One of the things that IPv6 brings back to the Internet is the ability to do real end-to-end addressing. With IPv4, one of the conservation mechanisms that gained wide acceptance was NAT or Network Address Translation. This allowed for the (somewhat) painless use of private addressing on internal networks. As traffic passes through a NAT gateway or router, the packets are translated into packets containing globally unique public IP addresses. Return traffic simply has the reverse process performed on each packet. Although this is certainly not a firewall, it has provided some security benefit to hosts behind this type of router.
With IPv6, NAT is not needed and is actually discouraged. As a result, the quality of firewalls and stateful packet filtering is more important than ever. In my opinion, the ASA is a good quality firewall and can easily fill many of the typical IPv6 filtering needs. This blog post is a short, simple example of an IPv6 configuration on an ASA5505.
//Internal IPv6 Address
ipv6 address <IPv6 Net>::/64 eui-64
//Enable IPv6 on Internal Interface
//External IPv6 Address
ipv6 address <IPv6 Address>
//Enable IPv6 on External Interface
switchport access vlan 2
switchport access vlan 1
//IPv6 Default Route
ipv6 route outside ::/0 <IPv6 Address>
That is it. That is a basic IPv6 configuration on the ASA. It is that simple. Stay tuned. In the future, I’ll try to give some examples of allowing inbound traffic and combining some other more advanced features.