-
Cisco ASA Series Command Reference
-
About this Guide
-
Using the Command Line Interface
- A through B Commands
-
C Commands
-
cache -- clear compression
-
clear configure -- clear configure http
-
clear configure flow-export-- clear configure zonelabs-integrity
-
clear conn -- clear isakmp sa
-
clear local-host -- clear xlate
-
client-access-rule -- crl-configure
-
crypto ca authenticate -- crypto ipsec ikev1 transform-set mode transport
-
crypto isakmp disconnect-notify -- cxsc auth-proxy port
-
-
D through F Commands
-
database path -- debug cxsc
-
debug dap -- debug http-map
-
debug icmp -- debug ospfv3
-
debug parser cache -- debug xml
-
default -- dhcp-server
-
dhcpd address -- distribute-list out
-
dns domain-lookup -- dynamic-filter whitelist
-
eigrp log-neighbor-changes -- export webvpn webcontent
-
failover -- fallback
-
file-bookmarks -- functions
-
- G through I Commands
- J through L Commands
- M through O Commands
- P through R Commands
-
S Commands
-
same-security-traffic -- shape
-
show aaa kerberos -- show asdm sessions
-
show asp cluster counter -- show asp table vpn-context
-
show blocks -- show cpu
-
show crashinfo -- show curpriv
-
show ddns update interface -- show environment
-
show failover -- show ipsec stats traffic
-
show ipv6 access-list -- show ipv6
-
show isakmp ipsec-over-tcp stats -- show ospf virtual-links
-
show nac-policy -- show ospf virtual-links
-
show pager -- show route
-
show running-config -- show running-config ctl-provider
-
show running-config ddns -- show running-config isakmp
-
show running-config ipv6 router -- show running-config router
-
show running-config same-security-traffic -- show running-config xlate
-
show scansafe -- show switch vlan
-
show tcpstat -- show traffic
-
show uauth -- show xlate
-
shun -- snmp-server user
-
software-version -- storage-objects
-
subject-name -- sysopt radius ignore-secret
-
- T through Z Commands
-
Cisco IOS Commands for the ASASM
-
Feedback
Table Of Contents
ipv6 address through ipv6-vpn-filter Commands
ipv6 ospf database-filter all out
ipv6-address-pool (tunnel-group general attributes mode)
ipv6 address through ipv6-vpn-filter Commands
ipv6 address
To enable IPv6 and configure the IPv6 addresses on an interface (in routed mode) or for the management address (transparent mode), use the ipv6 address command. To remove the IPv6 addresses, use the no form of this command.
ipv6 address {autoconfig | ipv6-address/prefix-length [standby ipv6-prefix | cluster-pool poolname] | ipv6-prefix/prefix-length eui-64 | ipv6-address link-local [standby ipv6-address]}
no ipv6 address {autoconfig | ipv6-address/prefix-length [standby ipv6-address | cluster-pool poolname] | ipv6-prefix/prefix-length eui-64 | ipv6-address link-local [standby ipv6-address]}
Syntax Description
Defaults
IPv6 is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
Usage Guidelines
Configuring an IPv6 address on an interface enables IPv6 on that interface; you do not need to use the ipv6 enable command after specifying an IPv6 address.
Multiple Context Mode Guidelines
In single context routed firewall mode, each interface address must be on a unique subnet. In multiple context mode, if this interface is on a shared interface, then each IP address must be unique but on the same subnet. If the interface is unique, this IP address can be used by other contexts if desired.
Transparent Firewall Guidelines
A transparent firewall does not participate in IP routing. The only IP configuration required for the ASA is to set the BVI address. This address is required because the ASA uses this address as the source address for traffic originating on the ASA, such as system messages or communications with AAA servers. You can also use this address for remote management access. This address must be on the same subnet as the upstream and downstream routers. For multiple context mode, set the management IP address within each context. For models that include a Management interface, you can also set an IP address for this interface for management purposes.
Failover Guidelines
The standby IP address must be on the same subnet as the main IP address.
ASA Clustering Guidelines
You can only set the cluster pool for an individual interface after you configure the cluster interface mode to be individual (cluster-interface mode individual). The only exception is for the management-only interface(s):
•
•
Examples
The following example assigns 3FFE:C00:0:1::576/64 as the global address for the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 address 3ffe:c00:0:1::576/64The following example assigns an IPv6 address automatically for the selected interface:
hostname(config)# interface gigabitethernet 0/1hostname(config-if)# ipv6 address autoconfigThe following example assigns IPv6 address 3FFE:C00:0:1::/64 to the selected interface and specifies an EUI-64 interface ID in the low order 64 bits of the address. If this device is part of a failover pair, you do not need to specify the standby keyword; the standby address will be automatically created using the modified EUI-64 interface ID.
hostname(config)# interface gigabitethernet 0/2hostname(onfig-if)# ipv6 address 3FFE:C00:0:1::/64 eui-64The following example assigns FE80::260:3EFF:FE11:6670 as the link-level address for the selected interface:
hostname(config)# interface gigabitethernet 0/3hostname(config-if)# ipv6 address FE80::260:3EFF:FE11:6670 link-localThe following example assigns 3FFE:C00:0:1::576/64 as the global address for the selected interface and 3FFE:C00:0:1::575 as the address for the corresponding interface on the standby unit:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 address 3ffe:c00:0:1::576/64 standby 3ffe:c00:0:1::575The following example assigns FE80::260:3EFF:FE11:6670 as the link-level address for the selected interface on the primary unit in a failover pair, and FE80::260:3EFF:FE11:6671 as the link-level address for the corresponding interface on the secondary unit.
hostname(config)# interface gigabitethernet 0/3hostname(config-if)# ipv6 address FE80::260:3EFF:FE11:6670 link-local standby FE80::260:3EFF:FE11:6671Related Commands
debug ipv6 interface
Displays debugging information for IPv6 interfaces.
show ipv6 interface
Displays the status of interfaces configured for IPv6.
ipv6 dhcprelay enable
To enable DHCPv6 relay service on an interface, use the ipv6 dhcprelay enable command in global configuration mode. To disable the DHCPv6 relay service, use the no form of this command.
ipv6 dhcprelay enable interface
no ipv6 dhcprelay enable interface
Syntax Description
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
This command allows you to enable DHCPv6 relay service on an interface.When the service is enabled, incoming DHCPv6 messages from a client on the interface, which may have been relayed by another relay agent, are forwarded to all configured relay destinations through all configured outgoing links. For multiple context mode, you cannot enable DHCP relay service on an interface that is used by more than one context (that is, a shared interface).
