08-07-2009 06:47 AM
Dear all,
we followed the instructions on how to enable anyconnect for IPv6. They seem to be dated since they mention that ASDM does not support IPv6 but it does.
The problem is as follows: when an anyconnect client connects to the external IPv6 address of the ASA then the ASA does not see that as an SSL VPN connection but drops it.
3 Aug 07 2009 13:54:17 710003 2001:610:b20:b02:21b:63ff:fe01:601c 50756 ochre6-ext 443 TCP access denied by ACL from 2001:610:b20:b02:21b:63ff:fe01:601c/50756 to outside:ochre6-ext/443
It seems as if the SSL VPN option on the interface does not apply to IPv6. Does anyone know how I could enable this for IPv6 SSL VPNs to be accepted?
Also there is a difference in the way Anyconnect works on VISTA and on OS X.
On OS X the Anyconnect Client accepts IPv6 addresses as VPN gateway and tries to establish a native IPv6 SSL VPN. But it does not work because of the above described. If an IPv4 VPN is established the IPv4 client does not get an IPv6 pool address.
On VISTA the Anyconnect client does not seem to accept native IPv6 addresses for the VPN Gateway address. However if an IPv4 tunnel is established clients get both an IPv4 and an IPv6 pool address.
I am now confused as to what is supposed to work and how. Our goal would be to establish native IPv6 anyconnect VPNs.
08-13-2009 10:23 AM
The AnyConnect client allows access to IPv6 resources over a public IPv4 connection (only for Windows XP SP2, Windows Vista, Mac OS X, and Linux). You must use the command line interface to configure IPv6 access. ASDM does not support IPv6. You enable IPv6 access using the ipv6 enable command as part of enabling SSL VPN connections.
09-06-2010 06:48 AM
I am running into the same problem.
The previous answer is just a collection of phrases from the manual (which all are true and valid sentences), but they are beside the point.
The answer is: Too bad, the ASA does not support native IPv6 VPN connections.
09-23-2010 11:56 AM
Do you know if that's the case for all VPN connections or just Any Connect connections?
I'm trying to setup a VPN over IPv6 (site to site) between my 5505 and 5520. I think I have everything set up correctly, but the VPN won't start. If I reboot the 5505, it will ping the 5520 via IPv6 when it's back online, but nothing else happens.
12-29-2011 05:50 AM
I think the best way to check this out is to use the socket table on the ASA (like on Linux OS)
ciscoasa(config)# show asp table socket
Protocol  Socket    Local Address            Foreign Address  State
SSL       0000ca9f  192.84.221.15:443        0.0.0.0:*        LISTEN
DTLS      0001148f  192.84.221.15:443        0.0.0.0:*        LISTEN
TCP       001320ef  192.84.221.15:22         0.0.0.0:*        LISTEN
TCP       0013c12f  2a00:1860:108::18:15:22  :::*             LISTEN
So I have configured SSH access for some IPv6 network and have webvpn enabled.
Since there is no entry in the socket table, only IPv6 as passenger protocol is possible.
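The socket-table check from this post, as an added example (not part of the original thread and not Cisco code): a Python parser for pasted `show asp table socket` output that reports which IP versions the SSL and DTLS listeners are bound to. It assumes the five-column layout quoted above and that the port follows the last colon of the local address; all function names are hypothetical.

```python
import ipaddress

# Constructed sample: the socket table quoted in the post above.
SAMPLE = """\
Protocol Socket Local Address Foreign Address State
SSL 0000ca9f 192.84.221.15:443 0.0.0.0:* LISTEN
DTLS 0001148f 192.84.221.15:443 0.0.0.0:* LISTEN
TCP 001320ef 192.84.221.15:22 0.0.0.0:* LISTEN
TCP 0013c12f 2a00:1860:108::18:15:22 :::* LISTEN
"""


def split_endpoint(text):
    """Split 'addr:port' at the LAST colon: IPv6 is printed without brackets,
    so in 2a00:1860:108::18:15:22 the trailing 22 is the port."""
    addr, _, port = text.rpartition(":")
    return ipaddress.ip_address(addr), int(port)


def parse_listeners(output):
    """Return (protocol, address, port) for every row in LISTEN state."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[4] != "LISTEN":
            continue  # header row, blank lines, non-listening sockets
        try:
            addr, port = split_endpoint(fields[2])
        except ValueError:
            continue  # local address is not a parsable addr:port pair
        rows.append((fields[0], addr, port))
    return rows


def transport_families(output, protocols=("SSL", "DTLS")):
    """Map each VPN listener protocol to the IP versions it is bound to."""
    found = {p: set() for p in protocols}
    for proto, addr, _port in parse_listeners(output):
        if proto in found:
            found[proto].add(addr.version)
    return {p: sorted(v) for p, v in found.items()}


def listeners_on(output, version):
    """List (protocol, address, port) for listeners of one IP version."""
    return [(p, str(a), port) for p, a, port in parse_listeners(output)
            if a.version == version]


if __name__ == "__main__":
    print(transport_families(SAMPLE))
    print(listeners_on(SAMPLE, 6))
```

An empty or `[4]`-only list for SSL and DTLS means the VPN service has no IPv6 listener, whatever the interface ACLs say.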
02-01-2012 03:36 PM
I'm seeing the same problem. When I try to access the WebVPN service with a browser I get denies in the logs claiming "TCP access denied by ACL from ..." although "self originated" traffic doesn't go through interface ACLs (well at least on IPv4). And I'm seeing the same as you on the asp table. No sockets other than management are listening on the IPv6 addresses. Even the "Packet Tracer" claims that access gets denied by an implicit rule, although the interface access list doesn't use implicit rules at all.
Has anybody at Cisco ever tried to run WebVPN over IPv6 on an ASA?
02-02-2012 07:24 AM
Just got the confirmation. Today ASA/AnyConnect only supports IPv4 for transportation. Within the tunnel there can be IPv6 packets. Forthcoming releases will support also IPv6 as transportation media. But don't know when.
03-19-2012 08:47 AM
I'm looking for an ASA/AnyConnect IPv6 over IPv4 SSL/DTLS configuration example (command line).
We followed the basic instructions on how to enable IPv6 on the ASA 5500 (SW 8.4.3 ED) and finally
assigned an IPv6 Pool to an existing Group-Policy. After the VPN connection is established no IPv6 address
is assigned to the AnyConnect Client.
Can anyone help?
PS: Please don't ask me for my current configuration. I don't have access to the affected ASA - It's just a try
to support a colleague. I need only a working tunnel connection for IPv6 testing to the internet.
03-20-2012 01:22 AM
Hello,
You need to set the MTU in Windows 7 to a higher value
netsh interface ipv4 set interface "Interface-Index" mtu=1374
and to enable BOTH an IPv4 and an IPv6 address pool.
This works:
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.222.1 255.255.255.0
 ipv6 address fd00:1865:108:690::1/64
ipv6 local pool ipv6pool fd00:1865:108:690::100/64 128
group-policy DfltGrpPolicy attributes
 vpn-tunnel-protocol ssl-client
tunnel-group DefaultWEBVPNGroup general-attributes
 address-pool ipv4pool
 ipv6-address-pool ipv6pool
ip local pool ipv4pool 192.168.222.100-192.168.222.200
webvpn
 enable outside
 enable inside
 anyconnect image disk0:/anyconnect-win-3.0.5075-k9.pkg 1
Ciao,
Herbert