Enabling IPv6 on the ASA

One of the things that IPv6 brings back to the Internet is the ability to do real end-to-end addressing. With IPv4, one of the conservation mechanisms that gained wide acceptance was NAT, or Network Address Translation. This allowed for the (somewhat) painless use of private addressing on internal networks. As traffic passes through a NAT gateway or router, the packets are translated into packets containing globally unique public IP addresses. Return traffic simply has the reverse process performed on each packet. Although this is certainly not a firewall, it has provided some security benefit to hosts behind this type of router.

With IPv6, NAT is not needed and is actually discouraged. As a result, the quality of firewalls and stateful packet filtering is more important than ever. In my opinion, the ASA is a good-quality firewall and can easily fill many of the typical IPv6 filtering needs. This blog post is a short, simple example of an IPv6 configuration on an ASA5505.

interface Vlan1
 nameif inside
 security-level 100
! Internal IPv6 address
 ipv6 address <IPv6 Net>::/64 eui-64
! Enable IPv6 on internal interface
 ipv6 enable
!
interface Vlan2
 nameif outside
 security-level 0
! External IPv6 address
 ipv6 address <IPv6 Address>
! Enable IPv6 on external interface
 ipv6 enable
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
! IPv6 default route
ipv6 route outside ::/0 <IPv6 Address>

That is it.  That is a basic IPv6 configuration on the ASA.  It is that simple.  Stay tuned.  In the future, I’ll try to give some examples of allowing inbound traffic and combining some other more advanced features.
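The `eui-64` keyword on the inside interface means the low 64 bits of the address are derived from the interface MAC address using the standard modified EUI-64 procedure. The Python below is an added example, not part of the original post: it computes the address you should expect for a given /64 and MAC, and checks whether an address seen in a log was formed this way. The prefix and MAC are constructed sample values and the function names are hypothetical.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface identifier for a 48-bit MAC.

    Accepts 00:1b:54:aa:bb:cc, 00-1b-54-aa-bb-cc or Cisco-style 001b.54aa.bbcc.
    """
    hexdigits = mac.replace(":", "").replace("-", "").replace(".", "")
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray(bytes.fromhex(hexdigits))
    octets[0] ^= 0x02  # invert the universal/local bit
    # Insert ff:fe between the OUI and the device-specific half.
    eui = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return int.from_bytes(eui, "big")

def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing requires a /64 prefix")
    return net.network_address + eui64_interface_id(mac)

def mac_from_eui64(addr: str):
    """Return the MAC embedded in an EUI-64 derived address, or None."""
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None  # interface identifier was not built from a MAC
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit inversion
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    sample_mac = "001b.54aa.bbcc"        # constructed sample MAC
    sample_net = "2001:db8:1:1::/64"     # documentation prefix, constructed
    print("global    :", eui64_address(sample_net, sample_mac))
    print("link-local:", eui64_address("fe80::/64", sample_mac))
    print("embedded  :", mac_from_eui64("2001:db8:1:1:21b:54ff:feaa:bbcc"))
```

Because the interface identifier is a fixed function of the MAC, the inside address stays the same for a given prefix, which makes it predictable when you write filtering rules that reference it.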

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.