On the 24 August 2016 Cisco released new ASA code 9.6.2 adding further support to the IPv6 protocol – Prefix Delegation. Recently Telstra (Australian ISP) has enabled IPv6 on NBN (National Broadband Network) services and I thought what better way to try out this than on my ASA 5506-X. I will go through the basic process on getting IPv6 to work on a Cisco ASA with PD.
In the steps below GigabitEthernet1/1 is the outside interface, and GigabitEthernet1/2 is the inside interface.
1)The first step is configuring IPV6 on the outside interface. At this point, no IPV6 address will be configured in the firewall.
interface GigabitEthernet1/1 ipv6 address autoconfig default trust dhcp ipv6 address dhcp default ipv6 enable ipv6 nd managed-config-flag ipv6 nd other-config-flag ipv6 dhcp client pd ciscoasa
2) The ISP will provide the prefix which has to be used, and some data has to be collected by using the following commands:
show ipv6 dhcp interface outside
With this, you will have the info about the default-dateway (Reachable via address) and the subnet assigned by the ISP (Prefix)
GigabitEthernet1/1 is in client mode Prefix State is OPEN Renew will be sent in 01:37:04 Address State is SOLICIT List of known servers: Reachable via address: fe80::fac0:1ff:fe70:17c0 DUID: 000100011914BB0A00144FFA6B62 Preference: 0 Configuration parameters: IA PD: IA ID 0x00020001, T1 7200, T2 11520 Prefix: 2001:8003:a02c:8700::/56 preferred lifetime 14400, valid lifetime 14400 expires at Sep 01 2016 03:40 AM (13024 seconds) Information refresh time: 0 Vendor-specific Information options: Enterprise-ID: 1088 Prefix name: ciscoasa
3)Then, we need to configure the interfaces with these IP address. So, with the command show ipv6 interface, we can find the IPV6 link local for the outside interface, and configure the IPV6 address using its eui-64 portion
outside is up, line protocol is up IPv6 is enabled, link-local address is fe80::5287:89ff:fefc:7106
With these 2 pieces of information, we can configure the IP address to be used in the outside interface and also configure the ipv6 dhcp client pd hint. This command is necessary to ask the ISP to always provide the same IPV6 prefix so that we will keep it as if it were a static assignment.
interface GigabitEthernet1/1 ipv6 address ciscoasa ::5287:89ff:fefc:7106/64 ipv6 dhcp client pd hint 2001:8003:a02c:8700::/56 Note: On Telstra residential services I discovered they do not interpret the PD HINT and keep the subnet, so I have left out this line as of March 2017.
In this case, the outside network will have the following subnet 2001:8003:a02c:8700::/64
We can also configure the IPV6 default gateway with the IPV6 link- local address provided by Telstra router
show ipv6 routers ! Will show the link-local address to be used as the default gateway) Router fe80::fac0:1ff:fe70:17c0 on outside, last update 9 min Hops 64, Lifetime 1800 sec, AddrFlag=1, OtherFlag=0 Reachable time 0 msec, Retransmit time 0 msec ipv6 route outside ::/0 fe80::fac0:1ff:fe70:17c0
4) Next step is configuring the inside interface. We defined the subnet to be used so that it would not overlap the outside interface 2001:8003:a02c:8701::/64
interface GigabitEthernet1/2 ipv6 enable ipv6 address 2001:8003:a02c:8701::/64 eui-64 ipv6 nd managed-config-flag ipv6 nd other-config-flag Note: On Telstra residential services the Ipv6 /64 Address will not be static. We will have to change to the following for dynamic assignments: ipv6 address ciscoasa ::1:0:0:0:1/64 The “::1:0:0:0:1/64“ is basically the host portion of the IP address. The “ciscoasa” in this case contains the IPv6 prefix and when the ASA configures the IP address it will use the prefix and include the host portion as well and then create the IP address. This way when the ASA reboots or looses power a new address will be ready to use if the ISP gives out dynamic /56's.
