How to set up IPv6 with Prefix Delegation (PD) on a Cisco ASA?

Question

Our business internet provider recently enabled IPv6 for our fiber connection. They assigned us a /48 to use. Great, I can finally move away from using our 6in4 tunnel. Or not?...

They want us to use PD, which would be fine except that our Cisco ASA 5505 doesn't appear to support that. In fact, I think the ASA only supports static IPv6 addressing on the WAN interface.

How can I get this working?

For the tunnel-setup I set up a Linux DMZ-host in our internal ESXi cluster that terminated the tunnel. Internal IPv6-traffic went through the ASA to the DMZ, was inserted into the tunnel by Linux host and routed through the ASA again to the tunnel provider. This was pretty ugly since traffic crossed the ASA twice and made for a confusing and fragile setup.

With native IPv6 I'm hoping there's an easier way, even if I have to buy other hardware. Any tips?

Update your firmware. The ASA has had [this feature](https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-routed-tfw.html#id_23218) for quite a while. — Michael Hampton, Dec 16 '16 at 15:18
@MichaelHampton Interesting. But the newest firmware for the ASA 5505 is 9.2, while this feature needs 9.6. I've searched a bit more. Turns out we need new hardware, like the 5506 or something else. :( Apparently Cisco wants us to spend money again... See http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#pgfId-111785 — Martijn Heemels, Dec 16 '16 at 20:17

score 1 · Accepted Answer · answered Dec 19 '16 at 14:28

1

It turns out that the ASA firmware received support for DHCP6-PD (Prefix Delegation) in firmware 9.6. Unfortunately our ASA 5505 doesn't get anything newer than 9.2 so we'll need to upgrade to an ASA 5506-X or higher (or some other brand) to make use of our new IPv6 prefix.

It's unfortunate, since the 5505 is otherwise adequate for our needs and is still under contract.

answered Dec 19 '16 at 14:28

Martijn Heemels

7,728
7
40
64

Wow. I thought the 5505 had gone EOL quite some time ago, but apparently it has not. That's quite strange... – Michael Hampton Dec 19 '16 at 17:43

How to set up IPv6 with Prefix Delegation (PD) on a Cisco ASA?

1 Answers1