How does one obtain an IPv6 DNS server when VPNing to an ASA?

Frank Bulk frnkblk at iname.com
Fri May 14 07:58:35 CEST 2010


Thanks for the warning regarding HA with IPv6 on the 8.2.

It took me a few hours to figure it out, so hopefully these code snippets help:

interface Vlan1
 nameif outside
 security-level 0
 ip address a.b.c.d 255.255.255.0
 ipv6 address 2607:fe28:11:1000::1/64
 ipv6 enable
 ipv6 nd prefix default no-advertise
!
interface Vlan2
 nameif inside
 security-level 100
 ip address e.f.g.h 255.255.255.0
 ipv6 address 2607:fe28:11:1001::2/64
 ipv6 enable
 ipv6 nd prefix default no-advertise
!

ipv6 icmp permit any outside
ipv6 icmp permit any inside
ipv6 local pool dvpn-ipv6-pool 2607:fe28:11:1001::5/64 100
ipv6 route inside 2607:fe28:11:4000::/50 2607:fe28:11:1001::1
ipv6 route outside ::/0 2607:fe28:11:1000::2
ipv6 access-list outside_access_in_ipv6 permit icmp6 any any

access-group outside_access_in_ipv6 in interface outside

tunnel-group premier_sslvpn general-attributes
 address-pool dvpn_pool
 ipv6-address-pool dvpn-ipv6-pool
 authentication-server-group RADIUS LOCAL
 default-group-policy premier_sslvpn

Frank

-----Original Message-----
From: Ben Jencks [mailto:ben at bjencks.net] 
Sent: Friday, May 14, 2010 12:53 AM
To: frnkblk at iname.com
Cc: Shaun Ewing; Shane Kerr; ipv6-ops at lists.cluenet.de
Subject: Re: How does one obtain an IPv6 DNS server when VPNing to an ASA?

It's officially supported in 8.2.x, but there's apparently a nasty bug
in at least the early versions where the "inactive" appliance still
sends RAs despite not forwarding traffic. Be careful and test
carefully. (I didn't experience this bug, we're still on 8.0, but I
know someone who did)

WRT the original question: I assume you're using AnyConnect? If so, I
can't help you, but if you've managed to get anything IPv6 to work
with IPsec on the ASA, I'd like to hear about it.

-Ben

On Fri, May 14, 2010 at 01:11, Frank Bulk <frnkblk at iname.com> wrote:
> I don't believe that's the case in 8.2.x, look for "IPv6 Support in
> Failover Configurations" in the following:
> http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp337399
>
> Frank
>
> -----Original Message-----
> From: Shaun Ewing [mailto:s.ewing at aussiehq.com.au]
> Sent: Friday, May 14, 2010 12:02 AM
> To: Shane Kerr; frnkblk at iname.com
> Cc: ipv6-ops at lists.cluenet.de
> Subject: Re: How does one obtain an IPv6 DNS server when VPNing to an ASA?
>
> <snip>
>
> We have a lot of ASAs, but they're all in HA - and
> anybody who has tried to do IPv6 on them knows (or should know) that IPv6
> support is presently non-existent when in a HA config.
>
> -Shaun
>
>


