4

I recently installed a Cisco ASA 5505 firewall on the edge of our LAN. The setup is simple:

Internet <--> ASA <--> LAN

I would like provide the hosts in the LAN with IPv6 connectivity by setting up a 6in4 tunnel to SixXS.

It would be nice to have the ASA as tunnel endpoint so it can firewall both IPv4 and IPv6 traffic.

Unfortunately the ASA apparently can't create a tunnel itself, and can't port-forward protocol 41 traffic, so I believe I would have to do one of the following instead:

  • Set up a host with it's own IP outside the firewall, and have that function as tunnel-endpoint. The ASA can then firewall and route the v6 subnet to the LAN.
  • Set up a host inside the firewall that functions as endpoint, separated via vlan or whatever, and loop the traffic back into the ASA where it can be firewalled and routed. This seems contrived, but would allow me to use a VM instead of a physical machine as endpoint.
  • Any other way?

What would you suggest is the optimal way to set this up?

P.S. I do have a spare public IP address available if needed, and can spin up another VM in our VMware infrastructure.

Martijn Heemels
  • 7,728
  • 7
  • 40
  • 64

1 Answers1

2

I had the same problem, and I've worked it out. Your question helped me greatly, actually. The loopback tunnelling was the trick.

There were significant ASA OS changes, especially with respect to NAT, in the 8.3 release. That's what I'm running, so it's likely the syntax will not work prior to 8.3. I don't know if you could even do this prior to 8.3.

Here's how it's set up. I'll include some configuration snippets below to back this up.

As you, I have an ASA between my edge router and my internal network. I only have one publicly-addressable IPv4 address. I was able to NAT protocol 41 traffic between a specific external host and a specific internal host using the ASA's outside public IP address. The tunnel is terminated on an internal host.

The internal host has two ethernet interfaces. One, connected to the internal network, only runs IPv4. The other, connected to the same segment as the outside interface of the ASA, only runs IPv6. There is also a tunnel interface for the IPv6 tunnel. The configuration of the tunnel came directly from Hurricane Electric's web site. If you have a tunnel configured with them, they can show you detailed configuration instructions for at least 8 different operating systems.

The ASA uses the edge router's IPv4 address as it's default IPv4 route. It uses the IPv6 address of the tunnel endpoint as it's default IPv6 address. Internal hosts use the ASA as their default route for either version, except the tunnel endpoint, which uses its tunnel interface as the default for IPv6.

IPv6 packets go through the ASA twice in each direction. Out, they go through the ASA, to the tunnel endpoint where they are put into the tunnel, and out again through the ASA. Both IPv4 and IPv6 get all of the benefits of the ASA firewall.

The real trick was getting the protocol 41 traffic through the ASA. Here are the pieces that made that work:

object service 6in4
 service 41
object network ipv6_remote_endpoint
 host x.x.x.x
object network ipv6_local_endpoint
 host y.y.y.y

access-list outside_in extended permit object 6in4 object ipv6_remote_endpoint object ipv6_local_endpoint

nat (inside,outside) source static ipv6_local_endpoint interface destination static ipv6_remote_endpoint ipv6_remote_endpoint

Good luck with it!

Rob

Rob F
  • 396
  • 1
  • 7