IPv6IP Tunnel from a broker through a ASA

The objective is to use an IPv6 tunnel broker to provide access to the IPv6 Internet.

In my case I used the service of Hurricane Electric, which provides free IPv6 tunnels (nicely done, guys). The broker provides the tunnel's interface addresses and a /48 network space. In this simulation the tunnel interface addresses are in FD02::/64 and the provided network address will be FD03::/48.

However, I had a problem to solve. Since ASAs are unable to terminate IPv6IP tunnels, I needed to pass the IPv6IP traffic through the ASA.

The IPv4 and IPv6 Internet clouds, as well as the tunnel broker, are simulated by routers to simplify the configuration and make it easier to demonstrate.

IPv4 Internet Router Configuration

hostname IPv4-Internet
!
interface Ethernet0/0
 description ASA Connection
 ip address 172.16.0.2 255.255.255.252
 no shutdown
!
interface Ethernet0/1
 description Tunnel-Broker Connection
 ip address 172.16.0.5 255.255.255.252
 no shutdown

IPv6 Internet Router Configuration

hostname IPv6-Internet
!
interface Loopback0
 description Internet destination simulation
 no ip address
 ipv6 address FD01::1/64
!
interface Ethernet0/0
 description Tunnel-Broker Connection
 no ip address
 ipv6 address FD00::2/64
 no shutdown
!
! This route sends the /48 subnet allocated to the client back toward the tunnel broker
ipv6 route FD03::/48 FD00::1

Tunnel Broker Configuration

hostname Tunnel_Broker
!
interface Tunnel0
 description Tunnel End Broker Side
 no ip address
 ! IPv6 address of the tunnel
 ipv6 address FD02::1/64
 ! Tunnel source located in the external interface attached to the INTERNET
 tunnel source 172.16.0.6
 ! Tunnel mode IPv6 over IP
 tunnel mode ipv6ip
 ! Tunnel destination is the external IP of the remote tunnel end
 tunnel destination 172.16.0.1
!
interface Ethernet0/0
 description IPv6-Internet Connection
 no ip address
 ipv6 address FD00::1/64
 no shutdown
!
interface Ethernet0/1
 description IPv4-Internet Connection
 ip address 172.16.0.6 255.255.255.252
 no shutdown
!
! IPv4 default route pointing to the IPv4 Internet Router
ip route 0.0.0.0 0.0.0.0 172.16.0.5
!
! IPv6 route to subnet distributed to the client pointing to the tunnel
ipv6 route FD03::/48 Tunnel0 FD02::2
! IPv6 default route pointing to the IPv6 Internet Router
ipv6 route ::/0 FD00::2

ASA Configuration

hostname ASA
!
interface Ethernet0
 description IPv4-Internet Connection
 nameif outside
 security-level 0
 ip address 172.16.0.1 255.255.255.252
 no shutdown
!
interface Ethernet1
 description Internal Connection
 nameif inside
 security-level 100
 ip address 10.0.0.2 255.255.255.252
 no shutdown
!
! Network object defining the internal network
object network inside-net
 subnet 192.168.0.0 255.255.255.0
!
! Network object defining the internal tunnel end address
object network INSIDE_TUNNEL_END
 host 10.0.0.1
!
! Network object defining the remote tunnel end address
object network OUTSIDE_TUNNEL_END
 host 172.16.0.6
!
! Protocol object group defining IPv6IP (IP protocol 41)
object-group protocol IPv6IP
 protocol-object 41
!
! ACL to permit traffic through the ASA
! Allow only the IPv6IP return traffic from 172.16.0.6 (broker) to 10.0.0.1 (internal tunnel end)
! The destination is the inside router's real (private) address: since ASA 8.3 the interface ACL
! is evaluated against real addresses, after the NAT un-translation of the destination
access-list outside_access_in extended permit object-group IPv6IP object OUTSIDE_TUNNEL_END object INSIDE_TUNNEL_END
!
! Keep the NAT rules in this order: the static twice-NAT for the tunnel end must precede the dynamic PAT for the LAN
nat (inside,outside) source static INSIDE_TUNNEL_END interface destination static OUTSIDE_TUNNEL_END OUTSIDE_TUNNEL_END
nat (inside,outside) source dynamic inside-net interface
!
! Apply the ACL inbound on the outside interface
access-group outside_access_in in interface outside
!
! EIGRP routing configuration to learn the inside network 192.168.0.0 and distribute the default route
router eigrp 10
 no auto-summary
 network 0.0.0.0 0.0.0.0
 redistribute static
!
! Static default route
route outside 0.0.0.0 0.0.0.0 172.16.0.2 1
!
! Allow ping to be inspected
policy-map global_policy
 class inspection_default
  inspect icmp

Check this other post to understand the packet flow process through the ASA.

IPv6IP Protocol 41

[Figure ws_ipv6ip: packet capture showing the tunnel traffic carried as IP protocol 41]
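To make the ASA rules above concrete, here is an added Python example (not from the original post) that builds a constructed IPv6IP packet as the broker would send it, reads the outer IPv4 header (protocol 41) and walks it through the same outside-to-inside decision the ASA makes: the static twice-NAT rule un-translates the destination to the real address 10.0.0.1 first, and only then is outside_access_in evaluated, which is why the ACL names the private address. The addresses and object names are the ones used in this post; the packet contents and the stranger source 198.51.100.9 are constructed.

```python
import ipaddress
import struct

# Addresses from this post's lab; the names match the ASA network objects above
OUTSIDE_TUNNEL_END = ipaddress.ip_address("172.16.0.6")  # broker tunnel source
ASA_OUTSIDE = ipaddress.ip_address("172.16.0.1")         # "interface" mapped address
INSIDE_TUNNEL_END = ipaddress.ip_address("10.0.0.1")     # real address of INTERNAL router
IPV6IP = 41                                              # IP protocol number for ipv6ip

def build_ipv6ip(src4, dst4, src6, dst6, proto=IPV6IP):
    """Constructed sample packet: outer IPv4 header carrying a minimal IPv6 header."""
    inner = struct.pack("!IHBB", 0x60000000, 0, 59, 64)  # IPv6, no payload, next hdr 59
    inner += ipaddress.ip_address(src6).packed + ipaddress.ip_address(dst6).packed
    outer = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0x4000, 64,
                        proto, 0, ipaddress.ip_address(src4).packed,
                        ipaddress.ip_address(dst4).packed)
    return outer + inner

def parse_outer(pkt):
    """Fields the ASA matches on: protocol, source, destination, plus the encapsulated bytes."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20]), pkt[ihl:]

def parse_inner_ipv6(inner):
    """Source and destination of the tunnelled IPv6 packet (what the INTERNAL router sees)."""
    if inner[0] >> 4 != 6:
        raise ValueError("encapsulated packet is not IPv6")
    return ipaddress.ip_address(inner[8:24]), ipaddress.ip_address(inner[24:40])

def asa_inbound_decision(pkt):
    """Return (permitted, reason, inner_addrs) for a packet arriving on the outside interface.
    Order mirrors the ASA: NAT lookup (un-translate destination) before the interface ACL."""
    proto, src, dst, inner = parse_outer(pkt)
    # Twice NAT: source static INSIDE_TUNNEL_END interface destination static OUTSIDE_TUNNEL_END
    if src == OUTSIDE_TUNNEL_END and dst == ASA_OUTSIDE:
        real_dst = INSIDE_TUNNEL_END
    else:
        return False, "drop: no static translation for this source/destination", None
    # outside_access_in: permit IPv6IP (41) from OUTSIDE_TUNNEL_END to INSIDE_TUNNEL_END,
    # checked against the real (un-translated) destination address
    if proto == IPV6IP and src == OUTSIDE_TUNNEL_END and real_dst == INSIDE_TUNNEL_END:
        return True, "permit: outside_access_in", parse_inner_ipv6(inner)
    return False, "drop: outside_access_in (protocol not IPv6IP)", None

if __name__ == "__main__":
    ok = build_ipv6ip("172.16.0.6", "172.16.0.1", "fd02::1", "fd02::2")
    print(asa_inbound_decision(ok))
    stranger = build_ipv6ip("198.51.100.9", "172.16.0.1", "fd02::1", "fd02::2")
    print(asa_inbound_decision(stranger))
```

A protocol-41 packet from any source other than the broker, or a non-41 packet from the broker, is dropped, which is the exposure the ACL and the object-based NAT rule are limiting.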

Internal Router Configuration

hostname INTERNAL
!
! IPv4 DHCP server configuration
ip dhcp pool Lan
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.254
 domain-name bsnetworking.local
 dns-server 8.8.8.8
 lease 2
!
! IPv6 stack activation
ipv6 unicast-routing
ipv6 cef
!
! IPv6 DHCP server configuration
ipv6 dhcp pool LAN
 address prefix FD03::/48 lifetime infinite infinite
 dns-server 2001:4860:4860::8888
 domain-name bsnetworking.local
!
! Tunnel Termination
interface Tunnel0
 description IPv6IP tunnel to Tunnel_Broker
 no ip address
 ! IPv6 address given from the Broker
 ipv6 address FD02::2/64
 ! The tunnel source is the interface facing the ASA
 tunnel source 10.0.0.1
 ! The tunnel mode is IPV6IP
 tunnel mode ipv6ip
 ! The remote tunnel end is the IP address of the Tunnel_Broker router's external interface
 tunnel destination 172.16.0.6
!
interface Ethernet0/0
 description Lan Connection
 ! IPv4 Lan Gateway
 ip address 192.168.0.254 255.255.255.0
 ipv6 address FE80::1 link-local
 ! IPv6 Lan Gateway this subnet was provided from the Broker
 ipv6 address FD03::1/48
 ! Force DHCP removing the stateless configuration flag on this interface
 ipv6 nd managed-config-flag
 ! Apply the previously configured DHCP server to this interface
 ipv6 dhcp server LAN rapid-commit
 no shutdown
!
interface Ethernet0/1
 description ASA Connection
 ip address 10.0.0.1 255.255.255.252
 no shutdown
!
! EIGRP routing configuration
router eigrp 10
 network 10.0.0.1 0.0.0.0
 network 192.168.0.254 0.0.0.0
!
! Default IPV6 route pointing to the tunnel interface
ipv6 route ::/0 Tunnel0 FD02::1

Verification

! Tunnel interface status and connectivity
INTERNAL#show ipv6 interface brief
Ethernet0/0            [up/up]
    FE80::1
    FD03::1
Tunnel0                [up/up]
    FE80::A00:1
    FD02::2
INTERNAL#ping FD02::1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FD02::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
INTERNAL#
! IPv4 and IPv6 DHCP leases
INTERNAL#show ip dhcp binding
Bindings from all pools not associated with VRF:
IP address          Client-ID/              Lease expiration        Type
                    Hardware address/
                    User name
192.168.0.1         0150.0000.0600.00       Dec 21 2016 06:33 PM    Automatic
INTERNAL#show ipv6 dhcp binding
Client: FE80::1D26:F6F0:F6D4:AE81 
  DUID: 000100011C840564525400123456
  Username : unassigned
  VRF : default
  IA NA: IA ID 0x0E525400, T1 43200, T2 69120
    Address: FD03::90C1:C5DB:4AEB:519F:788C
            preferred lifetime INFINITY, , valid lifetime INFINITY,

PC connectivity verification

Voila.

Make sure you visit the guys at Hurricane Electric and try it for real.

See you on the next post. Stay good.