Cisco ASA: IPv6 Quick Start

Mar 31, 2011 11:15 AM

Author: Scott Nishimura.

IPv6 Feature Support on the Cisco ASA Firewall

There has been a lot of discussion recently about the push towards IPv6.  On the ASA firewall, IPv6 feature support has been available for some time and can be set up quickly.  This document focuses on a basic ASA setup for a native IPv6 network.  As you will see, very few commands are required to have your ASA firewall join an IPv6-ready network.

Here is a quick way to configure your ASA firewall for IPv6 connectivity.

BASIC CONFIGURATION

STEP#1 - Enable IPv6 on the interface and configure the global IPv6 address.

interface vlan 2
  ipv6 enable
  ipv6 address 2001:db8:2:3::1/64

This assigns the IPv6 global address to the interface.  When you enter ipv6 enable, a link-local address is generated automatically (it is derived from the interface's MAC address).  With the ipv6 address command above you are specifying the global address manually; the ASA also supports autoconfig, which derives a stateless address from Router Advertisement (RA) messages.

For more details, you can review the following reference guide document:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/i3.html#wp1897428

STEP#2 - Verify IPv6 configuration.

show ipv6 interface

Example:

outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::21e:7aff:fe11:45c
  Global unicast address(es):
    2001:db8:2:3::1, subnet is 2001:db8:2:3::/64
  Joined group address(es):
    ff02::1
    ff02::2
    ff02::1:ff00:1
    ff02::1:ff11:45c
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses
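Everything in the address and group section of that output can be predicted from the interface's own addresses, which makes it a useful sanity check. The Python below is an added example (not part of the original document and not a Cisco tool): it computes the link-local address that ipv6 enable derives from the MAC via modified EUI-64, the solicited-node multicast group for each unicast address, and compares the result with the joined-group list in the sample output. The MAC 00:1e:7a:11:04:5c is reconstructed here by reversing EUI-64 on the sample link-local address; the line-by-line layout the parser expects is an assumption based on the output shown above.

```python
import ipaddress

# Constructed for this example: the MAC is recovered from the page's sample
# link-local address fe80::21e:7aff:fe11:45c by reversing modified EUI-64.
SAMPLE_MAC = "00:1e:7a:11:04:5c"
SAMPLE_GLOBALS = ["2001:db8:2:3::1"]

# Copied from the page's "show ipv6 interface" example (trimmed after the groups).
SAMPLE_SHOW_OUTPUT = """\
outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::21e:7aff:fe11:45c
  Global unicast address(es):
    2001:db8:2:3::1, subnet is 2001:db8:2:3::/64
  Joined group address(es):
    ff02::1
    ff02::2
    ff02::1:ff00:1
    ff02::1:ff11:45c
  ICMP error messages limited to one every 100 milliseconds
"""


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A):
    flip the universal/local bit of the first octet and insert ff:fe in the middle."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")


def link_local_from_mac(mac):
    """fe80::/64 with the EUI-64 interface identifier, in compressed notation."""
    return str(ipaddress.IPv6Address((0xFE80 << 112) | eui64_interface_id(mac)))


def solicited_node(addr):
    """Solicited-node multicast address (RFC 4291 2.7.1): ff02::1:ff00:0/104
    with the low 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    base = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
    return str(ipaddress.IPv6Address(base | low24))


def expected_groups(mac, global_addrs):
    """Multicast groups an ASA interface that sends RAs should have joined."""
    groups = {"ff02::1", "ff02::2"}  # all-nodes, and all-routers because the ASA sends RAs
    groups.add(solicited_node(link_local_from_mac(mac)))
    groups.update(solicited_node(a) for a in global_addrs)
    return groups


def parse_joined_groups(show_output):
    """Collect the addresses listed under 'Joined group address(es):'."""
    groups, in_section = set(), False
    for line in show_output.splitlines():
        text = line.strip()
        if text.startswith("Joined group address"):
            in_section = True
            continue
        if in_section:
            try:
                groups.add(str(ipaddress.IPv6Address(text)))
            except ValueError:
                break  # the first non-address line ends the section
    return groups


def check_interface(mac, global_addrs, show_output):
    """Return (missing, unexpected) groups relative to what the addresses imply."""
    want = expected_groups(mac, global_addrs)
    have = parse_joined_groups(show_output)
    return sorted(want - have), sorted(have - want)


if __name__ == "__main__":
    print("link-local:", link_local_from_mac(SAMPLE_MAC))
    print("missing/unexpected groups:", check_interface(SAMPLE_MAC, SAMPLE_GLOBALS, SAMPLE_SHOW_OUTPUT))
```

Run against the sample output both lists come back empty: ff02::1:ff11:45c is the solicited-node group of the link-local address and ff02::1:ff00:1 that of 2001:db8:2:3::1. A group missing from the joined list on a real box would mean DAD or the address itself did not complete; an unexpected one would point at an address you did not know was configured.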

STEP#3 - Define an IPv6 default route.

ipv6 route outside ::/0 next_hop_ipv6_addr

Using ::/0 is equivalent to "any", i.e. the default route.  The ipv6 route command is functionally similar to the IPv4 route command; next_hop_ipv6_addr is the address of your upstream IPv6 router reachable on the outside interface.

STEP#4 - Define IPv6 access-lists (optional).

IPv6 access-lists are functionally the same as IPv4 access-lists.  Entries are parsed sequentially, the first matching entry decides, and there is an implicit deny at the end.

Example:

ipv6 access-list test permit tcp any host 2001:db8::203:A0FF:FED6:162D
access-group test in interface outside

The above permits TCP traffic from any source to the specific server 2001:db8::203:A0FF:FED6:162D; any other traffic entering the outside interface is dropped by the implicit deny.

SECURING THE FIREWALL:

If you plan to use autoconfig for the IPv6 global address on the ASA, you should restrict router advertisements (RA) to the known routers in your network.  This helps prevent the ASA from being autoconfigured by an unknown (rogue) router.

ipv6 access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement
ipv6 access-list outsideACL deny icmp6 any any router-advertisement
access-group outsideACL in interface outside

interface vlan2
  nameif outside
  security-level 0
  ipv6 address autoconfig
  ipv6 enable

When applied, the above access-list allows the ASA to accept router advertisements (RA) only from the router specified.  RAs from all other sources are denied.
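The RA filter above and the server access-list in step 4 rely on the same evaluation rule: entries are checked in the order they were entered, the first match decides, and anything unmatched hits the implicit deny. The Python below is an added example (not part of the original document and not a Cisco tool) that parses the access-list lines exactly as written on this page and evaluates candidate packets against them, so you can see which entry a given RA or TCP flow hits, that an unmatched flow falls to the implicit deny, and that reversing the two outsideACL lines would deny the known router. The source and destination addresses in the usage section are constructed, and the parser only understands the address forms used here (any, host ADDR, PREFIX/LEN) plus an optional ICMPv6 type name.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input: the access-list lines from this document, verbatim.
ACL_CONFIG = """
ipv6 access-list outsideACL permit icmp6 host fe80::21e:7bff:fe10:10c any router-advertisement
ipv6 access-list outsideACL deny icmp6 any any router-advertisement
ipv6 access-list test permit tcp any host 2001:db8::203:A0FF:FED6:162D
"""


@dataclass
class Ace:
    """One access-control entry of an ipv6 access-list."""
    name: str
    action: str            # "permit" or "deny"
    proto: str             # "icmp6", "tcp", ...
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    icmp_type: Optional[str]   # e.g. "router-advertisement"; None means any type


def _take_addr_spec(tokens):
    """Consume one ASA address spec from the front of tokens: any | host ADDR | PREFIX/LEN."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv6Network("::/0")
    if t == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    return ipaddress.IPv6Network(t, strict=False)


def parse_ace(line):
    """Parse 'ipv6 access-list NAME ACTION PROTO SRC DST [ICMP-TYPE]'."""
    tokens = line.split()
    if tokens[:2] != ["ipv6", "access-list"] or len(tokens) < 7:
        raise ValueError(f"not an ipv6 access-list entry: {line!r}")
    name, action, proto, rest = tokens[2], tokens[3], tokens[4], tokens[5:]
    src = _take_addr_spec(rest)
    dst = _take_addr_spec(rest)
    icmp_type = rest[0] if proto == "icmp6" and rest else None
    return Ace(name, action, proto, src, dst, icmp_type)


def parse_acls(config):
    """Group entries by access-list name, preserving the order they were entered."""
    acls = {}
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("ipv6 access-list"):
            ace = parse_ace(line)
            acls.setdefault(ace.name, []).append(ace)
    return acls


def evaluate(aces, proto, src, dst, icmp_type=None):
    """Sequential evaluation: the first matching entry decides and its position is
    returned; no match falls through to the implicit deny (position None)."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for position, ace in enumerate(aces, start=1):
        if ace.proto != proto or s not in ace.src or d not in ace.dst:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, position
    return "deny", None


if __name__ == "__main__":
    acls = parse_acls(ACL_CONFIG)
    ra_from_known = ("icmp6", "fe80::21e:7bff:fe10:10c", "ff02::1", "router-advertisement")
    ra_from_other = ("icmp6", "fe80::1", "ff02::1", "router-advertisement")
    print("known router RA :", evaluate(acls["outsideACL"], *ra_from_known))
    print("other router RA :", evaluate(acls["outsideACL"], *ra_from_other))
    print("reversed order  :", evaluate(list(reversed(acls["outsideACL"])), *ra_from_known))
    print("tcp to server   :", evaluate(acls["test"], "tcp", "2001:db8:9::5", "2001:db8::203:a0ff:fed6:162d"))
    print("tcp elsewhere   :", evaluate(acls["test"], "tcp", "2001:db8:9::5", "2001:db8::203:a0ff:fed6:162e"))
```

The position returned with each verdict is what you would look for in hit counts on the device: if the known router's RAs are matching line 2 rather than line 1, the permitted link-local address in the access-list does not match the address the router actually sources its RAs from.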

If you wish to prevent the ASA from sending out router advertisements (RA) on a specific interface, you may suppress them with the following interface command:

interface vlan2
  ipv6 nd suppress-ra

Neighbor discovery continues to operate even though RA suppression has been configured.

For further information, please check out the following documentation on cisco.com:

ASA 8.3 IPv6 configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa83/configuration/guide/config.html

ASA 8.3 IPv6 command reference:

http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/i3.html

Cisco Support Community:

https://supportforums.cisco.com


Comments

mhankus Sun, 04/03/2011 - 15:52

Adding more details about ICMP would be a good thing, for example what should be allowed and what should be blocked for an inside HTTP server protected by the ASA.

Marvin Rhoads Sat, 12/31/2011 - 10:38

Wondering when OSPF v3 will be supported on the ASA so that one can actually participate in an IPv6 routing protocol.
