
How to make a Cisco ASA work with only one public IP address

Started by cholzhauer, September 21, 2010, 01:05:21 PM


cholzhauer

I've been trying to figure this out for a while without much success, but now I have it.

If you have more than one public IP address, setting up your ASA to forward protocol 41 is easy; you just forward all IP traffic to your tunnel server (if it's behind a NAT).

If you only have one public IP address (like most home users) this becomes a little harder.

However, with the 8.3 release for the ASAs, this became possible.


! Real (private) address of the tunnel endpoint behind the ASA
object network local_endpoint
   host a.b.c.d
! Public address of the tunnel server (the far end of the tunnel)
object network remote_endpoint
   host e.f.g.h
! 8.3 twice NAT: local_endpoint is translated to the outside interface address
! only when talking to remote_endpoint, and inbound traffic from remote_endpoint
! to the interface address is un-translated back to local_endpoint
nat (inside,outside) source static local_endpoint interface destination static remote_endpoint remote_endpoint
! 8.3 ACLs match on real (un-translated) addresses, so the destination here is
! local_endpoint, not the interface address. Binding this ACL replaces any ACL
! already applied inbound on outside; merge the lines into that ACL if one exists.
access-list tunnel extended permit 41 object remote_endpoint object local_endpoint
access-group tunnel in interface outside


All you need to do is change a.b.c.d and e.f.g.h to the appropriate IP addresses and copy and paste into an SSH/console session.

This assumes the following topology:

Internet----ASA----tunnel server

The outside interface of the ASA has a public IP address and any device behind it has a private IP address.
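To make the "protocol 41" in the ACL above concrete, the following added example (my own code, not the poster's and not an ASA feature) builds a 6in4 packet the way the tunnel server would send it, dissects it the way you would check a capture, and models what the 8.3 twice NAT plus real-address ACL from the post do to such a packet when it arrives inbound on outside. The addresses (192.0.2.1 as the tunnel server, 203.0.113.5 as the ASA's outside address, 192.168.1.2 as the tunnel endpoint behind it, 2001:db8:1::/64 inside the tunnel) are constructed documentation addresses, and the model assumes only the post's NAT and ACL lines exist on the box.

```python
"""Build, encapsulate and dissect a 6in4 (IP protocol 41) packet using only the
Python standard library, and model what the post's 8.3 NAT + ACL do to such a
packet arriving on the ASA's outside interface. Illustrative code; not from the
forum post and not an ASA API."""
import ipaddress
import struct
from typing import Optional

IPPROTO_IPV6 = 41      # the "41" in 'access-list tunnel extended permit 41 ...'
IPPROTO_ICMPV6 = 58


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum; returns 0 when run over data that
    already contains a correct checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmpv6_echo(src6: str, dst6: str, ident: int = 1, seq: int = 1,
                      payload: bytes = b"6in4-test") -> bytes:
    """Minimal IPv6 packet carrying an ICMPv6 echo request (type 128, code 0)."""
    src = ipaddress.IPv6Address(src6).packed
    dst = ipaddress.IPv6Address(dst6).packed
    body = struct.pack("!BBHHH", 128, 0, 0, ident, seq) + payload
    # ICMPv6 checksum covers the IPv6 pseudo-header: src, dst, length, next header
    pseudo = src + dst + struct.pack("!IxxxB", len(body), IPPROTO_ICMPV6)
    body = body[:2] + struct.pack("!H", inet_checksum(pseudo + body)) + body[4:]
    # version 6 / class 0 / flow 0 | payload length | next header | hop limit
    return struct.pack("!IHBB", 0x60000000, len(body), IPPROTO_ICMPV6, 64) + src + dst + body


def encapsulate_6in4(src4: str, dst4: str, inner_v6: bytes, ttl: int = 64) -> bytes:
    """Wrap an IPv6 packet in an IPv4 header whose protocol field is 41 (RFC 4213)."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, 20 + len(inner_v6), 0, 0x4000, ttl, IPPROTO_IPV6, 0,
                      ipaddress.IPv4Address(src4).packed,
                      ipaddress.IPv4Address(dst4).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + inner_v6


def dissect_6in4(frame: bytes) -> dict:
    """Parse the outer IPv4 and inner IPv6 headers; raise ValueError if the frame
    is not valid 6in4. This is the check to run on a capture: is it really
    protocol 41, and do the outer addresses match the tunnel endpoints?"""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (frame[0] & 0x0F) * 4
    if inet_checksum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if frame[9] != IPPROTO_IPV6:
        raise ValueError("outer protocol is %d, not 41" % frame[9])
    inner = frame[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not an IPv6 packet")
    info = {
        "outer_src": str(ipaddress.IPv4Address(frame[12:16])),
        "outer_dst": str(ipaddress.IPv4Address(frame[16:20])),
        "inner_src": str(ipaddress.IPv6Address(inner[8:24])),
        "inner_dst": str(ipaddress.IPv6Address(inner[24:40])),
        "next_header": inner[6],
    }
    if inner[6] == IPPROTO_ICMPV6:
        plen = struct.unpack("!H", inner[4:6])[0]
        body = inner[40:40 + plen]
        pseudo = inner[8:40] + struct.pack("!IxxxB", len(body), IPPROTO_ICMPV6)
        info["icmpv6_checksum_ok"] = inet_checksum(pseudo + body) == 0
    return info


def asa_outside_inbound(frame: bytes, interface_ip: str, local_endpoint: str,
                        remote_endpoint: str) -> Optional[bytes]:
    """Model of the post's config for a packet arriving inbound on 'outside'
    (assumption: only the post's NAT and ACL lines exist). The twice-NAT rule
    un-translates dst interface_ip -> local_endpoint when the source is
    remote_endpoint; the ACL is then evaluated against the REAL (un-translated)
    destination, which is why the 8.3 ACL names local_endpoint rather than the
    interface address. Returns the packet as forwarded to inside, or None."""
    ihl = (frame[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(frame[12:16]))
    dst = str(ipaddress.IPv4Address(frame[16:20]))
    if src != remote_endpoint or dst != interface_ip:
        return None   # NAT rule does not match, so the real dst is never local_endpoint
    # un-translate: rewrite the destination and recompute the header checksum
    hdr = (frame[:10] + b"\x00\x00" + frame[12:16]
           + ipaddress.IPv4Address(local_endpoint).packed + frame[20:ihl])
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    translated = hdr + frame[ihl:]
    # access-list tunnel extended permit 41 object remote_endpoint object local_endpoint
    if translated[9] != IPPROTO_IPV6:
        return None   # anything that is not protocol 41 (e.g. TCP) is dropped
    return translated


if __name__ == "__main__":
    inner = build_icmpv6_echo("2001:db8:1::1", "2001:db8:1::2")
    pkt = encapsulate_6in4("192.0.2.1", "203.0.113.5", inner)
    fwd = asa_outside_inbound(pkt, "203.0.113.5", "192.168.1.2", "192.0.2.1")
    print(dissect_6in4(fwd))
```

When you do capture on the ASA, the outer destination you see on outside is the interface address and the one you see on inside is local_endpoint; if the outer protocol is anything other than 41, the ACL above will never match it.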

antillie

That's really cool. The only way I was able to solve this problem (in ASA firmware 8.2(2)) was to place my tunnel server (a 2621xm) in front of the ASA.

cholzhauer

Yeah, I had the same problem for a while, and for one of my setups it wasn't an option to put the IPv6 router in front of the ASA (VPN stuff, etc.).

8.3 makes it possible, but be warned: the NAT syntax is completely different and you also have to change the way you do your ACLs.

gflygt

I've set up my ASA 5505 exactly like that. But I don't get any packets through. I've tested with rules to allow my inside to ping my side of the IPv6 tunnel, but that doesn't work. So I tried to set a default gateway, which I understand shouldn't be needed.

To be honest, I'm totally lost on how to get traffic through.  :o

cholzhauer

Have you done a packet capture to see what's going on? If it's not passing protocol 41, it will tell you.

gflygt

Cannot see how I do that with IPv6 addresses. When I enter an IPv6 address it tells me to use a valid netmask. I tried both /128 and 128.

cholzhauer

Just monitor the whole /64.

What command did you issue to monitor traffic?  It's really easy through the ASDM

gflygt

I tried to use the packet capture wizard. Maybe the wrong approach. But here is a snippet from the log when I try to ping and traceroute a host on the Internet, if it is of any use.


6|Dec 01 2010|21:32:42|110002|e2::21|33437|||Failed to locate egress interface for UDP from inside:2001:470:28:277:223:32ff:fe9d:7763/49822 to 2001:67c:d8:e2::21/33437
6|Dec 01 2010|21:32:39|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:39|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:37|302020|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Built inbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:37|302020|fe80::223:5eff:fe23:8b7f|0|fe80::223:32ff:fe9d:7763|0|Built outbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:37|302021|ff02::1|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr ff02::1/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:36|302015|afrodite.gflygt.se|123|17.72.255.11|123|Built outbound UDP connection 5530 for outside:17.72.255.11/123 (17.72.255.11/123) to inside:afrodite.gflygt.se/123 (wall.gflygt.se/210)
6|Dec 01 2010|21:32:36|305011|afrodite.gflygt.se|123|wall.gflygt.se|210|Built dynamic UDP translation from inside:afrodite.gflygt.se/123 to outside:wall.gflygt.se/210
6|Dec 01 2010|21:32:35|302020|fe80::223:5eff:fe23:8b7f|0|ff02::1|0|Built outbound ICMP connection for faddr ff02::1/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:34|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:34|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:32|302020|fe80::223:5eff:fe23:8b7f|0|fe80::223:32ff:fe9d:7763|0|Built outbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:32|302020|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Built inbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:26|110002|e2::21|33435|||Failed to locate egress interface for UDP from inside:2001:470:28:277:223:32ff:fe9d:7763/49822 to 2001:67c:d8:e2::21/33435
6|Dec 01 2010|21:32:04|110002|e2::21|0|||Failed to locate egress interface for IPv6-ICMP from inside:2001:470:28:277:223:32ff:fe9d:7763/22292 to 2001:67c:d8:e2::21/0
6|Dec 01 2010|21:32:03|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:03|302021|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Teardown ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:01|302020|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Built inbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0
6|Dec 01 2010|21:32:01|302020|fe80::223:5eff:fe23:8b7f|0|fe80::223:32ff:fe9d:7763|0|Built outbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0

gflygt

Actually I tried to add a default route ::0/0 pointing to 2001:470:27:277::2, which is my side of the tunnel. But the ASA doesn't like that. (Routing is not my best skill. :) It says that I cannot route to myself, but that's what I'm doing for IPv4 and that works fine; I point 0.0.0.0 to my external interface.

cholzhauer

Quote from: gflygt on December 01, 2010, 12:53:06 PM
Actually I tried to add a default route ::0/0 pointing to 2001:470:27:277::2, which is my side of the tunnel. But the ASA doesn't like that. (Routing is not my best skill. :) It says that I cannot route to myself, but that's what I'm doing for IPv4 and that works fine; I point 0.0.0.0 to my external interface.

Right, you'd need to make it point to 2001:470:27:277::1.

gflygt

As I said, I'm a routing moron. :-) Of course I route my IPv4 to my default GW, not my outside interface, and when I route ::0/0 to 2001:470:27:277::1 it works. BUT I still don't get any traffic through!


gflygt

:) At least I see new things in the log. When I ping and traceroute the same host I see this now:


afrodite:~ gunnar$ cat ping-o-trace-ipv6
2|Dec 01 2010|22:09:26|106006|2001:470:28:277:223:32ff:fe9d:7763|59452|2001:67c:d8:e2::21|33437|Deny inbound UDP from 2001:470:28:277:223:32ff:fe9d:7763/59452 to 2001:67c:d8:e2::21/33437 on interface inside

3|Dec 01 2010|22:09:09|106014|fe9d||e2::21||Deny inbound icmp src inside:2001:470:28:277:223:32ff:fe9d:7763 dst inside:2001:67c:d8:e2::21 (type 128, code 0)

And this is also confusing, since I have an IPv6 rule saying allow inside net to any, protocol any.
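The log snippets in this thread are in the pipe-delimited format the ASDM log viewer exports (severity|date|time|message ID|src|sport|dst|dport|text), and the three message IDs that matter here each point at a different cause. As an added example, not code from the thread or from Cisco, the script below parses that format and triages the lines: 110002 means the ASA found no route for the destination (the state before the ::/0 route was added), while a 106014/106006 deny whose source and destination interface are the same, as in the last post where both read "inside", is what the ASA logs for traffic that would leave on the interface it arrived on, which it drops unless `same-security-traffic permit intra-interface` is configured. The sample lines are copied from this thread; the interface-name regexes and category names are my own.

```python
"""Triage ASDM-exported ASA syslog lines for the IPv6 tunnel failure modes seen
in this thread: no route (110002) and denied inside-to-inside traffic
(106006/106014). Illustrative code, not from the thread or from Cisco."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# ASDM log viewer export: severity|date|time|msgid|src|sport|dst|dport|text
FIELDS = ("severity", "date", "time", "msgid", "src", "sport", "dst", "dport", "text")
IFACE_RE = re.compile(r"\b(?:src|dst|from|to) ([A-Za-z]\w*):")  # "src inside:2001:..."
ON_IFACE_RE = re.compile(r"on interface ([A-Za-z]\w*)")         # "... on interface inside"
NORMAL = {"302013", "302014", "302015", "302016", "302020", "302021", "305011", "305012"}
DENY = {"106006", "106007", "106014", "106023"}


def parse_line(line: str) -> dict:
    """Split one exported line into its fields and pull out the interface names."""
    parts = line.strip().split("|", 8)
    if len(parts) != 9:
        raise ValueError("expected 9 pipe-separated fields: %r" % line)
    rec = dict(zip(FIELDS, parts))
    rec["interfaces"] = IFACE_RE.findall(parts[8]) + ON_IFACE_RE.findall(parts[8])
    return rec


def classify(rec: dict) -> Tuple[str, str]:
    """Map a parsed record to (category, hint). Categories beyond the thread's
    three cases are collapsed into 'normal' (connection bookkeeping) or 'other'."""
    msgid, ifaces = rec["msgid"], rec["interfaces"]
    if msgid == "110002":
        return ("no_route", "no route for the destination; the ASA needs an IPv6 route "
                "(e.g. ::/0 toward the far end of the tunnel)")
    if msgid in DENY:
        if len(ifaces) >= 2 and ifaces[0] == ifaces[1]:
            return ("intra_interface_drop",
                    "ingress and egress are both %r; the ASA drops traffic that would leave "
                    "on the interface it came in on unless 'same-security-traffic permit "
                    "intra-interface' is configured" % ifaces[0])
        return ("acl_deny", "denied on %s; check the IPv6 ACL bound inbound there"
                % (ifaces[0] if ifaces else "an unknown interface"))
    if msgid in NORMAL:
        return ("normal", "connection or translation bookkeeping")
    return ("other", "")


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per non-empty line, in input order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        cat, hint = classify(rec)
        findings.append({"msgid": rec["msgid"], "src": rec["src"], "dst": rec["dst"],
                         "category": cat, "hint": hint})
    return findings


def counts(lines: List[str]) -> Counter:
    """How many lines fell into each category; a quick first look at a big export."""
    return Counter(f["category"] for f in triage(lines))


# Sample input copied from the log excerpts posted in this thread.
SAMPLE = [
    "6|Dec 01 2010|21:32:42|110002|e2::21|33437|||Failed to locate egress interface for UDP from inside:2001:470:28:277:223:32ff:fe9d:7763/49822 to 2001:67c:d8:e2::21/33437",
    "6|Dec 01 2010|21:32:37|302020|fe80::223:32ff:fe9d:7763|0|fe80::223:5eff:fe23:8b7f|0|Built inbound ICMP connection for faddr fe80::223:32ff:fe9d:7763/0 gaddr fe80::223:5eff:fe23:8b7f/0 laddr fe80::223:5eff:fe23:8b7f/0",
    "2|Dec 01 2010|22:09:26|106006|2001:470:28:277:223:32ff:fe9d:7763|59452|2001:67c:d8:e2::21|33437|Deny inbound UDP from 2001:470:28:277:223:32ff:fe9d:7763/59452 to 2001:67c:d8:e2::21/33437 on interface inside",
    "3|Dec 01 2010|22:09:09|106014|fe9d||e2::21||Deny inbound icmp src inside:2001:470:28:277:223:32ff:fe9d:7763 dst inside:2001:67c:d8:e2::21 (type 128, code 0)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print("%s %-22s %s" % (f["msgid"], f["category"], f["hint"]))
    print(counts(SAMPLE))
```

Feed it a whole ASDM export (one line per entry) and look at `counts()` first; if `no_route` dominates, fix routing before touching ACLs, and if `intra_interface_drop` appears with the tunnel endpoint on inside, the ACL that "allows inside net to any" is not what is dropping the packets.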