I am studying for my CCNP Route/Switch and think that I will probably have a few IPv6 questions on the exam. Since my internet connection at home is IPv4, I know that I will need to connect my ASA to an IPv6 Broker. Do I need to run IPv6 behind the ASA as well, or do I do something different? Would prefer not to have to install a second internet connection just for IPv6.
Not very familiar with the ASA, but I was with the PIX a few years ago; the concept between the two appliances should be the same. So I believe the ASA will not be able to terminate an IPv6IP tunnel.
Also, in front of the ASA you should have a router providing you connectivity to your ISP (a lot of guessing here, but you did not provide details).
So what you do is terminate the IPv6IP tunnel on the router and then configure the ASA for IPv6 between the outside interface (attached to the router) and the inside interface (your network).
It is a pretty straightforward process on the router:
description HE ipv6 tunnel ID xxxxx
ip ddns update ipv6tunnel2
no ip address
ipv6 address 2001:470:x:x::2/64
no ipv6 redirects
ipv6 inspect FW6-tnl1 out
ipv6 traffic-filter AL6-v6-inetin in
tunnel source Dialer9
tunnel mode ipv6ip
tunnel destination 184.108.40.206
Then you add the IPv6 route and you are done.
ipv6 route ::/0 2001:470:x:x::1
Note that this configuration also takes care of a dynamic IP address by using the DDNS update method and an interface as source.
If your IPv4 connection is terminated on the ASA, then you will have to punch a hole in the ASA for the IPv6IP tunnel and do the same thing on an inside router and run your local firewall on the router.
Since posting that message, I have learned a little more. My ASA will be connecting to the outside world, with the router functioning as the tunnel broker to be on the inside. It appears that I may need to upgrade the code on the ASA to allow protocol 41 (used by the tunnel broker) to pass through. I have tried to do this with 8.2.5 code but all the pieces don't seem to be there. May have to upgrade to 8.3 or 8.4.
Not very proud of my config, but I am still experimenting with it and I do not have any servers, so I only need so little.
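What the protocol 41 (6in4) traffic discussed in this thread looks like on the wire, as an added example that is not from any poster: it parses the outer IPv4 and inner IPv6 headers and applies a check a firewall hole for the tunnel would want. The function names, the documentation-range addresses and the policy in tunnel_verdict are assumptions made for illustration.

```python
import ipaddress
import struct

PROTO_6IN4 = 41  # IPv4 protocol number carrying an encapsulated IPv6 packet

def build_6in4(outer_src, outer_dst, inner_src, inner_dst, next_header=58):
    """Build a constructed sample packet (checksum left at zero, never sent)."""
    v6 = struct.pack("!IHBB", 6 << 28, 0, next_header, 64)
    v6 += ipaddress.IPv6Address(inner_src).packed + ipaddress.IPv6Address(inner_dst).packed
    v4 = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(v6), 0, 0, 64, PROTO_6IN4, 0)
    v4 += ipaddress.IPv4Address(outer_src).packed + ipaddress.IPv4Address(outer_dst).packed
    return v4 + v6

def parse_6in4(packet):
    """Return outer/inner addresses of a 6in4 packet, or None if not protocol 41."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl or packet[9] != PROTO_6IN4:
        return None
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not a complete IPv6 header")
    return {
        "outer_src": ipaddress.IPv4Address(packet[12:16]),
        "outer_dst": ipaddress.IPv4Address(packet[16:20]),
        "inner_src": ipaddress.IPv6Address(inner[8:24]),
        "inner_dst": ipaddress.IPv6Address(inner[24:40]),
        "next_header": inner[6],
    }

def tunnel_verdict(packet, broker_v4, local_prefix):
    """Classify a packet arriving on the outside interface (assumed policy)."""
    try:
        info = parse_6in4(packet)
    except ValueError:
        return "drop: malformed 6in4"
    if info is None:
        return "not 6in4"
    # Only the tunnel server should ever send protocol 41 to us.
    if info["outer_src"] != ipaddress.IPv4Address(broker_v4):
        return "drop: protocol 41 from unexpected endpoint"
    # Inbound traffic must not claim a source inside our own routed prefix.
    if info["inner_src"] in ipaddress.ip_network(local_prefix):
        return "drop: inner source spoofs local prefix"
    return "pass to tunnel router"
```

The outer-source check corresponds to permitting protocol 41 only from the tunnel server address rather than from any host.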
Also we might consider, rather than hijacking this thread, to open one on ipv6 filtering (all the niceties of the ipv6 lists having some implicit permits before the implicit deny all and the sort) .....
Also that one would be a good place to discuss ipv6 inspect which in my view is still quite immature, at least comparing to ipv4.
ipv6 access-list AL6-v6-inetin
sequence 1 remark Filtering inbound traffic at Tunnel interface
sequence 20 remark allowing ping of outside for tunnel status and reachability