Sorry to bring up an old thread, but this is quite easy to set up.
I just set up a 2621XM running IOS 12.4(25c) in front of an ASA 5505 running 8.2(2). Both devices are running IPv6/IPv4 dual stack. The 2621XM is performing PAT for IPv4 and terminating the IPv6 tunnel to Hurricane Electric, while the ASA is performing stateful firewall filtering for both protocols. My internet connection is a residential cable modem connection with a single fairly static IP and no native IPv6 support from my ISP at all.
I am using /64's from the /48 HE gave me for the IPv6 link between the ASA and the 2621XM and for each of the networks behind the ASA. The ASA is not performing any type of NAT for IPv4 or IPv6.
I have a mix of IPv4-only XP hosts and IPv4/IPv6 dual-stacked Win7 hosts behind the ASA. I am hitting ipv6.google.com via IPv6 just fine from the Win7 boxes, while both the Win7 and XP boxes can still access the internet via IPv4 perfectly too.
ASA 5505 config:
firewall# sho run
: Saved
:
! Running configuration of the ASA 5505 as pasted. Sub-command indentation appears to
! have been lost in the paste; each stanza runs up to the next "!" separator.
! NOTE(review): no username, enable password or passwd lines appear anywhere in this
! listing - presumably removed before posting; confirm before reusing the config.
ASA Version 8.2(2)
!
hostname firewall
domain-name x.lan
names
!
! Three routed VLAN interfaces, each dual-stacked (IPv4 address plus a /64 with an
! EUI-64 interface ID). Security levels: outside 1, guestDMZ 50, inside 99.
! Vlan2 is the 10.1.1.0/30 transit link towards the 2621XM (10.1.1.1).
interface Vlan2
nameif outside
security-level 1
ip address 10.1.1.2 255.255.255.252
ipv6 address 2001:X:X:1::/64 eui-64
ipv6 enable
!
! inside and guestDMZ advertise their /64 in router advertisements (ipv6 nd prefix).
! The post states the ASA does no NAT, so hosts here hold globally routable IPv6
! addresses and the access-lists bound further down are the only inbound filter.
interface Vlan100
nameif inside
security-level 99
ip address 192.168.100.1 255.255.255.0
ipv6 address 2001:X:X:100::/64 eui-64
ipv6 enable
ipv6 nd prefix 2001:X:X:100::/64
!
interface Vlan200
nameif guestDMZ
security-level 50
ip address 192.168.200.1 255.255.255.0
ipv6 address 2001:X:X:200::/64 eui-64
ipv6 enable
ipv6 nd prefix 2001:X:X:200::/64
!
! Physical switch ports. Ethernet0/0 is the access port in VLAN 2 (the outside VLAN).
interface Ethernet0/0
switchport access vlan 2
!
! Ethernet0/1 is a trunk carrying VLANs 1, 100 and 200 with VLAN 1 untagged (native).
! No "interface Vlan1" is defined in this listing.
interface Ethernet0/1
switchport trunk allowed vlan 1,100,200
switchport trunk native vlan 1
switchport mode trunk
!
! NOTE(review): Ethernet0/2-0/7 show no settings and no "shutdown", so they appear to be
! left enabled at defaults; shutting down unused ports is a common hardening step.
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
! Boot image, time zone and DNS client settings.
boot system disk0:/asa822-k8.bin
boot config disk0:/startup-config
ftp mode passive
! NOTE(review): the offset here is -6 while the 2621XM below uses "clock timezone CST -5";
! a one-hour skew between the two devices' log timestamps complicates correlation.
clock timezone cst -6
! The ASA itself resolves names through the internal server 192.168.100.8 via inside.
dns domain-lookup inside
dns server-group DefaultDNS
name-server 192.168.100.8
domain-name x.lan
! No two interfaces in this listing share a security level (1, 50, 99), so the
! inter-interface permit has no visible effect here; intra-interface lets traffic
! enter and leave through the same interface.