Examples
The following example shows how to configure the DHCPv6 relay agent for a DHCPv6 server with an IP address of 3FFB:C00:C18:6:A8BB:CCFF:FE03:2701 on the ASA outside interface. Client requests are from the ASA inside interface, with a binding timeout value of 90 seconds.
hostname(config)# ipv6 dhcprelay server 3FFB:C00:C18:6:A8BB:CCFF:FE03:2701 outsidehostname(config)# ipv6 dhcprelay timeout 90hostname(config)# ipv6 dhcprelay enable insideRelated Commands
ipv6 dhcprelay server
To specify the IPv6 DHCP server destination address to which client messages are forwarded, use the ipv6 dhcprelay server command in global configuration mode. To remove the IPv6 DHCP server destination address, use the no form of this command.
ipv6 dhcprelay server ipv6-address [interface]
no ipv6 dhcprelay server ipv6-address [interface]
Syntax Description
interface
(Optional) Specifies the output interface for a destination.
ipv6-address
Can be a link-scoped unicast, multicast, site-scoped unicast, or global IPV6 address.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
This command enables you to specify the IPv6 DHCP server destination address to which client messages are forwarded. Client messages are forwarded to the destination address through the link to which the output interface is connected. If the specified address is a link-scoped address, then you must specify the interface. Unspecified, loopback, and node-local multicast addresses are not allowed as the relay destination. You can specify a maximum of ten servers per context.
Examples
The following example shows how to configure the DHCPv6 relay agent for a DHCPv6 server with an IP address of 3FFB:C00:C18:6:A8BB:CCFF:FE03:2701 on the ASA outside interface. Client requests are from the ASA inside interface, with a binding timeout value of 90 seconds.
hostname(config)# ipv6 dhcprelay server 3FFB:C00:C18:6:A8BB:CCFF:FE03:2701 outsidehostname(config)# ipv6 dhcprelay timeout 90hostname(config)# ipv6 dhcprelay enable insideRelated Commands
ipv6 dhcprelay timeout
To set the amount of time in seconds that are allowed for responses from the DHCPv6 server to pass to the DHCPv6 client through the relay binding structure, use the ipv6 dhcprelay timeout command in global configuration mode. To return to the default setting, use the no form of this command.
ipv6 dhcprelay timeout seconds
no ipv6 dhcprelay timeout seconds
Syntax Description
seconds
Sets the number of seconds that are allowed for DHCPv6 relay address negotiation. Valid values range from 1 to 3600.
Defaults
The default is 60 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
•
—
Command History
Usage Guidelines
This command allows you to set the amount of time in seconds that are allowed for responses from the DHCPv6 server to pass to the DHCPv6 client through the relay binding structure.
Examples
The following example shows how to configure the DHCPv6 relay agent for a DHCPv6 server with an IP address of 3FFB:C00:C18:6:A8BB:CCFF:FE03:2701 on the ASA outside interface. Client requests are from the ASA inside interface, with a binding timeout value of 90 seconds.
hostname(config)# ipv6 dhcprelay server 3FFB:C00:C18:6:A8BB:CCFF:FE03:2701 outsidehostname(config)# ipv6 dhcprelay timeout 90hostname(config)# ipv6 dhcprelay enable insideRelated Commands
ipv6 enable
To enable IPv6 processing and you have not already configured an explicit IPv6 address, use the ipv6 enable command in global configuration mode. To disable IPv6 processing on an interface that has not been configured with an explicit IPv6 address, use the no form of this command.
ipv6 enable
no ipv6 enable
Syntax Description
This command has no arguments or keywords.
Defaults
IPv6 is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Global configuration
—
•
•
•
—
Command History
7.0(1)
This command was introduced.
8.2(1)
Support for transparent firewall mode was introduced.
Usage Guidelines
The ipv6 enable command automatically configures an IPv6 link-local unicast address on the interface, while also enabling the interface for IPv6 processing.
The no ipv6 enable command does not disable IPv6 processing on an interface that is configured with an explicit IPv6 address.
Examples
The following example enables IPv6 processing on the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 enableRelated Commands
ipv6 enforce-eui64
To enforce the use of modified EUI-64 format interface identifiers in IPv6 addresses on a local link, use the ipv6 enforce-eui64 command in global configuration mode. To disable modified EUI-64 address format enforcement, use the no form of this command.
ipv6 enforce-eui64 if_name
no ipv6 enforce-eui64 if_name
Syntax Description
if_name
Specifies the name of the interface, as designated by the nameif command, for which you are enabling modified EUI-64 address format enforcement.
Defaults
Modified EUI-64 format enforcement is disabled.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.2(1)
This command was introduced.
8.2(1)
Support for transparent firewall mode was introduced.
Usage Guidelines
When this command is enabled on an interface, the source addresses of IPv6 packets received on that interface are verified against the source MAC addresses to ensure that the interface identifiers use the modified EUI-64 format. If the IPv6 packets do not use the modified EUI-64 format for the interface identifier, the packets are dropped and the following syslog message is generated:
%ASA-3-325003: EUI-64 source address check failed.The address format verification is only performed when a flow is created. Packets from an existing flow are not checked. Additionally, the address verification can only be performed for hosts on the local link. Packets received from hosts behind a router will fail the address format verification, and be dropped, because their source MAC address will be the router MAC address and not the host MAC address.
The modified EUI-64 format interface identifier is derived from the 48-bit link-layer (MAC) address by inserting the hexadecimal number FFFE between the upper three bytes (OUI field) and the lower three bytes (serial number) of the link layer address. To ensure the chosen address is from a unique Ethernet MAC address, the next-to-lowest order bit in the high-order byte is inverted (universal/local bit) to indicate the uniqueness of the 48-bit address. For example, an interface with a MAC address of 00E0.B601.3B7A would have a 64-bit interface ID of 02E0:B6FF:FE01:3B7A.
