IPv6 at Home (Part III – Followup)
As mentioned in the last article about PPPoE, I had to redesign my home network to support IPv6 and SSL VPN connections. With the old layout the ASA didn't allow anything initiated from the outside; it simply NATed everything to the router, no matter what it was. Also, after upgrading to 8.3(2) I was no longer able to map a static one-to-one NAT statement onto my single outside interface IP address.
In this article I'll show the configuration for both the router and the ASA, even though the configuration itself is much simpler now than it was before.
So instead of using the ASA as the first device, I had to move the router in front (hence the PPPoE article :)).
The configuration is pretty straight forward:
C1721
ipv6 unicast-routing
!
interface Tunnel10
 description to HE IPv6 Tunnel Broker
 no ip address
 ipv6 address 2001:470:xx:xx::2/64
 ipv6 enable
 tunnel source Dialer1
 tunnel destination 216.66.80.98
 tunnel mode ipv6ip
!
interface Ethernet0
 description DMZ
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 full-duplex
 ipv6 address 2001:470:xx::1/64
 ipv6 enable
!
ipv6 route 2001:470:xx:1::/64 2001:470:xx::2
ipv6 route ::/0 2001:470:xx:xx::1
Enable IPv6 unicast routing, configure the tunnel interface, configure the IPv6 addresses and configure the routing.
As you can see, I use 2001:470:xx::/64 within my DMZ (the ASA outside interface) and 2001:470:xx:1::/64 for my actual network at home (the ASA inside interface). The router uses a default route (::/0) towards the HE tunnel interface and a route for my internal network towards the ASA (2001:470:xx::2). IPv6 connectivity on the router now works:
C1721#ping 2a00:1450:8004::67
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2A00:1450:8004::67, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 44/44/48 ms
The IPv6 address 2a00:1450:8004::67 belongs to Google (ipv6.google.com), a good way to test 🙂
The ASA configuration is even easier; there is no need to enable IPv6 unicast routing:
ASA5505
interface Vlan2
 nameif outside
 security-level 0
 ipv6 address 2001:470:xx::2/64
 ipv6 enable
!
interface Vlan99
 nameif inside
 security-level 100
 ipv6 address 2001:470:xx:1::1/64
 ipv6 enable
!
ipv6 route outside ::/0 2001:470:xx::1

ASA5505#ping 2a00:1450:8004::67
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2a00:1450:8004::67, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/48/50 ms
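The two configurations only work together if the static routes on each device point at an address the other device actually owns on a shared prefix. The following added script (not part of the original post) parses constructed copies of the router and ASA configs laid out like the ones above and checks exactly that; the page masks its real prefix as 2001:470:xx, so the 2001:db8::/32 documentation range is used here as an assumption.

```python
import ipaddress
import re

# Constructed configs in the page's layout. The page masks its real prefix as
# "2001:470:xx"; the 2001:db8::/32 documentation range stands in here (assumption).
ROUTER_CFG = """interface Tunnel10
 ipv6 address 2001:db8:1:ffff::2/64
interface Ethernet0
 ipv6 address 2001:db8:1::1/64
ipv6 route 2001:db8:1:1::/64 2001:db8:1::2
ipv6 route ::/0 2001:db8:1:ffff::1"""
ASA_CFG = """interface Vlan2
 ipv6 address 2001:db8:1::2/64
interface Vlan99
 ipv6 address 2001:db8:1:1::1/64
ipv6 route outside ::/0 2001:db8:1::1"""

ADDR_RE = re.compile(r"^\s*ipv6 address (\S+)")
# IOS: "ipv6 route <prefix> <next-hop>"; ASA: "ipv6 route <nameif> <prefix> <next-hop>"
ROUTE_RE = re.compile(r"^\s*ipv6 route (?:\S+ )?(\S+) (\S+)\s*$")

def parse(cfg):
    """Return ([IPv6Interface per 'ipv6 address' line], [(IPv6Network, next hop)])."""
    ifaces, routes = [], []
    for line in cfg.splitlines():
        if m := ADDR_RE.match(line):
            ifaces.append(ipaddress.IPv6Interface(m.group(1)))
        elif m := ROUTE_RE.match(line):
            routes.append((ipaddress.IPv6Network(m.group(1)),
                           ipaddress.IPv6Address(m.group(2))))
    return ifaces, routes

def check_plan(router_cfg, asa_cfg):
    """Return findings; an empty list means the static routes line up."""
    r_if, r_routes = parse(router_cfg)
    a_if, a_routes = parse(asa_cfg)
    r_addrs, a_addrs = {i.ip for i in r_if}, {i.ip for i in a_if}
    findings = []
    for name, ifaces, routes in (("router", r_if, r_routes), ("asa", a_if, a_routes)):
        for prefix, nh in routes:  # a static next hop must sit on a connected prefix
            if not any(nh in i.network for i in ifaces):
                findings.append(f"{name}: next hop {nh} for {prefix} is not on-link")
    for prefix, nh in r_routes:  # router's non-default routes must point at the ASA
        if prefix.prefixlen and nh not in a_addrs:
            findings.append(f"router: next hop {nh} for {prefix} is not an ASA address")
        if prefix.prefixlen and not any(i.network == prefix for i in a_if):
            findings.append(f"router: {prefix} is not an ASA-connected prefix")
    for prefix, nh in a_routes:  # ASA's default route must point at the router
        if not prefix.prefixlen and nh not in r_addrs:
            findings.append(f"asa: default next hop {nh} is not a router address")
    return findings
```

Running check_plan on your own (unmasked) configs is a quick way to catch the classic typo where the inside /64 is routed to a next hop that no interface on the ASA actually carries.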
Now you can give your devices inside the LAN IPv6 addresses and start using the IPv6 internet (again ;)).
One small thing to add: if you want to ping from your inside network to the outside, the ASA needs a small config snippet, otherwise it won't allow pings through the ASA. ICMP inspection lets the ASA treat the echo replies as return traffic for the echo requests it saw leave, so without it the replies are dropped at the outside interface:
policy-map global_policy
 class inspection_default
  inspect icmp
Have fun 🙂
Can this tunnel be configured with just the ASA 5505 running 8.4 and NO router?
Hi Pete
I don’t know if 8.4 does support tunnel interfaces but 8.2 and 8.3 don’t. I did a quick search on the web but didn’t find something about tunnel interfaces on 8.4 so I guess the answer is still no.
It looks like the ASA still does not support tunnel interfaces.
regards
Michel
Pete, the ASA doesn’t support GRE tunnels, even in 8.4. Sorry.
Only problem with this is that you need a significantly beefy router to handle any kind of broadband connection these days. You won’t get much more than 3-4 mbit with a 1721 with NAT. You have any stats on this?
Hm, I get about 660KB/s download according to Windows, which is around 5.2 Mbit/s, and I just got a 6Mbit/s line anyway so it's ok :)
But yeah, if you've got more download and want/need it, it's probably a good idea to get another router.