If you are using the ASA to perform NAT, you'll only need to allow inbound TCP 443. If you are routing to the DirectAccess server or have the ASA configured in transparent firewall mode, then you'll need to allow inbound IP protocol 41, and inbound UDP 3544. If your ASA and your DirectAccess clients are on the IPv6 Internet, you will also need to allow inbound IP protocol 50, inbound UDP 500, and all ICMPv6 traffic.
This article explains how to configure a Cisco ASA to pass IP protocol 41 (IPv6-in-IPv4 tunnelling).
Prerequisites for this article:
IOS 7.2(4) not working (asa724-k8.bin) (asdm-524.bin)
IOS 8.0(2) not working (asa802-k8.bin) (asdm-625.bin)
IOS 8.3(1) working (asa831-k8.bin) (asdm-631.bin)
IOS 8.4(1) working (asa841-k8.bin) (asdm-641.bin)
A working internal tunnel end-point running IPv6-in-IPv4 tunnel software. I have used a Linux server running Debian GNU/Linux 5.0 with the aiccu package. If you want to use a subnet, you also need the radvd package.
SSH access to the ASA.
Configuration setup I used:
IP address of the internal Debian machine is 192.168.35.18
I am using the outside interface of the ASA for translation; I only have one public IP.
Define a new protocol object group that contains only IP protocol 41 (IPv6-in-IPv4):
object-group protocol IPv6inIPv4
 protocol-object 41
Define the internal Linux Debian host:
object network IPv6_HOST
 host 192.168.35.18
Define the POP (tunnel broker end-point) that you are using; replace the placeholder with your POP's IPv4 address:
object network IPv6_POP
 host <POP-IPv4-address>
With the new version of IOS 8.3, configuring a NAT rule has changed. You are now able to NAT specific source and destination traffic (twice NAT, also called manual NAT); this is what we need to make the IPv6-IPv4 tunnel work and to let protocol 41 flow through the ASA. Make sure this line is the first one in your NAT configuration; it must be on top of the rest (in ASDM: "Add NAT Rule Before 'Network Object' NAT Rules...").
nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
Open up your firewall and let protocol 41 flow between the internal Debian host and the POP. I have put these lines at position one, the first line on the interface.
access-list inside_access_in line 1 extended permit object-group IPv6inIPv4 object IPv6_HOST object IPv6_POP
access-list outside_access_in line 1 extended permit object-group IPv6inIPv4 object IPv6_POP object IPv6_HOST
Now you should be able to configure the tunnel on the Debian box, or on any other machine you plan to use as the tunnel end-point.
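As an added check (example code written for this article, not part of the original post and not Cisco tooling), the Python script below audits a saved ASA 8.3+ configuration for the three properties the NAT and access-list steps above rely on: the protocol object-group contains only protocol 41, the host-to-POP twice NAT rule is the first section-1 rule, and both access-lists permit protocol 41 only between the named host and POP objects rather than from `any`. The two configuration samples are constructed for the example; 203.0.113.10 stands in for the POP address, and the object and ACL names follow the ones used above.

```python
from dataclasses import dataclass, field

# Constructed ASA 8.3+ running-config excerpt (not the article's own config);
# 203.0.113.10 is a documentation-range placeholder for the POP address.
SAMPLE_GOOD = """
object-group protocol IPv6inIPv4
 protocol-object 41
object network IPv6_HOST
 host 192.168.35.18
object network IPv6_POP
 host 203.0.113.10
access-list inside_access_in extended permit object-group IPv6inIPv4 object IPv6_HOST object IPv6_POP
access-list inside_access_in extended permit ip any any
access-list outside_access_in line 1 extended permit object-group IPv6inIPv4 object IPv6_POP object IPv6_HOST
nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
object network INSIDE_NET
 subnet 192.168.35.0 255.255.255.0
 nat (inside,outside) dynamic interface
"""

# Constructed counter-example: a PAT rule is placed ahead of the tunnel rule in section 1,
# and the outside ACL admits protocol 41 from any source instead of only the POP.
SAMPLE_BAD = SAMPLE_GOOD.replace(
    "nat (inside,outside) source static",
    "nat (inside,outside) source dynamic INSIDE_NET interface\nnat (inside,outside) source static",
).replace("object IPv6_POP object IPv6_HOST", "any object IPv6_HOST")

@dataclass
class AsaConfig:
    protocol_groups: dict = field(default_factory=dict)  # group name -> set of protocol tokens
    manual_nat: list = field(default_factory=list)       # section-1 twice NAT rules, in config order
    acls: dict = field(default_factory=dict)             # ACL name -> list of parsed ACEs

def _take_endpoint(rest, i):
    """Consume one ACE endpoint: 'any*' is one token; object/object-group/host/net-mask are two."""
    if rest[i] in ("any", "any4", "any6"):
        return rest[i], i + 1
    return " ".join(rest[i:i + 2]), i + 2

def _parse_ace(tokens):
    """Parse 'access-list NAME [line N] extended ACTION PROTO SRC DST ...'; a port spec is ignored."""
    k = tokens.index("extended")
    rest = tokens[k + 2:]
    proto, i = (" ".join(rest[:2]), 2) if rest[0] in ("object", "object-group") else (rest[0], 1)
    src, i = _take_endpoint(rest, i)
    dst, _ = _take_endpoint(rest, i)
    return {"action": tokens[k + 1], "proto": proto, "src": src, "dst": dst}

def parse_asa_config(text):
    """Minimal parser for just the parts of an ASA config this audit needs."""
    cfg, group = AsaConfig(), None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        tokens = raw.split()
        if raw[0] not in " \t":          # a top-level command ends any object-group sub-mode
            group = None
            if tokens[:2] == ["object-group", "protocol"]:
                group = tokens[2]
                cfg.protocol_groups.setdefault(group, set())
            elif tokens[0] == "nat" and "after-auto" not in tokens:
                cfg.manual_nat.append(tokens)  # top-level 'nat' = twice NAT, section 1
            elif tokens[0] == "access-list" and "extended" in tokens:
                cfg.acls.setdefault(tokens[1], []).append(_parse_ace(tokens))
        elif group and tokens[0] == "protocol-object":
            cfg.protocol_groups[group].add(tokens[1])
        # an indented 'nat' under 'object network' is section-2 object NAT: always evaluated after section 1
    return cfg

def protocol41_groups(cfg):
    """Protocol object-groups that contain IP protocol 41 and nothing else."""
    return {name for name, protos in cfg.protocol_groups.items() if protos == {"41"}}

def tunnel_nat_is_first(cfg, host, pop):
    """True if the first section-1 rule is the host<->POP static rule PATed to the outside interface."""
    want = ["source", "static", host, "interface", "destination", "static", pop, pop]
    return bool(cfg.manual_nat) and cfg.manual_nat[0][2:] == want

def acl_scopes_protocol41(cfg, acl_name, src_obj, dst_obj):
    """True if some ACE permits a 41-only group strictly between the two named objects (no 'any')."""
    protos = {f"object-group {g}" for g in protocol41_groups(cfg)}
    return any(
        ace["action"] == "permit" and ace["proto"] in protos
        and ace["src"] == f"object {src_obj}" and ace["dst"] == f"object {dst_obj}"
        for ace in cfg.acls.get(acl_name, [])
    )

def audit(text, host="IPv6_HOST", pop="IPv6_POP"):
    """Run the checks the article's procedure depends on; each value is True when satisfied."""
    cfg = parse_asa_config(text)
    return {
        "protocol_group_is_41_only": bool(protocol41_groups(cfg)),
        "tunnel_nat_is_first_manual_rule": tunnel_nat_is_first(cfg, host, pop),
        "inside_acl_scoped": acl_scopes_protocol41(cfg, "inside_access_in", host, pop),
        "outside_acl_scoped": acl_scopes_protocol41(cfg, "outside_access_in", pop, host),
    }
```

audit(SAMPLE_GOOD) returns True for every check; audit(SAMPLE_BAD) reports the misordered NAT rule and the over-broad outside ACL as False. To check a real box, pass the text of show running-config to audit(); lines the audit does not need (object NAT under object network, access-group bindings, interface config) are skipped, and only twice NAT rules without after-auto are counted as section 1.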