Examples
The following example enables modified EUI-64 format enforcement for IPv6 addresses received on the inside interface:
hostname(config)# ipv6 enforce-eui64 insideRelated Commands
ipv6 address
Configures an IPv6 address on an interface.
ipv6 enable
Enables IPv6 on an interface.
ipv6 icmp
To configure ICMP access rules for an interface, use the ipv6 icmp command in global configuration mode. To remove an ICMP access rule, use the no form of this command.
ipv6 icmp {permit | deny} {ipv6-prefix/prefix-length | any | host ipv6-address} [icmp-type] if-name
no ipv6 icmp {permit | deny} {ipv6-prefix/prefix-length | any | host ipv6-address} [icmp-type] if-name
Syntax Description
Defaults
If no ICMP access rules are defined, all ICMP traffic is permitted.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
8.2(1)
Support for transparent firewall mode was introduced.
Usage Guidelines
ICMP in IPv6 functions the same as ICMP in IPv4. ICMPv6 generates error messages, such as ICMP destination unreachable messages and informational messages like ICMP echo request and reply messages. Additionally, ICMP packets in IPv6 are used in the IPv6 neighbor discovery process and path MTU discovery.
The minimum MTU allowed on an IPv6 enabled interface is 1280 bytes; however, if IPsec is enabled on the interface, the MTU value should not be set below 1380 because of the overhead of IPsec encryption. Setting the interface below 1380 bytes may result in dropped packets.
If there are no ICMP rules defined for an interface, all IPv6 ICMP traffic is permitted.
If there are ICMP rules defined for an interface, then the rules are processed in order on a first-match basis followed by an implicit deny all rule. For example, if the first matched rule is a permit rule, the ICMP packet is processed. If the first matched rule is a deny rule, or if the ICMP packet did not match any rule on that interface, then the ASA discards the ICMP packet and generates a syslog message.
For this reason, the order that you enter the ICMP rules is important. If you enter a rule denying all ICMP traffic from a specific network, and then follow it with a rule permitting ICMP traffic from a particular host on that network, the host rule will never be processed. The ICMP traffic is blocked by the network rule. However, if you enter the host rule first, followed by the network rule, the host ICMP traffic will be allowed, while all other ICMP traffic from that network is blocked.
The ipv6 icmp command configures access rules for ICMP traffic that terminates at the ASA interfaces. To configure access rules for pass-through ICMP traffic, see the ipv6 access-list command.
Examples
The following example denies all ping requests and permits all packet-too-big messages (to support path MTU discovery) at the outside interface:
hostname(config)# ipv6 icmp deny any echo-reply outsidehostname(config)# ipv6 icmp permit any packet-too-big outsideThe following example permits host 2000:0:0:4::2 or hosts on prefix 2001::/64 to ping the outside interface:
hostname(config)# ipv6 icmp permit host 2000:0:0:4::2 echo-reply outsidehostname(config)# ipv6 icmp permit 2001::/64 echo-reply outsidehostname(config)# ipv6 icmp permit any packet-too-big outsideRelated Commands
ipv6 local pool
To configure an IPv6 address pool, use the ipv6 local pool command in global configuration mode. To delete the pool, use the no form of this command.
ipv6 local pool pool_name ipv6_address/prefix_length number_of_addresses
no ipv6 local pool pool_name ipv6_address/prefix_length number_of_addresses
Syntax Description
ipv6_address
Specifies the starting IPv6 address for the pool.
number_of_addresses
Range: 1-16384.
pool_name
Specifies the name to assign to this IPv6 address pool.
prefix_length
Range: 0-128.
Defaults
By default, the IPv6 local address pool is not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
8.0(2)
This command was introduced.
9.0(1)
You can use an IPv6 local pool for the cluster pool in the ipv6 address command to support ASA clustering.
Usage Guidelines
For VPN, to assign IPv6 local pools, use either the ipv6-local-pool command in the tunnel group or the ipv6-address-pools command (note the "s" on this command) in the group policy. The ipv6-address-pools setting in the group policy overrides the ipv6-address-pools setting in the tunnel group.
Examples
The following example configures an IPv6 address pool named firstipv6pool for use in allocating addresses to remote clients:
hostname(config)# ipv6 local pool firstipv6pool 2001:DB8::1001/32 100hostname(config)#Related Commands
ipv6 nd dad attempts
To configure the number of consecutive neighbor solicitation messages that are sent on an interface during duplicate address detection, use the ipv6 nd dad attempts command in interface configuration mode. To return to the default number of duplicate address detection messages sent, use the no form of this command.
ipv6 nd dad attempts value
no ipv6 nd dad attempts value
Syntax Description
Defaults
The default number of attempts is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
8.2(1)
Support for transparent firewall mode was introduced.
Usage Guidelines
Duplicate address detection verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection uses neighbor solicitation messages to verify the uniqueness of unicast IPv6 addresses. The frequency at which the neighbor solicitation messages are sent is configured using the ipv6 nd ns-interval command.
Duplicate address detection is suspended on interfaces that are administratively down. While an interface is administratively down, the unicast IPv6 addresses assigned to the interface are set to a pending state.
Duplicate address detection is automatically restarted on an interface when the interface returns to being administratively up. An interface returning to administratively up restarts duplicate address detection for all of the unicast IPv6 addresses on the interface.
Note
When duplicate address detection identifies a duplicate address, the state of the address is set to DUPLICATE and the address is not used. If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface and an error message similar to the following is issued:
%ASA-4-DUPLICATE: Duplicate address FE80::1 on outsideIf the duplicate address is a global address of the interface, the address is not used and an error message similar to the following is issued:
%ASA-4-DUPLICATE: Duplicate address 3000::4 on outsideAll configuration commands associated with the duplicate address remain as configured while the state of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on the new link-local address and all of the other IPv6 address associated with the interface are regenerated (duplicate address detection is performed only on the new link-local address).