Also, a IPV6 DHCP scope was configured. In this case, it works as a stateless DHCP, as the interface will only provide the subnet used in the router advertisements and each host will include its eui-64 information to complete. In the case below I have also added in the Telstra IPv6 DNS servers however you can add your own in, or you can use import dns-server to automatically try get a server.
ipv6 dhcp pool ALCATRONV6 dns-server 2001:8000:101::1 dns-server 2001:8000:101::2 domain-name alcatron.net interface GigabitEthernet1/2 ipv6 dhcp server ALCATRONV6
5) Finally we can verify that the hosts are being able to get IPV6 subnet and configure their own IPV6 addresses
ciscoasa-5506X# sh ipv6 neighbor | inc 2001 2001:8003:a02c:8701:497f:8a80:b975:d580 30 a4b8.058e.8236 STALE inside 2001:8003:a02c:8701:d565:2f36:d9b:32a7 39 1c5c.f2b4.6cad STALE inside 2001:8003:a02c:8701:7c57:4bd5:bb68:1b9 17 a4b8.058e.8236 STALE inside 2001:8003:a02c:8701:c122:30ca:7b52:42ea 9 1c5c.f2b4.6cad STALE inside 2001:8003:a02c:8701:5f:860c:b32b:c7 43 0015.5d01.0602 STALE inside 2001:8003:a02c:8701:597e:471f:bfd9:df3f 0 0cc4.7a70.a0a7 REACH inside 2001:8003:a02c:8701:6820:c272:e85e:2feb 20 7081.eb1a.c6e5 STALE inside 2001:8003:a02c:8701:f4d4:b595:88f8:374d 40 1c5c.f2b4.6cad STALE inside 2001:8003:a02c:8701:8574:1c6f:5fd6:1f1b 43 20c9.d07a.5777 STALE inside
And verify the IPV6 connections
ciscoasa-5506X# show conn | inc 2001 TCP outside 2404:6800:4006:806::2003:80 inside 2001:8003:a02c:8701:c122:30ca:7b52:42ea:51324, idle 0:00:32, bytes 15286, flags UIO TCP outside 2404:6800:4006:806::2005:443 inside 2001:8003:a02c:8701:c122:30ca:7b52:42ea:51333, idle 0:00:14, bytes 630639, flags UIO TCP outside 2a03:2880:f019:1:face:b00c:0:1:443 inside 2001:8003:a02c:8701:c122:30ca:7b52:42ea:51194, idle 0:02:03, bytes 17643, flags UIO TCP outside 2a03:2880:f019:1:face:b00c:0:1:443 inside 2001:8003:a02c:8701:c122:30ca:7b52:42ea:51193, idle 0:01:23, bytes 8865, flags UFRIO
Other useful commands you will need:
sh ipv6 interface ! show the configured IPV6 addresses and subnet masks outside is up, line protocol is up IPv6 is enabled, link-local address is fe80::5287:89ff:fefc:7106 Global unicast address(es): 2001:8003:a02c:8700:5287:89ff:fefc:7106, subnet is 2001:8003:a02c:8700::/64 Joined group address(es): ff02::1:fffc:7106 ff02::2 ff02::1
sh ipv6 general-prefix ! Will show your prefix acquired via PD lifetime IPv6 Prefix ciscoasa, acquired via DHCP PD 2001:8003:a02c:8700::/56 Valid lifetime 11664, preferred lifetime 11664 Consumer List Usage count outside (Address command) 1
Another issue I had is trying to get traceroute working correctly so to make sure this was working correctly i had to ensure I had the following lines. This allows ping, and echo reply to all your inside IPv6 hosts, you can tweak this however if you like with the access lists.
access-list Outside_access_in extended permit icmp6 any6 any6 echo-reply access-list Outside_access_in extended permit icmp6 any6 any6 time-exceeded access-list Outside_access_in extended permit icmp6 any6 any6 unreachable access-list Outside_access_in extended permit icmp6 any6 any6
The policy maps were modified to ensure that traceroute v4 and v6 worked. You might have others in the policy-map, just leave those and append the ones below that are missing.
policy-map global_policy class inspection_default inspect icmp inspect icmp error class class-default set connection decrement-ttl service-policy global_policy global
This was a steep learning experience, but finally I have dual stack IPv4 and IPv6 running on Telstra NBN through a Cisco ASA 5506-X. I have seen no articles which deal with PD delegation on Cisco ASA’s , so I thought i would do this write up so that it can benefit others. Any questions, comments, feedback, welcome as usual 🙂3 Comments