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
! Object-group listing the three IPv4 networks; no access-list in this paste references it.
object-group network homelan
network-object 192.168.100.0 255.255.255.0
network-object 192.168.200.0 255.255.255.0
network-object 10.1.1.0 255.255.255.252
! ACL 101 is bound inbound on outside (see access-group below): every IPv4 ICMP type
! is accepted from the router side; nothing else is permitted unsolicited.
access-list 101 extended permit icmp any any
! ACL dmz is bound inbound on guestDMZ. Entries are evaluated top-down, first match wins:
! guests may reach the internal DNS server on UDP/TCP 53, are then denied the rest of
! the inside IPv4 network, denied three port ranges (presumably peer-to-peer
! applications - confirm), and permitted everything else.
! NOTE(review): these entries are IPv4 only; there is no IPv6 counterpart for guestDMZ
! in this listing.
access-list dmz extended permit udp 192.168.200.0 255.255.255.0 host 192.168.100.8 eq domain
access-list dmz extended permit tcp 192.168.200.0 255.255.255.0 host 192.168.100.8 eq domain
access-list dmz extended deny ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list dmz extended deny tcp any any range 6881 6889
access-list dmz extended deny udp any any range 6346 6347
access-list dmz extended deny tcp any any range 6346 6347
access-list dmz extended permit ip any any
! ACL 100 is bound inbound on inside: all IPv4 from inside hosts is permitted,
! including towards guestDMZ and the ASA-to-router transit link.
access-list 100 extended permit ip any any
pager lines 24
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu guestDMZ 1500
! IPv6 default route via a link-local next hop on outside (presumably the 2621XM's
! FastEthernet0/0 - confirm).
ipv6 route outside ::/0 fe80::20e:XXXX:XXXX:XXXX
! IPv6-Out (bound inbound on inside) lets inside hosts send any IPv6 traffic.
ipv6 access-list IPv6-Out permit ip any any
! IPv6-In (bound inbound on outside) admits only ICMPv6 from the Internet side; other
! inbound IPv6 has to belong to a connection the firewall already tracks.
! NOTE(review): "icmp6 any any" accepts every ICMPv6 type, echo requests included, towards
! globally addressed hosts. RFC 4890 lists the types a firewall needs to pass; narrowing
! this entry to those is worth considering.
ipv6 access-list IPv6-In permit icmp6 any any
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-625.bin
no asdm history enable
arp timeout 14400
! Interface bindings. outside and inside each carry one IPv4 and one IPv6 list.
! NOTE(review): guestDMZ has only the IPv4 list "dmz"; with no IPv6 list bound, IPv6 from
! that VLAN presumably falls back to the security-level defaults - confirm that this gives
! the same guest-to-inside isolation the IPv4 list enforces.
access-group 101 in interface outside
access-group IPv6-In in interface outside
access-group 100 in interface inside
access-group IPv6-Out in interface inside
access-group dmz in interface guestDMZ
!
! EIGRP AS 150 for IPv4: covers the transit /30, inside and guestDMZ, and redistributes
! connected and static routes. Only guestDMZ is passive.
! NOTE(review): no EIGRP authentication commands appear under any interface in this
! listing, and inside is not passive, so neighbours on outside and inside would be
! accepted unauthenticated. If no EIGRP peer lives on inside, making it passive as well
! removes that exposure - confirm against the network design.
router eigrp 150
no auto-summary
network 10.1.1.0 255.255.255.252
network 192.168.100.0 255.255.255.0
network 192.168.200.0 255.255.255.0
passive-interface guestDMZ
redistribute connected
redistribute static
!
! Idle timers for translation and connection state (h:mm:ss). Idle TCP connections are
! kept for 1 hour, UDP for 2 minutes and ICMP for 2 seconds.
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
! Management plane. SSH and Telnet logins, exec and command authorization all use the
! LOCAL user database (the user entries themselves are not shown in this paste).
