ASA 9.x Anyconnect IPv6 VPN

Preface

I have some odd reasons for deploying IPv6: a Chinese door entry system and Xbox Live events. The latest, however, isn’t as odd – a CloudFlare deployment.

Why would you need IPv6 for deploying CloudFlare, you may ask? Well, with IPv6 being preferred in most modern OSes and CloudFlare being IPv6 enabled, it all just works, UNTIL you want to have certain parts of a site IP restricted based on a pinhole VPN and your end clients are dual stacked.

Pinhole VPN? Huh?

A pinhole VPN is one where only certain subnets are included in interesting traffic: users VPN to a device, which then classes some internet hosts as interesting traffic. This means you then have a known IP to help with those restrictions.

Now, this works fine with IPv4 and IPv6, *but* if the user has an IPv6 connection, such as BT/Sky in the UK, v6 is preferred. Hence CloudFlare, even when passing the original IP, sees an IPv6 home user, which is difficult to restrict given that those addresses aren’t static.

The fix – add ipv6 to the pinhole VPN.


Adding IPv6 to a pinhole VPN

Adding IPv6 is pretty straightforward on an ASA – it follows the same basic path as IPv4 VPNs, except of course for NAT.

It is worth mentioning that you should have same-security intra-interface traffic permitted (same-security-traffic permit intra-interface). This is required because, on a pinhole, you are essentially coming in from the outside to go back out via the outside interface.

Steps:

  1. Configure IPv6 Interfaces, route Outside
  2. Define a pool
  3. Create some Object Groups
  4. Alter some ACLs
  5. Add ipv6 to the Group Policy
  6. Add ipv6 pool to the Tunnel Group

Example:

Note: this is not a complete example; it only adds IPv6 support to an existing client VPN setup.

For the below: our outside is 2001:DB8::/64, pool is 2001:db8:0:1::/64
Our VPN uses the ACL named “vpn” for specifying interesting traffic.

interface GigabitEthernet1/1
 nameif outside
 ipv6 address 2001:DB8::2/64 standby 2001:DB8::4

ipv6 route outside ::/0 2001:DB8::1

! note, pool has to start with an address, not a network
ipv6 local pool ipv6pool 2001:DB8:0:1::1/64 200

object-group network CloudFlare-ipv6
 network-object 2400:cb00::/32
 network-object 2606:4700::/32
 network-object 2803:f800::/32
 network-object 2405:b500::/32
 network-object 2405:8100::/32
 network-object 2a06:98c0::/29
 network-object 2c0f:f248::/32
object-group network ipv6_ssl_vpn_pool
 network-object 2001:DB8:0:1::/64

! VPN ACL is already defined, so all we do here is add an entry for ipv6
access-list vpn extended permit ip object-group CloudFlare-ipv6 object-group ipv6_ssl_vpn_pool

! note! ipv6 and ipv4 use the SAME tunnel ACL, do not confuse this with VPN filter. So no need to specify an ACL here.

group-policy GroupPolicy attributes
 ipv6-split-tunnel-policy tunnelspecified

tunnel-group TunnelGroup general-attributes
 ipv6-address-pool ipv6pool
So now, when folks VPN in, to get to CloudFlare, they use the ipv6 tunnel, meaning a known ipv6 address.
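
As an added example (not part of the original post), this Python check reads a saved running-config and reports which of the IPv6 pinhole pieces above are missing: the default route, the pool, the ACL entry and its object groups, the group policy and the tunnel group. The function name audit_ipv6_pinhole and the trimmed sample config are assumptions built from the post's own values.

```python
import ipaddress

# Constructed sample: a trimmed copy of the post's IPv6 additions.
SAMPLE = """\
ipv6 route outside ::/0 2001:DB8::1
ipv6 local pool ipv6pool 2001:DB8:0:1::1/64 200
object-group network CloudFlare-ipv6
 network-object 2606:4700::/32
object-group network ipv6_ssl_vpn_pool
 network-object 2001:DB8:0:1::/64
access-list vpn extended permit ip object-group CloudFlare-ipv6 object-group ipv6_ssl_vpn_pool
group-policy GroupPolicy attributes
 ipv6-split-tunnel-policy tunnelspecified
tunnel-group TunnelGroup general-attributes
 ipv6-address-pool ipv6pool
"""

def audit_ipv6_pinhole(config, acl="vpn"):
    """Hypothetical helper: list missing pieces; [] means all are present."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings, pools, groups, current = [], {}, {}, None
    for w in (ln.split() for ln in lines):
        if w[:3] == ["ipv6", "local", "pool"] and len(w) >= 5:
            first = ipaddress.IPv6Interface(w[4])
            pools[w[3]] = first.network
            if first.ip == first.network.network_address:
                findings.append(f"pool {w[3]} starts at a network, not an address")
        elif w[:2] == ["object-group", "network"] and len(w) > 2:
            current = groups.setdefault(w[2], [])
        elif w[0] == "network-object" and current is not None and len(w) == 2:
            try:
                current.append(ipaddress.ip_network(w[1]))
            except ValueError:
                pass  # named objects are out of scope for this check
    if not any(ln.startswith("ipv6 route outside ::/0 ") for ln in lines):
        findings.append("no IPv6 default route via outside")
    if "ipv6-split-tunnel-policy tunnelspecified" not in lines:
        findings.append("group policy lacks ipv6-split-tunnel-policy tunnelspecified")
    used = [ln.split()[1] for ln in lines if ln.startswith("ipv6-address-pool ")]
    if not used or any(name not in pools for name in used):
        findings.append("tunnel group does not reference a defined IPv6 pool")
    ok = False
    for w in (ln.split() for ln in lines):
        if w[:2] == ["access-list", acl] and w.count("object-group") == 2:
            src, dst = groups.get(w[-3], []), groups.get(w[-1], [])
            ok |= any(n.version == 6 for n in src) and any(
                p.subnet_of(n) for p in pools.values() for n in dst if n.version == 6)
    if not ok:
        findings.append(f"ACL {acl} has no entry from IPv6 networks to the pool")
    return findings
```

Run it against the output of show running-config saved to a file; an empty list means the IPv6 side of the pinhole is wired up end to end.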

