Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: IPv6 routing on a Cisco ASA 5500 Series device  (Read 31723 times)

sthreei

IPv6 routing on a Cisco ASA 5500 Series device
« on: July 16, 2008, 07:48:19 AM »

I have an external Cisco router connected to the internet and an ASA 5510 behind that.  I have my tunnel set up on the external router.  I can ping from my ASA to my external router.  I can ping the outside interface of the ASA from the external router but I can't ping the inside interface of the ASA from the external router.  I can ping all the interfaces of the ASA from the inside network but I can't ping through the ASA to the external router.

These are the static routes and access-lists I have set up.

Any help or ideas would be greatly appreciated.

2001:xxxx:xxxx:2::2 is the IPv6 address of my internal router.
2001:xxxx:xxxx:1::129 is the IPv6 address of my external router.

ipv6 route inside 2001:xxxx:xxxx:100::/64 2001:xxxx:xxxx:2::2
ipv6 route inside 2001:xxxx:xxxx:101::/64 2001:xxxx:xxxx:2::2
ipv6 route inside 2001:xxxx:xxxx:105::/64 2001:xxxx:xxxx:2::2
ipv6 route inside 2001:xxxx:xxxx:255::/64 2001:xxxx:xxxx:2::2
ipv6 route outside ::/0 2001:xxxx:xxxx:1::129
ipv6 access-list test permit icmp6 any any echo
ipv6 access-list test permit icmp6 any any echo-reply
ipv6 access-list test permit icmp any any
ipv6 access-list test permit icmp6 any any
ipv6 access-list test permit ip any any


***EXTERNAL ROUTER'S ROUTING TABLE***
IPv6 Routing Table - 11 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
S   ::/0 [1/0]
     via ::, Tunnel0
C   2001:xxxx:xxxx:xxxx::/64 [0/0]
     via ::, Tunnel0
L   2001:xxxx:xxxx:xxxx::2/128 [0/0]
     via ::, Tunnel0
C   2001:xxxx:xxxx:1::/64 [0/0]
     via ::, Vlan128
L   2001:xxxx:xxxx:1::129/128 [0/0]
     via ::, Vlan128
S   2001:xxxx:xxxx:2::/64 [1/0]
     via ::, Vlan128
S   2001:xxxx:xxxx:100::/64 [1/0]
     via ::, Vlan128
S   2001:xxxx:xxxx:101::/64 [1/0]
     via ::, Vlan128
S   2001:xxxx:xxxx:105::/64 [1/0]
     via ::, Vlan128
S   2001:xxxx:xxxx:255::/64 [1/0]
     via ::, Vlan128
L   FF00::/8 [0/0]
     via ::, Null0


***ASA'S ROUTING TABLE***
IPv6 Routing Table - 11 entries
Codes: C - Connected, L - Local, S - Static
L   2001:xxxx:xxxx:1::130/128 [0/0]
     via ::, outside
C   2001:xxxx:xxxx:1::/64 [0/0]
     via ::, outside
L   2001:xxxx:xxxx:2::1/128 [0/0]
     via ::, inside
C   2001:xxxx:xxxx:2::/64 [0/0]
     via ::, inside
S   2001:xxxx:xxxx:100::/64 [0/0]
     via 2001:xxxx:xxxx:2::2, inside
S   2001:xxxx:xxxx:101::/64 [0/0]
     via 2001:xxxx:xxxx:2::2, inside
S   2001:xxxx:xxxx:105::/64 [0/0]
     via 2001:xxxx:xxxx:2::2, inside
S   2001:xxxx:xxxx:255::/64 [0/0]
     via 2001:xxxx:xxxx:2::2, inside
L   fe80::/10 [0/0]
     via ::, outside
     via ::, inside
     via ::, DMZ
L   ff00::/8 [0/0]
     via ::, outside
     via ::, inside
     via ::, DMZ
S   ::/0 [0/0]
     via 2001:xxxx:xxxx:1::129, outside


***INTERNAL ROUTER'S ROUTING TABLE***
IPv6 Routing Table - 12 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
S   ::/0 [1/0]
     via 2001:xxxx:xxxx:2::1
C   2001:xxxx:xxxx:2::/64 [0/0]
     via ::, FastEthernet0/0
L   2001:xxxx:xxxx:2::2/128 [0/0]
     via ::, FastEthernet0/0
C   2001:xxxx:xxxx:100::/64 [0/0]
     via ::, FastEthernet0/1.1
L   2001:xxxx:xxxx:100::1/128 [0/0]
     via ::, FastEthernet0/1.1
C   2001:xxxx:xxxx:101::/64 [0/0]
     via ::, FastEthernet0/1.2
L   2001:xxxx:xxxx:101::1/128 [0/0]
     via ::, FastEthernet0/1.2
C   2001:xxxx:xxxx:105::/64 [0/0]
     via ::, FastEthernet0/1.105
L   2001:xxxx:xxxx:105::1/128 [0/0]
     via ::, FastEthernet0/1.105
C   2001:xxxx:xxxx:255::/64 [0/0]
     via ::, FastEthernet0/1.3
L   2001:xxxx:xxxx:255::1/128 [0/0]
     via ::, FastEthernet0/1.3
L   FF00::/8 [0/0]
     via ::, Null0

stewartclannet

Re: IPv6 routing on a Cisco ASA 5500 Series device
« Reply #1 on: July 16, 2008, 08:12:29 AM »

Could you please post a (sanitized) version of the config files for your ASA and your external router?  I would like to take a look at how you have IPv6 enabled on the interfaces.

/Eric
http://ipv6.breezy.ca
http://www.NetTiki.com

sthreei

Re: IPv6 routing on a Cisco ASA 5500 Series device
« Reply #2 on: July 16, 2008, 08:40:37 AM »

***External router config***

Current configuration : 4540 bytes
!
! Last configuration change at 14:16:03 UTC Wed Jul 16 2008
! NVRAM config last updated at 14:16:07 UTC Wed Jul 16 2008
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname deleted
!
boot-start-marker
boot-end-marker
!
enable secret 5 deleted
!
no aaa new-model
ip dhcp excluded-address xxx.xxx.xxx.129 xxx.xxx.xxx.132
ip dhcp excluded-address xxx.xxx.xxx.135 xxx.xxx.xxx.142
!
!
ip cef
!
!
ip name-server xxx.xxx.xxx.20
ip name-server xxx.xxx.xxx.3
!
ipv6 unicast-routing
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
vlan internal allocation policy ascending
!
!
!
!
!
interface Loopback0
 no ip address
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:xxxx:xxxx:xxxx::2/64
 ipv6 enable
 tunnel source xxx.xxx.xxx.174
 tunnel destination xxx.xxx.xxx.2
 tunnel mode ipv6ip
!
interface GigabitEthernet0/0
 ip address xxx.xxx.xxx.174 255.255.255.252
 duplex auto
 speed auto
 media-type rj45
 ids-service-module monitoring
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface FastEthernet1/0
 no switchport
 ip address xxx.xxx.xxx.254 255.255.255.0
!
interface FastEthernet1/1
 switchport access vlan 128
!
interface FastEthernet1/2
 switchport access vlan 128
!
interface FastEthernet1/3
 switchport access vlan 128
!
interface FastEthernet1/4
 switchport access vlan 128
!
interface FastEthernet1/5
 switchport access vlan 128
!
interface FastEthernet1/6
 switchport access vlan 128
!
interface FastEthernet1/7
 switchport access vlan 128
!
interface FastEthernet1/8
 switchport access vlan 128
!
interface FastEthernet1/9
 switchport access vlan 128
!
interface FastEthernet1/10
 switchport access vlan 128
!
interface FastEthernet1/11
 switchport access vlan 128
!
interface FastEthernet1/12
 switchport access vlan 128
!
interface FastEthernet1/13
 switchport access vlan 128
 shutdown
!
interface FastEthernet1/14
 switchport access vlan 128
!
interface FastEthernet1/15
 switchport access vlan 128
!
interface IDS-Sensor2/0
 ip address xxx.xxx.xxx.1 255.255.255.0
 hold-queue 60 out
!
interface Vlan1
 no ip address
!
interface Vlan128
 ip address xxx.xxx.xxx.129 255.255.255.240
 ids-service-module monitoring
 ipv6 address 2001:xxxx:xxxx:1::129/64
 ipv6 enable
!
interface Vlan200
 no ip address
 shutdown
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.173
ip route xxx.xxx.xxx.0 255.255.255.0 xxx.xxx.xxx.139
!
!
no ip http server
no ip http secure-server
!
ip access-list extended internet
 permit tcp xxx.xxx.xxx.128 0.0.0.15 any eq telnet
ip access-list extended web
 permit tcp xxx.xxx.xxx.0 0.0.0.135 any range ftp-data ftp
 deny   tcp xxx.xxx.xxx.0 0.0.0.135 any neq www
 deny   tcp any host xxx.xxx.xxx.132 eq 8003
 deny   udp any host xxx.xxx.xxx.132 eq 8003
 deny   udp any host xxx.xxx.xxx.135 eq 8003
 deny   tcp any host xxx.xxx.xxx.135 eq 8003
 deny   tcp any host xxx.xxx.xxx.132 eq 41443
 deny   tcp any host xxx.xxx.xxx.135 eq 41443
 deny   udp any host xxx.xxx.xxx.132 eq 41443
 deny   udp any host xxx.xxx.xxx.135 eq 41443
 permit esp any any
 permit ip any any
!
access-list 10 permit xxx.xxx.xxx.141
access-list 10 permit xxx.xxx.xxx.138
access-list 10 permit xxx.xxx.xxx.130
access-list 180 permit udp any host xxx.xxx.xxx.132 eq 5008
access-list 180 deny   ip any any
!
!
ipv6 route 2001:xxxx:xxxx:1::/64 Vlan128
ipv6 route 2001:xxxx:xxxx:2::/64 Vlan128
ipv6 route 2001:xxxx:xxxx:100::/64 Vlan128
ipv6 route 2001:xxxx:xxxx:101::/64 Vlan128
ipv6 route 2001:xxxx:xxxx:105::/64 Vlan128
ipv6 route 2001:xxxx:xxxx:255::/64 Vlan128
ipv6 route ::/0 Tunnel0
!
!
!
!
ipv6 access-list telnetaccess
 permit ipv6 host 2001:xxxx:xxxx:1::130 any
 permit ipv6 host 2001:xxxx:xxxx:2::1 any
 permit ipv6 host 2001:xxxx:xxxx:101::1 any
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line 130
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
 access-class 10 in
 exec-timeout 0 0
 password 7 deleted
 ipv6 access-class telnetaccess in
 login
!
scheduler allocate 20000 1000
ntp clock-period 17179987
ntp server xxx.xxx.xxx.209

!
webvpn cef
!
end


***ASA config ***

: Saved
:
ASA Version 8.0(2)
!
hostname deleted
domain-name deleted
enable password deleted
names
dns-guard
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.130 255.255.255.240
 ipv6 address 2001:xxxx:xxxx:1::130/64
 ipv6 enable
 ospf cost 10
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address xxx.xxx.xxx.1 255.255.255.0
 ipv6 address 2001:xxxx:xxxx:2::1/64
 ipv6 enable
 ospf cost 10
!
interface Ethernet0/2
 nameif deleted
 security-level 100
 ip address xxx.xxx.xxx.254 255.255.255.0
 ipv6 enable
 ospf cost 10
!
interface Ethernet0/3
 nameif DMZ
 security-level 50
 ip address xxx.xxx.xxx.254 255.255.255.0
 ipv6 enable
 ospf cost 10
!
interface Management0/0
 shutdown
 nameif mgmt
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.0
 ospf cost 10
 management-only
!

**** Object groups deleted ****

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

**** IPv4 access-lists deleted ****

tcp-map mss-map
  exceed-mss allow
!
pager lines 24
logging enable
logging asdm-buffer-size 512
logging console notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu deleted 1500
mtu DMZ 1500
mtu mgmt 1500
ipv6 icmp permit any outside
ipv6 icmp permit any inside
ipv6 route inside 2001:xxxx:xxxx:100::/64 2001:xxxx:xxxx:2::2
ipv6 route inside 2001:xxxx:xxxx:101::/64 2001:xxxx:xxxx:2::2
ipv6 route inside 2001:xxxx:xxxx:105::/64 2001:xxxx:xxxx:2::2
ipv6 route inside 2001:xxxx:xxxx:255::/64 2001:xxxx:xxxx:2::2
ipv6 route outside ::/0 2001:xxxx:xxxx:1::129
ipv6 access-list test permit icmp6 any any echo
ipv6 access-list test permit icmp6 any any echo-reply
ipv6 access-list test permit icmp any any
ipv6 access-list test permit icmp6 any any
ipv6 access-list test permit ip any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-602.BIN
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (inside) 1 xxx.xxx.xxx.2-xxx.xxx.xxx.100 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.136 insideEX1 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.137 deleted netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.132 xxx.xxx.105.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group deleted_access_in in interface deleted
!
router ospf xxx
 network xxx.xxx.xxx.0 255.255.255.0 area 0
 area 0
 log-adj-changes
!
router eigrp xxx
 no auto-summary
 network xxx.xxx.xxx.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 router 1
route outside xxx.xxx.100.0 255.255.255.0 router 1
route outside xxx.xxx.0.2 255.255.255.255 router 1
route deleted xxx.xxx.0.0 255.255.0.0 10.1.253.1 1
route inside xxx.xxx.0.0 255.255.255.128 xxx.xxx.253.126 1
route inside xxx.xxx.0.128 255.255.255.128 xxx.xxx.253.126 1
route inside xxx.xxx.1.0 255.255.255.128 xxx.xxx.253.126 1
route inside xxx.xxx.1.128 255.255.255.128 xxx.xxx.253.126 1
route inside xxx.xxx.100.0 255.255.255.0 xxx.xxx.0.254 1
route inside xxx.xxx.101.0 255.255.255.0 xxx.xxx.0.254 1
route inside xxx.xxx.101.64 255.255.255.255 xxx.xxx.0.254 1
route inside xxx.xxx.102.0 255.255.255.128 xxx.xxx.0.254 1
route outside xxx.xxx.151.0 255.255.255.0 router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host insideDC1
 key deleted
 radius-common-pw
http server enable
http 2001:xxxx:xxxx:2::/64 inside
http 2001:xxxx:xxxx:101::/64 inside
http 2001:xxxx:xxxx:100::/64 inside
http xxx.xxx.101.17 255.255.255.255 inside
http xxx.xxx.0.254 255.255.255.255 deleted
http xxx.xxx.0.129 255.255.255.255 inside
http xxx.xxx.101.3 255.255.255.255 deleted
http xxx.xxx.1.0 255.255.255.0 inside
http xxx.xxx.101.60 255.255.255.255 inside
http xxx.xxx.101.56 255.255.255.255 inside
http xxx.xxx.100.0 255.255.255.0 inside
http xxx.xxx.101.61 255.255.255.255 inside
http xxx.xxx.101.57 255.255.255.255 inside
http xxx.xxx.101.62 255.255.255.255 inside
http xxx.xxx.101.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http xxx.xxx.0.128 255.255.255.192 inside
http xxx.xxx.101.63 255.255.255.255 inside
snmp-server host inside xxx.xxx.100.11 community deleted
snmp-server location
snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set vpn_3des esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-AES-256-MD5
crypto dynamic-map remotedyn 10 set transform-set vpn ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 vpn
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpn 1 match address outside_1_cryptomap
crypto map vpn 1 set pfs
crypto map vpn 1 set peer xxx.xxx.xxx.53
crypto map vpn 1 set transform-set ESP-AES-256-SHA
crypto map vpn 10 ipsec-isakmp dynamic remotedyn
crypto map vpn interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable deleted
crypto isakmp enable DMZ
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 5
 lifetime none
crypto isakmp policy 30
 authentication pre-share
 encryption 3des
 hash sha
 group 1
 lifetime 86400
crypto isakmp policy 50
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime none
crypto isakmp policy 70
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
no crypto isakmp nat-traversal
telnet xxx.xxx.0.129 255.255.255.255 inside
telnet xxx.xxx.100.0 255.255.255.0 inside
telnet xxx.xxx.101.0 255.255.255.0 inside
telnet xxx.xxx.101.17 255.255.255.255 inside
telnet 2001:xxxx:xxxx:101::/64 inside
telnet 2001:xxxx:xxxx:100::/64 inside
telnet 2001:xxxx:xxxx:2::/64 inside
telnet timeout 30
ssh timeout 5
ssh version 1
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcprelay server insideDC1 inside
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
 match default-inspection-traffic
class-map http-map1
 match any
!
!
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
policy-map http-map1
 class http-map1
  set connection advanced-options mss-map
!
service-policy global_policy global
service-policy http-map1 interface outside
ntp server xxx.xxx.xxx.140 source outside prefer
ntp server xxx.xxx.xxx.250 source outside
group-policy insidevpn internal
group-policy insidevpn attributes
 vpn-tunnel-protocol IPSec webvpn
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Tunnlednets
 default-domain value inside.local
group-policy insidevpn_1 internal
group-policy insidevpn_1 attributes
 dns-server value xxx.xxx.xxx.10 xxx.xxx.xxx.11
 vpn-tunnel-protocol IPSec
 default-domain value inside.local
tunnel-group DefaultL2LGroup ipsec-attributes
 pre-shared-key *
 peer-id-validate nocheck
 isakmp keepalive threshold 60 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
 isakmp keepalive threshold 60 retry 2
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
 pre-shared-key *
 isakmp keepalive threshold 60 retry 2
tunnel-group insidevpn type remote-access
tunnel-group insidevpn general-attributes
 address-pool inside
 default-group-policy insidevpn_1
tunnel-group insidevpn ipsec-attributes
 pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
 pre-shared-key *
smtp-server xxx.xxx.xxx.11
prompt hostname context
Cryptochecksum:bc1088fe02834e3b4d707bb65a82fc43
: end
asdm image disk0:/asdm-602.BIN
asdm history enable

« Last Edit: July 16, 2008, 09:35:43 AM by sthreei »

stewartclannet

Re: IPv6 routing on a Cisco ASA 5500 Series device
« Reply #3 on: July 19, 2008, 12:16:05 PM »

Interestingly, my layout is very similar.  I have a Cisco 871 connected to the Internet via DSL and like you am terminating my IPv6to4 tunnel using HE as my tunnel broker on the 871's tunnel0 interface.  I also have an ASA 5505 running 8.0(2) code and the Security Plus license inside the 871.

I have wireless clients who use the ASA 5505 as their default gateway and they're connecting to the Internet fine.

I noticed a couple of small differences between my config and yours.  One is that I have the "ipv6 address autoconfig" interface config command for all my IPv6 interfaces in addition to static IPv6 addresses.  I'm wondering if this might allow the ASA to discover neighbor IPv6 routers.  The other thing is that the ASA probably doesn't allow ICMPv6 redirects by default on its interfaces.  I'm speaking off the top of my head, but it wouldn't hurt to explicitly allow ICMPv6 on your ASA's inside interface, e0/1.  The command to do this is "ipv6 icmp permit any inside".  I'm thinking that if your internal router is the default gateway for hosts, the ASA might be refusing ICMPv6 redirects arriving on that inside interface.

Finally, one stupid question.  Is it just icmp that you're having trouble with?  Can hosts on the inside network connect to the Internet?

/Eric

aldorian

Re: IPv6 routing on a Cisco ASA 5500 Series device
« Reply #4 on: July 19, 2008, 12:39:30 PM »

My inside hosts can only connect to the internet via IPv4 addresses not IPv6.  Thanks for your suggestions.  I'll try them and let you know if that works.

stewartclannet

Re: IPv6 routing on a Cisco ASA 5500 Series device
« Reply #5 on: August 04, 2008, 06:02:21 PM »

Quote from aldorian: "My inside hosts can only connect to the internet via IPv4 addresses not IPv6.  Thanks for your suggestions.  I'll try them and let you know if that works."

Posting something here that might help: http://www.nettiki.com/?q=node/275#comment-262

/Eric

UltraZero

Re: IPv6 routing on a Cisco ASA 5500 Series device
« Reply #6 on: March 06, 2012, 10:03:38 AM »

Does anyone know what happened to this old topic?

If anyone knows, I'd like to find the answer.

From what I see, the TEST ACL was not applied.

Thanks

antillie

Re: IPv6 routing on a Cisco ASA 5500 Series device
« Reply #7 on: March 17, 2012, 11:34:53 AM »

I think you hit it on the head UltraZero. That's the only issue I see with the config.
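Since both UltraZero and antillie conclude that the "test" ACL was defined but never applied, here is an added config-lint example (not code from this thread or from Cisco) that scans an ASA 8.x-style running-config for exactly that: "ipv6 access-list" names with no "access-group" binding, IPv6-enabled interfaces that carry no IPv6 ACL, and access-group lines that reference an ACL missing from the paste. The sample config is constructed from the ASA config posted above, with addresses replaced by 2001:db8::/32 documentation space.

```python
"""Lint an ASA 8.x running-config for IPv6 ACLs that are defined but never
applied with access-group (the gap UltraZero spotted in the posted config)."""
import re
from collections import defaultdict

# Constructed sample, condensed from the ASA config posted in the thread.
SAMPLE_CONFIG = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ipv6 address 2001:db8:0:1::130/64
 ipv6 enable
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ipv6 address 2001:db8:0:2::1/64
 ipv6 enable
!
ipv6 icmp permit any outside
ipv6 icmp permit any inside
ipv6 route outside ::/0 2001:db8:0:1::129
ipv6 access-list test permit icmp6 any any echo
ipv6 access-list test permit ip any any
access-list inside_access_in extended permit ip any any
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

ACL_V4 = re.compile(r"^access-list (\S+) ")
ACL_V6 = re.compile(r"^ipv6 access-list (\S+) ")
BIND = re.compile(r"^access-group (\S+) (in|out) interface (\S+)")
NAMEIF = re.compile(r"^ nameif (\S+)")

def parse(config):
    """Collect ACL names by address family, access-group bindings per nameif,
    and the nameif of every interface with an 'ipv6 ...' interface command."""
    v4, v6, bound, v6_ifaces, current = set(), set(), defaultdict(list), set(), None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # any top-level command ends the interface block
        if m := NAMEIF.match(line):
            current = m.group(1)
        elif current and line.startswith(" ipv6 "):
            v6_ifaces.add(current)
        elif m := ACL_V6.match(line):
            v6.add(m.group(1))
        elif m := ACL_V4.match(line):
            v4.add(m.group(1))
        elif m := BIND.match(line):
            acl, direction, iface = m.groups()
            bound[iface].append((acl, direction))
    return {"v4": v4, "v6": v6, "bound": dict(bound), "v6_ifaces": v6_ifaces}

def lint(config):
    """Return human-readable findings; an empty list means nothing to report."""
    p = parse(config)
    applied = {acl for pairs in p["bound"].values() for acl, _ in pairs}
    findings = []
    for acl in sorted(p["v6"] - applied):
        findings.append(f"ipv6 access-list {acl} is defined but never applied with access-group")
    for iface in sorted(p["v6_ifaces"]):
        if not [a for a, _ in p["bound"].get(iface, []) if a in p["v6"]]:
            findings.append(f"interface {iface} has IPv6 enabled but no IPv6 ACL applied")
    for iface, pairs in sorted(p["bound"].items()):
        for acl, _ in pairs:
            if acl not in p["v4"] | p["v6"]:
                findings.append(f"access-group references {acl} on {iface}, which is not defined in this config")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a sanitized "show running-config" to get the same three classes of finding; a missing-definition finding on a paste like the one above usually just means that section was elided.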