Cisco Security Appliance - configuring IPv6 Appliance, Cisco, Security, configuring

IPv6-enabled Commands The following security appliance commands can accept and display IPv6 addresses:
•capture
•configure
•copy
•http
•name
•object-group
•ping
•show conn
•show local-host
•show tcpstat
•ssh
•telnet
•tftp-server
•who
•write


Configuring IPv6 on an Interface

At a minimum, each interface needs to be configured with an IPv6 link-local address. Additionally, you can add a site-local and global address to the interface.

Note The security appliance does not support IPv6 anycast addresses.
You can configure both IPv6 and IPv4 addresses on an interface.
To configure IPv6 on an interface, perform the following steps:
Step 1 Enter interface configuration mode for the interface on which you are configuring the IPv6 addresses:
hostname(config)# interface if


Step 2 Configure an IPv6 address on the interface. You can assign several IPv6 addresses to an interface, such as an IPv6 link-local, site-local, and global address. However, at a minimum, you must configure a link-local address.
There are several methods for configuring IPv6 addresses. Pick the method that suits your needs from the following:
•The simplest method is to enable stateless autoconfiguration on the interface. Enabling stateless autoconfiguration on the interface configures IPv6 addresses based on prefixes received in Router Advertisement messages. A link-local address, based on the Modified EUI-64 interface ID, is automatically generated for the interface when stateless autoconfiguration is enabled. To enable stateless autoconfiguration, enter the following command:
hostname(config-if)# ipv6 address autoconfig


•If you only need to configure a link-local address on the interface and are not going to assign any other IPv6 addresses to the interface, you have the option of manually defining the link-local address or generating one based on the interface MAC address (Modified EUI-64 format):
–Enter the following command to manually specify the link-local address:
hostname(config-if)# ipv6 address ipv6-address link-local


–Enter the following command to enable IPv6 on the interface and automatically generate the link-local address using the Modified EUI-64 interface ID based on the interface MAC address:
hostname(config-if)# ipv6 enable



Note You do not need to use the ipv6 enable command if you enter any other ipv6 address commands on an interface; IPv6 support is automatically enabled as soon as you assign an IPv6 address to the interface.
•Assign a site-local or global address to the interface. When you assign a site-local or global address, a link-local address is automatically created. Enter the following command to add a global or site-local address to the interface. Use the optional eui-64 keyword to use the Modified EUI-64 interface ID in the low order 64 bits of the address.
hostname(config-if)# ipv6 address ipv6-address [eui-64]


Step 3 (Optional) Suppress Router Advertisement messages on an interface. By default, Router Advertisement messages are automatically sent in response to router solicitation messages. You may want to disable these messages on any interface for which you do not want the security appliance to supply the IPv6 prefix (for example, the outside interface).
Enter the following command to suppress Router Advertisement messages on an interface:
hostname(config-if)# ipv6 nd suppress-raEnforcing the Use of Modified EUI-64 Interface IDs in IPv6 Addresses RFC 3513: Internet Protocol Version 6 (IPv6) Addressing Architecture requires that the interface identifier portion of all unicast IPv6 addresses, except those that start with binary value 000, be 64 bits long and be constructed in Modified EUI-64 format. The security appliance can enforce this requirement for hosts attached to the local link.
To enforce the use of Modified EUI-64 format interface identifiers in IPv6 addresses on a local link, enter the following command:
hostname(config)# ipv6 enforce-eui64 if_name


The if_name argument is the name of the interface, as specified by the namif command, on which you are enabling the address format enforcement.
When this command is enabled on an interface, the source addresses of IPv6 packets received on that interface are verified against the source MAC addresses to ensure that the interface identifiers use the Modified EUI-64 format. If the IPv6 packets do not use the Modified EUI-64 format for the interface identifier, the packets are dropped and the following system log message is generated:
%PIX|ASA-3-325003: EUI-64 source address check failed.


