The objective is to use an IPv6 tunnel broker to provide access to the IPv6 Internet.
In my case I used the service of Hurricane Electric, which provides free IPv6 tunnels (nicely done guys). The broker provides the tunnel's interface addresses and a /48 network space. In this simulation the tunnel interface addresses come from FD02::/64 and the delegated network is FD03::/48.
However I had a problem to solve. Since the ASA cannot terminate an IPv6IP tunnel, I needed to pass the IPv6IP traffic (IP protocol 41) through the ASA to the internal router that terminates it.
The IPv4 and IPv6 Internet clouds, as well as the tunnel broker, are simulated by routers to keep the configuration simple and the demonstration easier to follow.
IPv4 Internet Router Configuration
hostname IPv4-Internet
!
interface Ethernet0/0
 description ASA Connection
 ip address 172.16.0.2 255.255.255.252
 no shutdown
!
interface Ethernet0/1
 description Tunnel-Broker Connection
 ip address 172.16.0.5 255.255.255.252
 no shutdown
IPv6 Internet Router Configuration
hostname IPv6-Internet
!
interface Loopback0
 description Internet destination simulation
 no ip address
 ipv6 address FD01::1/64
!
interface Ethernet0/0
 description Tunnel-Broker Connection
 no ip address
 ipv6 address FD00::2/64
 no shutdown
!
! This route will direct the IP subnet distributed from the tunnel broker to the client
ipv6 route FD03::/48 FD00::1
Tunnel Broker Configuration
hostname Tunnel_Brocker
!
interface Tunnel0
 description Tunnel End Broker Side
 no ip address
 ! IPv6 address of the tunnel
 ipv6 address FD02::1/64
 ! Tunnel source located in the external interface attached to the INTERNET
 tunnel source 172.16.0.6
 ! Tunnel mode IPv6 over IP
 tunnel mode ipv6ip
 ! Tunnel destination is the external IP of the remote tunnel end (the ASA outside interface)
 tunnel destination 172.16.0.1
!
interface Ethernet0/0
 description IPv6-Internet Connection
 no ip address
 ipv6 address FD00::1/64
 no shutdown
!
interface Ethernet0/1
 description IPv4-Internet Connection
 ip address 172.16.0.6 255.255.255.252
 no shutdown
!
! IPv4 default route pointing to the IPv4 Internet Router
ip route 0.0.0.0 0.0.0.0 172.16.0.5
!
! IPv6 route to the subnet distributed to the client, pointing to the tunnel
ipv6 route FD03::/48 Tunnel0 FD02::2
! IPv6 default route pointing to the IPv6 Internet Router
ipv6 route ::/0 FD00::2
ASA Configuration
hostname ASA
!
interface Ethernet0
 description IPv4-Internet Connection
 nameif outside
 security-level 0
 ip address 172.16.0.1 255.255.255.252
 no shutdown
!
interface Ethernet1
 description Internal Connection
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.252
 no shutdown
!
! Network object defining the internal network
object network inside-net
 subnet 192.168.0.0 255.255.255.0
!
! Network object defining the internal tunnel end address
object network INSIDE_TUNNEL_END
 host 10.0.0.1
!
! Network object defining the remote tunnel end address
object network OUTSIDE_TUNNEL_END
 host 172.16.0.6
!
! Object group defining the ipv6ip protocol (IP protocol 41)
object-group protocol IPv6IP
 protocol-object 41
!
! ACL to permit traffic through the ASA
! Allow the return IPv6IP traffic from 172.16.0.6 to 10.0.0.1
! The destination is the private (real) address because the ACL is evaluated after un-NAT
! The object-group keyword references the protocol object-group defined above
access-list outside_access_in extended permit object-group IPv6IP object OUTSIDE_TUNNEL_END object INSIDE_TUNNEL_END
!
! Make sure the nat rules are in this order: the static rule for the tunnel end must come first,
! because protocol 41 carries no ports and cannot be translated by the dynamic PAT rule
nat (inside,outside) source static INSIDE_TUNNEL_END interface destination static OUTSIDE_TUNNEL_END OUTSIDE_TUNNEL_END
nat (inside,outside) source dynamic inside-net interface
!
! Apply the ACL inbound on the outside interface
access-group outside_access_in in interface outside
!
! EIGRP routing configuration to learn the inside network 192.168.0.0 and distribute the default
router eigrp 10
 no auto-summary
 network 0.0.0.0 0.0.0.0
 redistribute static
!
! Static default route
route outside 0.0.0.0 0.0.0.0 172.16.0.2 1
!
! Allow ping to be inspected
policy-map global_policy
 class inspection_default
  inspect icmp
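To make the ASA behaviour concrete, here is an added example (not part of the original post and not Cisco code) that models the two points the configuration relies on: the tunnel broker and the internal router exchange plain IPv4 packets with protocol number 41 whose payload is an IPv6 packet, and the ASA must un-NAT the inbound packet to the real address 10.0.0.1 before the ACL is evaluated, using a static mapping because a port-less protocol cannot be handled by PAT. The packet bytes are constructed inline (checksums left at zero), the NAT and ACL tables are a simplified first-match model of the rules above, and the function names are my own.

```python
# Added example: minimal model of IPv6IP (protocol 41) encapsulation and of the
# ASA NAT + ACL logic from the configuration above. Not Cisco code; the NAT and
# ACL evaluation is a simplified first-match model written for illustration.
import ipaddress
import struct

IPPROTO_IPV6 = 41  # IPv6-in-IPv4 encapsulation, what "tunnel mode ipv6ip" sends


def build_ipv6ip(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Build a raw IPv4 packet (protocol 41) carrying a minimal IPv6 header.
    Constructed for the example: header checksum is left at zero."""
    # IPv6: version 6, payload length, next header 59 (no next header), hop limit 64
    inner = struct.pack("!IHBB", 0x60000000, len(payload), 59, 64)
    inner += ipaddress.IPv6Address(inner_src).packed
    inner += ipaddress.IPv6Address(inner_dst).packed + payload
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64,
                        IPPROTO_IPV6, 0,
                        ipaddress.IPv4Address(outer_src).packed,
                        ipaddress.IPv4Address(outer_dst).packed)
    return outer + inner


def parse_ipv6ip(pkt):
    """Decapsulate: return (outer_src, outer_dst, proto, inner_src, inner_dst).
    inner addresses are None when the outer protocol is not 41."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    outer_src = str(ipaddress.IPv4Address(src))
    outer_dst = str(ipaddress.IPv4Address(dst))
    if proto != IPPROTO_IPV6:
        return outer_src, outer_dst, proto, None, None
    inner = pkt[ihl:]
    if inner[0] >> 4 != 6:
        raise ValueError("protocol 41 payload is not an IPv6 packet")
    inner_src = str(ipaddress.IPv6Address(inner[8:24]))
    inner_dst = str(ipaddress.IPv6Address(inner[24:40]))
    return outer_src, outer_dst, proto, inner_src, inner_dst


# ---- simplified ASA policy model (addresses and names from the post) -------
OUTSIDE_IF_IP = "172.16.0.1"
INSIDE_TUNNEL_END = "10.0.0.1"
OUTSIDE_TUNNEL_END = "172.16.0.6"
INSIDE_NET = ipaddress.ip_network("192.168.0.0/24")

# First-match order, as in the configuration: static twice NAT first, PAT second.
NAT_RULES = [
    {"kind": "static", "real_src": INSIDE_TUNNEL_END, "mapped_src": OUTSIDE_IF_IP,
     "dst": OUTSIDE_TUNNEL_END},
    {"kind": "dynamic-pat", "real_net": INSIDE_NET, "mapped_src": OUTSIDE_IF_IP},
]

# outside_access_in, matched on REAL (untranslated) addresses: (proto, src, dst)
ACL_OUTSIDE_IN = [(IPPROTO_IPV6, OUTSIDE_TUNNEL_END, INSIDE_TUNNEL_END)]

PAT_CAPABLE = {1, 6, 17}  # ICMP, TCP, UDP: the only protocols PAT can multiplex


def untranslate_inbound(outer_src, outer_dst):
    """Reverse the static mapping for a packet arriving on outside.
    Protocol 41 has no port, so only a static entry can map it back."""
    for rule in NAT_RULES:
        if (rule["kind"] == "static" and outer_dst == rule["mapped_src"]
                and outer_src == rule["dst"]):
            return rule["real_src"]
    return None


def inbound_decision(pkt):
    """Un-NAT first, then evaluate the inbound ACL on the real destination."""
    outer_src, outer_dst, proto, _, _ = parse_ipv6ip(pkt)
    real_dst = untranslate_inbound(outer_src, outer_dst)
    if real_dst is None:
        return "drop: no NAT translation for inbound packet"
    for acl_proto, acl_src, acl_dst in ACL_OUTSIDE_IN:
        if proto == acl_proto and outer_src == acl_src and real_dst == acl_dst:
            return f"permit: {outer_src} -> {real_dst} proto {proto}"
    return "drop: denied by outside_access_in"


def outbound_translation(real_src, dst, proto):
    """Mapped source for an inside-originated packet, or None if untranslatable."""
    for rule in NAT_RULES:
        if rule["kind"] == "static" and real_src == rule["real_src"] and dst == rule["dst"]:
            return rule["mapped_src"]
        if rule["kind"] == "dynamic-pat" and ipaddress.ip_address(real_src) in rule["real_net"]:
            return rule["mapped_src"] if proto in PAT_CAPABLE else None
    return None


if __name__ == "__main__":
    # Constructed return packet: broker 172.16.0.6 -> ASA outside 172.16.0.1, FD02::1 -> FD02::2
    pkt = build_ipv6ip("172.16.0.6", "172.16.0.1", "fd02::1", "fd02::2")
    print(parse_ipv6ip(pkt))
    print(inbound_decision(pkt))
    print(outbound_translation("10.0.0.1", "172.16.0.6", 41))       # static: 172.16.0.1
    print(outbound_translation("192.168.0.10", "203.0.113.1", 41))  # PAT cannot map: None
```

The last two calls show why the static rule is needed at all: a LAN host sending protocol 41 through the dynamic PAT rule has no port for the ASA to rewrite, so only the router at 10.0.0.1, with its one-to-one mapping to the outside interface address, can be the tunnel endpoint behind the firewall.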
Check this other post to understand the packet flow process through the ASA.
IPv6IP Protocol 41
Internal Router Configuration
hostname INTERNAL
!
! IPv4 dhcp server configuration
ip dhcp pool Lan
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254
 domain-name bsnetworking.local
 dns-server 22.214.171.124
 lease 2
!
! IPv6 stack activation
ipv6 unicast-routing
ipv6 cef
!
! IPv6 dhcp server configuration
ipv6 dhcp pool LAN
 address prefix FD03::/48 lifetime infinite infinite
 dns-server 2001:4860:4860::8888
 domain-name bsnetworking.local
!
! Tunnel Termination
interface Tunnel0
 description IPv6IP tunnel to Tunnel_Broker
 no ip address
 ! IPv6 address given from the Broker
 ipv6 address FD02::2/64
 ! The tunnel source is the interface facing the ASA
 tunnel source 10.0.0.1
 ! The tunnel mode is IPV6IP
 tunnel mode ipv6ip
 ! The remote tunnel's end is the IP address of the Tunnel_Broker router external interface
 tunnel destination 172.16.0.6
!
interface Ethernet0/0
 description Lan Connection
 ! IPv4 Lan Gateway
 ip address 192.168.0.254 255.255.255.0
 ipv6 address FE80::1 link-local
 ! IPv6 Lan Gateway; this subnet was provided by the Broker
 ipv6 address FD03::1/48
 ! Force DHCP by setting the managed-config flag on this interface
 ipv6 nd managed-config-flag
 ! Apply the previously configured DHCP server to this interface
 ipv6 dhcp server LAN rapid-commit
 no shutdown
!
interface Ethernet0/1
 description ASA Connection
 ip address 10.0.0.1 255.255.255.252
 no shutdown
!
! EIGRP routing configuration
router eigrp 10
 network 10.0.0.1 0.0.0.0
 network 192.168.0.254 0.0.0.0
!
! Default IPv6 route pointing to the tunnel interface
ipv6 route ::/0 Tunnel0 FD02::1
! Tunnel interface status and connectivity
INTERNAL#show ipv6 interface brief
Ethernet0/0            [up/up]
    FE80::1
    FD03::1
Tunnel0                [up/up]
    FE80::A00:1
    FD02::2
INTERNAL#ping FD02::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FD02::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
INTERNAL#
! IPv4 and IPv6 DHCP leases
INTERNAL#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address      Client-ID/              Lease expiration        Type
                Hardware address/
                User name
192.168.0.1     0150.0000.0600.00       Dec 21 2016 06:33 PM    Automatic
INTERNAL#show ipv6 dhcp binding
Client: FE80::1D26:F6F0:F6D4:AE81
  DUID: 000100011C840564525400123456
  Username : unassigned
  VRF : default
  IA NA: IA ID 0x0E525400, T1 43200, T2 69120
    Address: FD03::90C1:C5DB:4AEB:519F:788C
            preferred lifetime INFINITY, , valid lifetime INFINITY,
PC connectivity verification
Make sure you visit the guys in Hurricane Electric and try it for real.
See you on the next post. Stay good.