ASA 5505 and 1841

yozh · February 17, 2009, 04:40:09 AM

Ok this might not be fully about IPv6 but it involves it.

So I just got an ASA 5505 and it seems I cant make a tunnel from it to the HE so I guess I have to put a router in front of it. I have a Cisco 1841 from which I`m sure I can get a tunnel going, here are few questions that I have regarding v4 and v6

First, when I put an 1841 in front since I have a cable modem and 1 share DHCP ip, I guess I have to do NATing on the 1841 and then on the ASA ? Please correct me if I`m wrong ? this is for v4

Second, when I establish the tunnel where do I assign my subnet /64 ? on the ASA LAN interface ? what about between ASA and 1841, what subnet is used there ?

Please help thank you.

spectre240sx · February 22, 2009, 09:13:19 PM

I'm in exactly the same boat, but I've got a 2621xm + ASA5505. I'm currently doing a static NAT translation from the ASA to the WAN interface of the router. Config snippet below:

Code Select


!
interface FastEthernet0/1
 description Inside Network
 ip address 192.168.101.1 255.255.255.252
 ip nat inside
 duplex auto
 speed auto
 ipv6 address 2001:*::1/64
 ipv6 enable
!
ip nat inside source static 192.168.101.2 interface FastEthernet0/0
!

Unfortunately, this doesn't seem to be working. I can't even ping (v6) the HE side of the tunnel. I'm guessing it's got something to do with the static NAT I have in place. I'm using a /30 between the router and the ASA and a /24 on the inside network of the ASA. V4 is all running fine.

As for the local v6 networking, I requested a routed /48 and I'm using a /64 between the router and the ASA and another /64 on the other side of the ASA. A /64 seems like a complete waste between the router and the ASA, but I'm bad at math and this seemed like the easiest setup for the moment. I might be doing something wrong here, though, as I'm having trouble getting v6 traffic to pass over the ASA, but that's really a different topic. I can't ping the outside interface via v6 from an inside host.

yozh · February 23, 2009, 04:21:44 AM

Can you ping HE or any v6 address from the router ?

spectre240sx · February 26, 2009, 12:07:29 AM

I can't

I'm thinking, at this point, that I might just end up using the firewall in transparent mode behind the router. It's not the best solution as it's less commonly used and I won't gain as much experience from it, but it'll work.

yozh · February 26, 2009, 04:23:59 AM

If you cant ping HE or anything on IPv6 address space from the router, then you have a different issue. If you use the firewall in transperent mode arent you loosing the actually layer 3 firewall functions?

spectre240sx · March 04, 2009, 06:44:23 PM

My thoughts on pinging HE was that it might be having difficulty keeping the tunnel up due to the way I have the static route. It basically bridges F0/0 and F0/1 and may make it difficult for the router to speak for itself.

I realize that transparent mode gets rid of layer 3 functionality, but I'm not sure whether that's really a problem for me. I would certainly like to be able to use it as a layer 3 device just for experience, but in the end, I'm more interested in having IPv6 back.

Have you made any more headway with your setup?

yozh · March 06, 2009, 05:53:58 AM

What do you mean bridged ? You said you are doing static 1-1 nat ?

I still didnt put in my ASA, I`m rethinking the way this will be done. I have an AirPort extreme that I use as a bridge not a router and its able to establish tunnel to HE the problem comes with firewall, its eather allowing all in or none, the exceptions are not working :( so I`m still in the planing/design stage.

spectre240sx · March 09, 2009, 12:47:56 AM

If I understand correctly, the way I have things set up, 192.168.101.2 is essentially speaking for Interface F0/0. Any incoming packets should be getting forwarded straight by the router itself and on to my firewall. This would mean that any replies to pings from the router won't be received by the router and any tunnel traffic will have the same problem. If I'm right, it would mean that I really need a /29 for what I want to do. Unfortunately with my ISP that's not going to happen.

spectre240sx · March 21, 2009, 11:47:08 AM

Well, I needed to bring the ASA into work to test a couple of things (unrelated). As soon as I changed the NAT setup on the router, my tunnel started working again. So, I'm beginning to believe that an ASA and a router with a single public IP really isn't possible unless you set the ASA to function in transparent mode.