Examples
The following example configures 5 consecutive neighbor solicitation messages to be sent when duplicate address detection is being performed on the tentative unicast IPv6 address of the interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd dad attempts 5The following example disables duplicate address detection on the selected interface:
hostname(config)# interface gigabitethernet 0/1hostname(config-if)# ipv6 nd dad attempts 0Related Commands
ipv6 nd managed-config-flag
To configure the ASA to set the managed address config flag in the IPv6 router advertisement packet, use the ipv6 nd managed config-flag command in interface configuration mode. To restore the default setting, use the no form of this command.
ipv6 nd managed-config-flag
no ipv6 managed-config-flag
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
Usage Guidelines
The IPv6 autoconfiguration client host can use this flag to indicate that it must use the stateful address configuration protocol (DHCPv6) to obtain addresses in addition to the derived stateless autoconfiguration address.
Examples
The following example sets the managed address config flag in the IPv6 router advertisement packet for the interface GigabitEthernet 0/0:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd managed config-flagRelated Commands
ipv6 nd other-config-flag
Configures the ASA to set the other config flag in the IPv6 router advertisement packet.
ipv6 nd ns-interval
To configure the interval between IPv6 neighbor solicitation retransmissions on an interface, use the ipv6 nd ns-interval command in interface configuration mode. To restore the default value, use the no form of this command.
ipv6 nd ns-interval value
no ipv6 nd ns-interval [value]
Syntax Description
value
The interval between IPv6 neighbor solicitation transmissions, in milliseconds. Valid values range from 1000 to 3600000 milliseconds. The default value is 1000 milliseconds.
Defaults
The default is 1000 milliseconds between neighbor solicitation transmissions.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
8.2(1)
Support for transparent firewall mode was introduced.
Usage Guidelines
This value will be included in all IPv6 router advertisements sent out this interface.
Examples
The following example configures an IPv6 neighbor solicitation transmission interval of 9000 milliseconds for GigabitEthernet 0/0:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd ns-interval 9000Related Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd other-config-flag
To configure the ASA to set the other config flag in the IPv6 router advertisement packet, use the ipv6 nd other-config-flag command in interface configuration mode. To restore the default setting, use the no form of this command.
ipv6 nd other-config-flag
no ipv6 other-config-flag
Syntax Description
This command has no arguments or keywords.
Defaults
No default behaviors or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
Usage Guidelines
The IPv6 autoconfiguration client host can use this flag to indicate that it must use the stateful address configuration protocol (DHCPv6) to obtain non-address configuration information such as DNS server information.
Examples
The following example sets the other config flag in the IPv6 router advertisement packet for the interface GigabitEthernet 0/0:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd other-config-flagRelated Commands
ipv6 nd managed-config-flag
Configures the ASA to set the managed address config flag in the IPv6 router advertisement packet.
ipv6 nd prefix
To configure which IPv6 prefixes are included in IPv6 router advertisements, use the ipv6 nd prefix command in interface configuration mode. To remove the prefixes, use the no form of this command.
ipv6 nd prefix ipv6-prefix/prefix-length | default [[valid-lifetime preferred-lifetime] | [at valid-date preferred-date] | infinite | no-advertise | off-link | no-autoconfig]
no ipv6 nd prefix ipv6-prefix/prefix-length | default [[valid-lifetime preferred-lifetime] | [at valid-date preferred-date] | infinite | no-advertise | off-link | no-autoconfig]
Syntax Description
Defaults
All prefixes configured on interfaces that originate IPv6 router advertisements are advertised with a valid lifetime of 2592000 seconds (30 days) and a preferred lifetime of 604800 seconds (7 days), and with both the "onlink" and "autoconfig" flags set.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
This command allows control over the individual parameters per prefix, including whether or not the prefix should be advertised.
By default, prefixes configured as addresses on an interface using the ipv6 address command are advertised in router advertisements. If you configure prefixes for advertisement using the ipv6 nd prefix command, then only these prefixes are advertised.
The default keyword can be used to set default parameters for all prefixes.
A date can be set to specify the expiration of a prefix. The valid and preferred lifetimes are counted down in real time. When the expiration date is reached, the prefix will no longer be advertised.
When onlink is "on" (by default), the specified prefix is assigned to the link. Nodes sending traffic to such addresses that contain the specified prefix consider the destination to be locally reachable on the link.
When autoconfig is "on" (by default), it indicates to hosts on the local link that the specified prefix can be used for IPv6 autoconfiguration.
Examples
The following example includes the IPv6 prefix 2001:200::/35, with a valid lifetime of 1000 seconds and a preferred lifetime of 900 seconds in router advertisements sent out on the specified interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd prefix 2001:200::/35 1000 900Related Commands
ipv6 address
Configures an IPv6 address and enables IPv6 processing on an interface.
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd ra-interval
To configure the interval between IPv6 router advertisement transmissions on an interface, use the ipv6 nd ra-interval command in interface configuration mode. To restore the default interval, use the no form of this command.
ipv6 nd ra-interval [msec] value
no ipv6 nd ra-interval [[msec] value]
Syntax Description
Defaults
200 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The interval between transmissions should be less than or equal to the IPv6 router advertisement lifetime if the ASA is configured as a default router by using the ipv6 nd ra-lifetime command. To prevent synchronization with other IPv6 nodes, randomly adjust the actual value used to within 20 percent of the specified value.
Examples
The following example configures an IPv6 router advertisement interval of 201 seconds for the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd ra-interval 201Related Commands
ipv6 nd ra-lifetime
Configures the lifetime of an IPv6 router advertisement.
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd ra-lifetime
To configure the "router lifetime" value in IPv6 router advertisements on an interface, use the ipv6 nd ra-lifetime command in interface configuration mode. To restore the default value, use the no form of this command.
ipv6 nd ra-lifetime seconds
no ipv6 nd ra-lifetime [seconds]
Syntax Description
Defaults
1800 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
The "router lifetime" value is included in all IPv6 router advertisements sent out an interface. The value indicates the usefulness of the ASA as a default router on this interface.
