CiscoAsa

From SixXS Wiki

This article explains how to configure a Cisco ASA to pass protocol 41 (IPv6-in-IPv4 tunnel traffic) to an internal tunnel end-point.


Prerequisites for this article:

  • IOS 7.2(4) not working (asa724-k8.bin) (asdm-524.bin)
  • IOS 8.0(2) not working (asa802-k8.bin) (asdm-625.bin)
  • IOS 8.3(1) working (asa831-k8.bin) (asdm-631.bin)
  • IOS 8.4(1) working (asa841-k8.bin) (asdm-641.bin)
  • A working internal tunnel end-point running IPv6-in-IPv4 tunnel software. I have used a Linux server running Debian GNU/Linux 5.0 with the aiccu package. If you want to use a subnet, you also need the radvd package.
  • SSH access to the ASA.


Configuration setup I used:

  • IP address of the internal Debian machine is 192.168.35.18
  • I am using the outside interface of the ASA for translation; I only have one public IP.


Define a new protocol object group

conf t
 object-group protocol IPv6inIPv4
  protocol-object 41
 end
wr mem

Define the internal Debian Linux host (the tunnel end-point)

conf t
 object network IPv6_HOST
  host 192.168.35.18
 end
wr mem

Define the POP (the SixXS tunnel server) that you are using

conf t
 object network IPv6_POP
  host 192.87.102.107
 end
wr mem

With IOS 8.3 the way a NAT rule is configured has changed. You can now NAT on a specific source and destination pair, which is exactly what we need to make the IPv6-in-IPv4 tunnel work and to let protocol 41 flow through the ASA. Make sure this line is the first one in your NAT configuration; it must sit above all the other NAT rules (in ASDM: "Add NAT Rule Before 'Network Object' NAT Rules...").

conf t
 object network IPv6_HOST
  nat (inside,outside) source static IPv6_HOST interface destination static IPv6_POP IPv6_POP
 end
wr mem

Open up your firewall and let protocol 41 flow between the internal Debian host and the POP. I have put these lines at position one, the first line on the interface.

conf t
 access-list inside_access_in extended permit object-group IPv6inIPv4 object IPv6_HOST object IPv6_POP
 access-list outside_access_in extended permit object-group IPv6inIPv4 object IPv6_POP object IPv6_HOST
 end
wr mem

Now you should be able to configure the tunnel on the Debian box, or on any other machine on which you plan to run the tunnel end-point.
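Before bringing up aiccu it is worth verifying on the ASA itself that the NAT rule is ordered first and that a protocol-41 packet is allowed in both directions. The following verification commands are an added example and are not part of the original wiki page; they assume the interface names "inside" and "outside" and the object names used above, and `<OUTSIDE_PUBLIC_IP>` is a placeholder for the public address of the ASA's outside interface. Lines starting with `!` are comments.

```cisco
! Added verification steps (not from the original page). Run from enable mode
! on the ASA after the configuration above has been applied.
! Assumptions: interfaces "inside"/"outside", objects IPv6_HOST / IPv6_POP /
! IPv6inIPv4 as defined above; <OUTSIDE_PUBLIC_IP> is a placeholder.

! 1. Confirm the manual NAT rule is listed in "Manual NAT Policies (Section 1)"
!    and sits above any "object network" (auto) NAT rules.
show running-config nat
show nat

! 2. Confirm both access-list entries exist; the hitcnt counters should
!    increase once the tunnel is brought up.
show access-list inside_access_in
show access-list outside_access_in

! 3. Simulate an outbound protocol-41 packet from the Debian host to the POP.
!    Every phase (ACCESS-LIST, NAT, ...) should report ALLOW, and the NAT
!    phase should show the source translated to the outside interface address.
packet-tracer input inside rawip 192.168.35.18 41 192.87.102.107 detailed

! 4. Simulate the return packet from the POP to the public address. The
!    UN-NAT step should map the destination back to 192.168.35.18 and the
!    final result should be ALLOW. If it reports DROP in the ACCESS-LIST
!    phase, remember that on 8.3+ the outside_access_in entry must reference
!    the real (untranslated) host address, as it does above.
packet-tracer input outside rawip 192.87.102.107 41 <OUTSIDE_PUBLIC_IP> detailed

! 5. Once aiccu is running, confirm the ASA is tracking the connection.
show conn | include 192.168.35.18
```

If step 3 succeeds but step 4 is dropped, the most common cause is the NAT rule not being first: an object (auto) NAT rule for the host will then win and the inbound destination is never translated back to the Debian host.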