Topic # 115592 31-Mar-2013 17:27

Hi all,

Apologies, double-up from Networking forum.

So I've spent at least 2 days trying to get IPv6 working correctly at home. I'm at a point where I can at least get ICMP replies back from ipv6.google.com on the console of the ASA, but not from a client (Win8 or Win 2012).

I have no idea where I'm going wrong with this...

Topology is currently:

Internet -> Fritz!Box 7390 VDSL router (Snap!) -> ASA5505 -> Inside switch -> Client
  • ASA is in routed firewall mode. IPv4 connectivity is working perfectly. Software version is 9.0(2)
  • Outside interface (VLAN2) is being autoconfigured via SLAAC (not dhcpv6) - this is working
  • Inside interface (VLAN1) I want to have autoconfigured, but this doesn't work for some reason. Perhaps I need to configure an ACL, I don't know what the ACL should be. Setting the IPv6 address manually is fine and I can ping it from a client and the client picks up an autoconfigured address in the same subnet.
  • I've configured a default route for ::/0 to Fritz!Box link-local address. If I change this to be the globally assigned address of the Fritz!Box I can no longer ping ipv6.google.com from the console.
  • I can't get DHCP relay working for my clients. I've enabled DHCPv6 on the Fritz!Box, enabled the DHCP relay client on the inside interface and defined the link-local address of the Fritz!Box on the outside interface as the DHCPv6 server.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.1.252 255.255.255.0
ipv6 address fc00::/64 eui-64
ipv6 address fe80::1 link-local
!
interface Vlan2
nameif outside
security-level 0
ip address dhcp setroute
ipv6 address fe80::2 link-local
ipv6 address autoconfig
ipv6 nd suppress-ra
!
ipv6 route outside ::/0 fe80::2665:11ff:feec:d31b
!
access-list inside_access_in extended permit icmp6 any6 any6
access-list inside_access_in extended permit ip any any
!

It appears mostly that I can't ping through the ASA. From the ASA I can ping IPv6 sites fine.

Ideally I would have both Outside and Inside interfaces being autoconfigured via SLAAC from Snap!. Outside is autoconfiguring fine but Inside is not. 

Any help would be appreciated!
  Reply # 790018 31-Mar-2013 18:12

Have you configured a static route on your Fritzbox to the subnet behind the ASA? Ideally Snap would have given you a /56. You then need to have a /64 configured between the ASA and Fritzbox subnet (/64 for SLAAC to work). Once that is working (as it sounds it does), use another of the /64s in your /56 as the LAN side of the ASA. Then on the Fritzbox add a static route for the /64 to pass to the SLAAC address on the WAN side of the ASA.

There is a standard to autoconfigure this I believe, but it's more for ISPs etc. Funny timing as I'm just doing IPv6 routing for a customer atm (just waiting for a reboot and came to check GZ) :)
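As an added example (not code from the thread or from any of the posters), this Python script works through the two pieces of address arithmetic the thread turns on: the modified EUI-64 interface identifier that the OP's "ipv6 address ... eui-64" line derives from the interface MAC, and the plan in the reply above (one /64 between router and ASA, a second /64 behind the ASA, and a static route on the router for the LAN /64 whose next hop is the ASA's SLAAC address on the WAN /64). The delegated prefix and MAC are constructed sample values, and the route is returned as a (destination, next hop) pair rather than in any router's syntax.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID from a 48-bit MAC (RFC 4291 App. A): insert
    0xFFFE in the middle and invert the universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big")

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address produced by 'ipv6 address <prefix>/64 eui-64' for a given MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 on-link prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def nth_subnet64(delegated: str, index: int) -> ipaddress.IPv6Network:
    """The index-th /64 inside a delegated prefix (e.g. a /48 or /56),
    computed directly instead of enumerating every subnet."""
    block = ipaddress.IPv6Network(delegated, strict=True)
    if block.prefixlen > 64:
        raise ValueError("delegated prefix must be /64 or shorter")
    if not 0 <= index < 1 << (64 - block.prefixlen):
        raise ValueError("subnet index outside the delegated prefix")
    return ipaddress.IPv6Network((int(block.network_address) + (index << 64), 64))

def plan_asa_behind_router(delegated: str, asa_wan_mac: str,
                           wan_index: int = 0, lan_index: int = 1) -> dict:
    """Addressing plan from the reply: one /64 between router and ASA, a
    second /64 behind the ASA, and the static route the router needs
    (destination = LAN /64, next hop = ASA's SLAAC address on the WAN /64)."""
    wan = nth_subnet64(delegated, wan_index)
    lan = nth_subnet64(delegated, lan_index)
    asa_wan = slaac_address(str(wan), asa_wan_mac)
    return {
        "wan_subnet": wan,
        "lan_subnet": lan,
        "asa_wan_address": asa_wan,
        "router_static_route": (lan, asa_wan),
    }

if __name__ == "__main__":
    # Constructed sample values: the documentation prefix and a made-up MAC.
    plan = plan_asa_behind_router("2001:db8:abcd::/48", "00:1a:2b:3c:4d:5e")
    for key, value in plan.items():
        print(f"{key}: {value}")
```

The EUI-64 form embeds the MAC in the address, which is why the Windows clients in the thread show up with random interface identifiers instead.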
  Reply # 790022 31-Mar-2013 18:47

Thanks for that, I figured it could be related to the Fritz!Box. As far as I can tell, via the web interface you can't configure static routes. You might be able to via telnet but to enable Telnet you need to do it via an IP phone (I don't have one).

Also, I believe Snap give out /48 prefixes but these are dynamic, which is why I need to get this going via SLAAC or DHCPv6 (I don't think Snap use DHCPv6... I could be wrong though).

Cheers

  Reply # 794053 5-Apr-2013 20:11

Looks like you're missing the command to tell the device to route IPv6 traffic:

ipv6 unicast-routing
  Reply # 794069 5-Apr-2013 20:42

Hey, thanks for the reply.

The ASA does not need "ipv6 unicast-routing" (nor is the command even available on it). Applying "ipv6 enable" or assigning an IPv6 address to an interface enables IPv6 routing.

"ipv6 unicast-routing" is for IOS routers or layer 3 IOS switches.

Cheers

  Reply # 794454 7-Apr-2013 02:03

Hey, a few things:

- Snap does use DHCPv6 to issue addresses rather than SLAAC
- The ASA probably doesn't NAT IPv6 by default (would you want/need NAT with that many addresses?)
- I see you have a link-local address on the inside of the ASA but public addressing on the outside.

Here is what the Fritz!Box does when it connects:
- Grabs IPv6 addressing via DHCPv6 (gets a /48 from Snap)
- Re-issues addresses via SLAAC to the local LAN
- Performs stateful firewalling (connection tracking) but not NAT.


My suspicion is that you want to get the ASA to issue addressing from the prefixes it receives from the Fritz!Box. I don't know how to say that in ASA IOS, however - you will need to google it.

And we're working on implementing static IPv6 at Snap, but it's not ready yet (big job, many dependencies!).

Hope this helps!