Author: Scott Nishimura.
IPv6 Feature Support on the Cisco ASA Firewall
There has been a lot of discussion recently with the push towards IPv6. For the ASA firewall, IPv6 feature support has been available and can be set up quickly. This document focuses on a basic ASA setup for a native IPv6 network. As you will see, there are very few commands required to have your ASA firewall join an IPv6 ready network.
Here is a quick way to configure your ASA firewall for IPv6 connectivity.
STEP#1 - Enable IPv6 on the interface and configure the global IPv6 address.
interface vlan 2
ipv6 address 2001:db8:2:3::1/64
This assigns the global IPv6 address to the interface. Once IPv6 is enabled on the interface (the ipv6 enable command), a link-local address is generated automatically from the interface's MAC address. The ipv6 address command above sets the global address manually; alternatively, the ASA supports autoconfig, which derives a stateless address from router advertisement (RA) messages.
For more details, you can review the following reference guide document:
STEP#2 - Verify IPv6 configuration.
show ipv6 interface
outside is up, line protocol is up
IPv6 is enabled, link-local address is fe80::21e:7aff:fe11:45c
Global unicast address(es):
2001:db8:2:3::1, subnet is 2001:db8:2:3::/64
Joined group address(es):
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses
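Two things in steps 1 and 2 are worth checking mechanically rather than by eye: that the link-local address really is the EUI-64 form of the interface MAC, and that the show ipv6 interface output carries the global address, subnet and DAD state you expect. The script below is an added example, not part of the original post or of any Cisco tooling. It embeds a constructed copy of the show output above; the MAC address 00:1e:7a:11:04:5c is an assumption chosen so that its EUI-64 matches the link-local shown.

```python
import ipaddress
import re

# Constructed sample: the `show ipv6 interface` output from the walkthrough,
# trimmed to the lines the checks below look at.
SHOW_IPV6_INTERFACE = """\
outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::21e:7aff:fe11:45c
  Global unicast address(es):
    2001:db8:2:3::1, subnet is 2001:db8:2:3::/64
  Joined group address(es):
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND router advertisements are sent every 200 seconds
  Hosts use stateless autoconfig for addresses
"""

# Assumed interface MAC (not from the post): picked so that its modified
# EUI-64 equals the link-local address in the sample output.
ASSUMED_MAC = "00:1e:7a:11:04:5c"


def eui64_link_local(mac: str) -> ipaddress.IPv6Address:
    """Derive the modified-EUI-64 link-local address from a 48-bit MAC.

    The universal/local bit (bit 1 of the first octet) is flipped and
    0xfffe is inserted between the OUI and the NIC-specific half.
    """
    octets = bytes.fromhex(re.sub(r"[:.-]", "", mac))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def parse_show_ipv6_interface(text: str) -> dict:
    """Pull the fields an operator verifies in step 2 out of the show output."""
    info = {"interfaces": {}}
    current = None
    for line in text.splitlines():
        m = re.match(r"^(\S+) is (\w+), line protocol is (\w+)", line)
        if m:
            current = m.group(1)
            info["interfaces"][current] = {
                "status": m.group(2), "protocol": m.group(3),
                "link_local": None, "globals": [], "dad_enabled": False,
            }
            continue
        if current is None:
            continue
        iface = info["interfaces"][current]
        s = line.strip()
        m = re.match(r"IPv6 is enabled, link-local address is (\S+)", s)
        if m:
            iface["link_local"] = ipaddress.IPv6Address(m.group(1))
            continue
        m = re.match(r"(\S+), subnet is (\S+)", s)
        if m:
            iface["globals"].append(
                (ipaddress.IPv6Address(m.group(1)), ipaddress.IPv6Network(m.group(2)))
            )
            continue
        if s.startswith("ND DAD is enabled"):
            iface["dad_enabled"] = True
    return info


def verify_interface(info: dict, name: str, expected_global: str, mac: str) -> list:
    """Return a list of findings; an empty list means the interface matches."""
    findings = []
    iface = info["interfaces"].get(name)
    if iface is None:
        return [f"{name}: not present in show output"]
    if iface["status"] != "up" or iface["protocol"] != "up":
        findings.append(f"{name}: interface/line protocol not up")
    expected = ipaddress.IPv6Interface(expected_global)
    if (expected.ip, expected.network) not in iface["globals"]:
        findings.append(f"{name}: global address {expected_global} not configured")
    for addr, net in iface["globals"]:
        if addr not in net:
            findings.append(f"{name}: {addr} is outside its own subnet {net}")
    if iface["link_local"] != eui64_link_local(mac):
        findings.append(f"{name}: link-local does not match EUI-64 of {mac}")
    if not iface["dad_enabled"]:
        findings.append(f"{name}: duplicate address detection is disabled")
    return findings


if __name__ == "__main__":
    parsed = parse_show_ipv6_interface(SHOW_IPV6_INTERFACE)
    print(verify_interface(parsed, "outside", "2001:db8:2:3::1/64", ASSUMED_MAC))
```

Run as written it prints an empty list, meaning the sample output matches the expected global address, the EUI-64 of the assumed MAC, and DAD being enabled; feeding it the output of a different box, or a different expected prefix, returns one finding per mismatch. The EUI-64 check is the useful one when an interface unexpectedly presents a link-local you did not expect.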
STEP#3 - Define an IPv6 default route.
ipv6 route outside ::/0 next_hop_ipv6_addr
Using ::/0 is equivalent to “any”. The ipv6 route command is functionally similar to the IPv4 route command.
STEP#4 - Define IPv6 access-lists (optional).
IPv6 access-lists work the same way as IPv4 access-lists: entries are evaluated sequentially, and there is an implicit deny at the end.
ipv6 access-list test permit tcp any host 2001:db8::203:A0FF:FED6:162D
access-group test in interface outside
The above permits TCP traffic from any source to the specific server 2001:db8::203:A0FF:FED6:162D.
SECURING THE FIREWALL:
If you plan to use autoconfig for the ASA's global IPv6 address, restrict router advertisements (RA) to the known routers in your network. This prevents the ASA from being autoconfigured by an unknown router.
ipv6 access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement
ipv6 access-list outsideACL deny icmp6 any any router-advertisement
access-group outsideACL in interface outside
ipv6 address autoconfig
When applied, the access-list above accepts router advertisements (RA) only from the router specified; all other RAs are denied.
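To see how the sequential evaluation and implicit deny from step 4 play out on the RA filter above, here is a small evaluator for the two access-lists in this post. It is an added example, not the ASA's matching engine and not from the original post: it parses the ipv6 access-list lines as written, walks the entries in order, and falls through to deny when nothing matches. The packets it is run against are constructed, and fe80::1 stands in for an unknown router.

```python
import ipaddress
from dataclasses import dataclass

# Constructed input: the access-list lines from this post, verbatim.
ACL_TEXT = """\
ipv6 access-list test permit tcp any host 2001:db8::203:A0FF:FED6:162D
ipv6 access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement
ipv6 access-list outsideACL deny icmp6 any any router-advertisement
"""

# ICMPv6 type numbers for the keywords the ACL syntax uses (RFC 4861/4443).
ICMP6_TYPES = {"router-solicitation": 133, "router-advertisement": 134, "echo-request": 128}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str              # "tcp", "udp" or "icmp6"
    icmp_type: int = None   # only meaningful when proto == "icmp6"


@dataclass
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    icmp_type: int = None   # None means "any ICMPv6 type"


def _parse_addr(tokens: list) -> ipaddress.IPv6Network:
    """Consume 'any', 'host <addr>' or '<prefix>/<len>' from the token list."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv6Network("::/0")
    if tok == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    return ipaddress.IPv6Network(tok, strict=False)


def parse_acls(text: str) -> dict:
    """Group ACEs by access-list name, preserving the order they were entered."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["ipv6", "access-list"]:
            continue
        name, action, proto = tokens[2], tokens[3], tokens[4]
        rest = tokens[5:]
        src = _parse_addr(rest)
        dst = _parse_addr(rest)
        icmp_type = ICMP6_TYPES[rest[0]] if proto == "icmp6" and rest else None
        acls.setdefault(name, []).append(Ace(action, proto, src, dst, icmp_type))
    return acls


def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; no match means the implicit deny applies."""
    src, dst = ipaddress.IPv6Address(pkt.src), ipaddress.IPv6Address(pkt.dst)
    for ace in acl:
        if ace.proto != pkt.proto:
            continue
        if src not in ace.src or dst not in ace.dst:
            continue
        if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
            continue
        return ace.action
    return "deny"   # implicit deny at the end of every access-list


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    known = Packet("fe80::21e:7bff:fe10:10c", "ff02::1", "icmp6", 134)
    unknown = Packet("fe80::1", "ff02::1", "icmp6", 134)
    print("RA from known router:  ", evaluate(acls["outsideACL"], known))
    print("RA from unknown router:", evaluate(acls["outsideACL"], unknown))
```

The second RA is dropped by the explicit deny entry, but note that anything else arriving on the interface (a TCP flow, a router solicitation) also ends in deny, because outsideACL contains nothing else and the implicit deny covers every remaining packet. On a real deployment the two RA entries would sit above the interface's other permit entries rather than forming the whole list.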
If you wish to prevent the ASA from sending out router advertisements (RA) on a specific interface, you may suppress them with the following interface command:
ipv6 nd suppress-ra
Neighbor discovery will continue to be operational even though RA suppression has been configured.
For further information, please check out the following documentation on cisco.com:
ASA 8.3 IPv6 configuration guide:
ASA 8.3 IPv6 command reference:
Cisco Support Community: