Hurricane Electric's IPv6 Tunnel Broker Forums

General IPv6 Topics => IPv6 on Windows => Topic started by: mvalpreda on June 08, 2012, 05:39:51 PM

Title: Good place to begin?
Post by: mvalpreda on June 08, 2012, 05:39:51 PM
First off....I am really stymied by IPv6. I am sure I am over-analyzing all this....but I'm really not even sure where to begin. Is there someplace I can go to help me get this going forward so I can grasp what is going on?

I have a Cisco ASA and a Windows 2008 server. My Windows server already has an IPv6 address (fe80::3909:df10:b5f4:ccd4%10) that has been there since day one. The Windows 2008 server is the DHCP server for my network.

I have an account here at HE and they gave me a routed /64. I understand I put that information into the ASA with the config it generates for me. They gave me 2001:470:X:XXX::2/64. Am I correct in assuming that is the IPv6 gateway for my internal clients and my clients would be say 2001:470:X:XXX::10 through 2001:470:X:XXX::whatever?

Do I need to add anything to the ASA to make sure IPv6 clients behind the firewall are protected, since it is more of a routing situation as opposed to a NAT situation?
Title: Re: Good place to begin?
Post by: snarked on June 08, 2012, 07:13:36 PM
Look again at the allocation.
Title: Re: Good place to begin?
Post by: mvalpreda on June 08, 2012, 08:10:50 PM
I don't really know what that means.
Title: Re: Good place to begin?
Post by: broquea on June 08, 2012, 08:13:56 PM
He meant you have 2 different ranges. One is strictly for the tunnel interface on whatever device you configured the tunnel on and on HE's side (henceforth: router). The routed range is what you configure on your "router"'s LAN facing interface, and your equipment on the LAN will configure out of. If you are familiar with IPv4 routing, imagine that the "router" and HE.NET side are using a /30 for the tunnel/link. And that a /24 has been statically routed to your side of that /30.

In this case with IPv6, that /30 is now a /64. By default you get a second /64 statically routed to your Client Side IPv6 address. That is the range your "router" or I guess Win2k8 DHCP server will use to hand out to the lan.
Title: Re: Good place to begin?
Post by: mvalpreda on June 08, 2012, 08:28:44 PM
I just noticed the differences.

IPv6 Tunnel Endpoints
Server IPv4 Address: 66.220.18.42
Server IPv6 Address: 2001:470:C....:1/64
Client IPv6 Address: 2001:470:C....:2/64

Then there is a routed /64
2001:470:D....:1/64

I want to set up my DHCP and other internal IPv6 with the 2001:470:D range correct?

Would I assign the D range on my ASA as well?


Available DNS Resolvers
Anycasted IPv6 Caching Nameserver: 2001:470:20::2
Anycasted IPv4 Caching Nameserver: 74.82.42.42
Routed IPv6 Prefixes
Routed /64: 2001:470:d:c0f::/64
Routed /48:
Title: Re: Good place to begin?
Post by: cholzhauer on June 08, 2012, 08:43:54 PM
You only assign the d range in one place...which device do you want to use?

Title: Re: Good place to begin?
Post by: mvalpreda on June 08, 2012, 08:57:04 PM
I have a Windows 2008 server that will give out IPv4 and IPv6 DHCP. I have a Cisco ASA that will be the tunnel endpoint.

The info I got when I signed up shows
Server IPv6 address: 2001:470:C....:1/64
Client IPv6 address: 2001:470:C....:2/64
Routed /64: 2001:470:D..../64

I see the config generated for the ASA. I'm just not clear on what IPs I assign to machines inside the network. Is it the 2001:470:D range?
Title: Re: Good place to begin?
Post by: cholzhauer on June 09, 2012, 04:08:37 AM
Unfortunately that won't work...you cannot host the tunnel on the ASA as the ASA does not support it.
Title: Re: Good place to begin?
Post by: mvalpreda on June 09, 2012, 07:37:39 AM
Well that stinks. I replaced a Sonicwall TZ210 with the ASA since I could not find any of the IPv6 setup on the Sonicwall even though lots of places said it was there. Now I am in the same place!
Title: Re: Good place to begin?
Post by: cholzhauer on June 09, 2012, 12:51:43 PM
You can host the tunnel on the win2k8 machine though
Title: Re: Good place to begin?
Post by: broquea on June 09, 2012, 12:55:35 PM
I thought the tunnel WAS getting hosted on the win2k8 machine in the first place, since you mentioned it handles all your DHCP to begin with.
Title: Re: Good place to begin?
Post by: mvalpreda on June 09, 2012, 06:25:04 PM
If I host the tunnel on the Windows 2008 machine, I would need to use that as a router then, correct? If so I would rather just use a firewall.

