IPv6 Subnetting

Hello,
So far, as I understood from different web searches and resource materials, the Internet Registry (ARIN, for example) provides a /32 address block to a Top ISP. The Top ISP provides a /48 to customers or to normal ISPs (Lower ISPs). Finally, the customer breaks the /48 into subnets using the 16 bits available (2^16=65535 /64 subnets). Here my question comes in: how is subnetting performed this way? If 65535 subnets are to be used, how can we categorize them into Class A, B and C like in IPv4? About hosts, I understand that the low-order 64 bits in the IPv6 address are used for hosts, but how do I know which hosts to assign to which subnets? And because VLSM is not necessary in IPv6, does it mean that the Classless Routing Protocols concept is gone and IPv6 will be Classful?
Someone kindly shed some light on how IPv6 subnetting is performed step by step.
Your response is highly appreciated.
Regards,
AM

The first thing with IPv6 is to forget everything you learnt about IPv4 conservation. To put it crudely: be wasteful, and do not be concerned that you have 1.8x10^18 usable host addresses in a /64 and are only going to use it to address a point-to-point link or use it for a VLAN allocation for 15 servers.
(I am being overly simplistic here to illustrate a point, there are some subtleties, though in essence go with this)
There are also no classes, no network addresses, no broadcast addresses, no wild bit masks. Everything is CIDR, all addresses are useable.
So in the example of getting a /48, you get 65536 x /64 prefixes (2^16 bits of subnetting).
Then just start assigning /64s everywhere you would assign any sized subnet in IPv4 (with the exception of loopbacks).
So from the 1st /64, sequentially number all loopbacks for devices using /128 (e.g. prefix::1, ::2, ::3, ::4 etc.),
then your first point-to-point link gets the next /64, and the next point-to-point link gets the next /64 and so on, then your first VLAN gets the next /64 and so on.
So if you have 20 devices, 34 point-to-point links and 12 VLANs in your network you would ultimately be using 47 x /64 prefixes from your /48 and keep the rest (65489 x /64s) for later use.
That's the subnets taken care of. Hosts are in general addressed in the last 64 bits of the prefix. This can be done in one of three ways:
Manually configured (e.g. prefix::3/64, prefix::7/64, prefix::AB/64, prefix::cafe:f00d/64),
Using DHCPv6, or
Using SLAAC (Stateless Address Autoconfiguration), where the host generates its own IPv6 address using its MAC address and padding it out to 64 bits. (Do searches on these terms for more info.)
String it all together using the IGP of your choice, and that is pretty much it.
I hope this helps
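The allocation the reply above describes, carried out in code as an added example (not code from the original post): it carves a /48 into /64s, numbers loopbacks as /128s inside the first /64, then hands out one /64 per point-to-point link and per VLAN, and forms a manually configured host address. The site prefix 2001:db8:1234::/48 is a constructed documentation prefix; the 20/34/12 counts are the reply's own figures.

```python
import ipaddress
from typing import Dict, List


def plan_from_48(site_prefix: str, devices: int, p2p_links: int, vlans: int) -> Dict[str, object]:
    """Carve a /48 into /64s in the order the reply suggests.

    The first /64 is reserved for device loopbacks (one /128 each, numbered
    sequentially from ::1), then one /64 per point-to-point link, then one /64
    per VLAN.  Everything left over stays free for later use.
    """
    site = ipaddress.IPv6Network(site_prefix, strict=True)
    if site.prefixlen != 48:
        raise ValueError(f"expected a /48 site allocation, got /{site.prefixlen}")
    total_64s = 2 ** (64 - site.prefixlen)          # 65536 /64s in a /48
    needed = 1 + p2p_links + vlans                  # loopback /64 + links + VLANs
    if needed > total_64s:
        raise ValueError(f"{needed} /64s requested but only {total_64s} available")

    # Generator over every /64 of the site prefix, lowest first.
    sixtyfours = site.subnets(new_prefix=64)

    loopback_net = next(sixtyfours)
    loopbacks: List[ipaddress.IPv6Network] = [
        ipaddress.IPv6Network((int(loopback_net.network_address) + i, 128))
        for i in range(1, devices + 1)
    ]
    links = [next(sixtyfours) for _ in range(p2p_links)]
    vlan_nets = [next(sixtyfours) for _ in range(vlans)]

    return {
        "loopback_net": loopback_net,
        "loopbacks": loopbacks,
        "links": links,
        "vlans": vlan_nets,
        "used_64s": needed,
        "free_64s": total_64s - needed,
    }


def manual_host(net: ipaddress.IPv6Network, iid: int) -> ipaddress.IPv6Interface:
    """Manually configured host address: /64 prefix plus a 64-bit interface ID
    (the reply's prefix::cafe:f00d/64 style)."""
    if net.prefixlen != 64 or not 0 < iid < 2 ** 64:
        raise ValueError("need a /64 and an interface ID that fits in 64 bits")
    return ipaddress.IPv6Interface((int(net.network_address) + iid, 64))


if __name__ == "__main__":
    plan = plan_from_48("2001:db8:1234::/48", devices=20, p2p_links=34, vlans=12)
    print("loopback /64:", plan["loopback_net"])
    for lo in plan["loopbacks"][:3]:
        print("  loopback", lo)
    print("first p2p link:", plan["links"][0], " first VLAN:", plan["vlans"][0])
    print("a host on the first VLAN:", manual_host(plan["vlans"][0], 0xCAFEF00D))
    print(f"{plan['used_64s']} /64s used, {plan['free_64s']} left")
```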

Similar Messages

  • Convert IPv4 address to IPv6 subnet on AD Sites

    Hi,
    We currently run IPv4 on our network. However, it looks like it's recommended to enable IPv6 on DFS servers according to this:
    http://blogs.technet.com/askds/archive/2009/10/28/dfs-referrals-and-ipv6-outta-site.aspx
    I'm having trouble creating an IPv6 subnet in AD Sites and Services for my DFS servers since I'm not very familiar with IPv6. I think the IPv6 address I see on the servers is the one "converted" to IPv6 (see warning message below)?
    DC and DFS servers are Win 2008 R2 Datacenter. It looks like the IPv6 addresses of the DFS servers are not "matching" the subnets I have created and therefore DFS is not associated with the correct sites, causing clients to go over the WAN to other DFS servers.
    For example:
    The IPv4 for my DFS servers are:
    156.124.92.202/23
    156.124.78.202/23
    I created these IPv4 subnets:
    156.124.92.0/23 --> SA-Site
    156.124.78.0/23 --> AU-Site
    IPv6 DHCP service is not enabled. No Static IPv6 set for the network connection. The "converted" IP seems to be
    2002:9c7c:5cca::9c7c:5cca
    2002:9c7c:4eca::9c7c:4eca
    I created these IPv6 subnets
    2002::9c7c:5c00/119
    2002::9c7c:4e00/119
    This is what I see on the DFS servers:
    Validating the site associations on every domain controller of the following: SA-DFS-01
    Warning: The server has IP addresses with conflicting site associations
    Host name: SA-DFS-01
    Site: SA-Site
    Domain Controller: SA-AD-01
    Host IP address
    fe80::2c27:42f8:1294:ef4c%10
    2002:9c7c:5cca::9c7c:5cca
    Subnet-Site Mapping in AD
    No mapping exists
    No mapping exists
    Host name: SA-DFS-01
    Site: SA-Site
    Domain Controller: AU-AD-01
    Host IP address
    fe80::2c27:42f8:1294:ef4c%10
    2002:9c7c:5cca::9c7c:5cca
    Subnet-Site Mapping in AD
    No mapping exists
    No mapping exists
    Validating the site associations on every domain controller of the following: AU-DFS-01
    Warning: The server has IP addresses with conflicting site associations
    Host name: AU-DFS-01
    Site: AU-Site
    Domain Controller: SA-AD-01
    Host IP address
    2002:9c7c:4eca::9c7c:4eca
    Subnet-Site Mapping in AD
    No mapping exists
    Warning: The server has IP addresses with conflicting site associations
    Host name: AU-DFS-01
    Site: AU-Site
    Domain Controller: AU-AD-01
    Host IP address
    2002:9c7c:4eca::9c7c:4eca
    Subnet-Site Mapping in AD
    No mapping exists

    Hi,
    The format seems to be incorrect. Please change them as following and check the result:
    2002:9c7c:5cca::/48
    2002:9c7c:4eca::/48
    For more information about 6to4 address, please see:
    http://technet.microsoft.com/en-us/library/cc756770(WS.10).aspx
    http://technet.microsoft.com/en-us/library/cc757359(WS.10).aspx 
    Hope it helps.
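The correction above worked through in code, as an added example (not the poster's or Microsoft's code): it derives the 6to4 /48 from each server's public IPv4 address, forms the address Windows picks for itself on the 6to4 interface, and runs the longest-prefix site lookup that AD Sites and Services performs, showing why the /119 entries never match while the /48s do. The IPv4 addresses and site names are the ones from the post.

```python
import ipaddress
from typing import Dict, Optional


def sixtofour_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """6to4 site prefix for a public IPv4 address (RFC 3056):
    2002:WWXX:YYZZ::/48, where WWXX:YYZZ is the IPv4 address written in hex."""
    v4 = ipaddress.IPv4Address(ipv4)
    if v4.is_private or v4.is_loopback or v4.is_link_local:
        raise ValueError(f"{v4} is not a public IPv4 address; 6to4 needs one")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(v4) << 80), 48))


def sixtofour_host(ipv4: str) -> ipaddress.IPv6Address:
    """The address Windows gives its own 6to4 interface: the IPv4 address repeated
    in the low-order 32 bits, i.e. 2002:WWXX:YYZZ::WWXX:YYZZ."""
    prefix = sixtofour_prefix(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(ipaddress.IPv4Address(ipv4)))


def site_lookup(addr: str, subnet_sites: Dict[str, str]) -> Optional[str]:
    """Map a host address to a site the way AD Sites and Services does:
    the longest configured subnet that contains the address, or None."""
    # The posted output shows fe80::...%10; drop the zone id before parsing.
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    best_len, best_site = -1, None
    for subnet, site in subnet_sites.items():
        net = ipaddress.ip_network(subnet, strict=False)
        if net.version == ip.version and ip in net and net.prefixlen > best_len:
            best_len, best_site = net.prefixlen, site
    return best_site


if __name__ == "__main__":
    servers = {"SA-DFS-01": "156.124.92.202", "AU-DFS-01": "156.124.78.202"}
    # Subnets as the poster first entered them, and as the reply corrects them.
    as_posted = {"2002::9c7c:5c00/119": "SA-Site", "2002::9c7c:4e00/119": "AU-Site"}
    corrected = {str(sixtofour_prefix("156.124.92.202")): "SA-Site",
                 str(sixtofour_prefix("156.124.78.202")): "AU-Site"}
    for name, ip in servers.items():
        host = str(sixtofour_host(ip))
        print(f"{name} {host}: posted -> {site_lookup(host, as_posted)}, "
              f"corrected -> {site_lookup(host, corrected)}")
```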

  • Windows 2012 R2 - Access problems to NFS shares via IPv6

    Hello,
    we setup some NFS shares on HNAS storage box. The connection to this storage is only possible over IPv6 network.
    My server with Windows 2012 R2 has the feature 'Client for NFS' installed and a 'showmount -e servername/or IPv6 address' works. I can see all shares when I try to open the storage box in Windows Explorer with the command "\\servername" or "\\IPv6 address", too.
    My problem is, when I try to mount the share via "Map network drive" or "mount \\servername\sharename *" I get Error 53 - Network path not found.
    The share is configured that every server in the IPv6 subnet could access it and it works on Unix machines, but not on Windows. 
    It does not matter if I set some option parameters for the "mount" command like sec=sys or anon; every time error 53.
    I don't know, if the share needs special options for Windows. I hope somebody can help.
    Kind regards

    Hi,
    here is the output of your 2 commands:
    PS C:\Users\admin> get-SmbConnection
    PS C:\Users\admin> get-SmbServerConfiguration
    AnnounceServer                  : False
    AsynchronousCredits             : 64
    AutoShareServer                 : True
    AutoShareWorkstation            : True
    CachedOpenLimit                 : 0
    AnnounceComment                 :
    EnableDownlevelTimewarp         : False
    EnableLeasing                   : True
    EnableMultiChannel              : True
    EnableStrictNameChecking        : True
    AutoDisconnectTimeout           : 0
    DurableHandleV2TimeoutInSeconds : 30
    EnableAuthenticateUserSharing   : False
    EnableForcedLogoff              : True
    EnableOplocks                   : True
    EnableSecuritySignature         : True
    ServerHidden                    : True
    IrpStackSize                    : 15
    KeepAliveTime                   : 2
    MaxChannelPerSession            : 32
    MaxMpxCount                     : 50
    MaxSessionPerConnection         : 16384
    MaxThreadsPerQueue              : 20
    MaxWorkItems                    : 1
    NullSessionPipes                : HydraLsPipe
    NullSessionShares               :
    OplockBreakWait                 : 35
    PendingClientTimeoutInSeconds   : 120
    RequireSecuritySignature        : False
    EnableSMB1Protocol              : True
    EnableSMB2Protocol              : False
    Smb2CreditsMax                  : 2048
    Smb2CreditsMin                  : 128
    SmbServerNameHardeningLevel     : 0
    TreatHostAsStableStorage        : False
    ValidateAliasNotCircular        : True
    ValidateShareScope              : True
    ValidateShareScopeNotAliased    : True
    ValidateTargetName              : True
    EncryptData                     : False
    RejectUnencryptedAccess         : True
    I try to access the file share with Windows Explorer. When I enter \\fe08--babe-face-cafe-dead.ipv6-literal.net (just an example), I can see all shares on the storage box. When I double-click the share I want to access, where access is definitely allowed, it takes a while and then the error "\\fe08--babe-face-cafe-dead.ipv6-literal.net\share is not accessible. You might not have permission to use this network resource. ..." appears. Of this action I recorded the trace.
    Another way I tried is to open a command line and type "mount \\fe08--babe-face-cafe-dead.ipv6-literal.net\share *". After this an error 53 occurs immediately without any wait time.

  • Happy Eyeballs for IPv6 is not working on Windows Xp

    Hello,
    Today IPv6 public DNS (2001:4860:4860::8888) was not reachable. I am running IPv4 and IPv6 in dual stack. I could receive the Internet table and my IPv6 subnets are announced too. I could ping all of the IPv4 websites but IPv6 websites won't work (DNS issue). Now my understanding about "Happy Eyeballs" is that if IPv6 is not reachable it will fall back to IPv4 automatically. But it did not do that in my case. To make it worse, it won't open the websites which are running over IPv4 either. I had both v4 & v6 DNS servers listed in "ipconfig /all" but it won't work.
    Has anybody come across this issue? Any suggestions?
    Thanks & Regards,
    Deepak Ambotkar

    So it sounds like your situation is that
    You made successful connections using lookups on the IPv6 based DNS server.
    The DNS server then became unreachable.
    The IPv6 sites were now unreachable as well?
    Any correct cached address should still work.  However, if it was a general IPv6 outage which made the DNS server unreachable, cached DNS information for the IPv6 address might remain in place until it times out of the DNS cache.  In that case, the sites become unreachable for the lifetime of the stale cache.
    Once the IPv6 addresses age out of the cache, everything should work again.
    See if ipconfig /flushdns resolves the issue when it happens.
    Happy Eyeballs cannot help you if the cached DNS information becomes invalid.  Happy Eyeballs sets the initial preferred path.  If the network fails in the meantime, you must rely on traditional DNS timeout mechanisms for recovery.

  • IPv6 internet routing question. To NAT or to Route

    Hello!
    I've gotten 2 /56 blocks of IPv6 addresses from our ISP. We're in the process of rolling out a new website and along with that I'm pushing that we create our IPv6 presence at the same time.
    My question is in regards to routing vs NAT-ing... in my "Internet" environment, the space between my ISP routers and my firewalls, I have configured one of my 256 /64 networks as 2001:XXXX:YY:100::1/64. That would mean my firewall could be 2001:XXXX:YY:100::B/64. My web servers sit in a DMZ off my firewall.
    Should I:
    A. Provision a random IPv6 subnet in the DMZ and use the firewall to NAT to an IP in the 2001:XXXX:YY:100::/64 range. I thought one of the points of IPv6 was to do away with NAT.
    B. Provision the 2001:XXXX:YY:101::/64 network in the DMZ and ROUTE to the DMZ server. I am thinking this is the solution, but what protocol to use? I'm guessing I advertise my /56 via BGP to the ISP, and use what? OSPFv3 between internet routers and firewalls? Use static routes? Is there anything that's considered 'best practice' for this type of situation?
    To Route or to NAT?

    Hi,
    If I understand correctly you have a /64 on the external interface of your firewall facing your ISP.
    You should not use stateless autoconfig (SLAAC) on your DMZ. Set up your servers statically.
    Also, there is no NAT in IPv6; just ensure your stateful firewall handles IPv6 OK, taking special care for ICMPv6.
    That means you should use a /64 from your /56 for your DMZ. No NAT.
    Whether you set up a static route towards your firewall to reach your DMZ from outside the firewall depends on your network design.
    Whether you use BGP with your ISP depends on what you agreed with your ISP. Has your ISP set up a static route of your /56 on their router to you, or are they expecting you to use BGP?
    hope this helps
    mark

  • LEARNING ABOUT IPV6

    Can anybody guide me about the basics of IPv6 and IPv6 subnetting? How does it work?

    For introductory material, maybe also try the Argentinian chapter's Internet Society publication:
      http://www.ipv6tf.org/pdf/ipv6forall.pdf
    For advanced material, the NIST SP800-119 "guidelines for the secure deployment of IPv6" is short on advice but mind-bendingly helpful for understanding some of the more esoteric corners of the v6 protocol suite.
    The biggest changes in v6 compared to v4 are that ARP is replaced by ICMPv6 neighbor discovery, that multicast ICMPv6 router advertisements are required, and there is a new DHCPv6 protocol which is controlled by flag bits in the router advertisements.  Address scopes, particularly link-local versus global get a lot more prominent, since IPv6 hosts will continue using their fe80::/64 link-local addresses even after configuring 2000::/3 global scope addresses.
    -- Jim Leinweber, WI State Lab of Hygiene

  • IPv6 - Newb Question (BGP Advertisement)

    Hi Everyone - Quick question on IPv6 subnetting
    If we are allocated a /32 from an RIR (e.g. 2001:0DB0::/32), and we advertise the /32 to our upstream Internet providers, then assigning 2001:0DB0:0:10::1/64 to a loopback interface, we *should* be able to reach the upstream providers' IPv6 addresses with the loopback interface as source (as the /64 is within the /32 subnet)?
    Cheers.

    Hi John,
    Correct. You should be able to use that technique to perform initial testing of your IPv6 connectivity. You can use extended ping, for instance, to specify the loopback interface as the source address.
    Regards

  • Cisco Catalyst 6500 version 12.2(33)SXI13 configured as DHCP server for a VLAN responds to Windows 7 client with status code NOA

    Can anyone help figure out why the Catalyst 6509 is not able to assign an IPv6 address? Thank you.
    Cisco Catalyst 6500 version 12.2(33)SXI13 configured as DHCP server for a VLAN responds to Windows 7 client with status code NOADDRS-AVAIL(2). My configuration on the 6500 for the DHCPv6 server is:
    ipv6 dhcp database disk0://DHCPV6-DB
    ipv6 dhcp pool VLAN206IPV6
     prefix-delegation pool VLAN206IPV6-POOL
     dns-server 2620:B700:0:1001::53
     domain-name global.bio.com
    ipv6 local pool VLAN206IPV6-POOL 2620:B700:0:12C7::/65 65
    interface Vlan206
     description *** IPv6 Subnet ***  
     ip address 10.2.104.2 255.255.255.0
     ipv6 address 2620:B700:0:12C7::2/64
     ipv6 nd prefix 2620:B700:0:12C7::/64 14400 14400 no-autoconfig
     ipv6 nd managed-config-flag
     ipv6 dhcp server VLAN206IPV6
     standby version 2
     standby 0 ip 10.2.104.1
     standby 0 preempt
     standby 6 ipv6 2620:B700:0:12C7::1/64
     standby 6 preempt
    I'm getting a result from my debug as follows:
    Apr 10 16:28:02.873 PDT: %LINK-3-UPDOWN: Interface GigabitEthernet2/2, changed state to up
    Apr 10 16:28:02.873 PDT: %LINK-SP-3-UPDOWN: Interface GigabitEthernet2/2, changed state to up
    Apr 10 16:28:02.877 PDT: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet2/2, changed state to up
    Apr 10 16:28:03.861 PDT: IPv6 DHCP: Received SOLICIT from FE80::5D5E:7EBD:CDBF:2519 on Vlan206
    Apr 10 16:28:03.861 PDT: IPv6 DHCP: detailed packet contents
    Apr 10 16:28:03.861 PDT:   src FE80::5D5E:7EBD:CDBF:2519 (Vlan206)
    Apr 10 16:28:03.861 PDT:   dst FF02::1:2
    Apr 10 16:28:03.861 PDT:   type SOLICIT(1), xid 8277025
    Apr 10 16:28:03.861 PDT:   option ELAPSED-TIME(8), len 2
    Apr 10 16:28:03.861 PDT:     elapsed-time 101
    Apr 10 16:28:03.861 PDT:   option CLIENTID(1), len 14
    Apr 10 16:28:03.861 PDT:     00010001195FD895F01FAF10689E
    Apr 10 16:28:03.861 PDT:   option IA-NA(3), len 12
    Apr 10 16:28:03.861 PDT:     IAID 0x0FF01FAF, T1 0, T2 0
    Apr 10 16:28:03.861 PDT:   option UNKNOWN(39), len 32
    Apr 10 16:28:03.861 PDT:   option VENDOR-CLASS(16), len 14
    Apr 10 16:28:03.861 PDT:   option ORO(6), len 8
    Apr 10 16:28:03.861 PDT:     DOMAIN-LIST,DNS-SERVERS,VENDOR-OPTS,UNKNOWN
    Apr 10 16:28:03.861 PDT: IPv6 DHCP: Option IA-NA(3) is not supported yet
    Apr 10 16:28:03.861 PDT: IPv6 DHCP: Sending ADVERTISE to FE80::5D5E:7EBD:CDBF:2519 on Vlan206
    Apr 10 16:28:03.861 PDT: IPv6 DHCP: detailed packet contents
    Apr 10 16:28:03.861 PDT:   src FE80::21D:E6FF:FEE4:4400
    Apr 10 16:28:03.861 PDT:   dst FE80::5D5E:7EBD:CDBF:2519 (Vlan206)
    Apr 10 16:28:03.861 PDT:   type ADVERTISE(2), xid 8277025
    Apr 10 16:28:03.861 PDT:   option SERVERID(2), len 10
    Apr 10 16:28:03.865 PDT:     00030001001DE6E44400
    Apr 10 16:28:03.865 PDT:   option CLIENTID(1), len 14
    Apr 10 16:28:03.865 PDT:     00010001195FD895F01FAF10689E
    Apr 10 16:28:03.865 PDT:   option STATUS-CODE(13), len 15
    Apr 10 16:28:03.865 PDT:     status code NOADDRS-AVAIL(2)
    Apr 10 16:28:03.865 PDT:     status message: NOADDRS-AVAIL

    Hello,
    Maybe you are hitting the following bug:
    IPv6 Address Assignment Support for IPv6 DHCP Server
    CSCse81385
    Hope this helps

  • Windows 2008 R2 - High memory on lsass.exe

    Windows 2008 R2 fully patched VM with 8GB of RAM and 4 vCPUs. Machine is a DC and file server.
    Had an issue that just came up where lsass.exe will start sucking up memory. It gets to the point where the machine is almost not usable. The only way to get everything back in check is to reboot.
    I just rebooted a little bit ago and I'm watching lsass.exe slowly start sucking up more and more memory. I'm not sure how to tell where the memory is being used and then how to remedy it. This machine has run fine as a DC/file/print server for 3 years.
    Something has happened in the last week that is making it mad. 

    Hi,
    Firstly, have you typed an invalid IPv6 subnet mask in the Active Directory Sites and Services snap-in on that Windows Server 2008 R2 DC? If yes, please refer to the KB below:
    The Lsass.exe process crashes on Windows Server 2008 R2-based domain controllers
    If not, I would recommend you perform a virus scan on your DC and run the Performance Monitor's Active Directory Data Collector Set on that domain controller while the problem is occurring to find the root reason. To run the Active Directory Data Collector, follow these steps:
    1. Run "Perfmon.msc" and then press Enter.
    2. Expand Data Collector Sets > System.
    3. Right-click on Active Directory Diagnostics and then click Start in the menu which appears.
    Once the report has compiled (the default setting will gather data for the report for 300 seconds, after which it will take an additional period to compile the report), view the reports, which will show details of potential problems which need to be investigated as possible causes.
    Best regards,
    Susie

  • Does Airport Extreme 802.11ac support DHCPv6 prefix delegation

    I have IPv6 working with my AirPort Extreme 802.11ac. I'm experimenting (for fun) with IPv6 on my local network, and I was trying to create another IPv6 subnet using DHCPv6 prefix delegation.
    Comcast (my ISP) is indeed delegating a 64-bit prefix to the AirPort Extreme, but the AirPort Extreme does not seem capable of sub-delegating that 64-bit prefix (into say 2 65-bit prefixes, or 4 66-bit prefixes, etc).
    Is the AirPort Extreme 802.11ac capable of sub-delegating IPv6 prefixes like this?

    I have the exact same problem with my ISP (Init7) here in Switzerland. They delegate IPv6 addresses via DHCPv6-PD (Prefix Delegation) and my Apple AirPort Extreme only gets an IPv4 address.
    Since the worldwide use of IPv6 is rising steadily, I really hope Apple will wake up and update the firmware of its AirPort devices to support DHCPv6-PD.

  • DHCPv6 Custom Prefix Length

    Hi all,
    I've been trying to implement DHCPv6 with Windows Server 2012. Due to our ISP not offering native IPv6 access, we went through a third-party tunnel provider to have IPv6 internet connectivity. What I need to do, however, is set a custom prefix length for our DHCP server. Our tunnel provider gave us a /48 block to use for hosts, but Windows will only let me create a /64 size scope. Any ideas? The prefix size needs to be /48 in order for this to work correctly. All of our routers are already set up, and we attempted to use static IPv6 configuration to do a test for configuration, which has succeeded. The only issue is DHCP giving out IPv6 with a /48 prefix to work with the tunnel provider. Any ideas? We use Windows Server 2008 R2, and Windows Server 2012, if that helps.

    I'll comment between your questions/comments:
    JC - first off, in IPv6 there is the concept/operation known as Address Autoconfiguration. This process requires up to 2 components in a network system: L3 switches or routers to send Router Advertisements - which tell the client how to do all this - and then possibly DHCPv6 servers to provide clients with IPv6 addresses and/or "other information" like DNS, domain name, time server, download server, etc.
    This takes a bit to get used to, as well as sometimes a bit of work to "discover" what all is needed and how to properly configure it.
    a) the DHCPv6 route is not advertised, so the distributed dynamic IPv6 addresses are useless (no connectivity between hosts); there is a manual/temporary netsh override for that, but I don't think this is the proper way to go.
    JC - clients learn the default gateway via the router's Router Advertisement (RA). RFC3315 (DHCPv6) does not provide a scope option for def g/w. You should not manually enter an IPv6 def g/w.
    b) Here might be another issue, I don't know how I configured the DHCPv6 role in past (stateless vs stateful), perhaps that's the problem, need to look deeper into it, but either way our outdated networking infrastructure (routers and switches) is not aware of IPv6 protocol at all, it probably doesn't help that I don't even know how the DHCPv6 role was configured in past.
    JC - if you want a DHCPv6 server to supply IPv6 addresses and DNS/domain name, etc to clients, that role is Stateful. If you want DHCPv6 to supply only DNS, domain name, etc and the RA supply the network prefix (SLAAC), that role is Stateless (SLAAC plus some DHCPv6).
    Stateful (DHCPv6) operations are the closest to how we run DHCP for IPv4 networks today.
    c) I assigned static IPv6 /112 addresses to servers (and they work fine including the DNS lookups) and was hoping to have the same prefix/subnet for clients, instead I get up to 4 different IPv6 addresses on servers (static, dynamic, temporary route, link-local) and just one address on clients and that one belonging to that dynamic prefix (not what I wanted to have initially) ...
    JC - all IPv6 subnets should be /64 for a 64-bit network and 64-bit Interface ID (IID) (host address); most OSs will be happier and that is the defined standard way of operating IPv6. Also, as you have seen, Microsoft's DHCPv6 server does not allow you to change the network prefix (/64).
    You will always have link-local addresses, and if you are getting the IPv6 and IPv6 Temp, then your RA on the subnet is sending RAs with the "A" flag on for SLAAC, and if you have static addresses defined for servers on the server VLAN, you don't want SLAAC config on that VLAN.
    d) How do I fix IP Helper on our core router to pass the IPv6 DHCP requests to other VLANs (currently they are blocked/discarded), it seems that IPv4 IP Helper doesn't work for IPv6?
    JC - IPv4 and IPv6 are TOTALLY separate protocols. Everything you do for IPv4, needs a counterpart enabled for IPv6. No IPv4 config does anything for IPv6.
    You need a dhcpv6-relay definition which is the IPv6 counterpart to dhcp-relay/IP helper-address...see your L3 switch/router vendor docs for configuring dhcpv6-relay.
    Is it all by design then and re-installing DHCPv6 server in stateful mode won't change that or I am missing something completely?
    JC - Correct, simply having Stateful (DHCPv6) is not all there is to it. You must configure your RA to instruct IPv6 clients how to address themselves. According to the IPv6 RFCs, clients are told how to address themselves (except for manual addressing), which is not like the way IPv4 operates.
    All your IPv6 config components need to be specifically configured in order for the system you want to work correctly, to work: IPv6 routing, specific option flags in the RAs, dhcpv6-relay, and DHCPv6 scopes. You can't (generally) just "turn on" IPv6 and have it work (the way you think it should).
    IPv6 is quite a beast, but it seems that the majority of Windows server admins (like me) have limited knowledge on how to configure it properly, resulting in some unexpected outcomes and gotchas ... then days of troubleshooting and then another gotcha ... I browsed TechNet for days/weeks and either end up finding unresolved IPv6 "issue" threads where nobody knows what is what or some super-complicated solutions that truly work only for a few ... frustrating ...
    JC - IPv6 is not a simple "turn-it-on" protocol, as there are differences in its operation as you see. There are 5 great IPv6 books you should consider getting:
    Guide to TCP/IP, 4th edition - IPv4 and IPv6 TCP/IP foundations, operations, and examples
    Practical IPv6 for Windows Administrators
    Understanding IPv6
    IPv6 Fundamentals
    IPv6 Essentials (but wait for the 3rd edition coming out in July)
    Check out gogo6.com/main and view the IPv6 webinar/workshop training calendar. A few of us have facilitated some basic IPv6 training webinars. I think the schedule is being worked on at the moment, but more classes should be coming.
    Additionally, I offer IPv6 Forum Certified training (teachmeipv6.com) and I provide IPv6 consulting services.
    Hmm...maybe I'll design a webinar for configuring a system like you are doing: L3 switch/router configuration and server side DHCPv6 config. I currently facilitate IPv6 hands-on lab workshops (full day) that cover all of this content.
    hth...Jeff
    Jeff Carrell

  • Archlinux as dual-stack (IPv4/v6) gateway/router

    Hello everyone,
    I've installed Arch on my PC a few days ago and it works perfectly. The PC is a gaming PC (Asus P8P67 Deluxe, Intel Core i3 2100, 14 GB RAM, 2x Nvidia GTX580); however, for specific reasons (I don't have anything else besides IBM PCs with 600 MHz CPUs) I need to use it as a server and a router/gateway for my network (an Archlinux laptop and some Apple products). Here's my current network setup:
    The PPPoE modem is connected to lan0 (ethernet interface), which is configured as 192.168.1.2, gateway 192.168.1.1 (it's the modem's address).
    My provider (OVH in France) gives me a /64 IPv6 subnet.
    The ppp0 interface is created once lan0 is up (I'm using POST_UP="pon myprovider" in the netcfg script; I've already added +ipv6 in /etc/ppp/options to enable IPv6 on the ppp). It automatically gets an IPv4 address and an IPv6 one from my provider. Here's the ifconfig ppp0 (I know it's deprecated but I'm so used to it...):
    ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1452
    inet 109.190.20.173 netmask 255.255.255.255 destination 178.32.37.16
    inet6 2001:41d0:70:1301:1c1e:882b:1e8b:efd7 prefixlen 64 scopeid 0x0<global>
    inet6 fe80::1c1e:882b:1e8b:efd7 prefixlen 10 scopeid 0x20<link>
    ppp txqueuelen 3 (Point-to-Point Protocol)
    RX packets 6080 bytes 3571799 (3.4 MiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 4173 bytes 870323 (849.9 KiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    Here's my IPv4 routing table:
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    default * 0.0.0.0 U 0 0 0 ppp0
    172.16.1.0 * 255.255.255.0 U 0 0 0 lan1
    rbx-1-rdb.fr.eu * 255.255.255.255 UH 0 0 0 ppp0
    192.168.1.0 * 255.255.255.0 U 0 0 0 lan0
    lan1 is my local wired interface which connects to a 1000 Mb/s switch; on it there is a Debian machine (the 600 MHz one) which acts as an access point (on it the wired interface is bridged with the wireless one, but all the DHCP/DNS stuff is done on my main computer and I don't think there's anything to do on the access point machine) and my other Archlinux laptop. Forwarding is enabled for both IPv4 and v6 in /etc/sysctl.conf and iptables (not ip6tables) is configured correctly; all works as I would like on the IPv4 side (DHCP/DNS/internet access works for all computers on the network). Here's my ifconfig lan1:
    lan1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9152
    inet 172.16.1.1 netmask 255.255.255.0 broadcast 172.16.1.255
    inet6 fe80::f66d:4ff:fee3:2c96 prefixlen 64 scopeid 0x20<link>
    ether f4:6d:04:e3:2c:96 txqueuelen 1000 (Ethernet)
    RX packets 5060 bytes 701035 (684.6 KiB)
    RX errors 0 dropped 0 overruns 0 frame 0
    TX packets 10181 bytes 7102665 (6.7 MiB)
    TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
    device interrupt 20 memory 0xf5100000-f5120000
    Here's my IPv6 routing table (I have experience with computers and networks in general but this is total nonsense to me):
    Kernel IPv6 routing table
    Destination Next Hop Flag Met Ref Use If
    ::1/128 :: U 256 0 0 lo
    2001:41d0:70:1301::/64 :: UA 256 0 0 ppp0
    fe80::/64 :: !n 256 0 0 lo
    fe80::/64 :: U 256 0 0 lan0
    fe80::/64 :: U 256 0 0 lan1
    fe80::/64 :: U 256 0 0 ppp0
    fe80::/10 :: U 1 0 0 ppp0
    fe80::/10 :: U 256 0 0 ppp0
    ::/0 fe80::230:88ff:fe04:63d4 UGDAe 1024 1 0 ppp0
    ::/0 :: !n -1 1 312 lo
    ::1/128 :: Un 0 1 2 lo
    2001:41d0:70:1301::/128 :: Un 0 1 0 lo
    2001:41d0:70:1301:1c1e:882b:1e8b:efd7/128 :: Un 0 2 102 lo
    fe80::/128 :: Un 0 1 0 lo
    fe80::/128 :: Un 0 1 0 lo
    fe80::/128 :: Un 0 1 0 lo
    fe80::1c1e:882b:1e8b:efd7/128 :: Un 0 1 0 lo
    fe80::f66d:4ff:fee3:2010/128 :: Un 0 1 0 lo
    fe80::f66d:4ff:fee3:2c96/128 :: Un 0 1 0 lo
    ff00::/8 :: U 256 0 0 lan0
    ff00::/8 :: U 256 0 0 lan1
    ff00::/8 :: U 256 0 0 ppp0
    ::/0 :: !n -1 1 312 lo
    Now with that configuration I can ping6 ipv6.google.com and get a reply:
    PING ipv6.google.com(wb-in-x69.1e100.net) 56 data bytes
    64 bytes from wb-in-x69.1e100.net: icmp_seq=1 ttl=56 time=49.1 ms
    64 bytes from wb-in-x69.1e100.net: icmp_seq=2 ttl=56 time=48.5 ms
    64 bytes from wb-in-x69.1e100.net: icmp_seq=3 ttl=56 time=48.3 ms
    64 bytes from wb-in-x69.1e100.net: icmp_seq=4 ttl=56 time=50.3 ms
    --- ipv6.google.com ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3003ms
    rtt min/avg/max/mdev = 48.399/49.116/50.393/0.834 ms
    But what next? I need to redistribute that IPv6 to all my network. Currently I have isc-dhcp-server (dhcpd) that gives IPv4 addresses on lan1, and I also have bind which acts as a DNS resolver/cache for my local network. I've heard about radvd, which is like a dhcpd but for IPv6; however I think there's other stuff to do on the IPv6 routing table (which I don't understand) before hosts on the network can access the Internet through IPv6... So here's a summary: ppp0 gets an IPv6 address, I can ping6 from this computer, and that's it...
    Sorry for the long post, but we're not on IRC so I don't think the usage of Pastebin is required. Thanks for reading and have a nice day.

    Awe, way cool radvd "router advertisement daemon"
    Ya, that is what you needed for IPv6 to work. Ya, see, the IPv6 protocol takes care of addressing for you. No need for DHCP nor NAT/PAT because your ISP gives you more IPs than you could ever need. In fact, you can fit every IPv4 address possible into the range of addresses your ISP gives you!
    One other VERY cool thing with IPv6 is "Anycast, One-to-nearest". Really just endless super cool stuff with IPv6.
    If I remember correctly, like all OSes prefer to use IPv6 if available.
    Okay, so for DNS, well I think you do need DHCP to hand that out... (I'm probably wrong about that), anyway, I'd simply configure your DNS host by host... but I have a faint memory of some cool way that can work itself out too... in any case:
    Google DNS
    /etc/resolv.conf
    nameserver 2001:4860:4860::8888
    nameserver 2001:4860:4860::8844
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    You know though, for security's sake, you may want to configure your LAN with a Private IPv6 network and subnet. All you would need to do is give the interfaces on the router an address starting with FD. Then you can use something like arno-iptables-firewall to NAT the address range.
    This is how IPv6 network and subnet addressing works:
    http://www.simpledns.com/private-ipv6.aspx
    | 8 bits |  40 bits   |  16 bits  |          64 bits           |
    +--------+------------+-----------+----------------------------+
    | Prefix | Global ID  | Subnet ID |        Interface ID        |
    +--------+------------+-----------+----------------------------+
    That "Interface ID" is created by the host automatically. It simply takes the MAC address of the interface and puts an "FE" in the middle to make it 64 bits long.
    A host learns about the network half of the address by picking up the "Router Advertisement" messages.
    So if the interface on the LAN side of the router has a Private IP address (it starts with "FD"), that is the network the router will put in the Router Advertisement, and the hosts will pick up that network's 64 bits and add on their own 64-bit Interface ID. Then bam, you've got yourself an IPv6 address in a "Unique Local" IPv6 address range.
    EDIT:
    Awe, okay, I just re-read my CCNA book. Okay so ya, a host or router using stateless autoconfiguration can learn both the IPv6 address prefix and its default router IP address using NDP RS/RA messages. However, you do need at least a stateless DHCPv6 server to hand out the DNS server's IP.
    Last edited by hunterthomson (2012-11-06 09:35:54)
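    The address assembly the reply above describes (ULA prefix from the diagram, Interface ID from the MAC, host address = RA prefix + Interface ID), as an added example that is not code from this thread. It uses the lan1 MAC and link-local address quoted in the first post to check the EUI-64 derivation; the Global ID 0x1234567890 is a constructed sample, and the last function goes one step further than the reply by recovering the MAC from an address, which is how you can tell whether a host's addresses expose its hardware identity.

```python
import ipaddress
import re
import secrets

# Interface values quoted in the first post (ifconfig lan1 / ppp0).
LAN1_MAC = "f4:6d:04:e3:2c:96"
LAN1_LINK_LOCAL = "fe80::f66d:4ff:fee3:2c96"
PPP0_GLOBAL = "2001:41d0:70:1301:1c1e:882b:1e8b:efd7"


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291 App. A): split the 48-bit MAC,
    insert 0xFFFE in the middle and invert the universal/local bit (0x02)
    of the first octet."""
    octets = bytes.fromhex(re.sub(r"[:.\-]", "", mac))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a SLAAC host forms from the /64 announced in a Router
    Advertisement plus its own EUI-64 interface ID. (Modern hosts often use
    RFC 7217 stable or RFC 4941 temporary IDs instead of the MAC.)"""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 on-link prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def ula_prefix(global_id: int, subnet_id: int) -> ipaddress.IPv6Network:
    """Assemble an RFC 4193 Unique Local /64 from the diagram above:
    8-bit prefix (fd) | 40-bit Global ID | 16-bit Subnet ID | 64-bit IID."""
    if not 0 <= global_id < 1 << 40 or not 0 <= subnet_id < 1 << 16:
        raise ValueError("Global ID is 40 bits, Subnet ID is 16 bits")
    value = (0xFD << 120) | (global_id << 80) | (subnet_id << 64)
    return ipaddress.IPv6Network((value, 64))


def random_ula_prefix(subnet_id: int = 0) -> ipaddress.IPv6Network:
    """RFC 4193 wants a pseudo-random Global ID so that two sites which later
    merge are unlikely to collide; do not pick a memorable one by hand."""
    return ula_prefix(secrets.randbits(40), subnet_id)


def embedded_mac(addr: str):
    """Recover the MAC from an EUI-64 derived address, or None when the
    interface ID is not MAC-derived (as with the ppp0 address above)."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    raw = bytearray(iid.to_bytes(8, "big"))
    if raw[3:5] != b"\xff\xfe":
        return None
    raw[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in raw[:3] + raw[5:])


if __name__ == "__main__":
    lan = ula_prefix(0x1234567890, 1)  # constructed sample Global ID, subnet 1
    print("ULA /64 for the LAN :", lan)
    print("lan1 link-local     :", slaac_address("fe80::/64", LAN1_MAC))
    print("lan1 ULA address    :", slaac_address(str(lan), LAN1_MAC))
    print("MAC in", LAN1_LINK_LOCAL, "->", embedded_mac(LAN1_LINK_LOCAL))
    print("MAC in", PPP0_GLOBAL, "->", embedded_mac(PPP0_GLOBAL))
```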

  • IPV6 DHCP stateful doesn't insert local subnet in route table

    I am setting up IPV6 on a LAN using static IPs for Win2008 servers and DHCP stateful mode for Win7 clients.  All statically assigned servers can ping each other, and if I set up a static on the Win7 clients they can also ping the servers.  However, when I assign a DHCP stateful mode IP to the clients they lose the ability to ping the servers.  I think what is going on is that when the Win7 machines get an IP via DHCP they do not get a route in the routing table for the local subnet.  I have included IP info for static and DHCP clients in attachments.
    I figure if I could add the fd:0:0:1::/64 subnet to the DHCP client it would work but I haven't been able to find the correct syntax to add an "on-link" router.  Furthermore, this would kind of defeat the purpose of DHCP if I had to manually add routes to clients.
    I have a UC520 that is the default gateway on the LAN and seems to support IPV6.  Maybe this guy can help me out?
    Thanks in advance.

    Alain,
    I disagree about the /128.  If you look at the static host it also has a /128 route pointing to itself.  Also the IPV4 also shows /32 routes pointing to the local IP.  The static host has one additional route not found on the DHCP client which is the /64 route to the local subnet pointing to "on-link". It is not clear how to add an "on-link" route using netsh but my point is that DHCP should provide all info and relying on manually adding routes is not the optimal solution.
    The UC520 does not have any IPV6 on it.  I only mentioned it because usually I use Windows for DHCP but in this case Windows is giving me this weird behaviour.  I would rather get Windows DHCP to solve the problem but if it can't I would use the UC520 as a backup option.
    Thanks for your input.
    Rgds,
    Diego

  • ASA 5505: VPN Access to Different Subnets

    Hi All-
    I'm trying to figure out how to configure our ASA so that remote users can have VPN access to two different subnets (office LAN and phone LAN).  Currently, I have 3 VLANs set up -- VLAN 1 (inside), VLAN 2 (outside), VLAN 13 (phone LAN).  Essentially, remote users should be able to access their PC (192.168.1.0 /24) and also access the office phone system (192.168.254.0 /24).  Is this even possible?  Below are the configurations on our ASA.
    Thanks in advance:
    ASA Version 8.2(5)
    names
    name 10.0.1.0 Net-10
    name 20.0.1.0 Net-20
    name 192.168.254.0 phones
    name 192.168.254.250 PBX
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    switchport access vlan 3
    interface Ethernet0/6
    interface Ethernet0/7
    switchport access vlan 13
    interface Vlan1
    nameif inside
    security-level 100
    ip address 192.168.1.98 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    ip address X.X.139.79 255.255.255.224
    interface Vlan3
    no nameif
    security-level 50
    ip address 192.168.5.1 255.255.255.0
    interface Vlan13
    nameif phones
    security-level 100
    ip address 192.168.254.200 255.255.255.0
    ftp mode passive
    object-group service RDP tcp
    port-object eq 3389
    object-group service DM_INLINE_SERVICE_1
    service-object ip
    service-object tcp eq ssh
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 192.168.1.0 255.255.255.0
    access-list vpn_nat_inside extended permit ip Net-10 255.255.255.224 phones 255.255.255.0
    access-list inside_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list inside_access_in extended permit ip any any
    access-list Split_Tunnel_List standard permit Net-10 255.255.255.224
    access-list phones_nat0_outbound extended permit ip any Net-10 255.255.255.224
    access-list outside_access_in extended permit object-group DM_INLINE_SERVICE_1 host Mac any
    pager lines 24
    logging enable
    logging timestamp
    logging monitor errors
    logging history errors
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    mtu phones 1500
    ip local pool SSLClientPool-10 10.0.1.1-10.0.1.20 mask 255.255.255.128
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (inside) 10 interface
    global (outside) 1 interface
    global (phones) 20 interface
    nat (inside) 0 access-list inside_nat0_outbound
    nat (inside) 1 0.0.0.0 0.0.0.0
    nat (outside) 10 access-list vpn_nat_inside outside
    nat (phones) 0 access-list phones_nat0_outbound
    nat (phones) 1 0.0.0.0 0.0.0.0
    access-group inside_access_in in interface inside
    access-group outside_access_in in interface outside
    route outside 0.0.0.0 0.0.0.0 X.X.139.65 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication enable console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    http server enable
    http 192.168.1.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
    crypto map outside_map interface outside
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment self
    subject-name CN=pas-asa.null
    keypair pasvpnkey
    crl configure
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 28800
    vpn-sessiondb max-session-limit 10
    telnet timeout 5
    ssh 192.168.1.100 255.255.255.255 inside
    ssh 192.168.1.0 255.255.255.0 inside
    ssh Mac 255.255.255.255 outside
    ssh timeout 60
    console timeout 0
    dhcpd auto_config inside
    dhcpd address 192.168.1.222-192.168.1.223 inside
    dhcpd dns 64.238.96.12 66.180.96.12 interface inside
    threat-detection basic-threat
    threat-detection statistics host
    threat-detection statistics access-list
    threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
    ssl trust-point ASDM_TrustPoint0 outside
    webvpn
    enable outside
    anyconnect-essentials
    svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
    svc image disk0:/anyconnect-macosx-i386-2.5.2014-k9.pkg 2
    svc enable
    tunnel-group-list enable
    group-policy SSLClientPolicy internal
    group-policy SSLClientPolicy attributes
    wins-server none
    dns-server value 64.238.96.12 66.180.96.12
    vpn-access-hours none
    vpn-simultaneous-logins 3
    vpn-idle-timeout none
    vpn-session-timeout none
    ipv6-vpn-filter none
    vpn-tunnel-protocol svc
    group-lock value PAS-SSL-VPN
    default-domain none
    vlan none
    nac-settings none
    webvpn
      svc mtu 1200
      svc keepalive 60
      svc dpd-interval client none
      svc dpd-interval gateway none
      svc compression none
    group-policy DfltGrpPolicy attributes
    dns-server value 64.238.96.12 66.180.96.12
    vpn-tunnel-protocol IPSec svc webvpn
    tunnel-group DefaultRAGroup general-attributes
    address-pool SSLClientPool-10
    tunnel-group DefaultRAGroup ipsec-attributes
    pre-shared-key *****
    tunnel-group PAS-SSL-VPN type remote-access
    tunnel-group PAS-SSL-VPN general-attributes
    address-pool SSLClientPool-10
    default-group-policy SSLClientPolicy
    tunnel-group PAS-SSL-VPN webvpn-attributes
    group-alias PAS_VPN enable
    group-url https://X.X.139.79/PAS_VPN enable
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    privilege cmd level 3 mode exec command perfmon
    privilege cmd level 3 mode exec command ping
    privilege cmd level 3 mode exec command who
    privilege cmd level 3 mode exec command logging
    privilege cmd level 3 mode exec command failover
    privilege cmd level 3 mode exec command packet-tracer
    privilege show level 5 mode exec command import
    privilege show level 5 mode exec command running-config
    privilege show level 3 mode exec command reload
    privilege show level 3 mode exec command mode
    privilege show level 3 mode exec command firewall
    privilege show level 3 mode exec command asp
    privilege show level 3 mode exec command cpu
    privilege show level 3 mode exec command interface
    privilege show level 3 mode exec command clock
    privilege show level 3 mode exec command dns-hosts
    privilege show level 3 mode exec command access-list
    privilege show level 3 mode exec command logging
    privilege show level 3 mode exec command vlan
    privilege show level 3 mode exec command ip
    privilege show level 3 mode exec command ipv6
    privilege show level 3 mode exec command failover
    privilege show level 3 mode exec command asdm
    privilege show level 3 mode exec command arp
    privilege show level 3 mode exec command route
    privilege show level 3 mode exec command ospf
    privilege show level 3 mode exec command aaa-server
    privilege show level 3 mode exec command aaa
    privilege show level 3 mode exec command eigrp
    privilege show level 3 mode exec command crypto
    privilege show level 3 mode exec command vpn-sessiondb
    privilege show level 3 mode exec command ssh
    privilege show level 3 mode exec command dhcpd
    privilege show level 3 mode exec command vpnclient
    privilege show level 3 mode exec command vpn
    privilege show level 3 mode exec command blocks
    privilege show level 3 mode exec command wccp
    privilege show level 3 mode exec command dynamic-filter
    privilege show level 3 mode exec command webvpn
    privilege show level 3 mode exec command module
    privilege show level 3 mode exec command uauth
    privilege show level 3 mode exec command compression
    privilege show level 3 mode configure command interface
    privilege show level 3 mode configure command clock
    privilege show level 3 mode configure command access-list
    privilege show level 3 mode configure command logging
    privilege show level 3 mode configure command ip
    privilege show level 3 mode configure command failover
    privilege show level 5 mode configure command asdm
    privilege show level 3 mode configure command arp
    privilege show level 3 mode configure command route
    privilege show level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa
    privilege show level 3 mode configure command crypto
    privilege show level 3 mode configure command ssh
    privilege show level 3 mode configure command dhcpd
    privilege show level 5 mode configure command privilege
    privilege clear level 3 mode exec command dns-hosts
    privilege clear level 3 mode exec command logging
    privilege clear level 3 mode exec command arp
    privilege clear level 3 mode exec command aaa-server
    privilege clear level 3 mode exec command crypto
    privilege clear level 3 mode exec command dynamic-filter
    privilege cmd level 3 mode configure command failover
    privilege clear level 3 mode configure command logging
    privilege clear level 3 mode configure command arp
    privilege clear level 3 mode configure command crypto
    privilege clear level 3 mode configure command aaa-server
    prompt hostname context
    no call-home reporting anonymous

    Hi Jouni-
    Yes, with the current configs remote users only have access to the 'inside' LAN (192.168.1.0).  The digital PBX on the 'phone' LAN (192.168.254.0) is not reachable through their VPN session.
    Per your recommendation, I removed the following configs from my ASA:
    global (phones) 20 interface
    ... removing this configuration didn't make a difference -- I was still able to ping the inside LAN, but not the phone LAN.
    global (inside) 10 interface
    nat (outside) 10 access-list vpn_nat_inside outside
    .... removing these two configurations caused the inside LAN to be unreachable.  The phone LAN was not reachable, either.  So, I put the '10' configurations back.
    The ASDM syslog is showing the following when I try to ping the PBX (192.168.254.250) through the VPN session:
    "portmap translation creation failed for icmp src outside:10.0.1.1 dest phones:PBX (type 8, code 0)"
    What do you think?
    Thanks!

  • Cisco asa 5505: No traffic lan to wan with IPv6

    Hello everybody,
    I have a Cisco ASA 5505, with a public IPv6 address on the outside interface and private IPv6 on the LAN. From the router I can ping any IPv6 address on the Internet and ping my LAN IPv6 addresses, but traffic doesn't go through the router.
    This is my configuration.
    interface Vlan1
     nameif inside
     security-level 100
     ip address PRIV-Saturn1 255.255.255.0
     ipv6 address fc00::1/7
     ipv6 enable
    interface Vlan2
     nameif outside
     security-level 0
     ip address PUBLIC26 255.255.255.248
     ipv6 address xxxx:yyyy:67:36::2/64
     ipv6 enable
     ipv6 nd suppress-ra
    access-list Dynamic_Filter_ACL extended permit tcp any6 any6
    ipv6 route outside ::/0 xxx:yyyy:67:36::1
    Am I omitting anything?
    Thanks in advance for the help.
    Jos P

    Since you're using IPv6 private addressing (fc00::) on the inside, you need a dynamic NAT entry to translate your private IPv6 addresses to a public one.
    Alternatively, you could just use a subnet of your registered IPv6 block for the inside network and not worry about NAT.
