• Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

How to make a Cisco ASA work with only one public IP address

Started by cholzhauer, September 21, 2010, 01:05:21 PM

Previous topic - Next topic

cholzhauer

Quote
And this is also confusing, since I have a ipv6 rule saying allow inside net to any protocol any.

Maybe it's too early in the morning still, but I don't see anything like that in the config you sent

gflygt

When I run packet tracer on the external interface from my side of the tunnel to the other with protocol 41, everything looks fine (all green) But I get (rpf-violated) Reverse-path verify failed.

Maybe I should upload a new config. I've been saving so many different that I might have choosen the wrong one.

What does this mean?

cholzhauer

I had that problem before and I'm trying to remember how I fixed it.  I'm pretty sure it means that the ASA can't determine where the packet originated.  So if you're doing a trace from your outside interface to the other end of your tunnel and you use an address that should be located on an inside interface, you'll receive that error.

gflygt

: Saved
:
ASA Version 8.3(2)
!
hostname wall
domain-name gflyg.se
enable password 86jCl42PVQo encrypted
passwd 2KFQnbNIdI.KYOU encrypted
names
name 192.168.0.21 enigma.gflygt.se
name 192.168.0.22 mac.gflyg.se
name 192.168.0.101 ns1.gflyg.se description Mailhost och DNS
name 192.168.0.111 wall-2.gflyg.se description ASA 5505
name 83.227.135.66 wall.gflyg.se description External interface
name 134.25.0.33 portos description Proxy SR
name 192.168.0.31 afrodite.gflyg.se description Stora MAC-en
name 2001:470:28:277::1 Inside-v6.gflyg.se description Inside of ASA
name 2001:470:27:277::2 wall-v6.gflyg.se description My side of the tunnel
!
interface Vlan1
nameif inside
security-level 100
ip address wall-2.gflyg.se 255.255.255.0
ipv6 address 2001:470:28:277::/64 eui-64
ipv6 address fe80::223:5eff:fe23:8b7f link-local
ipv6 address autoconfig
ipv6 enable
!
interface Vlan2
nameif outside
security-level 0
ip address wall.gflygt.se 255.255.255.192
ipv6 address wall-v6.gflyg.se/64
ipv6 address fe80::223:5eff:fe23:8b7f link-local
ipv6 enable
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa832-k8.bin
ftp mode passive
clock timezone CEST 1
clock summer-time CEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
dns domain-lookup inside
dns server-group DefaultDNS
name-server ns1.gflyg.se
domain-name gflyg.se
object network ns1.gflyg.se
host 192.168.0.101
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network obj_any-01
subnet 0.0.0.0 0.0.0.0
object network obj-0.0.0.0
host 0.0.0.0
object network wall.gflyg.se
host 83.227.135.66
description Created during name migration  
object network portos
host 134.25.0.133
description Created during name migration  
object network local_endpoint
host 83.227.135.66
description External interface  
object network remote_endpoint
host 216.66.80.90
description Endpoint at HE  
object network HE_Server
host 2001:470:27:277::1
description HE Andra sidan tunnel  
object service 6in4
service 41
object network Inside-network
subnet 2001:470:28:277::/64
description Internal Network
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object icmp6 echo
service-object icmp6 echo-reply
service-object icmp6 neighbor-advertisement
service-object icmp6 neighbor-redirect
service-object icmp6 time-exceeded
service-object icmp6 unreachable
access-list outside_access_in remark Incoming DNS requests
access-list outside_access_in extended permit object-group TCPUDP any object wall.gflygt.se eq domain
access-list outside_access_in remark Incoming mail to gflygt.se
access-list outside_access_in extended permit tcp any object wall.gflygt.se eq smtp
access-list outside_access_in remark Acess Portos -> ns1.gflygt.se
access-list outside_access_in extended permit 222 object portos object ns1.gflygt.se
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list tunnel extended permit object 6in4 object remote_endpoint object local_endpoint
access-list Access_Mac webtype permit url ssh://mac.gflygt.se log default
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool Pool-1 192.168.0.141-192.168.0.149 mask 255.255.255.0
ip verify reverse-path interface outside
ipv6 enforce-eui64 inside
ipv6 route inside ::/0 2001:470:27:277::1
ipv6 access-list inside_access_ipv6_in remark Access till min sida
ipv6 access-list inside_access_ipv6_in permit object-group TCPUDP object Inside-network any
ipv6 access-list inside_access_ipv6_in permit object-group DM_INLINE_SERVICE_1 object Inside-network any
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634-53.bin
no asdm history enable
arp timeout 14400
nat (inside,outside) source static local_endpoint interface destination static remote_endpoint remote_endpoint
!
object network ns1.gflyg.se
nat (inside,outside) static interface service tcp smtp smtp
object network ns1.gflyg.se-01
nat (inside,outside) static interface service tcp domain domain
object network ns1.gflyg.se-02
nat (inside,outside) static interface service udp domain domain
