Cisco Support Community
New Member

ASA IPv6 routing (very simple routing, but it does not work)

Hi guys,

My question is connected with IPv6 routing and ASA.

My simple lab network topology:

PC======ASA 5520=======Router 2801

I've assigned following IPv6 Subnets:

PC-ASA:

Network is 2001::3000:100:/104

ASA has 2001::3000:101:1/104

PC has 2001::3000:133:136/104 (default gateway is 2001::3000:101:1)

ASA-Router:

Network is FC00:1::/32

ASA has FC00:1::1/32

Router has FC00:1::101/32 (default gateway is FC00:1::1)

PC can ping its IPv6 gateway

Router can ping its IPv6 gateway

The problem is that PC can't ping (establish tcp connections, etc) Router and vice versa.

ASA can ping both of them.

When I use 'packet-trace' command on ASA it says that connections are allowed.

PC firewall is disabled. Router does not have any IPv6 access-list.

ASA has two IPv6 access-list for both interfaces with following rules:

permit ip any any

permit icmp any any

I also used commands 'ipv6 icmp permit any INT1' and 'ipv6 icmp permit any INT2'.

What is the problem in my situation? Why can't the PC and Router communicate?

I thought that I have to enable IPv6 routing on ASA, but I do not know how to do this.

When I do 'show ipv6 interface' I get:

INT1 [up/up]

.....

INT2 [up/up]

ASA firmware is 8.2. PC is Windows 7. Router is 12.4.

12 REPLIES
Cisco Employee

Re: ASA IPv6 routing (very simple routing, but it does not work)

Hi,

Please look at the following link, it shows how to put a default router for IPv6 addresses http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/i3.html#wp1880507

I hope this helps.

Thanks,

Namit

New Member

Re: ASA IPv6 routing (very simple routing, but it does not work)

How can it be helpful?

ASA does not need default routes. It's directly connected to the PC and Router networks.

asa5520# show ipv6 route

C   2001::3000:100:0/104 [0/0]
     via ::, INT1

C   fc00:1::/32 [0/0]
     via ::, INT2

Router has its default route:

1#sh run | in route

ipv6 route ::/0 FastEthernet0/0.7

#show ipv6 route

S   ::/0 [1/0]
     via ::, FastEthernet0/0.7

PC also has its default gateway.

Cisco Employee

Re: ASA IPv6 routing (very simple routing, but it does not work)

Hi,

Apologies for that. I misunderstood the problem. Just confirming the topology is PC----ASA----ROUTER. PC can ping ASA and vice versa. ASA can ping router and vice versa. The PC cannot ping the router but the ASA can ping both. Could you please provide the running config on the ASA? Also, when you run pings from the PC, please run the command "debug icmp trace"; using this we can see if pings are reaching the ASA. Please use this only if you DO NOT have a lot of ICMP traffic flowing. To disable this, use "un all".

Thanks,

Namit

New Member

Re: ASA IPv6 routing (very simple routing, but it does not work)

Thank you for your response.

I can not provide a full ASA config as it has a lot of information.

Below IPv6 related information:

:
ASA Version 8.2(2)17
!
...
!
interface GigabitEthernet0/1
nameif INT1
security-level 0
ipv6 address 2001::3000:101:1/104
ipv6 enable 
!
...
!
interface GigabitEthernet0/2.7
vlan 7      
nameif INT2  
security-level 0
ipv6 address fc00:1::1/32
ipv6 enable 
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
...
...
ipv6 icmp permit any INT1
ipv6 icmp permit any INT2
...
ipv6 access-list INT1v6_access_in permit ip any any
ipv6 access-list INT1v6_access_in permit icmp any any
ipv6 access-list INT2v6_access_in permit ip any any
ipv6 access-list INT2v6_access_in permit icmp any any
...
access-group INT1v6_access_in in interface INT1
access-group INT2v6_access_in in interface INT2

New Member

Re: ASA IPv6 routing (very simple routing, but it does not work)

Ping traces.

I tried to ping Router from PC (Windows 7).

Windows 7 has following IPv6 addresses:

   IPv6 Address. . . . . . . . . . . : 2001::3000:133:136(Preferred)   <<== this one I've assigned manually

   IPv6 Address. . . . . . . . . . . : 2001::30:11:8daa:f149:c8f4:cce9(Preferred)

   Temporary IPv6 Address. . . . . . : 2001::30:11:28b2:673b:fe27:ab66(Preferred)

   Link-local IPv6 Address . . . . . : fe80::8daa:f149:c8f4:cce9%11(Preferred)

On ASA:

ICMPV6 echo request from INT1:2001::30:11:28b2:673b:fe27:ab66 to INT2:fc00:1::101

ICMPV6 echo request from INT1:2001::30:11:28b2:673b:fe27:ab66 to INT2:fc00:1::101

ICMPV6 echo request from INT1:2001::30:11:28b2:673b:fe27:ab66 to INT2:fc00:1::101

ICMPV6 echo request from INT1:2001::30:11:28b2:673b:fe27:ab66 to INT2:fc00:1::101

On Router:

*Oct  1 06:26:50.054: ICMPv6: Received echo request from 2001::30:11:28B2:673B:FE27:AB66

*Oct  1 06:26:50.054: ICMPv6: Sending echo reply to 2001::30:11:28B2:673B:FE27:AB66

*Oct  1 06:26:55.054: ICMPv6: Received echo request from 2001::30:11:28B2:673B:FE27:AB66

*Oct  1 06:26:55.054: ICMPv6: Sending echo reply to 2001::30:11:28B2:673B:FE27:AB66
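
Added example (not part of any post in this thread): a Python check that runs every address in the debug output above through a longest-prefix match against the connected routes from the ASA's `show ipv6 route`. The routes and log lines are copied from the thread; the function names are hypothetical.

```python
import ipaddress

# Connected routes copied from the ASA's `show ipv6 route` output in the thread.
ASA_ROUTES = {
    "2001::3000:100:0/104": "INT1",
    "fc00:1::/32": "INT2",
}

# Debug lines copied from the thread (ASA `debug icmp trace`, router ICMPv6 debug).
DEBUG_LINES = [
    "ICMPV6 echo request from INT1:2001::30:11:28b2:673b:fe27:ab66 to INT2:fc00:1::101",
    "*Oct  1 06:26:50.054: ICMPv6: Received echo request from 2001::30:11:28B2:673B:FE27:AB66",
    "*Oct  1 06:26:50.054: ICMPv6: Sending echo reply to 2001::30:11:28B2:673B:FE27:AB66",
]


def parse_addr(token):
    """Return an IPv6Address from a bare or 'nameif:'-prefixed token, else None."""
    # Try the token as-is first, then with the ASA interface name stripped.
    for candidate in (token, token.partition(":")[2]):
        try:
            return ipaddress.IPv6Address(candidate)
        except ValueError:
            continue
    return None


def lookup(addr, routes=ASA_ROUTES):
    """Longest-prefix match: (prefix, interface), or None if no route covers addr."""
    hits = [(ipaddress.IPv6Network(p), ifc) for p, ifc in routes.items()
            if addr in ipaddress.IPv6Network(p)]
    if not hits:
        return None
    net, ifc = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), ifc


def unroutable(lines, routes=ASA_ROUTES):
    """Addresses seen in the debug output that no route in the table covers."""
    seen = set()
    for line in lines:
        for token in line.split():
            addr = parse_addr(token)
            if addr is not None and lookup(addr, routes) is None:
                seen.add(str(addr))
    return sorted(seen)


if __name__ == "__main__":
    for a in unroutable(DEBUG_LINES):
        print("no route on ASA for", a)
```

On the thread's data this reports the address the pings were sourced from, 2001::30:11:28b2:673b:fe27:ab66, as outside both connected prefixes, while the manually assigned 2001::3000:133:136 falls inside 2001::3000:100:0/104.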

New Member

Re: ASA IPv6 routing (very simple routing, but it does not work)

Any solution for this? I've got exactly the same trouble...

New Member

Re: ASA IPv6 routing (very simple routing, but it does not work)

My problem was the wrong IPv6 allocation.

Be sure that you don't use IPv6 subnetworks with prefixes lower than /64.

I tried to use /104.

IPv6 was designed for using at least a /64 subnet mask. Much network hardware was designed to do so.

Even for point to point links.

New Member

Re: ASA IPv6 routing (very simple routing, but it does not work)

You can use other subnets besides /64 on an ASA. IPv6 uses /64 for neat features like auto-discovery, but you can use anything you want if you don't care about that. I usually use /80s and /96s (all taken from a subnetted /64) for testing. I haven't had any problem doing that on FWSMs and other Cisco gear.

If I understand your situation correctly, though, you had your router on one subnet, your ASA on another subnet, and your PC on a third subnet, then you were pointing your PC's default gateway to the ASA. My guess is that it figured out how to reach it through the link-local address that was auto-assigned, but when it tried to get farther than the ASA it didn't know where to go and was dying. The same goes for the router trying to talk back to the PC.

This sort of scenario may have worked:

Subnet 1: 2001::3000:100::/104

Subnet 2: 2001::3000:101::/104

Router: 2001::3000:100::1/104
ASA INT1 interface: 2001::3000:100::2/104

ASA INT2 interface: 2001::3000:101::1/104

PC: 2001::3000:101::2/104

PC Default gateway: 2001::3000:101::1/104 (or the link-local address on the INT2 interface)

Perhaps when you reverted to a /64 it all sorted itself out thanks to auto-discovery, but I'm just speculating. I'm no expert on IPv6.

Hope that helps...

New Member

Re: ASA IPv6 routing (very simple routing, but it does not work)

All I knew from working with IPv6 is: don't use less than /64 for hosts, even if it works sometimes.

RFCs about IPv6 say the same.

Anyway, thanks for your post.

New Member

Re: ASA IPv6 routing (very simple routing, but it does not work)

No RFC says that IPv6 only works sometimes when using a non-/64 subnet. TCP/IP either works or it doesn't, it's not intermittent. Certain features are designed around using a /64, but you can use whatever you want if you don't care about those things.

Just trying to help; you can feel free to not believe me if you like. It sounds like you got your issue sorted out and that's what matters.

New Member

Re: ASA IPv6 routing (very simple routing, but it does not work)

I believe you guys

In the meantime I found my problem. I forgot the routing entry in the external router pointing to my ASA-inside network. Now it works.

Thanks

New Member

Re: ASA IPv6 routing (very simple routing, but it does not work)

Ahhh, that would cause an issue. I did the same thing the other day. I couldn't figure out why a load balancer could talk through my firewall, only to remember that I had stripped out the routes in order to start over from scratch and forgot to add them back in. Whoops!
