Hurricane Electric's IPv6 Tunnel Broker Forums


Author Topic: How to make a Cisco ASA work with only one public IP address  (Read 33380 times)

cholzhauer

  • Hero Member
  • *****
  • Posts: 2724
How to make a Cisco ASA work with only one public IP address
« on: September 21, 2010, 01:05:21 PM »

I've been trying to figure this out for a while without much success, but now I have it.

If you have more than one public IP address, setting up your ASA to forward protocol 41 is easy; you just forward all IP traffic to your tunnel server (if it's behind a NAT).

If you only have one public IP address (like most home users) this becomes a little harder.

However, with the 8.3 release for the ASAs, this became possible.

Code:
object network local_endpoint
   host a.b.c.d
object network remote_endpoint
   host e.f.g.h
nat (inside,outside) source static local_endpoint interface destination static remote_endpoint remote_endpoint
access-list tunnel extended permit 41 object remote_endpoint object local_endpoint
access-group tunnel in interface outside

All you need to do is change a.b.c.d and e.f.g.h to the appropriate IP addresses and copy and paste into an SSH/console session.

This setup assumes the following layout:

Internet----ASA----tunnel server

The outside interface of the ASA has a public IP address and any device behind it has a private IP address.
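A small lint for the fragment above, added here as an example and not code from the post or from Cisco: it parses the two network objects, the twice-NAT statement and the ACL, and checks that they agree with each other and with the Internet----ASA----tunnel server layout (inside endpoint RFC1918, broker endpoint public, ACL written broker-to-inside-host and bound inbound on outside). The addresses in SAMPLE_CONFIG are constructed placeholders.

```python
"""Lint an ASA 8.3 configuration fragment for the protocol-41 forwarding setup
described above. Added example, not the thread's own code. The addresses in
SAMPLE_CONFIG are constructed placeholders, not real endpoints."""
import ipaddress
import re

# Constructed stand-in for the snippet in the post, with placeholder addresses.
SAMPLE_CONFIG = """\
object network local_endpoint
   host 192.168.1.2
object network remote_endpoint
   host 203.0.113.10
nat (inside,outside) source static local_endpoint interface destination static remote_endpoint remote_endpoint
access-list tunnel extended permit 41 object remote_endpoint object local_endpoint
access-group tunnel in interface outside
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NAT_RE = re.compile(r"^nat \((\w+),(\w+)\) source static (\S+) interface "
                    r"destination static (\S+) (\S+)$")
ACL_RE = re.compile(r"^access-list (\S+) extended permit (\S+) object (\S+) object (\S+)$")
GROUP_RE = re.compile(r"^access-group (\S+) (in|out) interface (\w+)$")


def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)


def parse_objects(lines):
    """Map each 'object network NAME' with a following 'host ADDR' to {NAME: address}."""
    objects, current = {}, None
    for line in lines:
        m = re.match(r"^object network (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+host (\S+)$", line)
        if m and current:
            objects[current] = ipaddress.ip_address(m.group(1))
    return objects


def first_match(regex, lines):
    return next((m for m in map(regex.match, lines) if m), None)


def lint(config_text):
    """Return a list of problems; an empty list means the fragment is consistent."""
    lines = [l.rstrip() for l in config_text.splitlines() if l.strip()]
    objects = parse_objects(lines)
    problems = []

    nat = first_match(NAT_RE, lines)
    if nat is None:
        problems.append("no twice-NAT statement mapping the inside endpoint to the interface")
    else:
        _ifc_in, ifc_out, src_obj, dst_obj, dst_mapped = nat.groups()
        for name in (src_obj, dst_obj, dst_mapped):
            if name not in objects:
                problems.append(f"nat references undefined object {name}")
        if dst_obj != dst_mapped:
            problems.append("remote endpoint must be static to itself (destination untranslated)")
        if src_obj in objects and not is_rfc1918(objects[src_obj]):
            problems.append(f"{src_obj} is not RFC1918; the tunnel server sits behind the ASA")
        if dst_obj in objects and is_rfc1918(objects[dst_obj]):
            problems.append(f"{dst_obj} is RFC1918; the broker's endpoint must be public")

    acl = first_match(ACL_RE, lines)
    if acl is None:
        problems.append("no access-list permitting the tunnel by object")
        return problems
    acl_name, proto, acl_src, acl_dst = acl.groups()
    if proto != "41":
        problems.append(f"access-list permits protocol {proto}, not 41 (IPv6-in-IPv4)")
    # ACLs on 8.3 match real (untranslated) addresses, so the inbound rule is
    # written broker -> inside host, the mirror of the NAT's source/destination.
    if nat and (acl_src, acl_dst) != (dst_obj, src_obj):
        problems.append("access-list src/dst do not mirror the NAT's remote->local direction")
    group = first_match(GROUP_RE, lines)
    if group is None or group.group(1) != acl_name:
        problems.append(f"access-list {acl_name} is not applied with access-group")
    elif (group.group(2), group.group(3)) != ("in", ifc_out if nat else "outside"):
        problems.append("access-group must apply the list inbound on the outside interface")
    return problems


if __name__ == "__main__":
    for problem in lint(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```

One operational point the lint cannot see: `access-group tunnel in interface outside` binds a single list inbound on that interface, so on a box that already has an outside ACL the protocol 41 permit belongs in that existing list rather than in a new one that replaces it.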

antillie

  • Full Member
  • ***
  • Posts: 104
Re: How to make a Cisco ASA work with only one public IP address
« Reply #1 on: September 30, 2010, 09:05:24 PM »

That's really cool. The only way I was able to solve this problem (in ASA firmware 8.2(2)) was to place my tunnel server (a 2621xm) in front of the ASA.

cholzhauer

  • Hero Member
  • *****
  • Posts: 2724
Re: How to make a Cisco ASA work with only one public IP address
« Reply #2 on: October 01, 2010, 05:00:52 AM »

Yeah, I had the same problem for a while, and for one of my setups, it wasn't an option to put the IPv6 router in front of the ASA (VPN stuff, etc.).

8.3 makes it possible, but be warned, the NAT syntax is completely different and you also have to change the way you do your ACLs.

gflygt

  • Newbie
  • *
  • Posts: 13
Re: How to make a Cisco ASA work with only one public IP address
« Reply #3 on: December 01, 2010, 09:28:41 AM »

I've set up my asa 5505 exactly like that. But I don't get any packets through. I've tested with rules to allow my inside ping my side of the ipv6 tunnel, but that doesn't work. So I tried to set a default gateway which I understand shouldn't be needed.

To be true I'm totally lost on how to get traffic through.  :o

cholzhauer

  • Hero Member
  • *****
  • Posts: 2724
Re: How to make a Cisco ASA work with only one public IP address
« Reply #4 on: December 01, 2010, 09:37:52 AM »

Let's see a copy of your config.


gflygt

  • Newbie
  • *
  • Posts: 13
Re: How to make a Cisco ASA work with only one public IP address
« Reply #5 on: December 01, 2010, 11:51:07 AM »

Here it comes.

cholzhauer

  • Hero Member
  • *****
  • Posts: 2724
Re: How to make a Cisco ASA work with only one public IP address
« Reply #6 on: December 01, 2010, 11:58:53 AM »

Have you done a packet capture to see what's going on? If it's not passing protocol 41, it will tell you.

gflygt

  • Newbie
  • *
  • Posts: 13
Re: How to make a Cisco ASA work with only one public IP address
« Reply #7 on: December 01, 2010, 12:09:23 PM »

Cannot see how I do that with ipv6 addresses. When I enter an ipv6 address it tells me to use a valid netmask. I tried both /128 and 128.

cholzhauer

  • Hero Member
  • *****
  • Posts: 2724
Re: How to make a Cisco ASA work with only one public IP address
« Reply #8 on: December 01, 2010, 12:14:43 PM »

Just monitor the whole /64.

What command did you issue to monitor traffic? It's really easy through the ASDM.

gflygt

  • Newbie
  • *
  • Posts: 13
Re: How to make a Cisco ASA work with only one public IP address
« Reply #9 on: December 01, 2010, 12:39:06 PM »

I tried to use the packet capture wizard. Maybe the wrong approach. But here is a snippet from the log when I try to ping and traceroute a host on the internet, if it is of any use.


6|Dec 01 2010|21:32:42|110002|e2::21|33437|||Failed to locate egress interface for UDP from inside:2001:470:28:277:223:32ff:fe9d:7763/49822 to 2001:67c:d8:e2::21/33437
6|Dec 01 2010|21:32:39|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:39|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:37|302020|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Built inbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:37|302020|fe80::223:5eff:fe23:8b7f|0|fe80::223:32ff:fe9d:7763|0|Built outbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:37|302021|ff02::1|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:36|302015|afrodite.gflygt.se|123|17.72.255.11|123|Built outbound UDP connection 5530 for outside:17.72.255.11/123 (17.72.255.11/123) to inside:afrodite.gflygt.se/123 (wall.gflygt.se/210)
6|Dec 01 2010|21:32:36|305011|afrodite.gflygt.se|123|wall.gflygt.se|210|Built dynamic UDP translation from inside:afrodite.gflygt.se/123 to outside:wall.gflygt.se/210
6|Dec 01 2010|21:32:35|302020|fe80::223:5eff:fe23:8b7f|0|ff02::1|0|Built outbound ICMP connection for faddr ff02::1/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:34|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:34|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:32|302020|fe80::223:5eff:fe23:8b7f|0|fe80::223:32ff:fe9d:7763|0|Built outbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:32|302020|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Built inbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:26|110002|e2::21|33435|||Failed to locate egress interface for UDP from inside:2001:470:28:277:223:32ff:fe9d:7763/49822 to 2001:67c:d8:e2::21/33435
6|Dec 01 2010|21:32:04|110002|e2::21|0|||Failed to locate egress interface for IPv6-ICMP from inside:2001:470:28:277:223:32ff:fe9d:7763/22292 to 2001:67c:d8:e2::21/0
6|Dec 01 2010|21:32:03|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:03|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:01|302020|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Built inbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:01|302020|fe80::223:5eff:fe23:8b7f|0|fe80::223:32ff:fe9d:7763|0|Built outbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
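A triage script for exports like the one above, added here as an example and not part of any post: it parses the pipe-delimited fields, keeps only the message IDs that explain "no packets through" (110002 no egress route, 106006 and 106014 ACL denies), ignores link-local neighbour-discovery chatter, and reports the affected flows with what each message means for the tunnel. SAMPLE_LOG mirrors lines posted in the thread; its last line is constructed to exercise the link-local filter.

```python
"""Triage an ASDM pipe-delimited syslog export for a 6in4 tunnel that passes no
traffic. Added example, not code from the thread. Field order in the export:
severity|date|time|msgid|src|sport|dst|dport|text."""
import ipaddress
from collections import Counter

# Sample mirroring the posted log; the final line is constructed (link-local ND noise).
SAMPLE_LOG = """\
6|Dec 01 2010|21:32:42|110002|e2::21|33437|||Failed to locate egress interface for UDP from inside:2001:470:28:277:223:32ff:fe9d:7763/49822 to 2001:67c:d8:e2::21/33437
6|Dec 01 2010|21:32:39|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:04|110002|e2::21|0|||Failed to locate egress interface for IPv6-ICMP from inside:2001:470:28:277:223:32ff:fe9d:7763/22292 to 2001:67c:d8:e2::21/0
2|Dec 01 2010|22:09:26|106006|2001:470:28:277:223:32ff:fe9d:7763|59452|2001:67c:d8:e2::21|33437|Deny inbound UDP from 2001:470:28:277:223:32ff:fe9d:7763/59452 to 2001:67c:d8:e2::21/33437 on interface inside
3|Dec 01 2010|22:09:09|106014|fe9d||e2::21||Deny inbound icmp src inside:2001:470:28:277:223:32ff:fe9d:7763 dst inside:2001:67c:d8:e2::21 (type 128, code 0)
3|Dec 01 2010|22:09:10|106014|fe80||ff02::1||Deny inbound icmp src inside:fe80::223:5eff:fe23:8b7f dst inside:ff02::1 (type 135, code 0)
"""

# Message IDs that explain "no packets through", and what each one calls for.
DIAGNOSIS = {
    "110002": "no egress route for the destination: add an IPv6 default route via the "
              "far end of the tunnel (the ::1 address, not the ASA's own ::2)",
    "106006": "inbound ACL on the named interface denies this flow",
    "106014": "inbound ACL on the named interface denies this ICMP flow",
}


def parse_line(line):
    """Split one exported line into its nine fields (the text field may contain '|')."""
    parts = line.split("|", 8)
    if len(parts) != 9:
        return None
    keys = ("sev", "date", "time", "msgid", "src", "sport", "dst", "dport", "text")
    return dict(zip(keys, parts))


def _addr(token):
    """Turn 'ifc:addr/port', 'addr/port' or 'addr' into an ip_address, else None."""
    host = token.rsplit("/", 1)[0]
    for candidate in (host, host.split(":", 1)[-1]):
        try:
            return ipaddress.ip_address(candidate)
        except ValueError:
            continue  # first try fails when an 'inside:' prefix is present
    return None


def flow_of(text):
    """Extract (src, dst) from 'from X to Y' or 'src X dst Y'; None if absent."""
    words = text.split()
    for kw_src, kw_dst in (("from", "to"), ("src", "dst")):
        try:
            i = words.index(kw_src)
            j = words.index(kw_dst, i + 1)  # skip the 'to' in 'Failed to locate'
        except ValueError:
            continue
        if j + 1 >= len(words):
            continue
        src, dst = _addr(words[i + 1]), _addr(words[j + 1])
        if src and dst:
            return src, dst
    return None


def triage(log_text):
    """Return per-message-ID counts and one finding per line that blocks tunnel traffic."""
    counts, findings = Counter(), []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        counts[rec["msgid"]] += 1
        if rec["msgid"] not in DIAGNOSIS:
            continue
        flow = flow_of(rec["text"])
        if flow and flow[0].is_link_local:
            continue  # fe80:: chatter is neighbour discovery, not tunnel traffic
        findings.append({
            "time": rec["time"],
            "msgid": rec["msgid"],
            "src": str(flow[0]) if flow else None,
            "dst": str(flow[1]) if flow else None,
            "why": DIAGNOSIS[rec["msgid"]],
        })
    return counts, findings


def blocking_ids(findings):
    """Sorted, de-duplicated message IDs that explain the missing traffic."""
    return sorted({f["msgid"] for f in findings})


if __name__ == "__main__":
    counts, findings = triage(SAMPLE_LOG)
    print("message counts:", dict(counts))
    for f in findings:
        print(f"{f['time']} {f['msgid']} {f['src']} -> {f['dst']}: {f['why']}")
```

Read together, the two message IDs tell the story of the thread: 110002 appears while the IPv6 default route is missing, and once the route exists the 106006/106014 denies show that the inside ACL, not the route, is what still needs fixing.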

cholzhauer

  • Hero Member
  • *****
  • Posts: 2724
Re: How to make a Cisco ASA work with only one public IP address
« Reply #10 on: December 01, 2010, 12:40:45 PM »

Don't you need a default IPv6 route?

gflygt

  • Newbie
  • *
  • Posts: 13
Re: How to make a Cisco ASA work with only one public IP address
« Reply #11 on: December 01, 2010, 12:53:06 PM »

Actually I tried to add a default route ::0/0 pointing to 2001:470:27:277::2, which is my side of the tunnel. But the ASA doesn't like that. (Routing is not my best skill. :) ) It says that I cannot route to myself, but that's what I'm doing for ipv4 and that works fine; I point 0.0.0.0 to my external interface.

cholzhauer

  • Hero Member
  • *****
  • Posts: 2724
Re: How to make a Cisco ASA work with only one public IP address
« Reply #12 on: December 01, 2010, 12:55:33 PM »

> Actually I tried to add a default route ::0/0 pointing to 2001:470:27:277::2 which is my side of the tunnel. But the ASA doesn't like that. (Routing is not my best skill:) It says that I cannot route to myself, but that's what I'm doing for ipv4 and that works fine I point 0.0.0.0 to my external interface.

Right, you'd need to make it point to 2001:470:27:277::1

gflygt

  • Newbie
  • *
  • Posts: 13
Re: How to make a Cisco ASA work with only one public IP address
« Reply #13 on: December 01, 2010, 01:02:21 PM »

As I said, I'm a routing moron. :-) Of course I route my ipv4 to my default gw, not my outside interface, and when I route ::0/0 to 2001:470:27:277::1 it works. BUT I still don't get any traffic through!


gflygt

  • Newbie
  • *
  • Posts: 13
Re: How to make a Cisco ASA work with only one public IP address
« Reply #14 on: December 01, 2010, 01:15:12 PM »

:) At least I see new things in the log. When I ping and traceroute the same host I see this now:


afrodite:~ gunnar$ cat ping-o-trace-ipv6
2|Dec 01 2010|22:09:26|106006|2001:470:28:277:223:32ff:fe9d:7763|59452|2001:67c:d8:e2::21|33437|Deny inbound UDP from 2001:470:28:277:223:32ff:fe9d:7763/59452 to 2001:67c:d8:e2::21/33437 on interface inside

3|Dec 01 2010|22:09:09|106014|fe9d||e2::21||Deny inbound icmp src inside:2001:470:28:277:223:32ff:fe9d:7763 dst inside:2001:67c:d8:e2::21 (type 128, code 0)

And this is also confusing, since I have an ipv6 rule saying allow inside net to any protocol any.