[Snap] ASA 5505 & IPv6 on Snap!

Forums › 2degrees (including Slingshot, Orcon, Flip, Stuff Fibre, MyRepublic, 2talk and Vocus) › [Snap] ASA 5505 & IPv6 on Snap!

davegforster

7 posts

Wannabe Geek

#115592 31-Mar-2013 17:27

Hi all,

Apologies, double-up from Networking forum.

So i've spent at least 2 days trying to get IPv6 working correctly at home. I'm at a point where I can at least get ICMP replies back from ipv6.google.com on the console of the ASA but not from a client (Win8 or Win 2012).

I have no idea where i'm going wrong with this...

Topology is currently:

Internet -> Fritz!Box 7390 VDSL router (Snap!) -> ASA5505 -> Inside switch -> Client

ASA is in routed firewall mode. IPv4 connectivity is working perfectly. Software version is 9.0(2)
Outside interface (VLAN2) is being autoconfigured via SLAAC (not dhcpv6) - this is working
Inside interface (VLAN1) I want to have autoconfigured, but this doesn't work for some reason. Perhaps I need to configure an ACL, I don't know what the ACL should be. Setting the IPv6 address manually is fine and I can ping it from a client and the client picks up an autoconfigured address in the same subnet.
I've configured a default route for ::/0 to Fritz!Box link-local address. If I change this to be the globally assigned address of the Fritz!Box I can no longer ping ipv6.google.com from the console.
I can't get DHCPrelay working for my clients. I've enabled DHCPv6 on the Fritz!Box and enabled DHCPRelay client on the inside interface and defined the link-local address of the Fritz!Box on the outside interface as the DHCPv6 Server.

interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.252 255.255.255.0
ipv6 address fc00::/64 eui-64
ipv6 address fe80::1 link-local
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ipv6 address fe80::2 link-local
ipv6 address autoconfig
ipv6 nd suppress-ra
!
ipv6 route outside ::/0 fe80::2665:11ff:feec:d31b
!
access-list inside_access_in extended permit icmp6 any6 any6
access-list inside_access_in extended permit ip any any
!

It appears mostly that I can't ping through the ASA. From the ASA I can ping IPv6 sites fine.

Ideally I would have both Outside and Inside interfaces being autoconfigured via SLAAC from Snap!. Outside is autoconfiguring fine but Inside is not.

Any help would be appreciated!

Zeon

3918 posts

Uber Geek

Trusted

#790018 31-Mar-2013 18:12

Have you configured a static route on your Fritzbox to the subnet behind the ASA? Ideally Snap would have given you a /56. You then need to have a /64 configured between the ASA and Fristbox subnet (/64 for SLAAC to work). Once that is working (as it sounds it does), use another of the /64s in your /56 as the LAN side of the ASA. Then on the fritzbox add a static route for the /64 to pass to the SLAAC address on the WAN side of the ASA.

There is a standard to autoconfigure this I believe but its more for ISP etc. Funny timing as I'm just doing IPv6 routing for a customer aatm (just waiting for a reboot and came to check GZ) :)

Speedtest 2019-10-14

davegforster

7 posts

Wannabe Geek

#790022 31-Mar-2013 18:47

Thanks for that, I figured it could be related to the Fritz!Box. As far as I can tell, via the web interface you can't configure static routes. You might be able to via telnet but to enable Telnet you need to do it via an IP phone (I don't have one).

Also, I believe Snap give out /48 prefixes but these are dynamic which is why I need to go this going via SLAAC or DHCPv6 (I don't think Snap use DHCPv6...I could be wrong though)

Cheers

tknz

182 posts

Master Geek

#794053 5-Apr-2013 20:11

Looks like your missing the command to tell the device to route IPV6 Traffic

ipv6 unicast-routing

davegforster

7 posts

Wannabe Geek

#794069 5-Apr-2013 20:42

Hey, thanks for the reply.

The ASA does not need (nor does it even have it available) to have "ipv6 unicast-routing". Applying "ipv6 enable" or assigning an ipv6 address to an interface enables ipv6 routing.

"ipv6 unicast-routing" is for IOS routers or layer 3 IOS switches.

Cheers

quakeguy

111 posts

Master Geek

Trusted

#794454 7-Apr-2013 02:03

Hey, a few things:

- Snap does use DHCPv6 to issue addresses rather than SLAAC
- The ASA probably doesn't NAT IPv6 by default (would you want/need NAT with that many addresses?)
- I see you have a link-local address on the inside of the ASA but public addressing on the outside.

Here is what the Fritz!Box does when it connects:
- Grabs IPv6 addressing via DHCPv6 (gets a /48 from Snap)
- Re-issues addresses via SLAAC to the local LAN
- Performs stateful firewalling (connection tracking) but not NAT.

My suspicion is that you want to get the ASA to issue addressing from the prefixes it receives from the Fritz!Box. I don't know how to say that in ASA IOS, however - you will need to google it.

And we're working on implementing static IPv6 at Snap, but it's not ready yet (big job, many dependencies!).

Hope this helps!

“I do not think there is any thrill that can go through the human heart like that felt by the inventor as he sees some creation of the brain unfolding to success... Such emotions make a man forget food, sleep, friends, love, everything.” - Nikola Tesla

Disclaimer: Views expressed in my posts do not necessarily reflect those views of my employer.