Cisco 5505 and Microsoft DirectAccess

Does anyone have a complete list of what parameters need to be enabled/set on an ASA 5505 so MS DirectAccess is happy?

I can't be the only one wanting to place a 5505 in front of the DA Server.

3 REPLIES
If you are using the ASA to

If you are using the ASA to perform NAT, you'll only need to allow inbound TCP 443. If you are routing to the DirectAccess server or have the ASA configured in transparent firewall mode, then you'll need to allow inbound IP protocol 41, and inbound UDP 3544. If your ASA and your DirectAccess clients are on the IPv6 Internet, you will also need to allow inbound IP protocol 50, inbound UDP 500, and all ICMPv6 traffic.

Richard Hicks - directaccess.richardhicks.com

Thanks for the reply Richard

Thanks for the reply, Richard. You bring up an interesting question that stumped the Cisco tech I contacted, and that is how to allow inbound protocol 41.

Do you know the specific CLI command for that particular subject?

CiscoAsa

This article explains how to configure a Cisco ASA for protocol-41.


Prerequisites for this article:

  • IOS 7.2(4) not working (asa724-k8.bin) (asdm-524.bin)
  • IOS 8.0(2) not working (asa802-k8.bin) (asdm-625.bin)
  • IOS 8.3(1) working (asa831-k8.bin) (asdm-631.bin)
  • IOS 8.4(1) working (asa841-k8.bin) (asdm-641.bin)
  • A working internal tunnel end-point running IPv6-in-IPv4 tunnel software. I have used a Linux server running Debian GNU/Linux 5.0 with the aiccu package. If you want to use a subnet, you also need the radvd package.
  • SSH access to the ASA.


Configuration setup I used:

  • IP address of the internal Debian machine is 192.168.35.18
  • I am using the outside interface of the ASA for translation; I only have one public IP.


Define a new protocol object group

conf t
 object-group protocol IPv6inIPv4
  protocol-object 41
 end
wr mem

Define the internal Linux Debian host

conf t
 object network IPv6_HOST
  host 192.168.35.18
 end
wr mem

Define the POP that you are using

conf t
 object network IPv6_POP
  host 192.87.102.107
 end
wr mem

With the new version of IOS 8.3, configuring a NAT rule has changed. You are now able to NAT specific source and destination traffic; this is what we need to make the IPv6-in-IPv4 tunnel work and to let protocol 41 flow through the ASA. Make sure this line is the first one in your NAT configuration; it should be on top of the rest! (Add NAT Rule Before "Network Object" NAT Rules...)

conf t
 ! source/destination (twice) NAT is entered in global configuration, not under
 ! "object network"; the line number 1 places it at the top of section 1
 nat (inside,outside) 1 source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
 end
wr mem

Open up your firewall and let protocol 41 flow between the internal Debian host and the POP. I have put these lines at position one, the first line on the interface.

conf t
 access-list inside_access_in extended permit object-group IPv6inIPv4 object IPv6_HOST object IPv6_POP
 access-list outside_access_in extended permit object-group IPv6inIPv4 object IPv6_POP object IPv6_HOST
 end
wr mem

Now you should be able to configure the tunnel on the Debian box or any other machine on which you are planning the tunnel end-point.

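A small checker that reads ASA access-list and protocol object-group lines (the syntax from the post above) and reports which of the inbound rules from Richard Hicks' reply are missing for a given deployment mode, plus any permit-everything rule. This is an added example, not code from the thread; SAMPLE_CONFIG, DA_SERVER and the ACL name are constructed.

```python
# Added example (not from this thread): check an ASA access-list for the inbound
# rules a DirectAccess server needs, per Richard Hicks' reply. SAMPLE_CONFIG is constructed.
PORT_NAMES = {"https": 443, "isakmp": 500}   # service names the ASA prints for these ports
PROTO_NAMES = {"50": "esp", "58": "icmp6"}   # numeric protocols the ASA prints by name
REQUIRED = {  # minimum inbound rules per mode as (protocol, port); None = whole protocol
    "nat": {("tcp", 443)},                                # ASA NATs to the DA server
    "routed": {("41", None), ("udp", 3544)},              # routed or transparent mode
    "ipv6": {("41", None), ("udp", 3544), ("esp", None), ("udp", 500), ("icmp6", None)},
}

def parse_protocol_groups(config):
    # map each 'object-group protocol NAME' to the set of protocols it contains
    groups, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["object-group", "protocol"]:
            current = t[2]
            groups[current] = set()
        elif current and t[:1] == ["protocol-object"]:
            groups[current].add(PROTO_NAMES.get(t[1], t[1]))
        elif t and not line.startswith(" "):             # any other top-level line ends the group
            current = None
    return groups

def permitted(config, acl_name):
    # returns ({(proto, port)} the ACL permits, [rules that permit ip from any to any])
    groups = parse_protocol_groups(config)
    allowed, broad = set(), []
    for line in config.splitlines():
        t = line.split()
        if t[:4] != ["access-list", acl_name, "extended", "permit"]:
            continue
        protos = groups.get(t[5], set()) if t[4] == "object-group" else {PROTO_NAMES.get(t[4], t[4])}
        port = PORT_NAMES.get(t[-1], t[-1]) if t[-2] == "eq" else None   # trailing 'eq PORT'
        port = int(port) if str(port).isdigit() else port
        allowed.update((p, port) for p in protos)
        if t[4] == "ip" and t[5].startswith("any") and t[6].startswith("any"):
            broad.append(" ".join(t))                    # DirectAccess never needs this; flag it
    return allowed, broad

def missing_rules(config, acl_name, mode):
    # required (proto, port) rules for MODE ('nat', 'routed', 'ipv6') the ACL does not permit
    return sorted(REQUIRED[mode] - permitted(config, acl_name)[0], key=str)

SAMPLE_CONFIG = """\
object-group protocol IPv6inIPv4
 protocol-object 41
access-list outside_access_in extended permit tcp any object DA_SERVER eq https
access-list outside_access_in extended permit object-group IPv6inIPv4 any object DA_SERVER
access-list outside_access_in extended permit udp any object DA_SERVER eq 3544
access-list outside_access_in extended permit ip any any
"""
```

Run it against the output of `show running-config` on your own ASA; for the constructed sample it reports nothing missing for the NAT and routed modes, three rules missing for the IPv6 mode, and flags the final `permit ip any any` line.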