Setting the value to a non-zero value to indicates that the ASA should be considered a default router on this interface. The non-zero value for the "router lifetime" value should not be less than the router advertisement interval.
Setting the value to 0 indicates that the ASA should not be considered a default router on this interface.
Examples
The following example configures an IPv6 router advertisement lifetime of 1801 seconds for the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd ra-lifetime 1801Related Commands
ipv6 nd reachable-time
To configure the amount of time that a remote IPv6 node is considered reachable after a reachability confirmation event has occurred, use the ipv6 nd reachable-time command in interface configuration mode. To restore the default time, use the no form of this command.
ipv6 nd reachable-time value
no ipv6 nd reachable-time [value]
Syntax Description
Defaults
Zero milliseconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
8.2(1)
Support for transparent firewall mode was introduced.
Usage Guidelines
The configured time enables detecting unavailable neighbors. Shorter configured times enable detecting unavailable neighbors more quickly; however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation.
To see the reachable time used by the ASA, including the actual value when this comamnd is set to 0, use the show ipv6 interface command to display information about the IPv6 interface, including the ND reachable time being used.
Examples
The following example configures an IPv6 reachable time of 1700000 milliseconds for the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd reachable-time 1700000Related Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd suppress-ra
To suppress IPv6 router advertisement transmissions on a LAN interface, use the ipv6 nd suppress-ra command in interface configuration mode. To reenable the sending of IPv6 router advertisement transmissions on a LAN interface, use the no form of this command.
ipv6 nd suppress-ra
no ipv6 nd suppress-ra
Syntax Description
This command has no arguments or keywords.
Defaults
Router advertisements are automatically sent on LAN interfaces if IPv6 unicast routing is enabled.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
•
—
Command History
Usage Guidelines
Use the no ipv6 nd suppress-ra command to enable the sending of IPv6 router advertisement transmissions on non-LAN interface types (for example serial or tunnel interfaces).
Examples
The following example suppresses IPv6 router advertisements on the selected interface:
hostname(config)# interface gigabitethernet 0/0hostname(config-if)# ipv6 nd suppress-raRelated Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 neighbor
To configure a static entry in the IPv6 neighbor discovery cache, use the ipv6 neighbor command in global configuration mode. To remove a static entry from the neighbor discovery cache, use the no form of this command.
ipv6 neighbor ipv6_address if_name mac_address
no ipv6 neighbor ipv6_address if_name [mac_address]
Syntax Description
Defaults
Static entries are not configured in the IPv6 neighbor discovery cache.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
8.2(1)
Support for transparent firewall mode was introduced.
Usage Guidelines
The ipv6 neighbor command is similar to the arp command. If an entry for the specified IPv6 address already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery process—the entry is automatically converted to a static entry. These entries are stored in the configuration when the copy command is used to store the configuration.
Use the show ipv6 neighbor command to view static entries in the IPv6 neighbor discovery cache.
The clear ipv6 neighbors command deletes all entries in the IPv6 neighbor discovery cache except static entries. The no ipv6 neighbor command deletes a specified static entry from the neighbor discovery cache; the command does not remove dynamic entries—entries learned from the IPv6 neighbor discovery process—from the cache. Disabling IPv6 on an interface by using the no ipv6 enable command deletes all IPv6 neighbor discovery cache entries configured for that interface except static entries (the state of the entry changes to INCMP [Incomplete]).
Static entries in the IPv6 neighbor discovery cache are not modified by the neighbor discovery process.
Examples
The following example adds a static entry for the an inside host with an IPv6 address of 3001:1::45A and a MAC address of 0002.7D1A.9472 to the neighbor discovery cache:
hostname(config)# ipv6 neighbor 3001:1::45A inside 0002.7D1A.9472Related Commands
clear ipv6 neighbors
Deletes all entries in the IPv6 neighbor discovery cache, except static entries.
show ipv6 neighbor
Displays IPv6 neighbor cache information.
ipv6 ospf
To enable the OSPFv3 interface configuration for IPv6, use the ipv6 ospf command in global configuration mode. To disable the OSPFv3 interface configuration for IPv6, use the no form of this command.
ipv6 ospf [process-id] [cost | database-filter | dead-interval seconds | flood-reduction | hello-interval seconds | mtu-ignore | neighbor | network | priority | retransmit-interval seconds | transmit-delay seconds]
no ipv6 ospf [process-id] [cost | database-filter | dead-interval seconds | flood-reduction | hello-interval seconds | mtu-ignore | neighbor | network | priority | retransmit-interval seconds | transmit-delay seconds]
Syntax Description
Defaults
All IPv6 addresses are included by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
You must enable an OSPFv3 routing process before you can create an OSPFv3 area.
Examples
The following example enables OSPFv3 interface configuration:
hostname(config)# ipv6 ospf 3Related Commands
clear ipv6 ospf
Deletes all IPv6 settings in the OSPFv3 routing process.
debug ospfv3
Provides debugging information for troubleshooting OSPFv3 routing processes.
ipv6 ospf area
To create an OSPFv3 area for IPv6, use the ipv6 ospf area command in global configuration mode. To disable the OSPFv3 area configuration for IPv6, use the no form of this command.
ipv6 ospf area [area-num] [instance]
no ipv6 ospf area [area-num] [instance]
Syntax Description
area-num
Specifies the OSPFv3 area to be enabled.
instance
Specifies the area instance ID that is to be assigned to an interface.
Defaults
All IPv6 addresses are included by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
—
—
Command History
Usage Guidelines
You must configure OSPFv3 routing on each interface separately. An interface can have only one OSPFv3 area, and OSPFv3 for the ASA supports only one instance per interface. Each interface uses a different area instance ID. The area instance ID only affects the receipt of OSPF packets, and applies to normal OSPF interfaces and virtual links.
