I turned up a 6over4 tunnel to Hurricane Electric with the IPv6 traffic from the tunnel passing through a Cisco ASA firewall. The stability and performance of the HE tunnel have been fantastic. Here is how it is set up:
While the Cisco ASA doesn't support direct termination of IPv6 tunnels, it does have very rich support for IPv6 firewalling. The approach is to use another external router, sitting outside the ASA firewall, for tunnel termination. From there, bring the IPv6 inside interface of the tunnel router to an ASA interface that has only an IPv6 address. You will need at least one additional static IP address on your outside network for this to work. Many cable ISPs will offer this if you sign up for business-level service, usually for a nominal additional fee. It may still work with a dynamic address if it doesn't change all that much.

When you sign up with HE they will provide two /64 networks and a /48. The first /64 is for the actual tunnel, between your external tunnel router and the HE tunnel server. The second /64 is for the link between the inside interface of your tunnel router and the ASA. The /48 is for the internal subnets behind the ASA firewall.

As far as software goes, the ASA should be running 8.2 or higher, while the external IOS router can run a recent 12.4T or Release 15 image. In my case I am using an 1800 series router running Release 15.1.3T Advanced Enterprise.

Cisco ASA Firewall Configuration:

interface Vlan6
 description ipv6 to HE Tunnel
 nameif ipv6-tunnel
 security-level 25
 no ip address
 ipv6 address 2001:DB8:2222::1/64
!
interface Vlan1
 description Internal Protected
 nameif inside
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 ipv6 address 2001:DB8:F1F1::1/64
 ipv6 enable
 ipv6 nd prefix 2001:DB8:F1F1::/64 43200 43200
! The above /64 is taken from the /48 network assigned to you by HE
!
interface Vlan2
 description IPv4 Internet
 nameif outside
 security-level 0
 ip address 50.50.50.60 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 50.50.50.57
! All IPv6 traffic leaves via the tunnel router's inside interface
ipv6 route ipv6-tunnel ::/0 2001:DB8:2222::2

Outside Tunnel Router IOS Configuration:

ipv6 unicast-routing
ipv6 cef
!
interface Tunnel0
 description Hurricane Electric IPv6 Tunnel Broker
 no ip address
 ip flow ingress
 ipv6 address 2001:DB8:1111::2/64
 ipv6 enable
 tunnel source 50.50.50.59
 tunnel mode ipv6ip
 tunnel destination 209.51.161.14
!
interface FastEthernet0
 ip address 50.50.50.59 255.255.255.248
 ip access-group inbound in
 no ip redirects
 ip flow ingress
 duplex auto
 speed auto
!
! The interface statement for the router's inside (ASA-facing) interface did not survive in
! the original post; the three lines below belong to it. Its address must be the next hop the
! ASA's default route points at (2001:DB8:2222::2), on the second HE /64.
interface <ASA-facing interface, name not given in the original>
 no ip address
 ipv6 address 2001:DB8:2222::2/64
 ipv6 enable
!
! The /48 lives behind the ASA; everything else goes out the tunnel
ipv6 route 2001:DB8:F1F1::/48 2001:DB8:2222::1
ipv6 route ::/0 Tunnel0
!
! Protocol 41 (IPv6-in-IPv4) is accepted only from the HE tunnel server; the implicit
! deny at the end of the list drops everything else aimed at the router
ip access-list extended inbound
 permit 41 host 209.51.161.14 host 50.50.50.59
 permit tcp any host 50.50.50.59 eq 22
 permit udp any eq domain host 50.50.50.59
 permit icmp any host 50.50.50.59
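The two configurations only work if a handful of values agree with each other: the ASA's default next hop must be the tunnel router's inside address, the router's route for the /48 must point at the ASA, both ends of the router-to-ASA link must sit in the second HE /64, and the ASA's inside /64 must be carved from the /48. The checker below is an added example (not part of the original post or of Cisco's tooling) that encodes those rules with the standard library's ipaddress module; the `Plan` class and the constructed plan that mirrors this post's documentation addresses are assumptions of the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List


@dataclass
class Plan:
    """Addressing plan for an HE tunnel terminated on a router outside a Cisco ASA."""
    tunnel64: str        # HE tunnel /64 (HE server ::1, our tunnel router ::2)
    routed64: str        # HE routed /64 used between the tunnel router and the ASA
    routed48: str        # HE routed /48 for the subnets behind the ASA
    router_tunnel: str   # Tunnel0 address on the IOS router
    router_inside: str   # router interface facing the ASA
    asa_tunnel: str      # ASA ipv6-tunnel interface address
    asa_inside_net: str  # ASA inside /64 (must come from the /48)
    asa_default_nh: str  # next hop of the ASA 'ipv6 route ipv6-tunnel ::/0'
    router_48_nh: str    # next hop of the router 'ipv6 route <routed /48>'


def check_plan(p: Plan) -> List[str]:
    """Return the inconsistencies found; an empty list means the plan is coherent."""
    t64, r64, r48 = (ip_network(n) for n in (p.tunnel64, p.routed64, p.routed48))
    inside = ip_network(p.asa_inside_net)
    rt, ri, at = (ip_address(a) for a in (p.router_tunnel, p.router_inside, p.asa_tunnel))
    problems = []
    if rt not in t64:
        problems.append(f"Tunnel0 address {rt} is not inside the HE tunnel /64 {t64}")
    if ri not in r64 or at not in r64:
        problems.append(f"router inside {ri} and ASA tunnel side {at} must both be in {r64}")
    if ri == at:
        problems.append("router inside and ASA tunnel-side addresses collide")
    if not inside.subnet_of(r48):
        problems.append(f"ASA inside {inside} is not carved from the routed /48 {r48}")
    if ip_address(p.asa_default_nh) != ri:
        problems.append(f"ASA default next hop {p.asa_default_nh} != router inside {ri}")
    if ip_address(p.router_48_nh) != at:
        problems.append(f"router route to {r48} points at {p.router_48_nh}, not the ASA {at}")
    return problems


# Constructed plan mirroring the documentation prefixes used in this post (an assumption).
POST_PLAN = Plan("2001:DB8:1111::/64", "2001:DB8:2222::/64", "2001:DB8:F1F1::/48",
                 "2001:DB8:1111::2", "2001:DB8:2222::2", "2001:DB8:2222::1",
                 "2001:DB8:F1F1::/64", "2001:DB8:2222::2", "2001:DB8:2222::1")

if __name__ == "__main__":
    for line in check_plan(POST_PLAN) or ["plan is consistent"]:
        print(line)
```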