I'm sort of irritated that a higher end firewall won't support being a tunnel endpoint. I see that an Apple Airport Extreme will host a tunnel but I am not a huge fan of those. What else can I pick up that supports VPN that can be an endpoint? I don't want to have to run any commands on the Windows clients. I just want them to get DHCPv6 addresses from the server and the heavy lifting is handled by the firewall/router. This would be connected to a 35/5 cable modem on Cox residential.

This is more for proof of concept to roll out to other locations should the need arise.
Title: Re: Good place to begin?
Post by: cholzhauer on June 09, 2012, 06:33:53 PM
You could grab a Cisco router and use that to host the tunnel...just place the router in front of the ASA.

By default, Windows clients don't pick up DHCPv6 addresses, so you would need to run some commands :)
Title: Re: Good place to begin?
Post by: mvalpreda on June 09, 2012, 06:39:16 PM
That is something else I can't get a straight answer on. I read that it will work on Vista SP2 and Windows 7. I have also read there are commands you have to run. Frustrating. I have a couple of Windows 2008 R2 SP1 machines and they picked up a DHCPv6 address.....and a few Windows 7 machines that didn't.....so WTF? LOL

I'm looking to just have one device so all this is transparent to the users. Router + ASA sounds like fun.....but I need to keep it a little more simple at home.
Title: Re: Good place to begin?
Post by: mvalpreda on June 09, 2012, 06:41:59 PM
Looks like a router that supports Tomato will work well....and not have to do anything too fancy with scripts like on DD-WRT.

http://troywitthoeft.com/get-your-home-network-connected-with-ipv6/
Title: Re: Good place to begin?
Post by: cholzhauer on June 09, 2012, 07:13:38 PM
You just have to change the M and O flags (I think that's what they are).
Title: Re: Good place to begin?
Post by: mvalpreda on June 23, 2012, 04:59:24 PM
This has been quite frustrating. I set up DHCPv6 on my Windows 2008 R2 server and none of the clients would get an IPv6 address. I had to run "netsh interface ipv6 set int ## advertise=enable managed=enable" to get an IPv6 address that wasn't a seemingly random router advertised address. Problem is, those would not work. Ping any IPv6 address and it would give a general failure. Remove those commands and I would get a crazy address again, but everything would flow. I just wanted to have a nice managed list of sequential IPv6 addresses.

I tried combinations of router advertisements on/off, DNS settings in the scope, no DNS settings in the scope and the only way it seems to work is advertisements on and no options defined in DHCPv6. Then I see there is no way to configure a gateway on DHCPv6. I don't get it!

In a strange way, I almost feel like IPv6 is a step back in the DHCP aspect. Unless I am totally missing something....
Title: Re: Good place to begin?
Post by: mvalpreda on June 23, 2012, 07:50:22 PM
I think I understand a little more now. The RA tells the client what to get from where. If the RA doesn't tell the client to get an IPv6 address from another server....it won't. It will auto-configure. So now I need to see how to change the M flag on the RA on this TomatoUSB router. Might not be likely....

At least I have a little better understanding now.
Title: Re: Good place to begin?
Post by: antillie on July 23, 2012, 10:56:05 AM
The only easy way that I know of to make Windows 7 boxes use DHCPv6 is if the prefix advertisements they get from the gateway tell them to do so via the managed config flags in said prefix advertisements. Unfortunately the ASA cannot do this either as both of the config flags in the prefix advertisements sent from any ASA are hard set to 0 and cannot be changed. A Cisco router lets you set the config flags though. Hopefully Cisco will correct this discrepancy soon.