Examples
The following example enables OSPFv3 interface configuration:
hostname(config)# ipv6 ospf 3 area 2Related Commands
clear ipv6 ospf
Deletes all IPv6 settings in the OSPFv3 routing process.
debug ospfv3
Provides debugging information for troubleshooting OSPFv3 routing processes.
ipv6 ospf cost
To explicitly specify the cost of sending a packet on an interface, use the ipv6 ospf cost command in interface configuration mode. To reset the cost of sending a packet on an interface to the default value, use the no form of this command.
ipv6 ospf cost interface-cost
no ipv6 ospf cost interface-cost
Syntax Description
interface-cost
Specifies an unsigned integer value expressed as the link-state metric, which can range from 1 to 65535.
Defaults
The default cost is based on the bandwidth.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
—
Command History
Usage Guidelines
Use this command to explicitly specify the packet cost for an interface.
Examples
The following example sets the packet cost to 65:
hostname(config-if)# ipv6 ospf cost 65Related Commands
clear ipv6 ospf
Deletes all IPv6 settings in the OSPFv3 routing process.
debug ospfv3
Provides debugging information for troubleshooting OSPFv3 routing processes.
ipv6 ospf database-filter all out
To filter outgoing LSAs to an OSPFv3 interface, use the ipv6 ospf databse-filter all out command in interface configuration mode. To restore the forwarding of LSAs to the interface, use the no form of this command.
ipv6 ospf database-filter all out
no ipv6 ospf database-filter all out
Syntax Description
This command has no arguments or keywords.
Defaults
All outgoing LSAs are flooded to the interface.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
—
Command History
Usage Guidelines
Use this command to filter outgoing LSAs to an OSPFv3 interface.
Examples
The following example filters outgoing LSAs to the specified interface:
hostname(config)# interface ethernet 0hostname(config)# ipv6 enablehostname(config-if)# ipv6 ospf database-filter all outRelated Commands
clear ipv6 ospf
Deletes all IPv6 settings in the OSPFv3 routing process.
debug ospfv3
Provides debugging information for troubleshooting OSPFv3 routing processes.
ipv6 ospf dead-interval
To set the time period for which hello packets must not be seen before neighbors declare that the router is down, use the ipv6 ospf dead-interval command in interface configuration mode. To return to the default time, use the no form of this command.
ipv6 ospf dead-interval seconds
no ipv6 ospf dead-interval seconds
Syntax Description
seconds
Specifies the interval in seconds. The value must be the same for all nodes in the network. Valid values range from 1 to 65535.
Defaults
The default is four times the interval that is set by the ipv6 ospf hello-interval command.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
—
Command History
Usage Guidelines
Use this command to specify the interval during which hello packets are not seen before neighbors notify that the router is down.
Examples
The following example sets the dead interval to 60:
hostname(config)# interface ethernet 0hostname(config)# ipv6 enablehostname(config-if)# ipv6 ospf dead-interval 60Related Commands
clear ipv6 ospf
Deletes all IPv6 settings in the OSPFv3 routing process.
debug ospfv3
Provides debugging information for troubleshooting OSPFv3 routing processes.
ipv6 ospf encryption
To specify the encryption type for an interface, use the ipv6 ospf encryption command in interface configuration mode. To remove the encryption type for an interface, use the no form of this command.
ipv6 ospf encryption {ipsec spi spi esp encryption-algorithm [[key-encryption-type] key] authentication-algorithm [key-encryption-type] key | null}
no ipv6 ospf encryption {ipsec spi spi esp encryption-algorithm [[key-encryption-type] key] authentication-algorithm [key-encryption-type] key | null}
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
—
Command History
Usage Guidelines
Use this command to specify the encryption type for an interface.
Examples
The following example enables SHA-1 encryption on the interface:
hostname(config)# interface ethernet 0/0hostname(config)# ipv6 enablehostname(config-if)# ipv6 ospf encryption ipsec spi 1001 esp null sha1 123456789A123456789B123456789C123456789DRelated Commands
clear ipv6 ospf
Deletes all IPv6 settings in the OSPFv3 routing process.
debug ospfv3
Provides debugging information for troubleshooting OSPFv3 routing processes.
ipv6 ospf flood-reduction
To specify the flood reduction of LSAs to the interface, use the ipv6 ospf flood-reduction command in interface configuration mode. To remove the flood reduction of LSAs to the interface, use the no form of this command.
ipv6 ospf flood-reduction
no ipv6 ospf flood-reduction
Syntax Description
This command has no arguments or keywords.
Command Default
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
—
Command History
Usage Guidelines
Use this command to specify the flood reduction of LSAs to an interface.
Examples
The following example enables flood reduction of LSAs to the interface:
hostname(config-if)# interface GigabitEthernet3/2.200
vlan 200
nameif outside
security-level 100
ip address 20.20.200.30 255.255.255.0 standby 20.20.200.31
ipv6 address 3001::1/64 standby 3001::8
ipv6 address 6001::1/64 standby 6001::8
ipv6 enable
ospf priority 255
ipv6 ospf cost 100
ipv6 ospf 100 area 10 instance 200ipv6 ospf flood reductionRelated Commands
clear ipv6 ospf
Deletes all IPv6 settings in the OSPFv3 routing process.
debug ospfv3
Provides debugging information for troubleshooting OSPFv3 routing processes.
ipv6 ospf hello-interval
To set the time period for which hello packets must not be seen before neighbors declare that the router is down, use the ipv6 ospf dead-interval command in interface configuration mode. To return to the default time, use the no form of this command.
ipv6 ospf dead-interval seconds
no ipv6 ospf dead-interval seconds
Syntax Description
seconds
Specifies the interval in seconds. The value must be the same for all nodes in the network. Valid values range from 1 to 65535.
Defaults
The default interval is 10 seconds if you are using Ethernet and 30 seconds if you are using non-broadcast.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
—
Command History
Usage Guidelines
Use this command to specify the interval during which hello packets are not seen before neighbors notify that the router is down.
