- Cisco Employee,
Author: Scott Nishimura.
Updated: Abishek Singh June 2015
Updated: Phillip Remaker August 2016 for 9.6(2) DHCP-PD client feature.
IPv6 Feature Support on the Cisco ASA Firewall
ASA supports IPv6 and it can be setup very easily and quickly. This document focuses on a basic ASA setup for a native IPv6 network. As you will see, there are very few commands required to have your ASA firewall join an IPv6 ready network.
Here is a quick way to configure up your ASA firewall for IPv6 connectivity.
In this step we assign a link local address to the interface. There are 2 ways to assign a link local address to the interface
Configure the interface to generate a link local address from its MAC address.
interface GigabitEthernet 0/0 no shutdown nameif inside ipv6 enable
When you enter IPv6 enable, a link local address is automatically generated (this is based on your mac address).
Configure a link local address manually.
interface GigabitEthernet 0/0 no shutdown nameif inside ipv6 address <ipv6-address> link-local
Using the above command you can assign a link local address to the interface manually.
You can verify the link local address by executing the “show ipv6 interface” command.
Next we have to assign the global address to the interface. There are 2 ways of doing this.
You can manually assign a global IPv6 address to the interface.
interface GigabitEthernet 0/0 ipv6 address 2001::db8:2:3::1/64
With the IPv6 address command above, you are manually specifying the global IPv6 address for the interface. You can specify more than one IPv6 addresses for the interface using the command.
You can configure the interface to obtain the address automatically using stateless address autoconfiguration.
interface GigabitEthernet 0/0 ipv6 address autoconfig
Enabling stateless autoconfiguration on the interface configures IPv6 addresses based on prefixes received in Router Advertisement messages.
NOTE: There was a defect (CSCuq62164) in the ASA software that caused the ASA to not assign an address if it received a RA message with both the M and A flags set. This has been fixed in 9.3(1) release and hence we recommend this version if you intend to use SLAAC for configuring the address on ASA interfaces.
Verify IPv6 configuration.
show ipv6 interface inside is up, line protocol is up IPv6 is enabled, link-local address is fe80::e6c7:22ff:fe84:eb2 Global unicast address(es): 2001:db8:2:3::1, subnet is 2001:db8:2:3::/64 Joined group address(es): ff02::1:ff00:1 ff02::1:ff84:eb2 ff02::2 ff02::1 ICMP error messages limited to one every 100 milliseconds ICMP redirects are enabled ND DAD is enabled, number of DAD attempts: 1 ND reachable time is 30000 milliseconds ND advertised reachable time is 0 milliseconds ND advertised retransmit interval is 1000 milliseconds ND router advertisements are sent every 200 seconds ND router advertisements live for 1800 seconds Hosts use stateless autoconfig for addresses.
Step 4 (Optional)
Suppress Router Advertisement messages on an interface.
By default, Router Advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the security appliance to supply the IPv6 prefix (for example, the outside interface).
Enter the following command to suppress Router Advertisement messages on an interface:
ipv6 nd suppress-ra
Neighbor discovery will continue to be operational even though RA suppression has been configured.
Define an IPv6 default route.
ipv6 route outside ::/0 next_hop_ipv6_addr
Using ::/0 is equivalent to “any”. The IPv6 route command is functionally similar to the IPv4 route.
Using the regular access-list command define the access-lists with IPv6 addresses in them so as to permit the required traffic to flow through the ASA.
access-list test permit tcp any host 2001:db8::203:a0ff:fed6:162d access-group test in interface outside
The above is permitting traffic to a specific server 2001:db8::203:a0ff:fed6:162d.
SECURING THE FIREWALL
If you plan to configure autoconfig for the IPv6 global address on the ASA, you should limit the amount of router advertisements (RA) to known routers in your network. This will help prevent the ASA from being auto configured from unknown routers.
access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement access-list outsideACL deny icmp6 any any router-advertisement access-group outsideACL in interface outside interface GigabitEthernet 0/0 nameif outside security-level 0 ipv6 address autoconfig ipv6 enable
The above access-list when applied on the ASA will limit receiving router advertisements (RA) from only the router specified. All other RAs will be denied.
Configuring ASA to help autoconfigure IPv6 addresses on hosts behind the ASA
The hosts in the network behind the ASA might be configured to autoconfigure their IPv6 address. Dynamic address assignment happens in 2 ways on IPv6 networks. It could either be a stateful address assignment or stateless address assignment.
Stateful dynamic address assignment
For stateful address assignment, a DHCPv6 server needs to be configured on the network that can assign address to hosts upon request. ASA currently does not have the ability to host a DHCPv6 server on its interfaces. But the ASA can act as a DHCPv6 relay agent. In order to enable stateful dynamic address assignment to hosts behind the ASA, the DHCPv6 relay agent needs to be configured on the ASA.
To configure the DHCPv6 relay agent the following configuration is needed:
ipv6 dhcprelay server 2001:db8:c18:6:a8bb:ccff:fe03:2701 ipv6 dhcprelay enable inside
The first command specifies the address of a DHCPv6 server to which the DHCP requests are forwarded. The command also accepts an optional interface name that specifies the output interface for the destination. The second command enables DHCP relay on an interface. When DHCP relay is enabled on an interface, all the DHCP requests coming on that interface get forwarded to the configured DHCP server.
Stateless dynamic address assignment
In Stateless Autoconfiguration (SLAAC) the client picks up its own address based on the prefix being advertised by the ASA. The prefix is advertised by means of an IPv6 router advertisement. ASA sends out IPv6 router advertisements by default from any interface on which a global IPv6 address is configured. Additionally, a DHCPv6 relay agent can be configured to point to a DHCPv6 server that can advertise a DNS server address and a domain name only.
IPv6 Prefix delegation
ASA added support for a DHCP-PD client in 9.6(2) .This feature is documented at http://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/ge... under the heading Configure the IPv6 Prefix Delegation Client.
Prior to 9.6(2), ff the network behind the ASA requires to be assigned IPv6 addresses based on the prefix delegated by a delegation router, then we need to place an ASA between the provider edge (PE) router and the IPv6 capable customer premise router. The ASA must be in transparent mode. This way the ASA protects the entire IPv6 network, including the infrastructure router, on the customer premises. All ICMP6 traffic must be permitted on the ASA running in transparent mode.
The following must be configured on the ASA:
firewall transparent interface BVI1 no ip address ipv6 enable interface GigabitEthernet0/0 nameif outside bridge-group 1 security-level 0 interface GigabitEthernet0/1 nameif inside bridge-group 1 security-level 100 access-list permit_icmp6 extended permit icmp6 any6 any6 access-group permit_icmp6 global
This example uses a link-local IPv6 address on the BVI interface. You can also configure an explicit IPv6 address for in-band management purposes.