ASA-PIX/FWSM: IPV6 Configuration


Apr 4, 2010 5:51 AM


Documentation

This configuration example is meant to be interpreted with the aid of the official documentation from the configuration guide located here:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/route_ipv6_neighbor.html

and

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/ref_ports.html#wp1007606

Overview

IPv6 is the next generation of the Internet Protocol after IPv4. It provides an expanded address space, a simplified header format, improved support for extensions and options, flow labeling capability, and authentication and privacy capabilities. IPv6 is described in RFC 2460. The IPv6 addressing architecture is described in RFC 3513.

Prerequisite

The ipv6 address command was introduced in 7.0.1 code. 8.2.1 code introduced support for transparent mode, and 8.2.2 introduced support for the standby IP address. In the latest 8.3 code, support has been added for LAN-to-LAN connections using mixed IPv4 and IPv6 addressing, or all IPv6 addressing: the security appliance supports such VPN tunnels if both peers are Cisco ASA 5500 series security appliances and both inside networks have matching addressing schemes (both IPv4 or both IPv6).

Limitation

IPv6-to-IPv4 NAT-PT (Network Address Translation - Protocol Translation), i.e. bi-directional connectivity between IPv4 and IPv6 domains, is not supported on the ASA platform.

ASA: Failover support for IPv6 has been added in ASA 8.2.2 and above.

Please refer to this link: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1090421

If an interface has IPv4 and IPv6 addresses configured on it, the adaptive security appliance uses the IPv4 addresses to perform the health monitoring.

If an interface has only IPv6 addresses configured on it, then the adaptive security appliance uses IPv6 neighbor discovery instead of ARP to perform the health monitoring tests. For the broadcast ping test, the adaptive security appliance uses the IPv6 all-nodes address (FF02::1).

FWSM: There is still no support for FWSM failover with IPv6, but the following enhancement request exists:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtl77322

PIX: PIX platforms cannot run 8.2.2 code; the latest code a PIX can run is 8.04(28), so failover support for IPv6 is not available on PIX platforms.

Difference between IPV4 and IPV6


  1. Address space is quadrupled to 16 bytes (128 bits); IPv4 is 4 bytes (32 bits)
  2. Fixed-length header
  3. No checksum in the IP header
  4. No hop-by-hop fragmentation by routers (Path MTU discovery is used instead)
  5. Flow label/priority (integrated QoS support)
  6. No more broadcast (multicast in IPv6)

    How IPv6 is written

    • An IPv6 address is represented as a series of eight 16-bit (2-byte) fields separated by colons, for example X1:X2:X3:X4:X5:X6:X7:X8, where each Xn is a 16-bit hexadecimal value
    • A single run of consecutive all-zero fields can be replaced by two colons (::), for example FF12:0:0:0:FF24:ABC2:AB24:2356 becomes FF12::FF24:ABC2:AB24:2356
    • The default route is written as ::/0 (:: alone is the unspecified address)

    Types of IPv6 address

    1. Unicast address

    • This is the address of a single interface.
    • The 64-bit interface identifier is constructed in the modified EUI-64 format:
      1. The first three octets are taken from the Organizationally Unique Identifier (OUI) of the 48-bit link-layer (MAC) address, with the U/L bit flipped.
      2. The fourth and fifth octets are the fixed value FFFE.
      3. The last three octets are taken from the last three octets of the MAC address.

    ASA(config)# sh run int vlan1
    !
    interface Vlan1
     nameif inside
     security-level 100
     ip address 192.168.2.1 255.255.255.0
     ipv6 address 2001:4800:0:1::1/64
     ipv6 enable

    ASA(config)# sh int vlan1
    Interface Vlan1 "inside", is up, line protocol is up
      Hardware is EtherSVI, BW 100 Mbps, DLY 100 usec
       MAC address 0019.0725.94ab, MTU 1500

    ASA(config)# sh ipv6 interface inside
    inside is up, line protocol is up
      IPv6 is enabled, link-local address is fe80::219:7ff:fe25:94ab
      Global unicast address(es):
        2001:4800:0:1::1, subnet is 2001:4800:0:1::/64
      Joined group address(es):
        ff02::1
        ff02::2
        ff02::1:ff25:94ab   <------ solicited-node multicast address
        ...
      Hosts use stateless autoconfig for addresses.


    For more info see http://wwwin.cisco.com/ios/tech/ipv6/docs/EUI64.shtml

    http://wiki.nil.com/IPv6_EUI-64_interface_addressing
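As an added example (not part of the original document), the following Python derives the modified EUI-64 link-local address and the solicited-node multicast group from the MAC address 0019.0725.94ab shown in the output above, so the values in the show commands can be checked by hand; it also generalizes to the global address, whose solicited-node group sits in the elided part of the output.

```python
import ipaddress

# Constructed input: the MAC address shown in the "sh int vlan1" output above.
ASA_MAC = "0019.0725.94ab"


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 64-bit interface identifier derived from a 48-bit MAC.

    Modified EUI-64 (RFC 4291, Appendix A): OUI (first 3 octets) + FF:FE +
    device part (last 3 octets), with the universal/local bit (0x02 of the
    first octet) flipped.  Accepts Cisco dotted, colon or dash notation.
    """
    hexdigits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray.fromhex(hexdigits)
    octets[0] ^= 0x02                       # flip the U/L bit
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """fe80::/64 prefix followed by the modified EUI-64 interface identifier."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + mac_to_modified_eui64(mac))


def solicited_node_multicast(unicast: str) -> ipaddress.IPv6Address:
    """ff02::1:ffXX:XXXX, where XX:XXXX are the low 24 bits of the unicast address.

    Every unicast address on an interface joins one of these groups (RFC 4291
    section 2.7.1); it is the destination of NS messages for that address.
    """
    low24 = ipaddress.IPv6Address(unicast).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24)


def expected_groups(mac: str, global_addrs=()) -> set:
    """Solicited-node groups an interface with this MAC and these global addresses joins."""
    addrs = [link_local_from_mac(mac)] + [ipaddress.IPv6Address(a) for a in global_addrs]
    return {str(solicited_node_multicast(str(a))) for a in addrs}


if __name__ == "__main__":
    print("link-local     :", link_local_from_mac(ASA_MAC))
    print("solicited-node :", expected_groups(ASA_MAC, ["2001:4800:0:1::1"]))
```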

    I- Global aggregatable addresses (routable in the IPv6 Internet)

    This is a hierarchical address that is globally unique. It allows for aggregation of routing prefixes.
    2000::/3 = 001x xxxx xxxx xxxx; /12 through /23 blocks are allocated to RIRs
    Examples:
    2600:0000::/12 to ARIN
    2003:0000::/18 to RIPE
    /32 given to ISPs, /48 given to customers

    II- Unique-local address (similar to IPv4 private addresses)

    This is an IPv6 unicast address that uses the prefix FC00::/7 (first seven bits 1111 110). It can be used within a site without a globally unique address and can be considered a private address.

    RFC 4193: the LSB of the first octet is the L bit ("Assignment Policy Bit") and should always be set to one: xxxx xxx1

    As a result, unique-local addresses in practice always start with FD00::/8

    III- Link-local address (never meant to be routed)

    This is a unicast IPv6 address that can be automatically configured using the prefix FE80::/10 (1111 1110 10) and the interface identifier in EUI-64 format. Nodes on a local link use link-local addresses to communicate with each other; a router will not forward packets that have link-local source or destination addresses.

    2. Multicast address

    This is an address for a set of interfaces belonging to different nodes. A packet sent to this address is delivered to all interfaces identified by the multicast address. IPv6 multicast addresses have the prefix FF00::/8 (1111 1111). The second octet defines the lifetime (flags) and scope of the multicast address.

    • The AllSPFRouters multicast address is FF02::5; the second octet 02 means the address is permanent (well-known) and has link-local scope. OSPFv3 Hello packets are sent to it.
    • The AllDRouters multicast address is FF02::6. Used by OSPFv3 DR and BDR routers to receive OSPF packets.
    • FF02::2 – All routers (link scope). Hosts use this multicast address to query routers. More on this later.
    • FF02::1 – All nodes (link scope).
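To tie the global, unique-local, link-local and multicast rules above together, here is an added Python classifier (not part of the original document) that decodes an address by its prefix bits, including the multicast flags/scope octet and the RFC 4193 L bit, and flags which addresses a router must never forward off the link. The scope names are the RFC 4291 values; the helper names are my own.

```python
import ipaddress

# Multicast scope values carried in the low nibble of the second octet (RFC 4291 2.7).
MCAST_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
                0x5: "site-local", 0x8: "organization-local", 0xE: "global"}


def classify(text: str) -> dict:
    """Classify an IPv6 address using the prefix rules described above."""
    addr = ipaddress.IPv6Address(text)
    b = addr.packed
    info = {"address": str(addr)}
    if b[0] == 0xFF:                                   # FF00::/8 multicast
        flags, scope = b[1] >> 4, b[1] & 0x0F
        info["type"] = "multicast"
        info["permanent"] = not (flags & 0x1)          # T flag clear = well-known/permanent
        info["scope"] = MCAST_SCOPES.get(scope, f"unassigned({scope:#x})")
    elif b[0] == 0xFE and (b[1] & 0xC0) == 0x80:       # FE80::/10 link-local
        info["type"] = "link-local unicast"
    elif (b[0] & 0xFE) == 0xFC:                        # FC00::/7 unique-local
        info["type"] = "unique-local unicast"
        info["locally_assigned"] = bool(b[0] & 0x01)   # RFC 4193 L bit -> FD00::/8 when set
    elif (b[0] & 0xE0) == 0x20:                        # 2000::/3 global unicast
        info["type"] = "global unicast"
    elif addr == ipaddress.IPv6Address("::"):
        info["type"] = "unspecified"
    else:
        info["type"] = "other/reserved"
    return info


def router_may_forward(text: str) -> bool:
    """False for addresses that must never leave the link: link-local unicast,
    the unspecified address, and multicast with interface- or link-local scope."""
    info = classify(text)
    if info["type"] in ("link-local unicast", "unspecified"):
        return False
    if info["type"] == "multicast":
        return info["scope"] not in ("interface-local", "link-local")
    return True


if __name__ == "__main__":
    # Constructed sample addresses, including the ones used in this document.
    for a in ("FF02::5", "FF05::1:3", "FD00::1", "fe80::219:7ff:fe25:94ab", "2001:4800:0:1::1"):
        print(classify(a), "forwardable:", router_may_forward(a))
```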

    3. Anycast address

    This is an address assigned to a set of interfaces belonging to different nodes.

    • A packet sent to an anycast address is delivered to the closest of those interfaces, as determined by the routing protocol.
    • Anycast addresses are allocated from the unicast address space and are therefore syntactically indistinguishable from unicast addresses.
    • The subnet-router anycast address is the subnet prefix followed by an all-zeros interface identifier.
    • Must be manually specified with the "anycast" keyword on routers. Think of this as analogous to HSRP's virtual address.

    Neighbor Discovery

    • Neighbor Discovery (ND) is a completely new protocol written for IPv6. It works hand-in-hand with ICMPv6.
    • Provides functionality that under IPv4 could only be accomplished with multiple protocols, e.g. DHCP, IRDP, ARP.
    • All nodes are required to fully implement ICMPv6.
    • All nodes (and routers) must fully support ND.
    • ND defines five new ICMPv6 packet types to provide auto-configuration, dead node recovery, and route optimization:
      Router Solicitation (RS, type 133), Router Advertisement (RA, type 134), Neighbor Solicitation (NS, type 135), Neighbor Advertisement (NA, type 136), Redirect (type 137)
    • The hop limit in all ND messages is set to 255 by the sender.
    • If an ND message is received with a hop limit less than 255, the receiver must discard the packet, since it has crossed a router and cannot have originated on the local link.

    4. Router Solicitation (RS)

    • A node sends RS when it wants to receive a Router Advertisement (RA) right away; e.g. during node startup.
    • Source address for RS might be Unspecified (i.e. ::), if the node does not yet have an address.
    • Destination address is typically FF02::2 (all routers, link scope)
    • RS also contains an option with the sender’s link-layer address (MAC address)

    5. Router Advertisement (RA)

    • Routers send RAs to announce their presence on a link, providing all information necessary for a node to configure itself.
    • Source address is the router's link-local address on the interface attached to the link.
    • Destination address is FF02::1 (all nodes, link scope).
    • Sent periodically, as well as in response to an RS. Whenever an RA is sent, the countdown timer for the next RA is reset.
    • The RA contains a router lifetime, which informs nodes of the time for which the router can be used as a default router (default = 1800 seconds in IOS).
    • Nodes maintain a list of candidate default routers and choose one for off-link destinations. The lifetime is refreshed with each RA received from a router.
    • If an RA specifies a zero lifetime, nodes immediately remove the router from the list of candidate default routers.
    • By default, it is up to the operating system on the node to select the default router.
    • Cisco routers have the ability to send a "high/medium/low" preference in RAs (using the preference bits in the RA message):

             ipv6 nd router-preference {high | medium | low}

    • Sending an RA with a lifetime of zero means "I'm not a default router".

    6. Neighbor Solicitation (NS)

    • NS messages are used to:
      1. obtain link layer addresses for nodes
      2. provide link layer addresses for self
      3. verify neighbor reachability

    • Source address is the link-local address of the node's interface on the link, or the unspecified address (::).
    • Destination address is the solicited-node multicast address, which is created and joined for every unicast address assigned to an interface. For example:

              fe80::219:7ff:fe25:94ab   (unicast address)
              ff02::1:ff25:94ab         (its solicited-node multicast address)

    • Target address contains the address of neighbor we are soliciting.
    • NS and NA are analogous to ARP.

    7. Neighbor Advertisement (NA)

    • NA is sent in response to NS. In this case it is unicast to the sender of the NS. If the sender’s address is Unspecified, the NA is sent to FF02::1 (all nodes, link scope). Analogous to ARP reply.
    • NA may be sent without solicitation if the sender wishes to make new information known immediately. In this case, it is always sent to FF02::1 (all nodes, link scope).  Analogous to gratuitous ARP broadcast reply (which is not part of the ARP specification).
    • The NA source address can be any valid source address for the interface on which the NA is sent.

    Enabling an interface for IPv6

    ASA# conf t
    ASA(config)# int vlan 1
    ASA(config-if)# ipv6 enable
    ASA(config-if)# ipv6 address 2001:4800:0:1::1/64

    Configuring and Applying IPV6 access-list to an interface

    ASA# conf t
    ASA(config)# ipv6 access-list inside-v6 permit icmp6 2001:4800:0:1::1/64 any
    ASA(config)# ipv6 access-list inside-v6 permit icmp 2001:4800:0:1::1/64 host 2610:108:3000:5004::1
    ASA(config)# ipv6 access-list inside-v6 permit icmp 2001:4800:0:1::1/64 2610:108:4000:aaaa::/64
    ASA(config)# ipv6 access-list inside-v6 permit icmp6 any any
    ASA(config)# access-group inside-v6 in interface inside

    The following example uses the lt operator to permit access to all ports less than port 1025, i.e. the well-known ports (1 to 1024). The access-group must reference the same ACL name that was defined:

    ASA(config)# ipv6 access-list acl_dmz-v6 permit tcp any host 3001:1::203:A0FF:FED6:162D lt 1025

    ASA(config)# access-group acl_dmz-v6 in interface dmz1

    Configuring ipv6 route statements

    ipv6 route inside 2410:108:3000::/48 2610:108:4000:a001::2
    ipv6 route inside 2410:108:4000:a002::/64 2610:108:4000:a001::2
    ipv6 route inside 2410:108:4000:aaaa::/64 2610:108:4000:a001::3

    Configuring captures for IPV6 traffic

    Configure an access-list matching the interesting traffic for the packet capture:

    ipv6 access-list tacin permit ip host 2410:108:4000:a000::1 host 2410:108:4000:a000::2
    ipv6 access-list tacin permit ip host 2410:108:4000:a000::2 host 2410:108:4000:a000::1

    Create the capture on the interface using that access-list (the inside interface is assumed here), then display what was captured:

    capture capin interface inside access-list tacin
    sh cap capin detail

    IPV6 related defects:

    CSCth46161 Transparent mode ASA does not pass IPv6 Router Advertisement packet
    CSCte44112 "icmp-type" object groups can be erroneously used with the IPv6 ACL
    CSCte51194 IPv6: Multiple equal cost routes not working
    CSCtd34024 ASA not getting IPv6 ND sollicitation on subinterfaces

    http://tools.cisco.com/Support/BugToolKit/

    Go to the link above, log in with your CCO ID, and enter the defect IDs listed above to read more details.


    Comments

    dibyam-baral Fri, 10/25/2013 - 09:14

    Is it possible to convert an IPv4 address to an IPv6 address when we configure a Cisco router with IPv4 on one end and it provides IPv6 as output on the other end?

    If so then please help me with that command...