Examples
The following example sets the dead interval to 60:
hostname(config)# interface ethernet 0hostname(config)# ipv6 enablehostname(config-if)# ipv6 ospf dead-interval 60Related Commands
clear ipv6 ospf
Deletes all IPv6 settings in the OSPFv3 routing process.
debug ospfv3
Provides debugging information for troubleshooting OSPFv3 routing processes.
ipv6 ospf mtu-ignore
To disable OSPFv3 maximum transmission unit (MTU) mismatch detection when the ASA receives database descriptor (DBD) packets, use the ipv6 ospf mtu-ignore command in interface configuration mode. To reset the MTU mismatch detection when the ASA receives DBD packets to the default, use the no form of this command.
ipv6 ospf mtu-ignore
no ipv6 ospf mtu-ignore
Syntax Description
This command has no arguments or keywords.
Defaults
OSPFv3 MTU mismatch detection is enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
—
Command History
Usage Guidelines
Use this command to disable OSPFv3 MTU mismatch detection when the ASA receives DBD packets.
Examples
The following example disables OSPFv3 MTU mismatch detection when the ASA receives DBD packets:
hostname(config)# interface serial 0/0hostname(config)# ipv6 enablehostname(config-if)# ipv6 ospf mtu-ignoreRelated Commands
clear ipv6 ospf
Deletes all IPv6 settings in the OSPFv3 routing process.
debug ospfv3
Provides debugging information for troubleshooting OSPFv3 routing processes.
ipv6 ospf neighbor
To configure OSPFv3 router interconnections to nonbroadcast networks, use the ipv6 ospf neighbor command in interface configuration mode. To remove a configuration, use the no form of this command.
ipv6 ospf neighbor ipv6-address [priority number] [poll-interval seconds] [cost number] [database-filter]
no ipv6 ospf neighbor ipv6-address [priority number] [poll-interval seconds] [cost number] [database-filter]
Syntax Description
Defaults
The default depends on the network type.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
—
Command History
Usage Guidelines
Use this command to configure OSPFv3 router interconnections to nonbroadcast networks.
Examples
The following example configures an OSPFv3 neighboring router:
hostname(config)# interface serial 0hostname(config)# ipv6 enablehostname(config-if)# ipv6 ospf 1 area 0hostname(config-if)# ipv6 ospf neighbor FE80::A8BB:CCFF:FE00:C01Related Commands
clear ipv6 ospf
Deletes all IPv6 settings in the OSPFv3 routing process.
ipv6 ospf priority
Determines the designated router for a specified network.
ipv6 ospf network
To configure the OSPFv3 network type to a type other than the default, use the ipv6 ospf network command in interface configuration mode. To return to the default type, use the no form of this command.
ipv6 ospf network {broadcast | point-to-point non-broadcast}
no ipv6 ospf network {broadcast | point-to-point non-broadcast}
Syntax Description
broadcast
Sets the network type to broadcast.
point-to-point non-broadcast
Sets the network type to point-to-point non-broadcast.
Defaults
The default depends on the network type.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
•
•
—
—
Command History
Usage Guidelines
Use this command to configure the OSPFv3 network type to a type that is different from the default.
Examples
The following example sets the OSPFv3 network to a broadcast network:
hostname(config)# interface serial 0hostname(config)# ipv6 enablehostname(config-if)# ipv6 ospf 1 area 0hostname(config-if)# ipv6 ospf network broadcasthostname(config-if)# encapsulation frame-relayRelated Commands
clear ipv6 ospf
Deletes all IPv6 settings in the OSPFv3 routing process.
ipv6 ospf priority
Determines the designated router for a specified network.
ipv6 ospf priority
To set the router priority, which helps determine the designated router for a specified network, use the ipv6 ospf priority command in interface configuration mode. To return to the default value, use the no form of this command.
ipv6 ospf priority number-value
no ipv6 ospf priority number-value
Syntax Description
number-value
Sets the number value that specifies the priority of the router. Valid values range from 0 to 255.
Defaults
The default priority is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
Use this command to set the priority of the router.
Examples
The following example sets the priority of the router to 4:
hostname(config)# interface ethernet 0hostname(config-if)# ipv6 ospf priority 4Related Commands
ipv6 ospf retransmit-interval
To specify the time between LSA retransmissions for adjacencies that belong to the interface, use the ipv6 ospf retransmit-interval command in interface configuration mode. To return to the default value, use the no form of this command.
ipv6 ospf retransmit-interval seconds
no ipv6 ospf retransmit-interval seconds
Syntax Description
Defaults
The default is 5 seconds.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
Use this command to specify the time between LSA retransmissions for adjacencies that belong to the interface.
Examples
The following example sets the retransmission interval to 8 seconds:
hostname(config)# interface ethernet 2hostname(config)# ipv6 enablehostname(config-if)# ipv6 ospf retransmit-interval 8Related Commands
ipv6 ospf
Deletes all IPv6 settings in the OSPFv3 routing process.
ipv6 ospf priority
Determines the designated router for a specified network.
ipv6 ospf transmit-delay
To set the estimated time that is required to send a link-state update packet on the interface, use the ipv6 ospf transmit-delay command in interface configuration mode. To return to the default value, use the no form of this command.
ipv6 ospf transmit-delay seconds
no ipv6 ospf transmit-delay seconds
Syntax Description
seconds
Specifies the time in seconds that is required to send a link-state update. Valid values range from 1 to 65535 seconds.
Defaults
The default is 1 second.
Command Modes
The following table shows the modes in which you can enter the command:
Interface configuration
•
—
•
—
—
Command History
Usage Guidelines
Use this command to set the estimated time that is required to send a link-state update packet on the interface.
Examples
The following example sets the transmission delay to 3 seconds:
hostname(config)# interface ethernet 0hostname(config)# ipv6 enablehostname(config-if)# ipv6 ospf transmit-delay 3Related Commands
clear ipv6 ospf
Deletes all IPv6 settings in the OSPFv3 routing process.
ipv6 ospf priority
Determines the designated router for a specified network.
ipv6 route
To add an IPv6 route to the IPv6 routing table, use the ipv6 route command in global configuration mode. To remove an IPv6 default route, use the no form of this command.
ipv6 route if_name ipv6-prefix/prefix-length ipv6-address [administrative-distance | tunneled]
no ipv6 route if_name ipv6-prefix/prefix-length ipv6-address [administrative-distance | tunneled]
Syntax Description
Defaults
By default, the administrative distance is 1.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
•
•
•
—
Command History
7.0(1)
This command was introduced.
