Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
8513
Views
6
Helpful
5
Replies

ASA 8.3(1) is NAT-ing protocol-41 supported?

Go to solution
etamminga
Spotlight
Spotlight

‎03-19-2010 10:49 AM - edited ‎03-11-2019 10:23 AM

Hi,

Does anybody know if the NAT changes introduced in 8.3(1) now allow me to pass protocol-41 traffic (ipv6-in-ipv4, ipv6 tunnel) through the ASA to my IPv6 tunnel broker?

On the inside of my ASA I have a Cisco 871 configured with a tunnel interface to SixXS for IPv6. The ASA only has one public-IP.

Regards,

Erik

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
rfugina99
Level 1
Level 1

‎07-20-2010 03:11 PM

I think I just figured this out myself.  The crux is that a service specified in a NAT rule has to be a UDP or TCP service, not something altogether different.  This solution may not be possible at all before 8.3, but this is what I'm in the middle of testing, and it seems to work so far.

object network local_endpoint

   host A.A.A.A

object network remote_endpoint

   host B.B.B.B

nat (inside,outside) source static local_endpoint interface destination static remote_endpoint remote_endpoint

access-list abcde extended permit 41 object remote_endpoint object local_endpoint

access-group abcde in interface outside

Some of this is copied right out of my config, and some is off the top of my head.  If there's something here that's not right, please do correct me...

Rob

View solution in original post

5 Replies 5

Go to solution
Kureli Sankar
Cisco Employee
Cisco Employee

‎03-19-2010 03:22 PM

Here is the release note for 8.3: http://www.cisco.com/en/US/docs/security/asa/asa83/release/notes/asarn83.html#wp229690

See if this answers your question.

IPv6 support for IKEv1 LAN-to-LAN VPN connections

For LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing, the security appliance supports VPN tunnels if both peers are Cisco ASA 5500 series security appliances, and if both inside networks have matching addressing schemes (both IPv4 or both IPv6).

Specifically, the following topologies are supported when both peers are Cisco ASA 5500 series adaptive security appliances:

The adaptive security appliances have IPv4 inside networks and the outside network is IPv6 (IPv4 addresses on the inside interfaces and IPv6 addresses on the outside interfaces).

The adaptive security appliances have IPv6 inside networks and the outside network is IPv4 (IPv6 addresses on the inside interface and IPv4 addresses on the outside interfaces).

The adaptive security appliances have IPv6 inside networks and the outside network is IPv6 (IPv6 addresses on the inside and outside interfaces).

Note The defect CSCtd38078 currently prevents the Cisco ASA 5500 series from connecting to a Cisco IOS device as the peer device of a LAN-to-LAN connection.

The following commands were modified or introduced: isakmp enable, crypto map, crypto dynamic-map, tunnel-group, ipv6-vpn-filter, vpn-sessiondb, show crypto isakmp sa, show crypto ipsec sa, show crypto debug-condition, show debug crypto, show vpn-sessiondb, debug crypto condition, debug menu ike.

-KS

Go to solution
etamminga
Spotlight
Spotlight
In response to Kureli Sankar

‎03-19-2010 03:29 PM

Thanks for the quick answer, but the IPv6 LAN-2-LAN VPN's was not what I was looking for.

I found out ASA 8.3(1) now allows you to do a static nat with source AND destination specified. So I translated the internal router to the public IP of the asa, only for the tunnel endpoint destination of my tunnel broker. This works!

On the router I did a VRF with the tunnel and a VLAN interface to feed the public IPv6 traffic back to the ASA. The ASA inside interface now has IPv4 and IPv6 natively which is what I was trying to get!! Not a real-world production setup ofcourse but a nice setup to play with. As the ASA and router are fast enough, this doesn't bother me for my test network.


Regards,

Erik

0 Helpful

Go to solution
rfugina99
Level 1
Level 1

‎07-20-2010 03:11 PM

I think I just figured this out myself.  The crux is that a service specified in a NAT rule has to be a UDP or TCP service, not something altogether different.  This solution may not be possible at all before 8.3, but this is what I'm in the middle of testing, and it seems to work so far.

object network local_endpoint

   host A.A.A.A

object network remote_endpoint

   host B.B.B.B

nat (inside,outside) source static local_endpoint interface destination static remote_endpoint remote_endpoint

access-list abcde extended permit 41 object remote_endpoint object local_endpoint

access-group abcde in interface outside

Some of this is copied right out of my config, and some is off the top of my head.  If there's something here that's not right, please do correct me...

Rob

Go to solution
etamminga
Spotlight
Spotlight
In response to rfugina99

‎07-21-2010 05:29 AM

Hi Rob,

Thanks for the reply. Indeed the solution you suggest is the correct answer, I figured that out myself in the mean time.

The thing that changed in ASA 8.3 is that you can now incorporate source AND destination in a NAT rule, which in turn allows you to NAT all trafic and filter on port 41.

With this option available; I know have a setup with one ASA, one ISR and two tunnels from IPv6 tunnelbrokers. The ASA doing native IPv6 and the internal network secure! (vrf on the router hairpinnning the tunnels to the ASA on a dedicated VLAN).

Regards,

Erik Tamminga

0 Helpful

Go to solution
chris_slaterwalker
Level 1
Level 1
In response to etamminga

‎12-08-2011 07:39 AM

Interestingly - especially for those using an ASA without sufficient memory for later software versions - you can do this with ASA 8.0(3). It may have been an oversight or a "bug" with positive consequences in that version, because, it doesn't work in 8.0(5).

So I have a Cat4948 doing all the routing for my internal network. Now of course the 4948 doesn't support NAT, and since I'm on a domestic broadband service with only 1 public IPv4 address, I need something to do NAT, and that is an ASA, which of course is connected directly to my broadband.

The IPv6in4 tunnel remote endpoint (at the tunnel broker) is 216.66.80.26. The inside address of my end of the IPv6in4 tunnel is x.x.x.1/30.

The config is like this:

interface GigabitEthernet0/0

description Broadband Service

nameif outside

security-level 0

ip address dhcp setroute

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address x.x.x.2 255.255.255.252

ipv6 address 2001:x:x:ff::2/64

ipv6 enable

ipv6 nd suppress-ra

!

object-group protocol IPV6inIP

protocol-object 41

!

access-list OUTSIDE-IN extended permit object-group IPV6inIP host 216.66.80.26 interface outside

!

access-list STATIC-IPV6TUNNEL extended permit object-group IPV6inIP host x.x.x.1 host 216.66.80.26

!

static (inside,outside) interface  access-list STATIC-IPV6TUNNEL

!

access-group OUTSIDE-IN in interface outside

When I configure this, I get a warning about all traffic being translated to the interface address (IIRC) but it doesn't matter of course. I presume the warning applies only to protocol 41 traffic.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card