Since my home Internet connection has slowed down and my dissatisfaction has grown, I will try introducing IPv6 to improve it. Continuing to use the Cisco ASA imposes some restrictions, but I was able to build a minimal IPv6 environment.
The key points of the configuration are:
- WAN is an IPv6 global address assigned from JPNE (KDDI)
- The home LAN is an IPv6 unique local address
- IPv6 NAPT for the Internet on the Cisco ASA 5505
Home network overview
The home network is outlined below. In addition to the conventional PPPoE IPv4 connection, I use the IPv6 (IPoE) option.
- @nifty + FLET'S IPv6 connection option (free option added)
- ASA 5505 (Internet PPPoE router / FW)
- Catalyst 2960 + Aironet 1141 (PC / server connection)
I would really like to use IPv6 Plus for IPv4 over IPv6 (JPNE, so MAP-E), but I cannot use it on the Cisco ASA ...
List of supported devices here
IPv6 setting of Cisco ASA 5505
I added the IPv6 settings with reference to the following:
Cisco ASA: IPv6 Quick Start - Cisco Support Community
The IPv6 (IPoE) settings are added on top of the basic FLET'S PPPoE configuration. Note that the added lines are prefixed with +, which makes the configuration awkward to copy and paste.
Enable IPv6 on Interface / Get IPv6 address
Vlan 1 is the home network and Vlan 99 is the Internet. The Internet side is assigned automatically by the ISP, and the inside uses a unique local address. (The reason for using a unique local address is described later.)
    interface Vlan1
     nameif management
     security-level 100
     ip address 192.168.1.5 255.255.255.0
    + ipv6 address fd00:1::/64 eui-64
    + ipv6 address autoconfig
    + ipv6 enable
    + ipv6 nd ra-interval 30
    !
    interface Vlan99
     description internet
     nameif outside
     security-level 0
     pppoe client vpdn group nifty
     ip address pppoe setroute
    + ipv6 address autoconfig
    + ipv6 enable
IPv6 address acquisition confirmation
Confirm that IPv6 addresses are obtained with the interface settings above.
The output shows that a link-local address is generated on each interface. Vlan 1 (management) has the unique local address that was configured, and Vlan 99 (outside) has obtained a global unicast address allocated by the ISP. IPv6 addresses are allocated per subnet, and in my environment (@nifty IPv6 connection option) the interface gets an address from a /64 IPv6 range.
    ASA5505# sh ipv6 interface
    management is up, line protocol is up
      IPv6 is enabled, link-local address is fe80::xxxx:xxxx:xxxx:xxxx
      Global unicast address(es):
        fd00:1::xxxx:xxxx:xxxx:xxxx, subnet is fd00:1::/64
      Joined group address(es):
        ff02::1:xxxx:xxxx
        ff02::2
        ff02::1
    <snip>
    outside is up, line protocol is up
      IPv6 is enabled, link-local address is fe80::xxxx:xxxx:xxxx:xxxx
      Global unicast address(es):
        240b:10:XXXX:XXXX:xxxx:xxxx:xxxx:xxxx, subnet is 240b:10:XXXX:XXXX::/64 [AUTOCONFIG]
          valid lifetime 2591870 preferred lifetime 604670
      Joined group address(es):
        ff02::1:xxxx:xxxx
        ff02::2
        ff02::1
    <snip>
On a MacBook connected via the AP and switch, an IPv6 address is generated from the RA sent by the ASA, as shown below. You can also confirm with netstat -nr that the IPv6 gateway information is registered. (It may have been necessary to run route add ...; my memory and logs are poor ...)
    MacBook$ ifconfig en0
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether xx:xx:xx:xx:xx:xx
        inet6 fe80::aa:xxxx:xxxx:xxxx%en0 prefixlen 64 secured scopeid 0x4
        inet6 fd00:1::xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf secured
        inet6 fd00:1::xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf temporary
        inet 192.168.1.105 netmask 0xffffff00 broadcast 192.168.1.255
        nd6 options=201<PERFORMNUD,DAD>
        media: autoselect
        status: active
    MacBook$
    MacBook$ netstat -rn
    Routing tables
    Internet6:
    Destination   Gateway                         Flags   Netif Expire
    default       fe80::xxxx:xxxx:xxxx:xxxx%en0   UGc     en0
    default       fe80::%utun0                    UGcI    utun0
    ::1           ::1                             UHL     lo0
IPv6 routing setting for the Internet
To set the IPv6 route to the Internet on the ASA, first obtain the IPv6 address of the ISP-facing device. It is the address that the show ipv6 neighbor command lists on the outside interface.
    ASA5505# show ipv6 neighbor
    IPv6 Address                 Age Link-layer Addr State Interface
    fe80::221:d8ff:fe9a:xxxx       1 0021.d89a.xxxx  STALE outside
    fe80::9e5c:f9ff:fe23:xxxx      1 9c5c.f923.xxxx  STALE management
Set the IPv6 default route to the address of the ISP-facing device confirmed above.
    + ipv6 route outside ::/0 fe80::221:d8ff:fe9a:xxxx
IPv6 NAPT setting
Access from the home IPv6 LAN to the Internet goes through NAPT (PAT), as with conventional IPv4. Besides ordinary security measures, the reason is a constraint in the ASA's specification: the global addresses allocated by the ISP cannot be used inside the LAN.
Configure traffic from the unique local address range to be translated by NAPT to the IPv6 address of the outside interface.
    object-group network Internet-PAT
     description internet
     network-object 192.168.0.0 255.255.0.0
    nat (management,outside) source dynamic Internet-PAT interface
    + object network inside_v6
    +  subnet fd00:1::/64
    +  nat (management,outside) dynamic interface ipv6
(reference) www.cisco.com
Cisco ASA does not support IPv6 bridges
IPv6 was originally designed so that PCs use global addresses without NAT. When the prefix is assigned by an ISP, DHCPv6-PD (prefix delegation) is used.
For IPv6 addressing, see here
The ASA does not support the IPv6 bridge required for this DHCPv6-PD.
For this reason, IPv6 NAPT is used as an alternative for Internet access, in the same way as before.
Confirmation of operation and speed test
Confirm Internet access over IPv6 from a PC (MacBook) on the LAN. IPv6 connection information can be checked on this site.
As shown below, I have access to the Internet over IPv6.
I did not know an appropriate site for the speed test, and the one I used was in the USA, but the result was IPv4: 5 Mbps, IPv6: 29 Mbps, which was about 6 times faster. (From Tokyo, Japan)
(Reference) See IPv6 operation confirmation destination here
[DS-Lite connection confirmation model information - Internet multifeed](http://www.mfeed.co.jp/transix/ds-lite/contents/cisco_1812j.html)
By the way, since IPv6 of @nifty (FLET'S) is IPoE, IPv6 communication becomes possible by simply connecting the MacBook directly to the ONU.
We have not set IPv4 over IPv6
Because this configuration only connects to the IPv6 Internet and no IPv4 over IPv6 tunnel such as DS-Lite is set up, the speed-up applies only to IPv6-compatible sites, so the benefit is limited ...
Conclusion - IPv6 connection to the Internet with the Cisco ASA 5505 and NAPT communication
I added the IPv6 settings to the Cisco ASA 5505, connected to the Internet over IPv6 with IPoE, and enabled IPv6 communication from LAN PCs through NAPT. As a result, high-speed Internet access became possible, although only for IPv6-compliant sites.
Additional settings (excerpt)
    interface Vlan1
     nameif management
     security-level 100
     ip address 192.168.1.5 255.255.255.0
    + ipv6 address fd00:1::/64 eui-64
    + ipv6 address autoconfig
    + ipv6 enable
    + ipv6 nd ra-interval 30
    !
    interface Vlan99
     description internet
     nameif outside
     security-level 0
     pppoe client vpdn group nifty
     ip address pppoe setroute
    + ipv6 address autoconfig
    + ipv6 enable
    !
    + ipv6 route outside ::/0 fe80::221:d8ff:fe9a:xxxx
    !
    object-group network Internet-PAT
     description internet
     network-object 192.168.0.0 255.255.0.0
    nat (management,outside) source dynamic Internet-PAT interface
    + object network inside_v6
    +  subnet fd00:1::/64
    +  nat (management,outside) dynamic interface ipv6
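
A consistency check for the address plan in the excerpt above, as an added example that is not part of the original post: it verifies that the LAN prefix is a unique local prefix, that an IPv6 PAT rule covers it, and that the default route points at a link-local neighbor. The function name `audit` is hypothetical, the "+" markers are removed, and the masked next hop is replaced by a constructed address.

```python
import ipaddress
import re

# Constructed sample: the post's additional settings with the "+" markers
# removed and the masked next hop replaced by a made-up link-local address.
CONFIG = """\
interface Vlan1
 nameif management
 ipv6 address fd00:1::/64 eui-64
 ipv6 enable
interface Vlan99
 nameif outside
 ipv6 address autoconfig
 ipv6 enable
ipv6 route outside ::/0 fe80::1
object network inside_v6
 subnet fd00:1::/64
 nat (management,outside) dynamic interface ipv6
"""

ULA = ipaddress.ip_network("fc00::/7")  # unique local address block

def audit(config):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    # Statically configured LAN prefixes (the eui-64 form used in the post).
    lan = [ipaddress.ip_network(p, strict=False) for p in
           re.findall(r"^\s*ipv6 address (\S+/\d+) eui-64", config, re.M)]
    # Object subnets directly followed by an IPv6 interface PAT rule.
    pat = [ipaddress.ip_network(s, strict=False) for s in re.findall(
        r"^\s*subnet (\S+/\d+)\n\s*nat \(\w+,outside\) dynamic interface ipv6",
        config, re.M)]
    for net in lan:
        if not net.subnet_of(ULA):
            findings.append(f"{net}: LAN prefix is not a unique local prefix")
        if not any(net.subnet_of(p) for p in pat):
            findings.append(f"{net}: no IPv6 PAT rule covers this LAN prefix")
    hops = re.findall(r"^ipv6 route outside ::/0 (\S+)", config, re.M)
    if not hops:
        findings.append("no IPv6 default route on outside")
    for hop in hops:
        # The post takes the next hop from "show ipv6 neighbor" (link-local).
        if not ipaddress.ip_address(hop).is_link_local:
            findings.append(f"{hop}: next hop is not a link-local address")
    return findings

if __name__ == "__main__":
    print(audit(CONFIG) or "address plan is consistent")
```
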