[Solved] Cisco PIX IPv6 headaches

gkontos · #1 September 5th, 2012, 20:15

I know this is very off topic! But it is troubling me for a full day and I am about to explode

My ISP has assigned me with a /56 IPv6 subnet! I have successfully implemented a dual stack on my ZXV10 W300B router and I can use native IPv6 with it. But I also have a Cisco PIX 515 8.0.4 behind that I want to use.

The first /64 is being assigned as a link between the router and the outside interface .

# show run

Code:

!
interface Ethernet5
 nameif outside
 security-level 0
 ip address 10.30.0.2 255.255.255.0 
 ipv6 address autoconfig
!

# show ipv6 interface

Code:

outside is up, line protocol is up
  IPv6 is enabled, link-local address is fe80::2e0:b6ff:fe06:ddf  
  Global unicast address(es):
    2a02:580:8f00:2c00:2e0:b6ff:fe06:ddf, subnet is 2a02:580:8f00:2c00::/64 [AUTOCONFIG] 
      valid lifetime 7186 preferred lifetime 3586
  Joined group address(es):
    ff02::1
    ff02::2   
    ff02::1:ff06:ddf
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 1000 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  Hosts use stateless autoconfig for addresses.

The outside interface is getting an IP address from the the router advertisement. We can even ping google DNS:

# ping outside 2001:4860:4860::8888

Code:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2001:4860:4860::8888, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 80/100/110 ms

The inside interface is configured manually by using the last /64 subnet.

# show run

Code:

!
interface Ethernet0
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 
 ipv6 address 2a02:580:8f00:2cff::1/64
 ipv6 address autoconfig
!

I have also assigned manually an IPv6 address on my MAC from where I can ping the inside interface and vice versa:

~ gkontos$ ping6 2a02:580:8f00:2cff::1

Code:

PING6(56=40+8+8 bytes) 2a02:580:8f00:2cff::2 --> 2a02:580:8f00:2cff::1
16 bytes from 2a02:580:8f00:2cff::1, icmp_seq=0 hlim=64 time=1.695 ms
16 bytes from 2a02:580:8f00:2cff::1, icmp_seq=1 hlim=64 time=0.601 ms
16 bytes from 2a02:580:8f00:2cff::1, icmp_seq=2 hlim=64 time=0.603 ms
--- 2a02:580:8f00:2cff::1 ping6 statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 0.601/0.966/1.695/0.515 ms

But I can not ping google or use IPv6 with this configuration from my MAC. It is as if the packets don't pass across the interfaces

I know this is the wrong forum for this type of question. But I also know that we have some network gurus around here

So, if you have any idea... Please help!

jb_fvwm2 · #2 September 5th, 2012, 22:27

Have you tried searching networking-forum.com? (At least one
thread in its ipv6 subforum had a fix for an ipv6 problem
in August...) And/or a search on the problem, including the word "thread" in the title?

kpa · #3 September 5th, 2012, 22:31

I'm not sure if it's possible to use a /64 out of the /56 that way but at least in your configuration there doesn't seem to be anything that instructs the ZXV10 W300B router to forward the 2a02:580:8f00:2cff::/64 prefix to the external address of the cisco 2a02:580:8f00:2c00:2e0:b6ff:fe06:ddf. If it's anything like in IPv4 (I'm only learning IPv6 myself right now

) a static route should solve the problem.

gkontos · #4 September 5th, 2012, 23:11

Quote:

Originally Posted by kpa

I'm not sure if it's possible to use a /64 out of the /56 that way but at least in your configuration there doesn't seem to be anything that instructs the ZXV10 W300B router to forward the 2a02:580:8f00:2cff::/64 prefix to the external address of the cisco 2a02:580:8f00:2c00:2e0:b6ff:fe06:ddf. If it's anything like in IPv4 (I'm only learning IPv6 myself right now

) a static route should solve the problem.

