Has anyone been able to use a Cisco SA520 Small Business Firewall/Router?

Started by core3software, February 04, 2011, 10:56:54 AM

core3software

Greetings! I have spent a few hours mucking about in the Cisco SA520 IPv6 configuration screens, but can't make heads or tails of how to go about setting up my tunnel to Hurricane Electric.  I can't find anywhere to set up the IPv4 Server address for the HE side of the tunnel.  It seems as though this particular Cisco device will only support IPv6 provided directly by my ISP (Verizon FIOS Small Business).  Unfortunately, the SA520 has no console port, no access to the CLI, and doesn't run IOS, so I have no chance at creating the tunnel using the Cisco config listed on the HE site.  I upgraded the SA520 to firmware revision Primary Firmware Version: 2.1.18 Secondary Firmware Version: 1.0.15

Any ideas? Thanks!

cholzhauer

I haven't used one of these before, but at first glance, it looks much like the bigger ASA platform; the ASA platform is not a "routing platform" and as such, does not have the ability to host/terminate tunnels.

galfert

I too own a Cisco SA520W and I've tried to configure an IPv6 tunnel to HE and other IPv6 tunnel brokers and I haven't had any luck.   It just seems like the SA500 series is lacking this functionality.  I'm also running the latest 2.1.18 firmware.  The SA500 series supports 6to4 tunneling but I think this was intended to bridge two IPv6 networks via a couple of SA500 routers and not for WAN IPv6 Internet connectivity.

Hopefully a future firmware will bring more IPv6 features to this line.  I do very much like the SA500 series.  In some ways better than the ASA....but the ASA sure has its advantages too depending on the network needs.

I also have extensive experience deploying ASA505 and ASA5510 and they are nothing like the SA500 series.   And I'm not sure why anyone would say that the ASA or the SA500 series is not a routing platform.  So I disagree with the previous post on this.

cholzhauer

Yes, the platform will route.  You can terminate an HE tunnel on a Cisco router, but you can not do it on an ASA.  If you need a router, you buy a router, not an ASA...that's why I say that.

galfert

We are talking about an SA500 Series ROUTER, not an ASA....totally different.   I already told you it is a totally different line than the ASA....not similar in the least bit....and I am familiar with both.  So the SA500 Series and in my case an SA520W is a router.  It is able to terminate tunnels. This conversation is not about ASA but a totally different line called SA500 Series.  So bringing up the ASA and what it can or can't do is irrelevant.

We need some help with the SA500 Series .... In the Cisco forum I got the following response which is an incomplete solution and I still couldn't make heads or tails of this recommendation but I'll post it below to see if someone else can expand or correct this:

https://supportforums.cisco.com/message/3313621#3313621

Quoted text below from weilia on Cisco forum:
Quote
Hi George,

Please Find the steps to configure SA520 compatible with Tunnel Broker(Hurricane Electric).

-> Configure the IPv4 ISP address(In our case we have used Static Configuration) by opening Networking -> WAN -> IPv4 config.
-> Change SA520 device routing mode to IPv6 and IPv4 (Dual Stack) mode.
-> Enable 6to4 tunneling by selecting option in Networking -> IPv6 -> 6to4 Tunneling -> Enable Automatic Tunneling.
-> Configure/create IPv6 Regular Tunnel in Tunnel Broker site by choosing "Create Regular Tunnel" option present. Please choose Linux-Net-Tools and show config.
  For now we would recommend you to select the server option as "New York, NY, US" or "Dallas, TX, US" or "Chicago, IL, US" in Hurricane Electric Tunnel Broker site.
-> Go to -> SA520 -> Networking -> IPv6 -> IPv6 Static Routing page. Add Static route saying Destination as "Server IPv6 address", Prefix Length as "64", Gateway as "Relay" mentioned in Linux-net-Tools mentioned in Tunnel Broker site. Configure metric as "3".
-> Enabled RADVD by selecting options in Networking -> IPv6 -> Router Advertisement page. Select Advertise Mode as "Unsolicited Multicast"
-> Add Advertisement Prefix for 6to4 with SLA ID as 123.
-> Enable IPv6 LAN DHCPv6 server in stateless mode.
-> Configure SA500 IPv4 ip address and DNS address. If your ISP won't support IPv6 DNS, please use the "Anycasted IPv4 Caching Nameserver:" mentioned under section "Available DNS Resolvers" in tunnel broker site.
-> Run dibbler client or IPv6 native client in stateless mode from IPv6 only aware LAN host. LAN host will receive IPv6 DNS information from SA500. You can verify it by checking "cat /etc/resolv.conf".
-> Check the connectivity between SA500 IPv6 LAN host and Tunnel Broker Server IPv6 address.
-> Try to resolve and browse IPv6 websites like "http://ipv6.google.com" or "www.kame.net"


Regards,
Wei
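
The 6to4 steps in the quoted Cisco reply build the LAN prefix from the router's WAN IPv4 address and the SLA ID, whereas a tunnel broker's regular (6in4) tunnel uses a prefix the broker assigns. The following is an added example, not part of the thread or of Cisco's reply: it derives the 6to4 /64 and tells the two kinds of prefix apart. The WAN address 192.0.2.1 and the 2001:db8 prefix are constructed documentation values, and reading SLA ID 123 as decimal is an assumption.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")  # 6to4 prefix (RFC 3056)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def sixtofour_lan_prefix(wan_ipv4, sla_id):
    """Return the /64 a 6to4 router advertises: 2002:<WAN IPv4>:<SLA ID>::/64."""
    v4 = ipaddress.IPv4Address(wan_ipv4)
    # 6to4 embeds the WAN address in the prefix, so a router behind NAT
    # (RFC 1918 WAN address) cannot produce a reachable 6to4 prefix.
    if any(v4 in net for net in RFC1918):
        raise ValueError(f"{v4} is RFC 1918 space; 6to4 needs a public WAN IPv4")
    if not 0 <= sla_id <= 0xFFFF:
        raise ValueError("SLA ID must fit in 16 bits")
    value = (0x2002 << 112) | (int(v4) << 80) | (sla_id << 64)
    return ipaddress.IPv6Network((value, 64))


def classify_prefix(prefix):
    """Return ("6to4", embedded IPv4) or ("assigned", None) for an IPv6 prefix."""
    net = ipaddress.IPv6Network(prefix)
    if net.subnet_of(SIXTOFOUR):
        # .sixtofour extracts the IPv4 address embedded in a 2002::/16 address
        return "6to4", net.network_address.sixtofour
    # Anything else was handed out by an ISP or tunnel broker (6in4 or native);
    # the tunnel endpoint is then configured explicitly, not derived.
    return "assigned", None


if __name__ == "__main__":
    lan = sixtofour_lan_prefix("192.0.2.1", 123)   # constructed WAN address
    print(lan, classify_prefix(str(lan)))
    # Constructed stand-in for a broker-assigned routed /64
    print(classify_prefix("2001:db8:1234::/64"))
```

Both tunnel types carry IPv6 inside IPv4 protocol 41; what differs is where the prefix and the remote endpoint come from, which is why a LAN prefix starting with 2002: indicates the router is doing 6to4 rather than using a broker-assigned block.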

cholzhauer


galfert

Someone is confused... as when you use 6to4 you are in fact using 6in4 as a subset function.

I can't believe I'm feeding the trolls.

So anyway ....back to the subject at hand.   If you read my response to the Cisco engineer on the Cisco forum you'll see some of my comments on Cisco's recommended configuration where I've asked for clarification.  Hopefully we'll have this problem solved soon.

cholzhauer

Relax, I'm not trolling for anything; I wasn't calling you confused, I was calling Cisco confused.

All I was simply trying to say was that I have never seen a router list the configuration page for a 6to4 setup and then also use that 6to4 configuration page to also do 6in4.

Can you post some screen shots of the configuration page on the SA520?

galfert

Well I appreciate the interest in helping.  I guess you came off the wrong way with your short comments.  My apologies.

I've taken 13 screen shots (in order and numbered) ...pardon the quality as I'm limited to the kb size per file in this forum per post and I didn't know how else to link images.

The following are all the IPv6 related configuration screens for the Cisco SA500 Series.  There really is no mention of IPv6 anywhere else in the router configuration other than status screens and logs....Cisco did a nice job keeping all IPv6 related configuration options together.

