How does one obtain an IPv6 DNS server when VPNing to an ASA?
Frank Bulk
frnkblk at iname.com
Fri May 14 07:58:35 CEST 2010
Thanks for the warning regarding HA with IPv6 on the 8.2
It took me a few hours to figure it out, so hopefully these code snippets help:

interface Vlan1
 nameif outside
 security-level 0
 ip address a.b.c.d 255.255.255.0
 ipv6 address 2607:fe28:11:1000::1/64
 ipv6 enable
 ipv6 nd prefix default no-advertise
!
interface Vlan2
 nameif inside
 security-level 100
 ip address e.f.g.h 255.255.255.0
 ipv6 address 2607:fe28:11:1001::2/64
 ipv6 enable
 ipv6 nd prefix default no-advertise
!
ipv6 icmp permit any outside
ipv6 icmp permit any inside
ipv6 local pool dvpn-ipv6-pool 2607:fe28:11:1001::5/64 100
ipv6 route inside 2607:fe28:11:4000::/50 2607:fe28:11:1001::1
ipv6 route outside ::/0 2607:fe28:11:1000::2
ipv6 access-list outside_access_in_ipv6 permit icmp6 any any
access-group outside_access_in_ipv6 in interface outside
tunnel-group premier_sslvpn general-attributes
 address-pool dvpn_pool
 ipv6-address-pool dvpn-ipv6-pool
 authentication-server-group RADIUS LOCAL
 default-group-policy premier_sslvpn

Frank
-----Original Message-----
From: Ben Jencks [mailto:ben at bjencks.net]
Sent: Friday, May 14, 2010 12:53 AM
To: frnkblk at iname.com
Cc: Shaun Ewing; Shane Kerr; ipv6-ops at lists.cluenet.de
Subject: Re: How does one obtain an IPv6 DNS server when VPNing to an ASA?

It's officially supported in 8.2.x, but there's apparently a nasty bug
in at least the early versions where the "inactive" appliance still
sends RAs despite not forwarding traffic. Be careful and test
carefully. (I didn't experience this bug, we're still on 8.0, but I
know someone who did)

WRT the original question: I assume you're using AnyConnect? If so, I
can't help you, but if you've managed to get anything IPv6 to work
with IPsec on the ASA, I'd like to hear about it.

-Ben

On Fri, May 14, 2010 at 01:11, Frank Bulk <frnkblk at iname.com> wrote:
> I don't believe that's the case in 8.2.x; look for "IPv6 Support in
> Failover Configurations" in the following:
> http://www.cisco.com/en/US/docs/security/asa/asa82/release/notes/asarn82.html#wp337399
>
> Frank
>
> -----Original Message-----
> From: Shaun Ewing [mailto:s.ewing at aussiehq.com.au]
> Sent: Friday, May 14, 2010 12:02 AM
> To: Shane Kerr; frnkblk at iname.com
> Cc: ipv6-ops at lists.cluenet.de
> Subject: Re: How does one obtain an IPv6 DNS server when VPNing to an ASA?
>
> <snip>
>
> We have a lot of ASAs, but they're all in HA - and
> anybody who has tried to do IPv6 on them knows (or should know) that IPv6
> support is presently non-existent when in a HA config.
>
> -Shaun
>
>