You can split a /56 net to 256 /64 nets. I know it sounds crazy given the fact that a /64 net contains a 18,446,744,073,709,551,616 IP addresses.

Now the fact about the routing is what comes to my mind also. The problem is that in the ZXV10 you can not add a static IPv6 route. It runs some sort of embedded Linux, I have tried all possible ways without success so far.

The strange thing is that I can ping from the Internet the outside IP address of the Pix: 2a02:580:8f00:2cff::1

kpa · #5 September 5th, 2012, 23:30

The reason you can ping the outside interface from the internet is that it's still in a subnet that has routing set up both ways, the internet IPv6 hosts know how to reach it and the first router knows it's in a directly connected network.

The chain breaks for the subnet behind the cisco because the first router doesn't know that the subnet should be forwarded to the extenal address of the cisco.

gkontos · #6 September 5th, 2012, 23:45

Quote:

Originally Posted by kpa

The reason you can ping the outside interface from the internet is that it's still in a subnet that has routing set up both ways, the internet IPv6 hosts know how to reach it.

You are most probably right! I also did a capture on the pix while pinging google which reveals that the packets just leave:

Code:

   5: 01:34:53.614653 2a02:580:8f00:2cff::2 > 2001:4860:4860::8888: icmp6: echo request
   6: 01:34:54.614103 2a02:580:8f00:2cff::2 > 2001:4860:4860::8888: icmp6: echo request
   7: 01:34:55.615492 2a02:580:8f00:2cff::2 > 2001:4860:4860::8888: icmp6: echo request
   8: 01:34:56.615080 2a02:580:8f00:2cff::2 > 2001:4860:4860::8888: icmp6: echo request

On the other hand a ping on the internal interface completes:

Code:

140: 01:39:56.999429 2a02:580:8f00:2cff::2 > 2a02:580:8f00:2cff::1: icmp6: echo request
 141: 01:39:57.000747 2a02:580:8f00:2cff::1 > 2a02:580:8f00:2cff::2: icmp6: echo reply
 142: 01:39:58.000915 2a02:580:8f00:2cff::2 > 2a02:580:8f00:2cff::1: icmp6: echo request
 143: 01:39:58.001281 2a02:580:8f00:2cff::1 > 2a02:580:8f00:2cff::2: icmp6: echo reply

I wont sleep tonight

Although both Outside & Inside are statically connected, therefore there shouldn't be any routing issue. The same goes for IPv4 which works. Outside is 10.30.0.2/24 and Inside is 10.10.10.1/24.

kpa · #7 September 5th, 2012, 23:55

Replace the router with a FreeBSD box

gkontos · #8 September 6th, 2012, 00:01

Quote:

Originally Posted by kpa

Replace the router with a FreeBSD box

I would but my box has only 1 NIC

My goal is to use a full dual stack in my home-office and use IPv6 for all my internal devices. My Samsung doesn't support IPv6 yet though...

gkontos · #9 September 6th, 2012, 13:23

The problem appears to be in the ZXV10. It appears that it doesn't route IPv6!

I am waiting for a second NIC so that I can make a FreeBSD box as a router/firewall .

gkontos · #10 September 7th, 2012, 19:55

Solved with a nice implementation of FreeBSD9.1-RC1 as a Dual Stack Firewall/Router.

I will post a how-to soon in the mean time let me just share the speed comparison:

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
help about MPD + CISCO	mohareb	Networking	0	July 5th, 2012 21:11
IPv6 link-local & tcpdump using IPv6	Priyaamaresh	Networking	1	June 12th, 2012 12:32
What does CISCO use FreeBSD for?	baronobeefdip	General	12	March 3rd, 2012 21:42
Syslog and Cisco	erohal	Web & Network Services	1	February 17th, 2012 19:28
IPv6 DAD disables IPv6 Traffic, how to turn IPv6 back on?	benzh512	Networking	6	March 10th, 2009 16:57