IPv6 at Home (Part III – Followup)

As mentioned in the last article about PPPoE, I had to do a redesign within my home network to support IPv6 and SSL VPN Connections. With the old layout the ASA didnt allow anything initiated from the outside, it just did NAT it to the router no matter what it was. Also I wasn’t able to map a static one-to-one NAT statement onto my single outside interface IP address after I upgraded to 8.3(2).
In this article, I gonna show the configuration for both the router and the ASA, even though the configuration itself is way easier now than it was before o_O

So instead of using the ASA as first device, I had to move the router in front (hence the PPPoE article :)).

The configuration is pretty straight forward:

ipv6 unicast-routing
interface Tunnel10
 description to HE IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:xx:xx::2/64
 ipv6 enable
 tunnel source Dialer1
 tunnel destination
 tunnel mode ipv6ip
interface Ethernet0
 description DMZ
 ip address
 ip nat inside
 ip virtual-reassembly
 ipv6 address 2001:470:xx::1/64
 ipv6 enable
ipv6 route 2001:470:xx:1::/64 2001:470:xx::2
ipv6 route ::/0 2001:470:xx:xx::1

Enable IPv6 unicast routing, configure the Tunnel Interface, configure the IPv6 addresses and configure the routing.
As you can see I do use 2001:470:xx::/64 within my DMZ (ASA outside interface) and 2001:470:xx:1::/64 for my actual network at home (ASA inside interface). The router uses a default route (::/0) towards the HE Tunnel Interface and a route for my internal network towards the ASA (2001:470:xx::2). IPv6 connectivity on the router is now working:

C1721#ping 2a00:1450:8004::67

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A00:1450:8004::67, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/48 ms

The IPv6 address 2a00:1450:8004::67 belongs to google (ipv6.google.com), good way to test 🙂

The ASA configuration is even easier, no need for ipv6 unicast routing activation:

interface Vlan2
 nameif outside
 security-level 0
 ipv6 address 2001:470:xx::2/64
 ipv6 enable
interface Vlan99
 nameif inside
 security-level 100
 ipv6 address 2001:470:xx:1::1/64
 ipv6 enable
ipv6 route outside ::/0 2001:470:xx::1

ASA5505#ping 2a00:1450:8004::67
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2a00:1450:8004::67, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/50 ms

Now you can give your devices inside the LAN IPv6 addresses and start to use the IPv6 internet (again ;)).

Maybe one small thing to add, if you want to ping from your inside network to the outside, the ASA needs a small config snippet, otherwise it wont allow pings through the ASA:

policy-map global_policy
 class inspection_default
 inspect icmp

Have fun 🙂



    • pashtuk

      Hi Pete
      I don’t know if 8.4 does support tunnel interfaces but 8.2 and 8.3 don’t. I did a quick search on the web but didn’t find something about tunnel interfaces on 8.4 so I guess the answer is still no.
      It looks like the ASA still does not support tunnel interfaces.


  1. Adam

    Only problem with this is that you need a significantly beefy router to handle any kind of broadband connection these days. You won’t get much more than 3-4 mbit with a 1721 with NAT. You have any stats on this?

    • pashtuk

      Hm I get about 660KB/s download according to Windows which is around 5.2 Mbit/s, and I just got a 6Mbit/s line anyway so its ok .)
      But yeah if you got more download and want/need it, its probably a good idea to get another router.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s