ASA 8.3(1) is NAT-ing protocol-41 supported?

Answered Question
Mar 19th, 2010

Hi,


Does anybody know if the NAT changes introduced in 8.3(1) now allow me to pass protocol-41 traffic (IPv6-in-IPv4, IPv6 tunnel) through the ASA to my IPv6 tunnel broker?


On the inside of my ASA I have a Cisco 871 configured with a tunnel interface to SixXS for IPv6. The ASA only has one public IP.


Regards,

Erik

Kureli Sankar Fri, 03/19/2010 - 15:22

Here is the release note for 8.3: http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp229690

See if this answers your question.


IPv6 support for IKEv1 LAN-to-LAN VPN connections

For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).

Specifically, the following topologies are supported when both peers are Cisco ASA 5500 series adaptive security appliances:

The adaptive security appliances have IPv4 inside networks and the outside network is IPv6 (IPv4 addresses on the inside interfaces and IPv6 addresses on the outside interfaces).

The adaptive security appliances have IPv6 inside networks and the outside network is IPv4 (IPv6 addresses on the inside interface and IPv4 addresses on the outside interfaces).

The adaptive security appliances have IPv6 inside networks and the outside network is IPv6 (IPv6 addresses on the inside and outside interfaces).


Note: The defect CSCtd38078 currently prevents the Cisco ASA 5500 series from connecting to a Cisco IOS device as the peer device of a LAN-to-LAN connection.


The following commands were modified or introduced: isakmp enable, crypto map, crypto dynamic-map, tunnel-group, ipv6-vpn-filter, vpn-sessiondb, show crypto isakmp sa, show crypto ipsec sa, show crypto debug-condition, show debug crypto, show vpn-sessiondb, debug crypto condition, debug menu ike.



-KS

etamminga Fri, 03/19/2010 - 15:29

Thanks for the quick answer, but the IPv6 LAN-2-LAN VPNs were not what I was looking for.


I found out ASA 8.3(1) now allows you to do a static NAT with source AND destination specified. So I translated the internal router to the public IP of the ASA, only for the tunnel endpoint destination of my tunnel broker. This works!

On the router I did a VRF with the tunnel and a VLAN interface to feed the public IPv6 traffic back to the ASA. The ASA inside interface now has IPv4 and IPv6 natively, which is what I was trying to get!! Not a real-world production setup of course, but a nice setup to play with. As the ASA and router are fast enough, this doesn't bother me for my test network.


Regards,

Erik

Correct Answer
rfugina99 Tue, 07/20/2010 - 15:11

I think I just figured this out myself.  The crux is that a service specified in a NAT rule has to be a UDP or TCP service, not something altogether different.  This solution may not be possible at all before 8.3, but this is what I'm in the middle of testing, and it seems to work so far.


object network local_endpoint
 host A.A.A.A
object network remote_endpoint
 host B.B.B.B
!
! Twice NAT: translate the inside router's source to the outside interface
! address only when the destination is the tunnel broker. No "service"
! keyword, so the rule covers every IP protocol, including protocol 41.
nat (inside,outside) source static local_endpoint interface destination static remote_endpoint remote_endpoint
!
! 8.3+: inbound ACLs match the real (un-translated) address, hence local_endpoint.
access-list abcde extended permit 41 object remote_endpoint object local_endpoint
!
access-group abcde in interface outside


Some of this is copied right out of my config, and some is off the top of my head.  If there's something here that's not right, please do correct me...


Rob

etamminga Wed, 07/21/2010 - 05:29

Hi Rob,


Thanks for the reply. Indeed the solution you suggest is the correct answer; I figured that out myself in the meantime.


The thing that changed in ASA 8.3 is that you can now incorporate source AND destination in a NAT rule, which in turn allows you to NAT all traffic and filter on port 41.


With this option available, I now have a setup with one ASA, one ISR and two tunnels from IPv6 tunnel brokers. The ASA doing native IPv6 and the internal network secure! (VRF on the router hairpinning the tunnels to the ASA on a dedicated VLAN.)


Regards,

Erik Tamminga
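To make the 8.3 packet path concrete for Rob's rule above and Erik's summary ("NAT all traffic, filter on protocol 41"), here is an added example that is not code from the thread. It parses the object/nat/access-list lines from Rob's answer, with constructed RFC 5737 placeholder addresses standing in for A.A.A.A and B.B.B.B and an assumed outside interface address, and simulates what the ASA does with a packet arriving on the outside interface: twice NAT un-translates the destination first, and the inbound ACL is then evaluated against the real inside address. That ordering is why the ACL names local_endpoint rather than the public IP, and why a TCP packet from the broker is untranslated but still dropped.

```python
"""ASA 8.3 inbound-path model for the protocol-41 twice-NAT rule.

Added example, not code from the thread. Constructed config and
addresses; the outside interface IP is an assumption.
"""
import re

PROTO_IPV6_IN_IP = 41

# Constructed config. RFC 5737 documentation addresses stand in for
# A.A.A.A / B.B.B.B in the original; none of these are real endpoints.
CONFIG = """
object network local_endpoint
 host 192.0.2.10
object network remote_endpoint
 host 198.51.100.26
nat (inside,outside) source static local_endpoint interface destination static remote_endpoint remote_endpoint
access-list abcde extended permit 41 object remote_endpoint object local_endpoint
access-group abcde in interface outside
"""
OUTSIDE_IF_IP = "203.0.113.1"  # assumed address of the ASA outside interface


def parse(cfg):
    """Return (objects, nat_rules, acls, access_groups) from the fragment."""
    objects, nats, acls, groups = {}, [], {}, {}
    current = None
    for raw in cfg.strip().splitlines():
        line = raw.strip()
        if m := re.match(r"object network (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"host (\S+)$", line):
            objects[current] = m.group(1)
        elif m := re.match(r"nat \((\S+),(\S+)\) source static (\S+) (\S+) "
                           r"destination static (\S+) (\S+)$", line):
            real_if, mapped_if, s_real, s_mapped, d_mapped, d_real = m.groups()
            nats.append({"real_if": real_if, "mapped_if": mapped_if,
                         "src_real": s_real, "src_mapped": s_mapped,
                         "dst_mapped": d_mapped, "dst_real": d_real})
        elif m := re.match(r"access-list (\S+) extended (permit|deny) (\S+) "
                           r"object (\S+) object (\S+)$", line):
            name, action, proto, src, dst = m.groups()
            acls.setdefault(name, []).append((action, proto, src, dst))
        elif m := re.match(r"access-group (\S+) in interface (\S+)$", line):
            groups[m.group(2)] = m.group(1)
    return objects, nats, acls, groups


def resolve(name, objects, outside_ip):
    """Map an object name (or the 'interface' keyword) to an IPv4 address."""
    return outside_ip if name == "interface" else objects[name]


def inbound(cfg, proto, src, dst, outside_ip=OUTSIDE_IF_IP):
    """Simulate a packet entering 'outside'. Returns (permitted, real_dst).

    real_dst is None when no twice-NAT rule un-translates the packet,
    i.e. the ASA has no inside host to deliver it to.
    """
    objects, nats, acls, groups = parse(cfg)
    real_src, real_dst = src, None
    for r in nats:
        if r["mapped_if"] != "outside":
            continue
        # Reverse direction of the rule: packet dst is the mapped source,
        # packet src is the mapped destination.
        if (dst == resolve(r["src_mapped"], objects, outside_ip)
                and src == resolve(r["dst_mapped"], objects, outside_ip)):
            real_dst = resolve(r["src_real"], objects, outside_ip)
            real_src = resolve(r["dst_real"], objects, outside_ip)
            break
    if real_dst is None:
        return False, None
    # 8.3+ semantics: the inbound ACL sees real (un-translated) addresses.
    for action, aproto, asrc, adst in acls.get(groups.get("outside", ""), []):
        proto_ok = aproto == "ip" or aproto == str(proto)
        if proto_ok and objects[asrc] == real_src and objects[adst] == real_dst:
            return action == "permit", real_dst
    return False, real_dst  # implicit deny at the end of the ACL


if __name__ == "__main__":
    broker = "198.51.100.26"
    print(inbound(CONFIG, PROTO_IPV6_IN_IP, broker, OUTSIDE_IF_IP))   # (True, '192.0.2.10')
    print(inbound(CONFIG, 6, broker, OUTSIDE_IF_IP))                  # (False, '192.0.2.10')
    print(inbound(CONFIG, PROTO_IPV6_IN_IP, "198.51.100.99", OUTSIDE_IF_IP))  # (False, None)
```

The third call shows the other half of the protection: a protocol-41 packet from any source other than the tunnel broker matches no twice-NAT rule, so it is never mapped to the inside router at all, regardless of the ACL.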

chris_slaterwalker Thu, 12/08/2011 - 07:39

Interestingly, especially for those using an ASA without sufficient memory for later software versions, you can do this with ASA 8.0(3). It may have been an oversight or a "bug" with positive consequences in that version, because it doesn't work in 8.0(5).


So I have a Cat4948 doing all the routing for my internal network. Now of course the 4948 doesn't support NAT, and since I'm on a domestic broadband service with only 1 public IPv4 address, I need something to do NAT, and that is an ASA, which of course is connected directly to my broadband.


The IPv6in4 tunnel remote endpoint (at the tunnel broker) is 216.66.80.26. The inside address of my end of the IPv6in4 tunnel is x.x.x.1/30.


The config is like this:


interface GigabitEthernet0/0
 description Broadband Service
 nameif outside
 security-level 0
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address x.x.x.2 255.255.255.252
 ipv6 address 2001:x:x:ff::2/64
 ipv6 enable
 ipv6 nd suppress-ra
!
! Protocol 41 (IPv6-in-IPv4) has no ports, so it is matched as a protocol object.
object-group protocol IPV6inIP
 protocol-object 41
!
! Pre-8.3: the inbound ACL is matched against the translated address,
! i.e. the outside interface, not the inside tunnel endpoint.
access-list OUTSIDE-IN extended permit object-group IPV6inIP host 216.66.80.26 interface outside
!
! Policy static NAT: translate x.x.x.1 to the outside interface address
! only for traffic matching this ACL (protocol 41 to the tunnel broker).
access-list STATIC-IPV6TUNNEL extended permit object-group IPV6inIP host x.x.x.1 host 216.66.80.26
!
static (inside,outside) interface access-list STATIC-IPV6TUNNEL
!
access-group OUTSIDE-IN in interface outside


When I configure this, I get a warning about all traffic being translated to the interface address (IIRC) but it doesn't matter of course. I presume the warning applies only to protocol 41 traffic.
