designetwork(EN)

IT technical memo of networking

IPv6 connection to the Internet with the Cisco ASA 5505 and NAPT


Since my home Internet speed has dropped and my dissatisfaction with it has grown, I am introducing IPv6 in the hope of improving it. Although there are restrictions when continuing to use the Cisco ASA, it was possible to build a minimal IPv6 environment.

The key configuration points are:

  • WAN is an IPv6 global address assigned from JPNE (KDDI)
  • The home LAN is an IPv6 unique local address
  • IPv6 NAPT for the Internet on the Cisco ASA 5505

Home network overview

The home network is outlined below. In addition to the existing PPPoE IPv4 connection, the IPv6 (IPoE) option is used.

  • @nifty + FLET'S IPv6 connection option (free option added)
  • ASA 5505 (Internet PPPoE router / FW)
  • Catalyst 2960 + Aironet 1141 (PC / server connection)

I would really like to connect with IPv6 Plus (IPv4 over IPv6; it is JPNE, so MAP-E), but it cannot be used on the Cisco ASA ...

The list of supported devices is here:

csoption.nifty.com

IPv6 setting of Cisco ASA 5505

The IPv6 settings were added with reference to this page:

Cisco ASA: IPv6 Quick Start - Cisco Support Community

The IPv6 (IPoE) settings are added to the basic FLET'S PPPoE configuration. Note that the added lines are marked with a leading +, so they cannot be copied and pasted as they are.

Enabling IPv6 on the interfaces / obtaining IPv6 addresses

Vlan 1 is the home network and Vlan 99 is the Internet side. On the Internet side the address is assigned automatically by the ISP; on the inside a unique local address is used. (The reason for using a unique local address is described later.)

interface Vlan1
 nameif management
 security-level 100
 ip address 192.168.1.5 255.255.255.0 
+ ipv6 address fd00:1::/64 eui-64
+ ipv6 address autoconfig
+ ipv6 enable
+ ipv6 nd ra-interval 30
!
interface Vlan99
 description internet
 nameif outside
 security-level 0
 pppoe client vpdn group nifty
 ip address pppoe setroute 
+ ipv6 address autoconfig
+ ipv6 enable

Confirming IPv6 address acquisition

Confirm that IPv6 addresses are obtained with the interface settings above.

Link-local addresses have been generated on both interfaces. Vlan 1 (management) has the unique local address that was configured, and Vlan 99 (outside) has received a global unicast address allocated by the ISP. IPv6 addresses are allocated per subnet; in my environment (@nifty IPv6 connection option) a /64 range is obtained.

ASA5505# sh ipv6 interface
management is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::xxxx:xxxx:xxxx:xxxx
  Global unicast address(es):
    fd00:1::xxxx:xxxx:xxxx:xxxx, subnet is fd00:1::/64
  Joined group address(es):
    ff02::1:xxxx:xxxx
    ff02::2
    ff02::1
  <snip>
outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::xxxx:xxxx:xxxx:xxxx
  Global unicast address(es):
    240b:10:XXXX:XXXX:xxxx:xxxx:xxxx:xxxx, subnet is 240b:10:XXXX:XXXX::/64 [AUTOCONFIG]
      valid lifetime 2591870 preferred lifetime 604670
  Joined group address(es):
    ff02::1:xxxx:xxxx
    ff02::2
    ff02::1
  <snip>

On a MacBook connected through the AP and switch, an IPv6 address is generated from the RA sent by the ASA, as shown below. You can also confirm with netstat -nr that the IPv6 gateway has been registered. (It may be necessary to add a route manually with route add ... my memory and logs of this are poor ...)

MacBook$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    ether xx:xx:xx:xx:xx:xx
    inet6 fe80::aa:xxxx:xxxx:xxxx%en0 prefixlen 64 secured scopeid 0x4
    inet6 fd00:1::xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf secured
    inet6 fd00:1::xxxx:xxxx:xxxx:xxxx prefixlen 64 autoconf temporary
    inet 192.168.1.105 netmask 0xffffff00 broadcast 192.168.1.255
    nd6 options=201<PERFORMNUD,DAD>
    media: autoselect
    status: active
MacBook$
MacBook$ netstat -rn
Routing tables

Internet6:
Destination    Gateway                         Flags    Netif Expire
default        fe80::xxxx:xxxx:xxxx:xxxx%en0   UGc        en0
default        fe80::%utun0                    UGcI     utun0
::1            ::1                             UHL        lo0

IPv6 routing settings for the Internet

To configure IPv6 routing to the Internet on the ASA, the IPv6 address of the ISP-facing device is needed. The address learned on interface outside in the output of the show ipv6 neighbor command is the IPv6 address of the ISP-facing device.

ASA5505# show ipv6 neighbor 
IPv6 Address               Age Link-layer Addr State Interface
fe80::221:d8ff:fe9a:xxxx     1 0021.d89a.xxxx  STALE outside
fe80::9e5c:f9ff:fe23:xxxx    1 9c5c.f923.xxxx  STALE management

Set the IPv6 default route to the ISP address confirmed above.

+ ipv6 route outside ::/0 fe80::221:d8ff:fe9a:xxxx
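As an added example (not from the original post), the following Python script automates the step above: it parses show ipv6 neighbor output, picks the single neighbor on the outside interface, checks that it is a link-local address (which is why the route must name the interface) and that the address is consistent with the EUI-64 form of the neighbor's own MAC, and only then emits the ipv6 route line. The sample output is constructed; the xxxx placeholders of the post are filled with made-up values.

```python
import ipaddress

# Constructed sample in the format of the ASA's "show ipv6 neighbor" output
# (the xxxx placeholders of the original post replaced with made-up values).
SAMPLE_NEIGHBORS = """\
IPv6 Address               Age Link-layer Addr State Interface
fe80::221:d8ff:fe9a:1234     1 0021.d89a.1234  STALE outside
fe80::9e5c:f9ff:fe23:abcd    1 9c5c.f923.abcd  STALE management
"""


def mac_to_eui64_link_local(cisco_mac: str) -> ipaddress.IPv6Address:
    """Derive the EUI-64 link-local address from a Cisco-format MAC (xxxx.xxxx.xxxx)."""
    b = bytes.fromhex(cisco_mac.replace(".", ""))
    if len(b) != 6:
        raise ValueError(f"not a 48-bit MAC: {cisco_mac}")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    iid = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + iid)


def parse_neighbors(text: str) -> list:
    """Parse the neighbor table into dicts; the first line is the column header."""
    rows = []
    for line in text.splitlines()[1:]:
        addr, _age, mac, state, ifc = line.split()
        rows.append({"addr": ipaddress.IPv6Address(addr), "mac": mac,
                     "state": state, "interface": ifc})
    return rows


def default_route_for(text: str, outside_if: str = "outside") -> str:
    """Build the ASA default-route command from the ISP-side neighbor.

    Refuses to proceed if there is not exactly one neighbor on the outside
    interface, if that neighbor is not link-local, or if its address does not
    match the EUI-64 derivation of its own MAC (a cheap sanity check before
    pinning an address as the default gateway).
    """
    cands = [n for n in parse_neighbors(text) if n["interface"] == outside_if]
    if len(cands) != 1:
        raise ValueError(f"expected one neighbor on {outside_if}, found {len(cands)}")
    n = cands[0]
    if not n["addr"].is_link_local:
        raise ValueError(f"next hop {n['addr']} is not link-local")
    if mac_to_eui64_link_local(n["mac"]) != n["addr"]:
        raise ValueError(f"{n['addr']} does not match EUI-64 of {n['mac']}")
    return f"ipv6 route {outside_if} ::/0 {n['addr']}"


if __name__ == "__main__":
    print(default_route_for(SAMPLE_NEIGHBORS))
```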

IPv6 NAPT settings

Access from the home IPv6 LAN to the Internet uses NAPT (PAT), just as with IPv4. The reason is, in addition to the usual security considerations, the constraint in the ASA's specification that the global addresses allocated by the ISP cannot be used within the LAN.

Configure NAPT from the unique local address range to the IPv6 address of the outside interface.

object-group network Internet-PAT
 description internet
 network-object 192.168.0.0 255.255.0.0
nat (management,outside) source dynamic Internet-PAT interface
+ object network inside_v6
+  subnet fd00:1::/64
+  nat (management,outside) dynamic interface ipv6

(reference) www.cisco.com

The Cisco ASA does not support IPv6 bridging

An IPv6 environment is originally designed so that PCs use global addresses without NAT. When receiving an assignment from the ISP, DHCPv6-PD (prefix delegation) is used.

For IPv6 addressing, see here:

www.infraexpert.com

The ASA does not support the IPv6 bridging required for this DHCPv6-PD.

supportforums.cisco.com

For this reason, IPv6 NAPT is used for Internet access as an alternative, in the same way as before.

Confirmation of operation and speed test

Confirm IPv6 Internet access from a PC (MacBook) in the LAN. The IPv6 connection information is checked on this site:

test-ipv6.com

Internet access over IPv6 works, as shown below.


I did not know a suitable site for the speed test, and the one I used was located in the USA, but the result was IPv4: 5 Mbps, IPv6: 29 Mbps, about 6 times faster. (From Tokyo, Japan)


(Reference) The site used to confirm IPv6 operation is here:
DS-Lite connection confirmation model information - Internet Multifeed: http://www.mfeed.co.jp/transix/ds-lite/contents/cisco_1812j.html

Incidentally, since @nifty (FLET'S) IPv6 is IPoE, IPv6 communication is possible simply by connecting the MacBook directly to the ONU.

IPv4 over IPv6 is not configured

Since this configuration only connects to the IPv6 Internet and no IPv4 over IPv6 tunnel such as DS-Lite is set up, the speed improvement only applies to IPv6-capable sites ...

Conclusion - IPv6 connection to the Internet with the Cisco ASA 5505 and NAPT communication

Various IPv6 settings were added to the Cisco ASA 5505: an IPv6 IPoE connection to the Internet, and IPv6 communication from LAN PCs via NAPT. As a result, high-speed Internet access became possible, although only for IPv6-capable sites.

Additional settings (excerpt)

interface Vlan1
 nameif management
 security-level 100
 ip address 192.168.1.5 255.255.255.0 
+ ipv6 address fd00:1::/64 eui-64
+ ipv6 address autoconfig
+ ipv6 enable
+ ipv6 nd ra-interval 30
!
interface Vlan99
 description internet
 nameif outside
 security-level 0
 pppoe client vpdn group nifty
 ip address pppoe setroute 
+ ipv6 address autoconfig
+ ipv6 enable
!
+ ipv6 route outside ::/0 fe80::221:d8ff:fe9a:xxxx
!
object-group network Internet-PAT
 description internet
 network-object 192.168.0.0 255.255.0.0
nat (management,outside) source dynamic Internet-PAT interface
+ object network inside_v6
+  subnet fd00:1::/64
+  nat (management,outside) dynamic interface ipv6

This blog is the English version of my Japanese one.

Sorry if my English sentences are incorrect.
