IPv6 tunnel


This scenario details how to connect an IPv6-enabled site that has no native IPv6 internet service to a remote IPv6 routing service, providing end-to-end IPv6 transport and avoiding the need for NAT64.

Hurricane Electric (http://ipv6.he.net/) offers an excellent free service, Tunnelbroker (http://www.tunnelbroker.net/), which allows the use of globally routable IPv6 addresses on your network.

Once signed up, you will be allocated one /64 prefix to be used by your router and a single VLAN; if you would like IPv6 on additional VLANs, there is also a /46 prefix.
To make use of the IPv6 default route made available via the tunnel, OSPFv3 is used between the 1841 and the ASA.

IP configurations

Tunnel destination
Server IPv6 address 2001:470:bbbb:aaaa::1/64
Client IPv6 address 2001:470:bbbb:aaaa::2/64
Routed /48 2001:470:ffff::/46
VLAN10 2001:470:ffff:aa10::/64
VLAN30 2001:470:ffff:aa30::/64

1841 configuration

 ipv6 unicast-routing  
 ipv6 cef  
 interface Tunnel1  
  description HE IPV6 Tunnel  
  no ip address  
  ipv6 address 2001:470:bbbb:aaaa::2/64  
  ipv6 enable  
  tunnel source FastEthernet0/0  
  tunnel destination  
  tunnel mode ipv6ip  
 interface FastEthernet0/0  
  ip address dhcp client-id FastEthernet0/0  
  duplex auto  
  speed auto  
  ipv6 address 2001:470:ffff:aaa1::1/64  
  ipv6 enable  
  ipv6 ospf 1 area 0  
 ipv6 route ::/0 Tunnel1  
 ipv6 router ospf 1  
  default-information originate always  
  redistribute connected  
  redistribute static  

ASA Configuration

OSPFv3, which supports IPv6 addresses, is only available on versions 9.x of the ASA firmware.

 interface Vlan10  
  nameif outside   
  ipv6 address 2001:470:ffff:aaa1::2/64  
  ipv6 ospf cost 1  
  ipv6 ospf 1 area 0  
 interface Vlan30  
  nameif inside  
  security-level 100  
  ipv6 address 2001:470:ffff:aa30::1/64  
  ipv6 nd prefix 2001:470:ffff:aa30::/64  
 ipv6 router ospf 1  
  redistribute connected  
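
Before pasting an address plan like this onto the devices, it is worth checking it mechanically. The following is an added example, not part of the original page: it parses the `ipv6 address` lines from the two configurations above and compares them with the "IP configurations" list. The names `interfaces`, `audit` and `PLAN` are made up for this illustration, and the plan is keyed by the ASA interface names.

```python
import ipaddress
import re

# Constructed input: interface and "ipv6 address" lines copied from the page.
ROUTER_1841 = """
interface Tunnel1
 ipv6 address 2001:470:bbbb:aaaa::2/64
interface FastEthernet0/0
 ipv6 address 2001:470:ffff:aaa1::1/64
"""
ASA = """
interface Vlan10
 ipv6 address 2001:470:ffff:aaa1::2/64
interface Vlan30
 ipv6 address 2001:470:ffff:aa30::1/64
"""
# Values from the "IP configurations" list, exactly as written there.
PLAN = {"server": "2001:470:bbbb:aaaa::1/64", "routed": "2001:470:ffff::/46",
        "Vlan10": "2001:470:ffff:aa10::/64", "Vlan30": "2001:470:ffff:aa30::/64"}

def interfaces(config):
    """Map interface name -> IPv6Interface for each 'ipv6 address' line."""
    found, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"\s*interface\s+(\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"\s*ipv6 address\s+(\S+/\d+)\s*$", line)) and current:
            found[current] = ipaddress.IPv6Interface(m.group(1))
    return found

def audit(router_cfg, asa_cfg, plan):
    """Return a list of findings; an empty list means everything agrees."""
    rtr, asa, out = interfaces(router_cfg), interfaces(asa_cfg), []
    routed = ipaddress.IPv6Network(plan["routed"], strict=False)
    if str(routed) != plan["routed"]:
        out.append(f"routed {plan['routed']} has host bits set (network is {routed})")
    server = ipaddress.IPv6Interface(plan["server"])
    if rtr["Tunnel1"].network != server.network or rtr["Tunnel1"].ip == server.ip:
        out.append("Tunnel1 and the server address are not two hosts on one /64")
    if rtr["FastEthernet0/0"].network != asa["Vlan10"].network:
        out.append("1841 FastEthernet0/0 and ASA Vlan10 are on different prefixes")
    for name, iface in asa.items():
        if iface.network != ipaddress.IPv6Network(plan[name]):
            out.append(f"{name} is configured in {iface.network}, list says {plan[name]}")
        if not iface.network.subnet_of(routed):
            out.append(f"{name} prefix {iface.network} is outside {routed}")
    return out

if __name__ == "__main__":
    print("\n".join(audit(ROUTER_1841, ASA, PLAN)))
```

A prefix that differs between the plan and the device matters on the ASA in particular, because rules and `ipv6 nd prefix` statements written against the planned prefix would not cover the addresses actually in use.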

