We are planning to migrate our network to the IPv6 standard, preferably dual stack.
Currently we have SSL VPN enabled using the AnyConnect client, where the VPN users connect to the ASA 5545 and are then able to access the internal network. We are planning to enable dual stack on the outside interface of the ASA, and the internal network will remain an IPv4 network.
A user with an IPv6 address needs to access the IPv4 internal network using the SSL VPN (the IP address assigned to the AnyConnect interface will be an IPv4 address).
Currently the ASA version is 8.0(4).
My query is: what are the things I need to consider prior to the migration?
1) Which ASA software version will support IPv6 SSL VPN using the AnyConnect client? (Please note, we don't need IPsec.)
2) Similarly, which AnyConnect client will support an IPv6 SSL connection?
3) What would be the best practice for this kind of deployment?
Thanks a lot... please help me to clear these doubts. Please refer to the diagram.
• Currently all the devices are assigned IPv4 addresses.
• Planning to migrate the Internet edge devices to IPv6 (dual stack).
• The firewalls' outside interface has public IPv4 addresses.
• The firewalls are in HA mode (Active/Standby).
• The firewalls are currently used only for SSL VPN.
• The users from the Internet will access the application servers using AnyConnect SSL VPN.
• The VPN users will be authenticated using Cisco ACS and RSA token authentication (dual factor).
• The authentication servers will remain in the IPv4 network.
• If an IPv6 VPN user tries to access the internal network, will they get authenticated?
• Will a dual-stack environment work for SSL VPN using AnyConnect?
• If an IPv6 user tries to establish a VPN connection, can the firewall assign an IPv4 IP to the AnyConnect client interface of the client? (Which means the user will connect over the Internet using IPv6 and the AnyConnect SSL VPN will be established with an IPv4 IP address.)
• If dual stack is enabled on the outside interface of the firewall, is it possible to assign both an IPv6 and an IPv4 IP together to the VPN user?
• The firewalls are in Active/Standby mode. For failover, are there any prerequisites in the IPv6 environment?
• For supporting IPv6, which ASA software version is required? // These are not X-series firewalls.
• Which version of the AnyConnect client is required for supporting IPv6 SSL VPN (dual stack)? // Currently the customer needs just SSL VPN using AnyConnect.
The ASA -> authentication server flow in SSL VPN is a separate TCP/UDP flow from the connectivity between client and headend. The ASA will take the credentials and pass them to the corresponding server(s).
From the ASA's perspective you configure pools, IPv4, IPv6, or both, to determine what you'd like to assign; it may happen that the client does not support some of the protocols. As long as the OS supports it, you should be able to assign IPv6 and IPv4 and use them accordingly.
ASA 9.0 and AnyConnect 3.1 are the minimum you should consider for an IPv6 deployment (this includes connectivity over IPv6 and failover).
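
The pool-based assignment described in the answer above, as an added configuration sketch that is not part of the original thread. It assumes ASA 9.0 or later; the interface name, pool, group-policy and tunnel-group names are hypothetical, and all addresses are constructed from documentation ranges.

```text
! Added example, not from the thread. All names and addresses are
! constructed placeholders (203.0.113.0/24, 2001:db8::/32).

! Dual-stack outside interface; the standby addresses are used by
! the Active/Standby failover pair.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
 ipv6 address 2001:db8:0:1::10/64 standby 2001:db8:0:1::11

! Address pools handed to AnyConnect clients. Keep only the IPv4
! pool if clients should receive an IPv4 address alone while
! connecting to the headend over IPv6.
ip local pool ANYCONNECT-V4 10.10.10.1-10.10.10.100 mask 255.255.255.0
ipv6 local pool ANYCONNECT-V6 2001:db8:0:100::1/64 100

! Terminate SSL VPN on the dual-stack outside interface.
webvpn
 enable outside
 anyconnect enable

! SSL-only policy (no IPsec) that assigns from both pools.
group-policy GP-ANYCONNECT internal
group-policy GP-ANYCONNECT attributes
 vpn-tunnel-protocol ssl-client
 address-pools value ANYCONNECT-V4
 ipv6-address-pools value ANYCONNECT-V6

tunnel-group TG-ANYCONNECT type remote-access
tunnel-group TG-ANYCONNECT general-attributes
 default-group-policy GP-ANYCONNECT
```

After a test client connects, `show vpn-sessiondb anyconnect` lists the public address the session came from and the address or addresses assigned from the pools.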