[c-nsp] ASA for IPv6

Justin M. Streiner streiner at cluebyfour.org
Mon Aug 22 00:00:43 EDT 2016


On Sat, 20 Aug 2016, Michael Lee wrote:

> Currently I have an ASA 5580 with IPv4 NAT set up (public IP outside and RFC
> 1918 inside). I am considering running IPv6 with public IPv6 outside and
> public IPv6 inside (routing mode).
>
> Just wondering if there is anything I would need to consider (except CPU,
> memory and sessions).

We have IPv6 running behind/through several ASAs of different types - 
mostly 5585Xs and a few 5540s.  A few other important points to consider:

1. IPv6 support has gotten much better in newer releases of code.  A few 
of the later 8.4 releases are pretty stable, as are 9.3 releases.  I don't 
know what versions are supported for the 5580 platform, but this is 
important to consider.

2. Consider your default IPv6 rulesets very carefully.  In many 
applications, functional ICMP in the IPv4 world was a nice-to-have 
feature, but in IPv6, properly functioning ICMPv6 is absolutely crucial. 
When we were working through our default rulesets, we used RFC4890 as a 
starting point and added/removed from there.

3. Support for IPv6 in both routed and transparent contexts seems to be 
pretty good, but we haven't done exhaustive tests to determine if there is 
full feature parity between the two different context types.

We haven't deployed any IPv6 remote-access or site-to-site VPN tunnels 
yet, but I wouldn't be surprised to see that coming before too long.

At this point, we haven't noticed any ASA performance issues that can be 
directly pinned to IPv6, and we've had it in full production use for roughly 
a year, and in a testing capacity since 2011.

jms
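
An added example, not part of the original post: a small audit that evaluates a first-match ICMPv6 ruleset against the transit types and codes RFC 4890 section 4.3.1 says must not be dropped, the RFC the message names as its starting point. The rule format and the sample ruleset are constructed for illustration and are not ASA syntax.

```python
# Added example (not from the original post). Rule format and sample
# ruleset are constructed; type/code values follow RFC 4890 section 4.3.1.

# ICMPv6 (type, code) pairs that must not be dropped in transit.
# Type 1 is required for all codes; codes 0-6 are those in RFC 4443.
MUST_NOT_DROP = (
    [(1, c) for c in range(7)]   # Destination Unreachable
    + [(2, 0)]                   # Packet Too Big (path MTU discovery)
    + [(3, 0)]                   # Time Exceeded: hop limit exceeded
    + [(4, 1), (4, 2)]           # Parameter Problem: codes 1 and 2
    + [(128, 0), (129, 0)]       # Echo Request / Echo Response
)


def decide(rules, icmp_type, code):
    """First-match evaluation. Each rule is (action, type, code); a type
    or code of None is a wildcard. No match means implicit deny."""
    for action, r_type, r_code in rules:
        if r_type in (None, icmp_type) and r_code in (None, code):
            return action
    return "deny"


def audit(rules):
    """Return the must-not-drop (type, code) pairs this ruleset drops."""
    return [tc for tc in MUST_NOT_DROP if decide(rules, *tc) != "permit"]


# Constructed ruleset with two common mistakes: a deny that shadows a
# later permit, and types that were never permitted at all.
SAMPLE_RULES = [
    ("permit", 128, None),   # echo request
    ("permit", 129, None),   # echo response
    ("deny", 1, 4),          # port unreachable denied before the permit
    ("permit", 1, None),     # destination unreachable, any code
    ("permit", 3, None),     # time exceeded, any code
]

if __name__ == "__main__":
    for icmp_type, code in audit(SAMPLE_RULES):
        print(f"dropped but required: type {icmp_type} code {code}")
```

On the sample ruleset the audit flags Packet Too Big and both Parameter Problem codes as never permitted, plus the Destination Unreachable code hidden behind the earlier deny.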