I'm actually considering selling the ASA and just implementing access lists to protect my v6 clients.

antillie · July 07, 2010, 12:32:00 AM

Sorry to bring up an old thread but this is quite easy to setup.

I just setup a 2621XM running IOS 12.4(25c) in front of an ASA 5505 running 8.2(2). Both devices are running IPv6/IPv4 dual stack. The 2621XM is performing PAT for IPv4 and terminating the IPv6 tunnel to Hurricane Electric while the ASA is performing stateful firewall filtering for both protocols. My internet connection is a residential cable modem connection with a single fairly static IP and no native IPv6 support from my ISP at all.

I am using /64's from the /48 HE gave me for the IPv6 link between the ASA and the 2621XM and for each of the networks behind the ASA. The ASA is not performing any type of NAT for IPv4 or IPv6.

I have a mix of IPv4 only XP hosts and IPv4/IPv6 dual stacked Win7 hosts behind the ASA. I am hitting ipv6.google.com via IPv6 just fine from the Win7 boxes. While both the Win7 and XP boxes can still access the internet via IPv4 perfectly too.

ASA 5505 config:

firewall# sho run
: Saved
:
ASA Version 8.2(2)
!
hostname firewall
domain-name x.lan
names
!
interface Vlan2
nameif outside
security-level 1
ip address 10.1.1.2 255.255.255.252
ipv6 address 2001:X:X:1::/64 eui-64
ipv6 enable
!
interface Vlan100
nameif inside
security-level 99
ip address 192.168.100.1 255.255.255.0
ipv6 address 2001:X:X:100::/64 eui-64
ipv6 enable
ipv6 nd prefix 2001:X:X:100::/64
!
interface Vlan200
nameif guestDMZ
security-level 50
ip address 192.168.200.1 255.255.255.0
ipv6 address 2001:X:X:200::/64 eui-64
ipv6 enable
ipv6 nd prefix 2001:X:X:200::/64
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
switchport trunk allowed vlan 1,100,200
switchport trunk native vlan 1
switchport mode trunk
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
boot system disk0:/asa822-k8.bin
boot config disk0:/startup-config
ftp mode passive
clock timezone cst -6
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.100.8
domain-name x.lan
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network homelan
network-object 192.168.100.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
network-object 10.1.1.0 255.255.255.252
access-list 101 extended permit icmp any any
access-list dmz extended permit udp 192.168.200.0 255.255.255.0 host 192.168.100.8 eq domain
access-list dmz extended permit tcp 192.168.200.0 255.255.255.0 host 192.168.100.8 eq domain
access-list dmz extended deny ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz extended deny tcp any any range 6881 6889
access-list dmz extended deny udp any any range 6346 6347
access-list dmz extended deny tcp any any range 6346 6347
access-list dmz extended permit ip any any
access-list 100 extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guestDMZ 1500
ipv6 route outside ::/0 fe80::20e:XXXX:XXXX:XXXX
ipv6 access-list IPv6-Out permit ip any any
ipv6 access-list IPv6-In permit icmp6 any any
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
access-group 101 in interface outside
access-group IPv6-In in interface outside
access-group 100 in interface inside
access-group IPv6-Out in interface inside
access-group dmz in interface guestDMZ
!
router eigrp 150
no auto-summary
network 10.1.1.0 255.255.255.252
network 192.168.100.0 255.255.255.0
network 192.168.200.0 255.255.255.0
passive-interface guestDMZ
redistribute connected
redistribute static
!
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
http server enable 8443
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable
telnet timeout 1440
ssh scopy enable
ssh 0.0.0.0 0.0.0.0 inside
ssh ::/0 inside
ssh timeout 60
ssh version 2
console timeout 0
management-access inside
dhcpd dns 192.168.100.8
dhcpd domain x.lan
dhcpd auto_config outside
!
dhcpd address 192.168.200.10-192.168.200.254 guestDMZ
dhcpd enable guestDMZ
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 198.60.73.8
ntp server 64.236.96.53
ntp server 68.216.79.113
!
!
prompt hostname context
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8ba01603fe576e85423effc4f725c248
: end

2621XM config:

cerberus#sho run
Building configuration...