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
! HTTPS/ASDM management listens on port 8443.
! NOTE(review): 0.0.0.0 0.0.0.0 accepts any IPv4 source arriving on inside; limiting
! this to the administrator's host or subnet narrows the management surface.
http server enable 8443
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
no snmp-server enable
! No "telnet <address> <mask> <interface>" line is present, so no Telnet source is
! permitted in this listing; the timeout below (1440 minutes) would apply if one were added.
telnet timeout 1440
ssh scopy enable
! NOTE(review): SSH is likewise accepted from any IPv4 and any IPv6 source on inside.
! It is not enabled on outside or guestDMZ in this listing.
ssh 0.0.0.0 0.0.0.0 inside
ssh ::/0 inside
ssh timeout 60
ssh version 2
! NOTE(review): 0 disables the console idle timeout, so a console session left logged in
! stays logged in; acceptable only where physical access to the device is controlled.
console timeout 0
management-access inside
! DHCP server: a pool is enabled only on guestDMZ. Guests are handed the inside DNS
! server 192.168.100.8, which is the one host the "dmz" access-list lets them reach on 53.
dhcpd dns 192.168.100.8
dhcpd domain x.lan
dhcpd auto_config outside
!
dhcpd address 192.168.200.10-192.168.200.254 guestDMZ
dhcpd enable guestDMZ
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
! Three NTP servers referenced by IP address; no NTP authentication lines are shown.
ntp server 198.60.73.8
ntp server 64.236.96.53
ntp server 68.216.79.113
!
!
prompt hostname context
! Call-home profile CiscoTAC-1 is present but marked "no active".
! NOTE(review): the URL line below looks like a paste artefact - it appears to hold the
! argument of "destination address http" followed by a separate
! "destination address email" command joined onto one line.
call-home
profile CiscoTAC-1
no active
destination address http
https://tools.cisco.com/its/service/oddce/services/DDCEService destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8ba01603fe576e85423effc4f725c248
: end
2621XM config:
cerberus#sho run
Building configuration...
Current configuration : 5193 bytes
!
! Last configuration change at 01:16:10 CST Wed Jul 7 2010 by x
! NVRAM config last updated at 01:16:11 CST Wed Jul 7 2010 by x
!
! Running configuration of the 2621XM edge router (IPv4 PAT and the IPv6 tunnel endpoint).
! NOTE(review): no username or enable secret lines appear in this listing - presumably
! removed before posting.
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
! NOTE(review): service password-encryption applies the reversible type 7 encoding, which
! only hides passwords from casual viewing. Credentials should use the "secret" forms, and
! type 7 strings should be treated as sensitive when sharing a config.
service password-encryption
!
hostname cerberus
!
boot-start-marker
boot-end-marker
!
no logging console
!
! AAA: the login method list "userauth" (local user database) is what the vty lines
! reference further down. "groupauth" is defined but not referenced in this listing.
aaa new-model
!
aaa authentication login userauth local
aaa authorization network groupauth local
!
aaa session-id common
! NOTE(review): offset -5 here versus "clock timezone cst -6" on the ASA; align the two
! so log timestamps from both devices can be compared directly.
clock timezone CST -5
no network-clock-participate slot 1
no network-clock-participate wic 0
! Source routing is disabled for IPv4 here and for IPv6 below; the BOOTP server is off.
no ip source-route
ip cef
!
no ip bootp server
ip domain name x.lan
ip name-server 192.168.100.8
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
! Enables IPv6 forwarding on the router.
ipv6 unicast-routing
no ipv6 source-route
!
ip ssh version 2
!
! Manually configured IPv6-in-IPv4 tunnel (tunnel mode ipv6ip) to the tunnel broker.
! This is where all IPv6 enters from the Internet. The only filter applied is
! Block-IPv6-SSH inbound, which drops TCP port 22 and permits everything else, so
! filtering for hosts behind the ASA is left to the ASA's IPv6-In list.