The address format verification is only performed when a flow is created. Packets from an existing flow are not checked. Additionally, the address verification can only be performed for hosts on the local link. Packets received from hosts behind a router will fail the address format verification, and be dropped, because their source MAC address will be the router MAC address and not the host MAC address.
Configuring IPv6 Duplicate Address Detection During the stateless autoconfiguration process, duplicate address detection verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection is performed first on the new link-local address. When the link local address is verified as unique, then duplicate address detection is performed all the other IPv6 unicast addresses on the interface.
Duplicate address detection is suspended on interfaces that are administratively down. While an interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a pending state. An interface returning to an administratively up state restarts duplicate address detection for all of the unicast IPv6 addresses on the interface.
When a duplicate address is identified, the state of the address is set to DUPLICATE, the address is not used, and the following error message is generated:
%PIX|ASA-4-325002: Duplicate address ipv6_address/MAC_address on interface


If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface. If the duplicate address is a global address, the address is not used. However, all configuration commands associated with the duplicate address remain as configured while the state of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on the new link-local address and all of the other IPv6 address associated with the interface are regenerated (duplicate address detection is performed only on the new link-local address).
The security appliance uses neighbor solicitation messages to perform duplicate address detection. By default, the number of times an interface performs duplicate address detection is 1.
To change the number of duplicate address detection attempts, enter the following command:
hostname(config-if)#ipv6 nd dad attempts value


The value argument can be any value from 0 to 600. Setting the value argument to 0 disables duplicate address detection on the interface.
When you configure an interface to send out more than one duplicate address detection attempt, you can also use the ipv6 nd ns-interval command to configure the interval at which the neighbor solicitation messages are sent out. By default, they are sent out once every 1000 milliseconds.
To change the neighbor solicitation message interval, enter the following command:
hostname(config-if)#ipv6 nd ns-interval value
The value argument can be from 1000 to 3600000 milliseconds.


Configuring IPv6 Access Lists

Configuring an IPv6 access list is similar configuring an IPv4 access, but with IPv6 addresses.
To configure an IPv6 access list, perform the following steps:
Step 1 Create an access entry. To create an access list, use the ipv6 access-list command to create entries for the access list. There are two main forms of this command to choose from, one for creating access list entries specifically for ICMP traffic, and one to create access list entries for all other types of IP traffic.
•To create an IPv6 access list entry specifically for ICMP traffic, enter the following command:
hostname(config)# ipv6 access-list id [line num] {permit | deny} icmp source destination [icmp_type]


•To create an IPv6 access list entry, enter the following command:
hostname(config)# ipv6 access-list id [line num] {permit | deny} protocol source [src_port] destination [dst_port]


The following describes the arguments for the ipv6 access-list command:
•id—The name of the access list. Use the same id in each command when you are entering multiple entries for an access list.
•line num—When adding an entry to an access list, you can specify the line number in the list where the entry should appear.
•permit | deny—Determines whether the specified traffic is blocked or allowed to pass.
•icmp—Indicates that the access list entry applies to ICMP traffic.
•protocol—Specifies the traffic being controlled by the access list entry. This can be the name (ip, tcp, or udp) or number (1-254) of an IP protocol. Alternatively, you can specify a protocol object group using object-group grp_id.
•source and destination—Specifies the source or destination of the traffic. The source or destination can be an IPv6 prefix, in the format prefix/length, to indicate a range of addresses, the keyword any, to specify any address, or a specific host designated by host host_ipv6_addr.
•src_port and dst_port—The source and destination port (or service) argument. Enter an operator (lt for less than, gt for greater than, eq for equal to, neq for not equal to, or range for an inclusive range) followed by a space and a port number (or two port numbers separated by a space for the range keyword).
•icmp_type—Specifies the ICMP message type being filtered by the access rule. The value can be a valid ICMP type number (from 0 to 155) or one of the ICMP type literals as shown in Appendix D, "Addresses, Protocols, and Ports". Alternatively, you can specify an ICMP object group using object-group id.
Step 2 To apply the access list to an interface, enter the following command:
hostname(config)# access-group access_list_name {in | out} interface if_name