object network ns1.gflyg.se-03
nat (inside,outside) static interface service tcp ssh 222
object network obj_any
nat (inside,outside) dynamic interface
object network obj_any-01
nat (inside,outside) dynamic obj-0.0.0.0
access-group inside_access_ipv6_in in interface inside
access-group tunnel in interface outside
route outside 0.0.0.0 0.0.0.0 83.227.135.65 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.0.0 255.255.255.0 inside
http redirect outside 80
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime seconds 28800
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set security-association lifetime kilobytes 4608000
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
email gunnar.flyg@bredband.net
subject-name CN=wall.gflyg.se
crl configure
crypto ca certificate chain ASDM_TrustPoint0
certificate 8ec54d49
   30820324 3082020c a0030201 0202048e c54d4930 0d06092a 864886f7 0d010104
   05003054 31173015 06035504 03130e77 616c6c2e 67666c79 67742e73 65313930
   1a06092a 864886f7 0d010908 130d3833 2e323237 2e313335 2e363630 1b06092a
   38b9a8ef c9cb7f0d 2f552633 9471bf71 d0cdebcd 6ed09c5a 4528fa39 fff218a5
   9e7481c0 e918a43f e3bc8b12 d0983302 03010001 300d0609 2a864886 f70d0101
   04050003 82010100 1edbd3f8 0772e955 6f583074 b8d257e2 ed078e1c 6f6bbc12
   0a6a1a0e 1078c30f feda23c3 f08d1159 4447b517 a24ddef8 191cc3a5 a73a60b5
   84be1100 8857f338 db55d67f 48238c6d 888c0a0d dc1de65d 0b385709 3cb86223
   d18fbbc4 0170370d 4b1e8627 eaa03e39 3cccd575 768e41e0 b4c8abf9 a6f33070
   d354b5f3 a778094d b3018619 76466c8b 26e0452b d147eaf5 3cbe8750 21194fd0
   98293c86 2f2044b9 e1849837 97fdc48b b45ac2f4 073d350d 2006ad76 38bd5ca4
   870efd89 73043e8f 0f5e46fb 5adeff9a e279e542 ac6d5a58 0af89972 6f6bea96
   f58d3126 bc4075ef 8d25c600 89f196af a237d088 94a30fe0 7ea96e3e b12369f9
   ac3a7cc2 e10cfe76
 quit
crypto isakmp enable outside
crypto isakmp policy 5
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh scopy enable
ssh enigma.gflygt.se 255.255.255.255 inside
ssh mac.gflygt.se 255.255.255.255 inside
ssh afrodite.gflygt.se 255.255.255.255 inside
ssh 192.168.0.41 255.255.255.255 inside
ssh timeout 5
ssh version 2
console timeout 0
dhcpd dns 195.54.122.200
dhcpd option 15 ascii gflygt.se
!
dhcpd address 192.168.0.2-192.168.0.10 inside
dhcpd dns ns1.gflygt.se interface inside
dhcpd domain gflygt.se interface inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 195.54.122.168 source outside prefer
ntp server 195.54.122.100 source outside
ssl trust-point ASDM_TrustPoint0
ssl trust-point ASDM_TrustPoint0 outside
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
 message-length maximum 512
policy-map global_policy
class inspection_default
 inspect dns preset_dns_map
 inspect ftp
 inspect h323 h225
 inspect h323 ras
 inspect rsh
 inspect rtsp
 inspect esmtp
 inspect sqlnet
 inspect skinny  
 inspect sunrpc
 inspect xdmcp
 inspect sip  
 inspect netbios
 inspect tftp
 inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
 no active
 destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
 destination address email callhome@cisco.com
 destination transport-method http
 subscribe-to-alert-group diagnostic
 subscribe-to-alert-group environment
 subscribe-to-alert-group inventory periodic monthly
 subscribe-to-alert-group configuration periodic monthly
 subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:7f1e6ed191875dc729367
: end
asdm image disk0:/asdm-634-53.bin
asdm location enigma.gflygt.se 255.255.255.255 inside
asdm location mac.gflygt.se 255.255.255.255 inside
asdm location ns1.gflygt.se 255.255.255.255 inside
asdm location wall-2.gflygt.se 255.255.255.255 inside
asdm location wall.gflygt.se 255.255.255.255 inside
asdm location portos 255.255.255.255 inside
asdm location afrodite.gflygt.se 255.255.255.255 inside
asdm location wall-v6.gflygt.se/128 inside
asdm location Inside-v6.gflygt.se/128 inside
no asdm history enable

lukec

Both your inside and outside interfaces have the same link-local addresses (vlan1 & 2)

interface Vlan1
nameif inside
ipv6 address fe80::223:5eff:fe23:8b7f link-local
!
interface Vlan2
nameif outside
ipv6 address fe80::223:5eff:fe23:8b7f link-local

Is this valid?
Your rpf errors are "reverse path forwarding" errors being generated by this config
ip verify reverse-path interface outside as cholzhauer states...

rgds
lukec

gflygt

Hmm, dont know why it became like that. But when I remove both link local addresses I get the same error.

gflygt

I slight difference occurs when I reboot. Then it says like this in the log:

Deny IPv6 reverse path check from wall-v6.gflygt.se to 2001:470:27:277::1 on interface outside

cholzhauer

I don't know if this matters or not, but wall-v6.gflygt.se only seems to have a IPv4 address

gflygt

In the config it says:

name 2001:470:27:277::2 wall-v6.gflygt.se description My side of the tunnel

So I disagree. :)

gflygt

I gave this up, and now have a full working tunnel environment, using my old OpenBSD firewall.  ;D

Easy to set up and working like a charm.

/Gunnar