Cisco Support Community

New Member

Can we assign IPv4 IP address pool to IPv6 VPN Client

We are planning to enable IPv6 SSL VPN clients. Let me explain the current setup.

We have Cisco ASA firewall used for SSL VPN and Cisco ACS for user authentication and RSA for two factor authentication.

LAN servers are in IPv4 only.

Requirement:


Client (IPv6) --- Cloud (IPv6) ---- Outside (IPv6) - Cisco ASA - Inside (IPv4) ----- ACS (IPv4) & RSA (IPv4)


A client with IPv6 internet connectivity connects to the SSL VPN over IPv6, and the Cisco ASA outside interface with an IPv6 address will receive the request.


1. Will the Cisco ASA check two-factor authentication with ACS and RSA, both of which have IPv4 addresses, for an IPv6 client?

2. Once authenticated, the Cisco ASA can assign an IPv4/IPv6 address pool to the client. If I prefer only an IPv4 address pool, the client will get an IPv4 address as its tunnel interface IP address. Will it work? That is, IPv4 over an IPv6 SSL VPN tunnel.






Cisco Employee

AFAIR, with SSL we support IPv4 and IPv6 assigned IP addresses, with IPsec IKEv2 we only support IPv4 addressing. 


Queries to AAA servers are a separate process from the user <-> headend authentication flow, unless we're talking about IKEv2 with standard EAP methods.

New Member

Thanks Marcin, we have SSL VPN only, not IPsec.

I am not clear on the AAA part.



Cisco Employee

With IKEv2, ASA with Anyconnect, you're most likely using EAP-Anyconnect :-)

With SSL, as I said, it's a separate flow.


Hi

Sorry to wake up this old thread, but this issue is becoming relevant for me now.

One of our main country ISPs is soon going to offer IPv6 DS-Lite to its customers. Those customers then want to connect to our ASA, which is currently reachable only over IPv4, for AnyConnect VPN.

I run 9.1.x on the ASA and use AnyConnect 3.1.

My thought is now to add an IPv6 address to the public interface of my ASA (I have a public pool and the infrastructure is ready to do this), but then only offer an IPv4 address pool.

So the client connects with IPv6 but gets assigned only an IPv4 address. Is this supported?




Cisco Employee

Patrick,

SSL with IPv6 and IPv6 assigned IP address has been working for some time.

I've been out of the loop for a while but I'm told IPsec should also work with both assigned protocols - didn't test it.




I found that document, but it doesn't answer my question:

So the client connects with IPv6 (client and ASA have a public address, but client doesn't have a public IPv4 one) but gets assigned only an IPv4 address. Is this supported?