network any
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static local_endpoint interface destination static remote_endpoint remote_endpoint
!
object network ns1.gflyg.se
nat (inside,outside) static interface service tcp smtp smtp
object network ns1.gflyg.se-01
nat (inside,outside) static interface service tcp domain domain
object network ns1.gflyg.se-02
nat (inside,outside) static interface service udp domain domain
object network ns1.gflyg.se-03
nat (inside,outside) static interface service tcp ssh 222
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any-01
nat (inside,outside) dynamic obj-0.0.0.0
access-group inside_access_ipv6_in in interface inside
access-group tunnel in interface outside
route outside 0.0.0.0 0.0.0.0 83.227.135.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email gunnar.flyg@bredband.net
subject-name CN=wall.gflyg.se
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 8ec54d49
30820324 3082020c a0030201 0202048e c54d4930 0d06092a 864886f7 0d010104
05003054 31173015 06035504 03130e77 616c6c2e 67666c79 67742e73 65313930
1a06092a 864886f7 0d010908 130d3833 2e323237 2e313335 2e363630 1b06092a
38b9a8ef c9cb7f0d 2f552633 9471bf71 d0cdebcd 6ed09c5a 4528fa39 fff218a5
9e7481c0 e918a43f e3bc8b12 d0983302 03010001 300d0609 2a864886 f70d0101
04050003 82010100 1edbd3f8 0772e955 6f583074 b8d257e2 ed078e1c 6f6bbc12
0a6a1a0e 1078c30f feda23c3 f08d1159 4447b517 a24ddef8 191cc3a5 a73a60b5
84be1100 8857f338 db55d67f 48238c6d 888c0a0d dc1de65d 0b385709 3cb86223
d18fbbc4 0170370d 4b1e8627 eaa03e39 3cccd575 768e41e0 b4c8abf9 a6f33070
d354b5f3 a778094d b3018619 76466c8b 26e0452b d147eaf5 3cbe8750 21194fd0
98293c86 2f2044b9 e1849837 97fdc48b b45ac2f4 073d350d 2006ad76 38bd5ca4
870efd89 73043e8f 0f5e46fb 5adeff9a e279e542 ac6d5a58 0af89972 6f6bea96
f58d3126 bc4075ef 8d25c600 89f196af a237d088 94a30fe0 7ea96e3e b12369f9
ac3a7cc2 e10cfe76
quit
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh enigma.gflygt.se 255.255.255.255 inside
ssh mac.gflygt.se 255.255.255.255 inside
ssh afrodite.gflygt.se 255.255.255.255 inside
ssh 192.168.0.41 255.255.255.255 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 195.54.122.200
dhcpd option 15 ascii gflygt.se
!
dhcpd address 192.168.0.2-192.168.0.10 inside
dhcpd dns ns1.gflygt.se interface inside
dhcpd domain gflygt.se interface inside
dhcpd enable inside
!
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 195.54.122.168 source outside prefer
ntp server 195.54.122.100 source outside
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 outside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7f1e6ed191875dc729367
: end
asdm image disk0:/asdm-634-53.bin
asdm location enigma.gflygt.se 255.255.255.255 inside
asdm location mac.gflygt.se 255.255.255.255 inside
asdm location ns1.gflygt.se 255.255.255.255 inside
asdm location wall-2.gflygt.se 255.255.255.255 inside
asdm location wall.gflygt.se 255.255.255.255 inside
asdm location portos 255.255.255.255 inside
asdm location afrodite.gflygt.se 255.255.255.255 inside
asdm location wall-v6.gflygt.se/128 inside
asdm location Inside-v6.gflygt.se/128 inside
no asdm history enable
Both your inside and outside interfaces have the same link-local addresses (vlan1 & 2)
interface Vlan1
nameif inside
ipv6 address fe80::223:5eff:fe23:8b7f link-local
!
interface Vlan2
nameif outside
ipv6 address fe80::223:5eff:fe23:8b7f link-local
Is this valid?
Your rpf errors are "reverse path forwarding" errors being generated by this config
ip verify reverse-path interface outside
as cholzhauer states...
rgds
lukec
Hmm, dont know why it became like that. But when I remove both link local addresses I get the same error.
I slight difference occurs when I reboot. Then it says like this in the log:
Deny IPv6 reverse path check from wall-v6.gflygt.se to 2001:470:27:277::1 on interface outside
I don't know if this matters or not, but wall-v6.gflygt.se only seems to have a IPv4 address
In the config it says:
name 2001:470:27:277::2 wall-v6.gflygt.se description My side of the tunnel
So I disagree. :)
I gave this up, and now have a full working tunnel environment, using my old OpenBSD firewall. ;D
Easy to set up and working like a charm.
/Gunnar