Hurricane Electric's IPv6 Tunnel Broker Forums

IPv6 routing on a Cisco ASA 5500 Series device

Started by sthreei, July 16, 2008, 07:48:19 AM


sthreei

I have an external Cisco router connected to the internet and an ASA 5510 behind that.  I have my tunnel set up on the external router.  I can ping from my ASA to my external router.  I can ping the outside interface of the ASA from the external router, but I can't ping the inside interface of the ASA from the external router.  I can ping all the interfaces of the ASA from the inside network, but I can't ping through the ASA to the external router.

These are the static routes and access-lists I have set up.

Any help or ideas would be greatly appreciated.

2001:xxxx:xxxx:2::2 is the IPv6 address of my internal router.
2001:xxxx:xxxx:1::129 is the IPv6 address of my external router.

ipv6 route inside 2001:xxxx:xxxx:100::/64 2001:xxxx:xxxx:2::2
ipv6 route inside 2001:xxxx:xxxx:101::/64 2001:xxxx:xxxx:2::2
ipv6 route inside 2001:xxxx:xxxx:105::/64 2001:xxxx:xxxx:2::2
ipv6 route inside 2001:xxxx:xxxx:255::/64 2001:xxxx:xxxx:2::2
ipv6 route outside ::/0 2001:xxxx:xxxx:1::129
ipv6 access-list test permit icmp6 any any echo
ipv6 access-list test permit icmp6 any any echo-reply
ipv6 access-list test permit icmp any any
ipv6 access-list test permit icmp6 any any
ipv6 access-list test permit ip any any


***EXTERNAL ROUTER'S ROUTING TABLE***
IPv6 Routing Table - 11 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
S   ::/0 [1/0]
     via ::, Tunnel0
C   2001:xxxx:xxxx:xxxx::/64 [0/0]
     via ::, Tunnel0
L   2001:xxxx:xxxx:xxxx::2/128 [0/0]
     via ::, Tunnel0
C   2001:xxxx:xxxx:1::/64 [0/0]
     via ::, Vlan128
L   2001:xxxx:xxxx:1::129/128 [0/0]
     via ::, Vlan128
S   2001:xxxx:xxxx:2::/64 [1/0]
     via ::, Vlan128
S   2001:xxxx:xxxx:100::/64 [1/0]
     via ::, Vlan128
S   2001:xxxx:xxxx:101::/64 [1/0]
     via ::, Vlan128
S   2001:xxxx:xxxx:105::/64 [1/0]
     via ::, Vlan128
S   2001:xxxx:xxxx:255::/64 [1/0]
     via ::, Vlan128
L   FF00::/8 [0/0]
     via ::, Null0


***ASA'S ROUTING TABLE***
IPv6 Routing Table - 11 entries
Codes: C - Connected, L - Local, S - Static
L   2001:xxxx:xxxx:1::130/128 [0/0]
     via ::, outside
C   2001:xxxx:xxxx:1::/64 [0/0]
     via ::, outside
L   2001:xxxx:xxxx:2::1/128 [0/0]
     via ::, inside
C   2001:xxxx:xxxx:2::/64 [0/0]
     via ::, inside
S   2001:xxxx:xxxx:100::/64 [0/0]
     via 2001:xxxx:xxxx:2::2, inside
S   2001:xxxx:xxxx:101::/64 [0/0]
     via 2001:xxxx:xxxx:2::2, inside
S   2001:xxxx:xxxx:105::/64 [0/0]
     via 2001:xxxx:xxxx:2::2, inside
S   2001:xxxx:xxxx:255::/64 [0/0]
     via 2001:xxxx:xxxx:2::2, inside
L   fe80::/10 [0/0]
     via ::, outside
     via ::, inside
     via ::, DMZ
L   ff00::/8 [0/0]
     via ::, outside
     via ::, inside
     via ::, DMZ
S   ::/0 [0/0]
     via 2001:xxxx:xxxx:1::129, outside


***INTERNAL ROUTER'S ROUTING TABLE***
IPv6 Routing Table - 12 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
       U - Per-user Static route, M - MIPv6
       I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
       O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
       ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
       D - EIGRP, EX - EIGRP external
S   ::/0 [1/0]
     via 2001:xxxx:xxxx:2::1
C   2001:xxxx:xxxx:2::/64 [0/0]
     via ::, FastEthernet0/0
L   2001:xxxx:xxxx:2::2/128 [0/0]
     via ::, FastEthernet0/0
C   2001:xxxx:xxxx:100::/64 [0/0]
     via ::, FastEthernet0/1.1
L   2001:xxxx:xxxx:100::1/128 [0/0]
     via ::, FastEthernet0/1.1
C   2001:xxxx:xxxx:101::/64 [0/0]
     via ::, FastEthernet0/1.2
L   2001:xxxx:xxxx:101::1/128 [0/0]
     via ::, FastEthernet0/1.2
C   2001:xxxx:xxxx:105::/64 [0/0]
     via ::, FastEthernet0/1.105
L   2001:xxxx:xxxx:105::1/128 [0/0]
     via ::, FastEthernet0/1.105
C   2001:xxxx:xxxx:255::/64 [0/0]
     via ::, FastEthernet0/1.3
L   2001:xxxx:xxxx:255::1/128 [0/0]
     via ::, FastEthernet0/1.3
L   FF00::/8 [0/0]
     via ::, Null0

stewartclannet

Could you please post a (sanitized) version of the config files for your ASA and your external router?  I would like to take a look at how you have IPv6 enabled on the interfaces.

/Eric
http://ipv6.breezy.ca
http://www.nettiki.com

sthreei

***External router config***

Current configuration : 4540 bytes
!
! Last configuration change at 14:16:03 UTC Wed Jul 16 2008
! NVRAM config last updated at 14:16:07 UTC Wed Jul 16 2008
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname deleted
!
boot-start-marker
boot-end-marker
!
enable secret 5 deleted
!
no aaa new-model
ip dhcp excluded-address xxx.xxx.xxx.129 xxx.xxx.xxx.132
ip dhcp excluded-address xxx.xxx.xxx.135 xxx.xxx.xxx.142
!
!
ip cef
!
!
ip name-server xxx.xxx.xxx.20
ip name-server xxx.xxx.xxx.3
!
ipv6 unicast-routing
multilink bundle-name authenticated
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
archive
log config
  hidekeys
!
vlan internal allocation policy ascending
!
!
!
!
!
interface Loopback0
no ip address
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:xxxx:xxxx:xxxx::2/64
ipv6 enable
tunnel source xxx.xxx.xxx.174
tunnel destination xxx.xxx.xxx.2
tunnel mode ipv6ip
!
interface GigabitEthernet0/0
ip address xxx.xxx.xxx.174 255.255.255.252
duplex auto
speed auto
media-type rj45
ids-service-module monitoring
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface FastEthernet1/0
no switchport
ip address xxx.xxx.xxx.254 255.255.255.0
!
interface FastEthernet1/1
switchport access vlan 128
!
interface FastEthernet1/2
switchport access vlan 128
!
interface FastEthernet1/3
switchport access vlan 128
!
interface FastEthernet1/4
switchport access vlan 128
!
interface FastEthernet1/5
switchport access vlan 128
!
interface FastEthernet1/6
switchport access vlan 128
!
interface FastEthernet1/7
switchport access vlan 128
!
interface FastEthernet1/8
switchport access vlan 128
!
interface FastEthernet1/9
switchport access vlan 128
!
interface FastEthernet1/10
switchport access vlan 128
!
interface FastEthernet1/11
switchport access vlan 128
!
interface FastEthernet1/12
switchport access vlan 128
!
interface FastEthernet1/13
switchport access vlan 128
shutdown
!
interface FastEthernet1/14
switchport access vlan 128
!
interface FastEthernet1/15
switchport access vlan 128
!
interface IDS-Sensor2/0
ip address xxx.xxx.xxx.1 255.255.255.0
hold-queue 60 out
!
interface Vlan1
no ip address
!
interface Vlan128
ip address xxx.xxx.xxx.129 255.255.255.240
ids-service-module monitoring
ipv6 address 2001:xxxx:xxxx:1::129/64
ipv6 enable
!
interface Vlan200
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.173
ip route xxx.xxx.xxx.0 255.255.255.0 xxx.xxx.xxx.139
!
!
no ip http server
no ip http secure-server
!
ip access-list extended internet
permit tcp xxx.xxx.xxx.128 0.0.0.15 any eq telnet
ip access-list extended web
permit tcp xxx.xxx.xxx.0 0.0.0.135 any range ftp-data ftp
deny   tcp xxx.xxx.xxx.0 0.0.0.135 any neq www
deny   tcp any host xxx.xxx.xxx.132 eq 8003
deny   udp any host xxx.xxx.xxx.132 eq 8003
deny   udp any host xxx.xxx.xxx.135 eq 8003
deny   tcp any host xxx.xxx.xxx.135 eq 8003
deny   tcp any host xxx.xxx.xxx.132 eq 41443
deny   tcp any host xxx.xxx.xxx.135 eq 41443
deny   udp any host xxx.xxx.xxx.132 eq 41443
deny   udp any host xxx.xxx.xxx.135 eq 41443
permit esp any any
permit ip any any
!
access-list 10 permit xxx.xxx.xxx.141
access-list 10 permit xxx.xxx.xxx.138
access-list 10 permit xxx.xxx.xxx.130
access-list 180 permit udp any host xxx.xxx.xxx.132 eq 5008
access-list 180 deny   ip any any
!
!
ipv6 route 2001:xxxx:xxxx:1::/64 Vlan128
ipv6 route 2001:xxxx:xxxx:2::/64 Vlan128
ipv6 route 2001:xxxx:xxxx:100::/64 Vlan128
ipv6 route 2001:xxxx:xxxx:101::/64 Vlan128
ipv6 route 2001:xxxx:xxxx:105::/64 Vlan128
ipv6 route 2001:xxxx:xxxx:255::/64 Vlan128
ipv6 route ::/0 Tunnel0
!
!
!
!
ipv6 access-list telnetaccess
permit ipv6 host 2001:xxxx:xxxx:1::130 any
permit ipv6 host 2001:xxxx:xxxx:2::1 any
permit ipv6 host 2001:xxxx:xxxx:101::1 any
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line 130
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line vty 0 4
access-class 10 in
exec-timeout 0 0
password 7 deleted
ipv6 access-class telnetaccess in
login
!
scheduler allocate 20000 1000
ntp clock-period 17179987
ntp server xxx.xxx.xxx.209

!
webvpn cef
!
end


***ASA config***

: Saved
:
ASA Version 8.0(2)
!
hostname deleted
domain-name deleted
enable password deleted
names
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
ip address xxx.xxx.xxx.130 255.255.255.240
ipv6 address 2001:xxxx:xxxx:1::130/64
ipv6 enable
ospf cost 10
!
interface Ethernet0/1
nameif inside
security-level 100
ip address xxx.xxx.xxx.1 255.255.255.0
ipv6 address 2001:xxxx:xxxx:2::1/64
ipv6 enable
ospf cost 10
!
interface Ethernet0/2
nameif deleted
security-level 100
ip address xxx.xxx.xxx.254 255.255.255.0
ipv6 enable
ospf cost 10
!
interface Ethernet0/3
nameif DMZ
security-level 50
ip address xxx.xxx.xxx.254 255.255.255.0
ipv6 enable
ospf cost 10
!
interface Management0/0
shutdown
nameif mgmt
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.0
ospf cost 10
management-only
!

**** Object groups deleted ****

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

**** IPv4 access-lists deleted ****

tcp-map mss-map
  exceed-mss allow
!
pager lines 24
logging enable
logging asdm-buffer-size 512
logging console notifications
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu deleted 1500
mtu DMZ 1500
mtu mgmt 1500
ipv6 icmp permit any outside
ipv6 icmp permit any inside
ipv6 route inside 2001:xxxx:xxxx:100::/64 2001:xxxx:xxxx:2::2
ipv6 route inside 2001:xxxx:xxxx:101::/64 2001:xxxx:xxxx:2::2
ipv6 route inside 2001:xxxx:xxxx:105::/64 2001:xxxx:xxxx:2::2
ipv6 route inside 2001:xxxx:xxxx:255::/64 2001:xxxx:xxxx:2::2
ipv6 route outside ::/0 2001:xxxx:xxxx:1::129
ipv6 access-list test permit icmp6 any any echo
ipv6 access-list test permit icmp6 any any echo-reply
ipv6 access-list test permit icmp any any
ipv6 access-list test permit icmp6 any any
ipv6 access-list test permit ip any any
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
asdm image disk0:/asdm-602.BIN
asdm history enable
arp timeout 14400
nat-control
global (outside) 10 interface
global (inside) 1 xxx.xxx.xxx.2-xxx.xxx.xxx.100 netmask 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 10 0.0.0.0 0.0.0.0
static (inside,outside) xxx.xxx.xxx.136 insideEX1 netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.137 deleted netmask 255.255.255.255
static (inside,outside) xxx.xxx.xxx.132 xxx.xxx.105.2 netmask 255.255.255.255
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
access-group deleted_access_in in interface deleted
!
router ospf xxx
network xxx.xxx.xxx.0 255.255.255.0 area 0
area 0
log-adj-changes
!
router eigrp xxx
no auto-summary
network xxx.xxx.xxx.0 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 router 1
route outside xxx.xxx.100.0 255.255.255.0 router 1
route outside xxx.xxx.0.2 255.255.255.255 router 1
route deleted xxx.xxx.0.0 255.255.0.0 10.1.253.1 1
route inside xxx.xxx.0.0 255.255.255.128 xxx.xxx.253.126 1
route inside xxx.xxx.0.128 255.255.255.128 xxx.xxx.253.126 1
route inside xxx.xxx.1.0 255.255.255.128 xxx.xxx.253.126 1
route inside xxx.xxx.1.128 255.255.255.128 xxx.xxx.253.126 1
route inside xxx.xxx.100.0 255.255.255.0 xxx.xxx.0.254 1
route inside xxx.xxx.101.0 255.255.255.0 xxx.xxx.0.254 1
route inside xxx.xxx.101.64 255.255.255.255 xxx.xxx.0.254 1
route inside xxx.xxx.102.0 255.255.255.128 xxx.xxx.0.254 1
route outside xxx.xxx.151.0 255.255.255.0 router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host insideDC1
key deleted
radius-common-pw
http server enable
http 2001:xxxx:xxxx:2::/64 inside
http 2001:xxxx:xxxx:101::/64 inside
http 2001:xxxx:xxxx:100::/64 inside
http xxx.xxx.101.17 255.255.255.255 inside
http xxx.xxx.0.254 255.255.255.255 deleted
http xxx.xxx.0.129 255.255.255.255 inside
http xxx.xxx.101.3 255.255.255.255 deleted
http xxx.xxx.1.0 255.255.255.0 inside
http xxx.xxx.101.60 255.255.255.255 inside
http xxx.xxx.101.56 255.255.255.255 inside
http xxx.xxx.100.0 255.255.255.0 inside
http xxx.xxx.101.61 255.255.255.255 inside
http xxx.xxx.101.57 255.255.255.255 inside
http xxx.xxx.101.62 255.255.255.255 inside
http xxx.xxx.101.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
http xxx.xxx.0.128 255.255.255.192 inside
http xxx.xxx.101.63 255.255.255.255 inside
snmp-server host inside xxx.xxx.100.11 community deleted
snmp-server location
snmp-server contact
snmp-server community
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set vpn_3des esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set vpn esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec df-bit clear-df outside
crypto ipsec df-bit clear-df inside
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 40 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 60 match address outside_cryptomap_dyn_60
crypto dynamic-map outside_dyn_map 60 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 80 match address outside_cryptomap_dyn_80
crypto dynamic-map outside_dyn_map 80 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 100 match address outside_cryptomap_dyn_100
crypto dynamic-map outside_dyn_map 100 set transform-set ESP-AES-256-SHA
crypto dynamic-map outside_dyn_map 120 match address outside_cryptomap_dyn_120
crypto dynamic-map outside_dyn_map 120 set transform-set ESP-AES-256-MD5
crypto dynamic-map remotedyn 10 set transform-set vpn ESP-AES-256-SHA
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 vpn
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map vpn 1 match address outside_1_cryptomap
crypto map vpn 1 set pfs
crypto map vpn 1 set peer xxx.xxx.xxx.53
crypto map vpn 1 set transform-set ESP-AES-256-SHA
crypto map vpn 10 ipsec-isakmp dynamic remotedyn
crypto map vpn interface outside
crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map inside_map interface inside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp enable inside
crypto isakmp enable deleted
crypto isakmp enable DMZ
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime none
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash sha
group 1
lifetime 86400
crypto isakmp policy 50
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime none
crypto isakmp policy 70
authentication pre-share
encryption aes-256
hash sha
group 5
lifetime 86400
no crypto isakmp nat-traversal
telnet xxx.xxx.0.129 255.255.255.255 inside
telnet xxx.xxx.100.0 255.255.255.0 inside
telnet xxx.xxx.101.0 255.255.255.0 inside
telnet xxx.xxx.101.17 255.255.255.255 inside
telnet 2001:xxxx:xxxx:101::/64 inside
telnet 2001:xxxx:xxxx:100::/64 inside
telnet 2001:xxxx:xxxx:2::/64 inside
telnet timeout 30
ssh timeout 5
ssh version 1
console timeout 0
dhcpd ping_timeout 750
dhcpd auto_config outside
!
dhcprelay server insideDC1 inside
threat-detection basic-threat
threat-detection statistics
!
class-map inspection_default
match default-inspection-traffic
class-map http-map1
match any
!
!
policy-map type inspect dns migrated_dns_map_1
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns migrated_dns_map_1
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny 
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip 
  inspect xdmcp
policy-map http-map1
class http-map1
  set connection advanced-options mss-map
!
service-policy global_policy global
service-policy http-map1 interface outside
ntp server xxx.xxx.xxx.140 source outside prefer
ntp server xxx.xxx.xxx.250 source outside
group-policy insidevpn internal
group-policy insidevpn attributes
vpn-tunnel-protocol IPSec webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value Tunnlednets
default-domain value inside.local
group-policy insidevpn_1 internal
group-policy insidevpn_1 attributes
dns-server value xxx.xxx.xxx.10 xxx.xxx.xxx.11
vpn-tunnel-protocol IPSec
default-domain value inside.local
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
peer-id-validate nocheck
isakmp keepalive threshold 60 retry 2
tunnel-group DefaultRAGroup ipsec-attributes
isakmp keepalive threshold 60 retry 2
tunnel-group DefaultWEBVPNGroup ipsec-attributes
isakmp keepalive threshold 60 retry 2
tunnel-group 0.0.0.0 type ipsec-l2l
tunnel-group 0.0.0.0 ipsec-attributes
pre-shared-key *
isakmp keepalive threshold 60 retry 2
tunnel-group insidevpn type remote-access
tunnel-group insidevpn general-attributes
address-pool inside
default-group-policy insidevpn_1
tunnel-group insidevpn ipsec-attributes
pre-shared-key *
tunnel-group xxx.xxx.xxx.xxx type ipsec-l2l
tunnel-group xxx.xxx.xxx.xxx ipsec-attributes
pre-shared-key *
smtp-server xxx.xxx.xxx.11
prompt hostname context
Cryptochecksum:bc1088fe02834e3b4d707bb65a82fc43
: end
asdm image disk0:/asdm-602.BIN
asdm history enable


stewartclannet

Interestingly, my layout is very similar.  I have a Cisco 871 connected to the Internet via DSL and like you am terminating my IPv6to4 tunnel using HE as my tunnel broker on the 871's tunnel0 interface.  I also have an ASA 5505 running 8.0(2) code and the Security Plus license inside the 871.

I have wireless clients who use the ASA 5505 as their default gateway and they're connecting to the Internet fine.

I noticed a couple of small differences between my config and yours.  One is that I have the "ipv6 address autoconfig" interface config command for all my IPv6 interfaces in addition to static IPv6 addresses.  I'm wondering if this might allow the ASA to discover neighbor IPv6 routers.  The other thing is that the ASA probably doesn't allow ICMPv6 redirects by default on its interfaces.  I'm speaking off the top of my head, but it wouldn't hurt to explicitly allow ICMPv6 on your ASA's inside interface, e0/1.  The command to do this is "ipv6 icmp permit any inside".  I'm thinking that if your internal router is the default gateway for hosts, the ASA might be refusing ICMPv6 redirects arriving on that inside interface.

Finally, one stupid question.  Is it just icmp that you're having trouble with?  Can hosts on the inside network connect to the Internet?

/Eric

aldorian

My inside hosts can only connect to the internet via IPv4 addresses not IPv6.  Thanks for your suggestions.  I'll try them and let you know if that works.

stewartclannet

Quote from: aldorian on July 19, 2008, 12:39:30 PM
My inside hosts can only connect to the internet via IPv4 addresses not IPv6.  Thanks for your suggestions.  I'll try them and let you know if that works.
Posting here that might help-> http://www.nettiki.com/?q=node/275#comment-262

/Eric

UltraZero

Does anyone know what happened to this old topic??

If anyone knows, I'd like to find the answer.

From what I see, the TEST ACL was not applied.

Thanks

antillie

I think you hit it on the head UltraZero. That's the only issue I see with the config.
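The gap UltraZero and antillie point at (the IPv6 ACL "test" is defined on the ASA, but no "access-group test in interface ..." line ever applies it) is the kind of thing a config audit can catch mechanically. The following checker is an added example written for this thread, not code from the thread, from Cisco or from Hurricane Electric; the config excerpt it parses is constructed to mirror the posted ASA config, with documentation addresses in place of the poster's.

```python
"""Audit an ASA config for ACLs that are defined but never bound to an interface.
Added helper for the gap noted in this thread (the IPv6 ACL 'test' exists but no
access-group line applies it); not code from the thread, Cisco or HE."""
import re

# Constructed excerpt modelled on the ASA config posted above; the addresses
# are documentation prefixes, not the poster's.
SAMPLE_CONFIG = """\
interface Ethernet0/0
nameif outside
security-level 0
interface Ethernet0/1
nameif inside
security-level 100
ipv6 access-list test permit icmp6 any any echo
ipv6 access-list test permit icmp6 any any echo-reply
ipv6 access-list test permit ip any any
access-list outside_access_in extended permit tcp any host 192.0.2.10 eq www
access-list inside_access_in extended permit ip any any
access-list inside_nat0_outbound extended permit ip 192.0.2.0 255.255.255.0 any
nat (inside) 0 access-list inside_nat0_outbound
access-group outside_access_in in interface outside
access-group inside_access_in in interface inside
"""

ACL_DEF = re.compile(r"^(ipv6\s+)?access-list\s+(\S+)")
ACL_BIND = re.compile(r"^access-group\s+(\S+)\s+(in|out)\s+interface\s+(\S+)")
NAMEIF = re.compile(r"^nameif\s+(\S+)")
# ACLs consumed by something other than an interface binding (NAT exemption,
# crypto maps) are in use even though no access-group names them.
OTHER_REF = re.compile(r"^(?:nat\b.*\baccess-list|crypto\b.*\bmatch address)\s+(\S+)")


def audit_acls(config_text):
    """Return which ACLs exist, where they are bound, and which are unused."""
    defined = {}        # ACL name -> "ipv4" | "ipv6"
    bound = {}          # ACL name -> [(direction, interface), ...]
    referenced = set()  # ACL names used by nat / crypto map lines
    interfaces = set()  # nameif values seen in the config
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := ACL_DEF.match(line):
            defined.setdefault(m.group(2), "ipv6" if m.group(1) else "ipv4")
        elif m := ACL_BIND.match(line):
            bound.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
        elif m := NAMEIF.match(line):
            interfaces.add(m.group(1))
        elif m := OTHER_REF.match(line):
            referenced.add(m.group(1))
    # For each interface, which address families actually have a bound ACL.
    covered = {iface: set() for iface in interfaces}
    for acl, bindings in bound.items():
        for _direction, iface in bindings:
            covered.setdefault(iface, set()).add(defined.get(acl, "unknown"))
    return {
        "defined": defined,
        "bound": bound,
        "unbound": sorted(a for a in defined if a not in bound and a not in referenced),
        "dangling_bindings": sorted(a for a in bound if a not in defined),
        "no_ipv6_acl": sorted(i for i, fams in covered.items() if "ipv6" not in fams),
    }
```

Run against the sample, "unbound" comes back as ["test"] and both nameifs appear under "no_ipv6_acl", which is exactly the state of the posted config: the IPv6 rules exist but nothing on any interface consults them.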