
Configuring Cisco ASA 5506-X IPv6 with Prefix Delegation (PD)

On 24 August 2016 Cisco released ASA code 9.6.2, which added further IPv6 support in the form of Prefix Delegation. Telstra (an Australian ISP) has recently enabled IPv6 on NBN (National Broadband Network) services, and I thought what better way to try it out than on my ASA 5506-X. I will go through the basic process of getting IPv6 to work on a Cisco ASA with PD.

In the steps below GigabitEthernet1/1 is the outside interface, and GigabitEthernet1/2 is the inside interface.

1) The first step is configuring IPv6 on the outside interface. At this point, no IPv6 address will be configured on the firewall.

interface GigabitEthernet1/1
 ipv6 address autoconfig default trust dhcp
 ipv6 address dhcp default
 ipv6 enable
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 dhcp client pd ciscoasa

2) The ISP will provide the prefix that has to be used, and some data has to be collected with the following command:

show ipv6 dhcp interface outside

This gives you the default gateway (Reachable via address) and the subnet assigned by the ISP (Prefix):

GigabitEthernet1/1 is in client mode
 Prefix State is OPEN
 Renew will be sent in 01:37:04
 Address State is SOLICIT
 List of known servers:
 Reachable via address: fe80::fac0:1ff:fe70:17c0
 DUID: 000100011914BB0A00144FFA6B62
 Preference: 0
 Configuration parameters:
 IA PD: IA ID 0x00020001, T1 7200, T2 11520
 Prefix: 2001:8003:a02c:8700::/56
 preferred lifetime 14400, valid lifetime 14400
 expires at Sep 01 2016 03:40 AM (13024 seconds)
 Information refresh time: 0
 Vendor-specific Information options:
 Enterprise-ID: 1088
 Prefix name: ciscoasa

3) Then we need to configure the interfaces with these addresses. With the command show ipv6 interface we can find the IPv6 link-local address of the outside interface and configure the IPv6 global address using its EUI-64 portion:

outside is up, line protocol is up
   IPv6 is enabled, link-local address is fe80::5287:89ff:fefc:7106

With these two pieces of information we can configure the address to be used on the outside interface and also configure the ipv6 dhcp client pd hint. This command asks the ISP to always provide the same IPv6 prefix, so that we keep it as if it were a static assignment.

interface GigabitEthernet1/1
 ipv6 address ciscoasa ::5287:89ff:fefc:7106/64
 ipv6 dhcp client pd hint 2001:8003:a02c:8700::/56

Note: On Telstra residential services I discovered they do not interpret the PD hint and keep the subnet, so I have left out this line as of March 2017.

In this case the outside network will have the subnet 2001:8003:a02c:8700::/64.

We can also configure the IPv6 default gateway with the IPv6 link-local address provided by the Telstra router:

show ipv6 routers
 ! Will show the link-local address to be used as the default gateway
 Router fe80::fac0:1ff:fe70:17c0 on outside, last update 9 min
   Hops 64, Lifetime 1800 sec, AddrFlag=1, OtherFlag=0
   Reachable time 0 msec, Retransmit time 0 msec

ipv6 route outside ::/0 fe80::fac0:1ff:fe70:17c0

4) The next step is configuring the inside interface. We define the subnet to be used so that it does not overlap the outside interface: 2001:8003:a02c:8701::/64

interface GigabitEthernet1/2
 ipv6 enable
 ipv6 address 2001:8003:a02c:8701::/64 eui-64
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag

Note: On Telstra residential services the IPv6 /64 address will not be static. We will have to change to the following for dynamic assignments:

ipv6 address ciscoasa ::1:0:0:0:1/64

The "::1:0:0:0:1/64" is basically the host portion of the address. The "ciscoasa" name in this case holds the delegated IPv6 prefix; when the ASA configures the address it takes the prefix from the name, appends the host portion, and builds the full address.
This way, when the ASA reboots or loses power, a new address will be ready to use if the ISP hands out dynamic /56s.
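As an added worked example (not from the original post or from Cisco), the Python below emulates what steps 3 and 4 describe: deriving the EUI-64 suffix from a MAC, combining the delegated general prefix with the suffix the way the ciscoasa name is used, and checking that the inside /64 sits inside the delegated /56 without overlapping the outside /64. The MAC address used is an assumption chosen to reproduce the page's link-local suffix.

```python
import ipaddress


def eui64_suffix(mac: str) -> str:
    """Modified EUI-64 interface identifier for a 48-bit MAC, written as the
    four hextets the ASA shows after fe80:: in the link-local address:
    flip the universal/local bit of the first octet and insert ff:fe."""
    octets = bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ":".join(f"{(iid[i] << 8) | iid[i + 1]:x}" for i in range(0, 8, 2))


def combine_general_prefix(general_prefix: str, suffix: str) -> str:
    """Emulate 'ipv6 address <name> <ipv6-prefix/len>' with a general prefix
    learned by DHCPv6 PD: the delegated prefix supplies the top bits and the
    operator's argument supplies every bit below the delegated length."""
    gp = ipaddress.IPv6Network(general_prefix, strict=False)
    sfx = ipaddress.IPv6Interface(suffix)
    if sfx.network.prefixlen < gp.prefixlen:
        raise ValueError("interface prefix length is shorter than the delegated prefix")
    low_bits = (1 << (128 - gp.prefixlen)) - 1
    addr = (int(gp.network_address) & ~low_bits) | (int(sfx.ip) & low_bits)
    return f"{ipaddress.IPv6Address(addr)}/{sfx.network.prefixlen}"


def inside_subnet_ok(general_prefix: str, outside: str, inside: str) -> bool:
    """Step 4 check: the inside /64 must lie within the delegated prefix and
    must not overlap the /64 used on the outside interface."""
    gp = ipaddress.IPv6Network(general_prefix, strict=False)
    out_net = ipaddress.IPv6Interface(outside).network
    in_net = ipaddress.IPv6Interface(inside).network
    return in_net.subnet_of(gp) and not in_net.overlaps(out_net)


if __name__ == "__main__":
    # Prefix and suffixes come from the page's 'show' output; the MAC is an
    # assumption chosen to yield the page's link-local suffix (not on the page).
    pd = "2001:8003:a02c:8700::/56"
    outside = combine_general_prefix(pd, "::" + eui64_suffix("5087.89fc.7106") + "/64")
    inside = combine_general_prefix(pd, "::1:0:0:0:1/64")
    print("outside:", outside)   # 2001:8003:a02c:8700:5287:89ff:fefc:7106/64
    print("inside: ", inside)    # 2001:8003:a02c:8701::1/64
    print("inside /64 valid:", inside_subnet_ok(pd, outside, inside))  # True
```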

An IPv6 DHCP scope was also configured. In this case it works as stateless DHCP, as the interface only provides the subnet in router advertisements and each host adds its EUI-64 information to complete the address. In the example below I have also added the Telstra IPv6 DNS servers, but you can add your own, or use import dns-server to have the ASA try to obtain a server automatically.


ipv6 dhcp pool ALCATRONV6
dns-server 2001:8000:101::1
dns-server 2001:8000:101::2
domain-name alcatron.net

interface GigabitEthernet1/2
 ipv6 dhcp server ALCATRONV6

5) Finally, we can verify that the hosts are able to get the IPv6 subnet and configure their own IPv6 addresses:

ciscoasa-5506X# sh ipv6 neighbor | inc 2001

2001:8003:a02c:8701:497f:8a80:b975:d580    30 a4b8.058e.8236  STALE inside
2001:8003:a02c:8701:d565:2f36:d9b:32a7     39 1c5c.f2b4.6cad  STALE inside
2001:8003:a02c:8701:7c57:4bd5:bb68:1b9     17 a4b8.058e.8236  STALE inside
2001:8003:a02c:8701:c122:30ca:7b52:42ea     9 1c5c.f2b4.6cad  STALE inside
2001:8003:a02c:8701:5f:860c:b32b:c7        43 0015.5d01.0602  STALE inside
2001:8003:a02c:8701:597e:471f:bfd9:df3f     0 0cc4.7a70.a0a7  REACH inside
2001:8003:a02c:8701:6820:c272:e85e:2feb    20 7081.eb1a.c6e5  STALE inside
2001:8003:a02c:8701:f4d4:b595:88f8:374d    40 1c5c.f2b4.6cad  STALE inside
2001:8003:a02c:8701:8574:1c6f:5fd6:1f1b    43 20c9.d07a.5777  STALE inside

And verify the IPv6 connections:

ciscoasa-5506X# show conn | inc 2001

TCP outside  2404:6800:4006:806::2003:80 inside  2001:8003:a02c:8701:c122:30ca:7b52:42ea:51324, idle 0:00:32, bytes 15286, flags UIO
TCP outside  2404:6800:4006:806::2005:443 inside  2001:8003:a02c:8701:c122:30ca:7b52:42ea:51333, idle 0:00:14, bytes 630639, flags UIO
TCP outside  2a03:2880:f019:1:face:b00c:0:1:443 inside  2001:8003:a02c:8701:c122:30ca:7b52:42ea:51194, idle 0:02:03, bytes 17643, flags UIO
TCP outside  2a03:2880:f019:1:face:b00c:0:1:443 inside  2001:8003:a02c:8701:c122:30ca:7b52:42ea:51193, idle 0:01:23, bytes 8865, flags UFRIO


Other useful commands you will need:

sh ipv6 interface
 ! Shows the configured IPv6 addresses and subnet masks
 outside is up, line protocol is up
   IPv6 is enabled, link-local address is fe80::5287:89ff:fefc:7106
   Global unicast address(es):
     2001:8003:a02c:8700:5287:89ff:fefc:7106, subnet is 2001:8003:a02c:8700::/64
   Joined group address(es):
     ff02::1:fffc:7106
     ff02::2
     ff02::1
sh ipv6 general-prefix
 ! Shows the prefix acquired via PD and its lifetime
 IPv6 Prefix ciscoasa, acquired via DHCP PD
   2001:8003:a02c:8700::/56 Valid lifetime 11664, preferred lifetime 11664
    Consumer List                Usage count
     outside (Address command)   1

Another issue I had was getting traceroute to work correctly; to make sure it did, I had to ensure I had the following lines. These allow ping and echo reply to all your inside IPv6 hosts; you can tweak this as you like with the access lists. Note that the last line permits every ICMPv6 type from outside, so the three more specific lines above it only take effect on their own if you remove it.

access-list Outside_access_in extended permit icmp6 any6 any6 echo-reply
access-list Outside_access_in extended permit icmp6 any6 any6 time-exceeded
access-list Outside_access_in extended permit icmp6 any6 any6 unreachable
access-list Outside_access_in extended permit icmp6 any6 any6

The policy map was modified to ensure that traceroute works for both v4 and v6. You might have other entries in the policy-map; leave those and append any of the lines below that are missing.

policy-map global_policy
 class inspection_default
   inspect icmp
   inspect icmp error
 class class-default
   set connection decrement-ttl

service-policy global_policy global


This was a steep learning experience, but I finally have dual-stack IPv4 and IPv6 running on Telstra NBN through a Cisco ASA 5506-X. I have seen no articles which deal with prefix delegation on Cisco ASAs, so I thought I would do this write-up so that it can benefit others. Any questions, comments or feedback are welcome as usual 🙂

3 Comments

  1. shek, January 20, 2018

    Hi,
    What is your ASA IOS version? While configuring I am getting a prefix overlap error.

    interface bvi1
    ipv6 enable
    ipv6 address 2001:8003:a02c:8701::/64 << after this I am getting overlap error and

    eui-64 << this ends into error as well.

    Also,
    interface bvi 1
    ipv6 address ciscoasa ::1:0:0:0:1/64 <<< This ends into error as well.
    My version is Version 9.8(1)

  2. Art Vandelay, May 21, 2018

    This is a great write up and I've used it to get PD working on a 5506-x. My provider is Time Warner Cable/Spectrum and they're honoring a ::/56 hint but basically ignoring everything else. No hint results in a /64, a hint for a ::/56 gets me a /56. A hint for a /60 gets ignored and I still get a /60. I can live with a /56 of course but when I hint for my last prefix that gets dropped too and every reboot I get a different /56 so there's no consistency and it is very disappointing. We've progressed to 100% globally routable addresses on internal networks but are suffering the same woes of v4 dynamic addresses constantly changing.

    http://forums.timewarnercable.com/t5/IPv6/ASA-5506-X-using-PD-and-IPv6-Hint/td-p/152178

    This is my post to the local TWC forum. Please check it out and update if you have any feedback or update here.

  3. RBNetEngr, February 23, 2020

    In response to shek…

    It appears that the ASA does not support some of the IPV6 DHCP interface configuration commands on a BVI that it does on a physical interface. I experienced the same issue as you did, where I tried to define the general prefix as a name, and then assign the actual interface using the name, so that if it changes, it will change across all interfaces. But the command doesn’t work on BVI.
