Allowing an IPv6 Tunnel Broker to passthrough ASA

Unanswered Question
Jan 18th, 2012

I am in the process of setting up an IPv6 Tunnel Broker on a 1811 router I have in my home lab so I can start working with IPv6 and getting access to IPv6-only websites and/or content.  I believe that I have the 1811 set up correctly but am having problems getting the Tunnel Broker traffic (which is IPv4 based) to pass through my ASA.  I know that I need to allow protocol 41 to come through from the outside but can't seem to find a way to get it to go through.

I am using 8.2.5 firmware on my 5505.  I would prefer to not have to upgrade to 8.3 or 8.4 because of the way the NAT rules and some other things change.  My ISP only offers me a single IP address.  Would prefer not to have to upgrade to business service to get multiple IP addresses.  I have been looking for docs on how to do this but so far haven't found anything that points me in the right direction.

Ran a protocol capture and noticed this error in the ASDM log:

3 Jan 18 2012 19:16:20 209.51.181.2 regular translation creation failed for protocol 41 src Inside:192.168.1.100 dst Outside:209.51.181.2

In looking at the rules, it appears that I need an access rule to allow the protocol 41 traffic to go outbound.

Added these lines to the ASA config -

object-group protocol IPV6inIP
 protocol-object 41
access-list inside_access_in line 2 extended permit object-group IPV6inIP any any

Still getting the above error after putting in the config lines just listed.  Beginning to suspect that the 8.2.5 binary doesn't support protocol forwarding.  I don't see the traffic leaving the ASA, so that would seem to indicate that 8.2.5 can't do protocol forwarding in the NAT rules.

Any suggestions/links appreciated,

Ron

ihoogend Wed, 02/15/2012 - 14:53

Ronald,

did you get anything working with this?

I am actually trying the same and experiencing the same problems ...

Let me know what you find out ...

Thanks,

Iwan Hoogendoorn

etamminga Sat, 02/18/2012 - 14:06

You really need to upgrade to 8.3 or later in order to set up a NAT rule that specifies both the tunnel broker IP and the inside 1811 IP to do this. I've been trying what you are trying for a long time but did get it working (without NATting everything to the inside, which disables the ASA's VPN features).

Don't be afraid of the 8.3+ NAT feature change, you'll get used to it and love it.

Regards,

Erik

Sent from Cisco Technical Support iPad App
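As an added illustration of the NAT rule Erik describes (this is not configuration posted by anyone in the thread), the 8.3+ twice-NAT form below pins the flow between the inside tunnel endpoint and the broker onto the outside interface address while the rest of the inside network keeps ordinary dynamic PAT. The two host addresses are the ones from Ron's ASDM log line; the object names, the 192.168.1.0/24 inside subnet and the ACL name are assumptions for the example.

```cisco
! Added example of the ASA 8.3+ NAT model; not from the original thread.
! 192.168.1.100 and 209.51.181.2 are the hosts in Ron's log line.
! Object names, the inside subnet and the ACL name are assumptions.
object network INSIDE_TUNNEL_RTR
 host 192.168.1.100
 description 1811 tunnel endpoint on the inside
object network HE_TUNNEL_SERVER
 host 209.51.181.2
 description tunnel broker's IPv4 endpoint
object-group protocol IPV6inIP
 protocol-object 41
!
! Twice NAT (section 1, evaluated before object NAT): traffic between
! these two hosts is mapped one-to-one onto the outside interface address.
! Nothing else is affected, so VPN terminating on 'outside' keeps working.
nat (inside,outside) source static INSIDE_TUNNEL_RTR interface destination static HE_TUNNEL_SERVER HE_TUNNEL_SERVER
!
! Object NAT (section 2): ordinary dynamic PAT for every other inside host.
! This is the rule that cannot translate protocol 41 on its own, because
! PAT needs TCP/UDP ports or an ICMP ID to multiplex on.
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Inbound 6in4 from the broker only. On 8.3+ the access list matches the
! real (untranslated) inside address, not the outside interface address.
access-list outside_access_in extended permit object-group IPV6inIP object HE_TUNNEL_SERVER object INSIDE_TUNNEL_RTR
access-group outside_access_in in interface outside
```

After applying this, `show nat` should list the twice-NAT rule in section 1 with a non-zero translate_hits once the 1811 brings the tunnel up, and `show xlate` should show a static entry for 192.168.1.100 rather than a PAT entry. `packet-tracer input inside rawip 192.168.1.100 41 209.51.181.2` walks the flow through the NAT and ACL phases and reports which phase drops it if something is still wrong. Note that the twice-NAT rule matches all IP protocols between the two hosts, not only 41 (the `service` keyword in twice NAT only covers TCP/UDP), which is what you want here since the broker's keepalive pings also need a stable mapping.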

ihoogend Sat, 02/18/2012 - 16:18

Erik,

Thanks for your reply ...

I have upgraded the software on my ASA 5505 yesterday from 8.2 to 8.4, and I have to tell you ... I have never been so excited by an ASA upgrade ... anyway ... I tried to use a Cisco 3560G-PS-S as a tunnel endpoint on the inside of my network but apparently the software on this hardware does not support this command "tunnel mode ipv6ip" which makes it impossible to set up a tunnel ... I got the tunnel up but there is no way to ping the other side of the IPv6 tunnel ...

Anyway ... I discovered what NAT rules / object groups / access-lists I need in order to create the NAT rule ... but there is something else that I don't understand...

What IPv6 addresses have you configured on the inside/outside of your ASA?

And what IPv6 addresses have you configured on your internal hosts on the "inside" of your network?

I reckon that the "inside" hosts use your IPv6 endpoint device as a default gateway and that this tunnel endpoint uses the tunnel interface as a default gateway ... and that this device is also handing out the IPv6 addresses in your "inside" network, right?

And what IPv6 address do you have configured on the outside/inside of the ASA? is that the /64 you get from the tunnel provider (Hurricane Electric or Sixxs) and I guess this traffic is routed to the tunnel endpoint device as well?

So IPv6 firewalling is not possible?

Let me know if I have it correct ...

Thanks,

Iwan

etamminga Sun, 02/19/2012 - 14:20

Hi Iwan,

Please understand that my network was a test/lab network and not meant for production use.

For tunnel endpoints you generally need a router. A low end switch is not capable of encapsulating packets for ipv6-over-ipv4 tunnels.

My network was setup like this:

- ISP providing Internet connectivity, 1 public ip.

- ASA 5505 connects to the Internet using interface 'outside', dhcp.

- A Cisco 871 connects using FastEthernet4 to the ASA on the 'inside' interface (dot1q trunk, VLAN 10). Using private ipv4 addresses and a single /64 block from the ipv6 subnet assigned by tunnel broker.

- 871 is configured with the tunnel to hurricane electric (my ipv6 tunnel broker). Using ipv6 addresses assigned to the tunnel.

- tunnel on 871 uses a different VRF.

- 2nd VLAN on Fe4.20 of 871 connects to VLAN used by ASA on interface 'outside6' and uses the created VRF on the router. Using a single /64 block from the ipv6 subnet assigned by tunnel broker.

- Static routing to connect all networks.

- ACLs on 871 in the VRF to deny all uninteresting traffic to the 871.

In the end, ASA directly connects to the Internet for ipv4, is able to firewall the ipv6 traffic natively, and all VPN functions of the ASA are still available.

Regards,

Erik


Posted January 18, 2012 at 10:33 AM