Current configuration : 5193 bytes
!
! Last configuration change at 01:16:10 CST Wed Jul 7 2010 by x
! NVRAM config last updated at 01:16:11 CST Wed Jul 7 2010 by x
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cerberus
!
boot-start-marker
boot-end-marker
!
no logging console
!
aaa new-model
!
aaa authentication login userauth local
aaa authorization network groupauth local
!
aaa session-id common
clock timezone CST -5
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
!
no ip bootp server
ip domain name x.lan
ip name-server 192.168.100.8
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
ipv6 unicast-routing
no ipv6 source-route
!
ip ssh version 2
!
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:XXXX:XXXX:XXXX::2/64
ipv6 enable
ipv6 traffic-filter Block-IPv6-SSH in
no ipv6 redirects
tunnel source x.x.x.x
tunnel destination y.y.y.y
tunnel mode ipv6ip
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.252
no ip redirects
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ipv6 address 2001:X:X:1::/64 eui-64
ipv6 mtu 1480
no ipv6 redirects
ipv6 nd prefix 2001:X:X:1::/64
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address dhcp
no ip redirects
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no ipv6 redirects
!
router eigrp 150
redistribute static
passive-interface FastEthernet0/1
network 10.1.1.0 0.0.0.3
no auto-summary
!
no ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat inside source list 2000 interface FastEthernet0/1 overload
!
access-list 2000 permit ip any any
no cdp run
ipv6 route 2001:X:X:100::/64 FastEthernet0/0 FE80::21F:XXXX:XXXX:XXXX
ipv6 route 2001:X:X:200::/64 FastEthernet0/0 FE80::21F:XXXX:XXXX:XXXX
ipv6 route ::/0 Tunnel0
!
ipv6 access-list Block-IPv6-SSH
deny tcp any any eq 22
permit ipv6 any any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login authentication userauth
transport input ssh
line vty 5 15
login authentication userauth
transport input ssh
!
ntp clock-period 17180109
ntp server 198.60.73.8
ntp server 64.236.96.53
ntp server 68.216.79.113
!
end

chenson · February 28, 2011, 01:27:21 PM

Digging up the same old thread.....

I am working on the same scenario. A few quick questions:

1. Your 802.1q on the ASA e0/1 is not relative to the setup right? That's just cause you're running a guest DMZ?

2. Have you done anything with DHCPv6 behind the ASA?

cholzhauer · February 28, 2011, 01:28:21 PM

I"m sure you know this, but just in case, the ASA does not support DHCPv6. It will pass the traffic, but it won't act as a DHCP server for v6

antillie · February 28, 2011, 06:14:50 PM

The 802.1q trunking on the ASA doesn't affect the IPv6 config at all. Its just how I choose to setup my vlan topology.

Cholzhauer is correct, the ASA does not support DHCPv6 in any capacity, client or server. See this post for other limitations of the ASA's IPv6 implementation. I don't use DHCPv6 myself, I prefer stateless auto config.

UltraZero · March 01, 2011, 04:44:32 PM

I don't understand why A double nat needs to occur. Why no thave a nat on the router and leave it at that? Can someone explain? Just another way of jumbling IP Addresses for the Bad Guys??

Thanks

cholzhauer · March 01, 2011, 04:46:59 PM

You can...you don't need (and shouldn't) run a double NAT setup.

Ex. use 192.168.0.0/30 on your inside router interface (GE0/1)and outside ASA interface (GE0/0)

User 192.168.1.0/24 on your inside ASA interface (GE0/1)

The default route on your ASA should point to the inside interface of your router.

News:

ASA 5505 and 1841