03-31-2012 02:55 AM - edited 03-01-2019 05:34 PM
Hello everyone,
I'm going to implement IPv6 and for the past few weeks I've been looking for designs, documentation and tips to make the best of it and take full advantage of IPv6. However, even Cisco's documentation is based mostly on IPv4 and IPv6 is mentioned just as additional option. Also my experiences are mostly with IPv4 and therefore I would greatly appreciate advice, tips and recommendation specifically on design and best practices.
Though I need to keep some IPv4 in place just to have interoperability with those who don't have IPv6, I could use IPv6 only as I'm fully IPv6 'ready'.
The requirements are very simple and straightforward - all is based on ASA 5520 with two external and two internal interfaces and good 90% of traffic is VPN. On the external interfaces I need some 200 site-to-site VPN connections mostly with Cisco 800 series, around 400 remote-access VPN connections and access to DMZ with email server. On the internal interfaces I've got all the servers, all internet/web traffic should go through proxy.
external/VPN <----> \
external/VPN <----> - ASA 5520 = SG300 - internal servers
management <----> / |
DMZ / external servers
All internal servers and communication can use IPv6 only, the management IP address is IPv4, the external server can have IPv4 as well as IPv6 because not everyone is on IPv6, and a backup IPv4 VPN in case someone has to connect through an ISP without IPv6 support.
In the IPv4 world I would keep the ASA 5520 in routed mode, all internal traffic on private address ranges, and NAT/proxy if external access is required. However, I'm not sure if that is the best for IPv6 as well, therefore I would appreciate any suggestions, recommendations and configuration tips.
Many thanks,
Dan
03-31-2012 05:44 AM
Hi,
See below an excellent White Paper on what Enterprises should do about IPv6
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6553/whitepaper_c11-586154.html
As recommended in this document I suggest that you purchase a globally routable Internet IPv6 address block from your ISP. Assign these addresses to your internal network.
If you still need to support legacy IPv4 then configure your devices for dual stack. See below
http://www.cisco.com/web/strategy/docs/gov/IPV6at_a_glance_c45-625859.pdf
See below a quick guide for configuring IPv6 on your ASA firewall.
https://supportforums.cisco.com/docs/DOC-15973
Don't forget to rate all posts that are helpful.
04-01-2012 08:57 AM
hi Dan,
I highly recommend this IPv6 Internet edge design guide:
Keep in mind that there's currently no NAT66, so for now there's no NAT to translate between public & private IPv6 addresses like most are used to.
Whether you use provider-assigned or provider-independent IPv6 blocks, you'll need to carefully design the ACLs to protect your network.
HTH
KH
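Added configuration example (not from either post and not Cisco's own text) illustrating the point above: with no NAT66, internal and DMZ hosts sit on global addresses, so the outside IPv6 ACL is the only thing keeping them unreachable. It assumes ASA 8.4-era syntax; the interface names, the 2001:db8::/32 documentation prefixes and the 192.0.2.0/24 IPv4 address are constructed placeholders.

```cisco
! Assumed ASA 8.4-era syntax; addresses below are constructed placeholders
! Outside interface: dual stack, IPv4 kept only for peers without IPv6
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0
 ipv6 address 2001:db8:0:1::2/64
 ipv6 enable
!
! DMZ interface: the mail server has a global address, nothing hides it
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ipv6 address 2001:db8:0:10::1/64
 ipv6 enable
!
! Inbound IPv6 policy on outside: permit only what is explicitly needed
! Do not blanket-block ICMPv6: without packet-too-big, PMTUD fails and
! large transfers over the site-to-site tunnels silently hang
ipv6 access-list OUTSIDE_IN6 permit tcp any host 2001:db8:0:10::25 eq smtp
ipv6 access-list OUTSIDE_IN6 permit icmp6 any any packet-too-big
ipv6 access-list OUTSIDE_IN6 permit icmp6 any any time-exceeded
ipv6 access-list OUTSIDE_IN6 permit icmp6 any any parameter-problem
ipv6 access-list OUTSIDE_IN6 permit icmp6 any any unreachable
ipv6 access-list OUTSIDE_IN6 permit icmp6 any any echo-reply
! Everything else, including direct access to the internal
! 2001:db8:0:100::/56 servers, is dropped and logged
ipv6 access-list OUTSIDE_IN6 deny ip any any log
access-group OUTSIDE_IN6 in interface outside
```

The explicit final deny with log gives a hit counter and syslog trail for anything probing internal global addresses, which is the visibility NAT used to provide for free in the IPv4 design.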