Proxy NDP on Cisco ASAs?

Started by kirbini, March 09, 2011, 12:24:12 PM


kirbini

Hi all,

Does anyone know if the Cisco ASA firewalls support IPv6 Proxy NDP similar to IPv4 Proxy ARP? We're a co-lo/hosting provider with dual-homed BGP on the edge and a bank of ASAs and PIXen in front of the servers. Our public subnets are striped across all of the firewalls, so we rely on the proxy-arp feature for the routers to be able to find which firewall has which address for inbound packets. For instance, VLAN 2 is the layer-2 interconnect between everything, and in the routers there's just one statement: ip route 216.12.180.0 255.255.255.0 VLAN 2

Don't judge, I inherited this setup... :(

So here's what I'm wondering: can we use Proxy NDP for the same behavior, or should I be looking to some other solution? We have a /32 allocation (2604:7a00::/32 if anyone cares). The NAT for IPv6 will only be transparent (i.e., no NAT), so subnet striping will no longer be a problem. Should I add static routes for each new DMZ subnet created, rely on Proxy NDP, or start using dynamic routing (shudder) on the ASAs?

antillie

As far as I know the ASA won't do proxy NDP for IPv6. And I know that it won't do dynamic routing of any kind in IPv6.

So you will most likely need to specify the IPv6 address of the ASA in question as your next hop instead of the interface name. Fortunately you can use the link local address which never changes. I work for a large hosting provider with a similar setup to yours and we specify the IP of the destination ASA as the next hop for both IPv4 and IPv6 routes in the aggregation routers.
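The routing change antillie describes, written out as an added configuration example (not configuration from either poster's network): the aggregation router keeps an interface-only IPv4 route that depends on the firewalls answering proxy ARP, while each IPv6 DMZ prefix is pointed at the specific ASA that owns it. Because a link-local next hop is only meaningful on one link, IOS requires the outgoing interface to be given alongside it. The prefixes use the documentation range 2001:db8::/32, and the link-local and global next-hop addresses are placeholders chosen for this example.

```cisco
! Aggregation router (IOS) -- routes toward the firewalls on the shared VLAN 2
!
! IPv4 today: interface-only route, resolved by proxy ARP on whichever
! firewall holds the address (the setup described in the question).
ip route 216.12.180.0 255.255.255.0 Vlan2
!
! IPv6: one static route per DMZ prefix, next hop = the owning ASA's
! link-local address on its outside interface. The interface name is
! mandatory with a link-local next hop. Nothing relies on proxy NDP.
! (2001:db8:0:10::/64 and 2001:db8:0:20::/64 are constructed prefixes;
!  FE80::1 and FE80::2 are placeholder link-locals, not real addresses.)
ipv6 route 2001:db8:0:10::/64 Vlan2 FE80::1
ipv6 route 2001:db8:0:20::/64 Vlan2 FE80::2
!
! Verification on the router:
!   show ipv6 route static        -- both prefixes listed with Vlan2 + link-local
!   show ipv6 neighbors vlan2     -- FE80::1 / FE80::2 resolved via ND, state REACH
!
! Each ASA's own link-local on its outside interface is shown by
!   show ipv6 interface outside
! and that is the value to copy into the matching route above.
```

On the ASA side only a default route toward the aggregation router is needed (for example `ipv6 route outside ::/0 <router global or link-local on the interconnect>`); with one route per DMZ prefix on the router, traffic for addresses that no firewall owns is forwarded to the ASA holding that prefix and dropped there, rather than triggering neighbor discovery on the shared VLAN.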

kirbini

Good points. Having the firewalls silently drop packets for nonexistent hosts is preferable to having the routers process and filter ICMP "host not found" packets, at least IMO. A noble goal to aspire to anyway.

As for pointing the static routes from the edge to the link-local address, I assume it's possible to use the link-local for HA failover on the ASAs (that is, it will float like an IPv4 address will)? In practice, do you also set any other unicast addresses on the interface to also float in a failover?