! NOTE(review): the router's own IPv6 addresses are not behind the ASA; apart from SSH,
! anything the router answers on IPv6 is reachable through this tunnel.
interface Tunnel0
description Hurricane Electric IPv6 Tunnel Broker
no ip address
ipv6 address 2001:XXXX:XXXX:XXXX::2/64
ipv6 enable
ipv6 traffic-filter Block-IPv6-SSH in
no ipv6 redirects
tunnel source x.x.x.x
tunnel destination y.y.y.y
tunnel mode ipv6ip
!
! FastEthernet0/0: NAT-inside transit link to the ASA (10.1.1.0/30 plus the
! 2001:X:X:1::/64 link prefix). IPv6 MTU 1480 is 1500 minus 20, presumably to leave
! room for the IPv4 header the tunnel adds.
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.252
no ip redirects
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ipv6 address 2001:X:X:1::/64 eui-64
ipv6 mtu 1480
no ipv6 redirects
ipv6 nd prefix 2001:X:X:1::/64
!
interface Serial0/0
no ip address
shutdown
!
! FastEthernet0/1: NAT-outside interface towards the cable modem, addressed by DHCP.
! NOTE(review): no "ip access-group" is applied here and the vty lines below carry no
! "access-class", so as pasted the router's SSH service is not filtered for IPv4 sources
! arriving on this interface, although IPv6 SSH is dropped on Tunnel0. Limiting vty
! access to management addresses closes that gap - confirm against the full config.
interface FastEthernet0/1
ip address dhcp
no ip redirects
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no ipv6 redirects
!
! EIGRP AS 150 runs on the 10.1.1.0/30 link to the ASA and is passive on the
! Internet-facing interface; static routes are redistributed into it.
! No EIGRP authentication is configured on FastEthernet0/0 in this listing.
router eigrp 150
redistribute static
passive-interface FastEthernet0/1
network 10.1.1.0 0.0.0.3
no auto-summary
!
no ip forward-protocol nd
!
! The HTTP and HTTPS management servers are both disabled.
no ip http server
no ip http secure-server
! PAT: every source matched by ACL 2000 is translated to FastEthernet0/1's address.
ip nat inside source list 2000 interface FastEthernet0/1 overload
!
! ACL 2000 is used only as the NAT match list here (any source, any destination);
! it is not applied to an interface as a packet filter.
access-list 2000 permit ip any any
no cdp run
! Static IPv6 routes for the two /64s behind the ASA via a link-local next hop on
! FastEthernet0/0 (presumably the ASA outside interface), and the default via the tunnel.
ipv6 route 2001:X:X:100::/64 FastEthernet0/0 FE80::21F:XXXX:XXXX:XXXX
ipv6 route 2001:X:X:200::/64 FastEthernet0/0 FE80::21F:XXXX:XXXX:XXXX
ipv6 route ::/0 Tunnel0
!
! Applied inbound on Tunnel0. Drops IPv6 TCP with destination port 22 to any address -
! the router itself and anything routed through it - then permits all other IPv6.
! This is a deny-one/permit-rest list, not a default-deny policy.
ipv6 access-list Block-IPv6-SSH
deny tcp any any eq 22
permit ipv6 any any
!
control-plane
!
! Console and aux lines show no settings in this listing.
line con 0
line aux 0
! All sixteen vty lines accept SSH only and authenticate with the local "userauth" list.
! NOTE(review): neither "access-class" nor "ipv6 access-class" is set, so the lines accept
! logins from any source that can reach the router, and no exec-timeout is shown.
line vty 0 4
login authentication userauth
transport input ssh
line vty 5 15
login authentication userauth
transport input ssh
!
! Same three NTP servers as the ASA; no NTP authentication lines are shown.
ntp clock-period 17180109
ntp server 198.60.73.8
ntp server 64.236.96.53
ntp server 68.216.79.113
!
end