8.2(1)
Support for transparent firewall mode was introduced.
Usage Guidelines
Use the show ipv6 route command to view the contents of the IPv6 routing table.
You can define a separate default route for tunneled traffic along with the standard default route. When you create a default route with the tunneled option, all traffic from a tunnel terminating on the ASA that cannot be routed using learned or static routes, is sent to this route. For traffic emerging from a tunnel, this route overrides over any other configured or learned default routes.
The following restrictions apply to default routes with the tunneled option:
•
•
•
You cannot define more than one default route with the tunneled option; ECMP for tunneled traffic is not supported.
Examples
The following example routes packets for network 7fff::0/32 to a networking device on the inside interface at 3FFE:1100:0:CC00::1 with an administrative distance of 110:
hostname(config)# ipv6 route inside 7fff::0/32 3FFE:1100:0:CC00::1 110Related Commands
debug ipv6 route
Displays debugging messages for IPv6 routing table updates and route cache updates.
show ipv6 route
Displays the current contents of the IPv6 routing table.
ipv6 router ospf
To create an OSPFv3 routing process and enter IPv6 router configuration mode, use the ipv6 router ospf command in global configuration mode.
ipv6 router ospf process-id
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The ipv6 router ospf command is the global configuration command for OSPFv3 routing processes running on the ASA. After you enter the ipv6 router ospf command, the command prompt appears as (config-rtr)#, indicating that you are in IPv6 router configuration mode.
When using the no ipv6 router ospf command, you do not need to specify optional arguments unless they provide necessary information. The no ipv6 router ospf command terminates the OSPFv3 routing process specified by its process-id argument. You assign the process-id value locally on the ASA. You must assign a unique value for each OSPFv3 routing process. You can use a maximum of two processes.
Use the ipv6 router ospf command in IPv6 router configuration mode to configure OSPFv3 routing processes with the following OSPFv3-specific options:
•
•
•
•
•
•
•
•
–
–
–
–
–
•
–
–
–
•
–
–
•
•
–
–
–
Examples
The following example enables an OSPFv3 routing process and enters IPv6 router configuration mode:
hostname(config)# ipv6 router ospf 10hostname(config-rtr)#Related Commands
clear ipv6 ospf
Removes all IPv6 settings in the OSPFv3 routing process.
debug ospfv3
Provides debugging information for troubleshooting OSPFv3 routing processes.
ipv6-address-pool (tunnel-group general attributes mode)
To specify a list of IPv6 address pools for allocating addresses to remote clients, use the ipv6-address-pool command in tunnel-group general-attributes configuration mode. To eliminate IPv6 address pools, use the no form of this command.
ipv6-address-pool [(interface_name)] ipv6_address_pool1 [...ipv6_address_pool6]
no ipv6-address-pool [(interface_name)] ipv6_address_pool1 [...ipv6_address_pool6]
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Tunnel-group general attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
You can enter multiples of each of these commands, one per interface. If an interface is not specified, then the command specifies the default for all interfaces that are not explicitly referenced.
The IPv6 address-pool settings in the group-policy ipv6-address-pools command override the IPv6 address pool settings in the tunnel group ipv6-address-pool command.
The order in which you specify the pools is significant. The ASA allocates addresses from these pools in the order in which the pools appear in this command.
Examples
The following example entered in tunnel-group general-attributes configuration mode, specifies a list of IPv6 address pools for allocating addresses to remote clients for an IPsec remote access tunnel group test:
hostname(config)# tunnel-group test type remote-accesshostname(config)# tunnel-group test general-attributeshostname(config-tunnel-general)# ipv6-address-pool (inside) ipv6addrpool1 ipv6addrpool2 ipv6addrpool3hostname(config-tunnel-general)#Related Commands
ipv6-address-pools
To specify a list of up to six IPv6 address pools from which to allocate addresses to remote clients, use the ipv6-address-pools command in group-policy attributes configuration mode. To remove the attribute from the group policy and enable inheritance from other sources of group policy, use the no form of this command.
ipv6-address-pools value ipv6_address_pool1 [...ipv6_address_pool6]
no ipv6-address-pools value ipv6_address_pool1 [...ipv6_address_pool6]
ipv6-address-pools none
no ipv6-address-pools none
Syntax Description
Defaults
By default, the IPv6 address pools attribute is not configured.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy attributes configuration
•
—
•
—
—
Command History
Usage Guidelines
To configure IPv6 address pools, use the ipv6 local pool command.
The order in which you specify the pools in the ipv6-address-pools command is significant. The ASA allocates addresses from these pools in the order in which the pools appear in this command.
The ipv6-address-pools none command disables this attribute from being inherited from other sources of policy, such as the DefaultGrpPolicy. The no ipv6-address-pools none command removes the ipv6-address-pools none command from the configuration, restoring the default value, which is to allow inheritance.
Examples
The following example, entered in group-policy attributes configuration mode, configures an IPv6 address pool named firstipv6pool for use in allocating addresses to remote clients, then associates that pool with GroupPolicy1:
hostname(config)# ipv6 local pool firstipv6pool 2001:DB8::1000/32 100hostname(config)# group-policy GroupPolicy1 attributeshostname(config-group-policy)# ipv6-address-pools value firstipv6poolhostname(config-group-policy)#Related Commands
ipv6-split-tunnel-policy
To set a IPv6 split tunneling policy, use the ipv6-split-tunnel-policy command in group-policy configuration mode. To remove the ipv6-split-tunnel-policy attribute from the running configuration, use the no form of this command. This enables inheritance of a value for IPv6 split tunneling from another group policy.
IPv6 split tunneling lets a remote-access VPN client conditionally direct packets over an IPsec or SSL IPv6 tunnel in encrypted form, or to a network interface in cleartext form. With IPv6 split-tunneling enabled, packets not bound for destinations on the other side of the IPsec or SSL VPN tunnel endpoint do not have to be encrypted, sent across the tunnel, decrypted, and then routed to a final destination.
This command applies IPv6 split tunneling policy to a specific network.
ipv6-split-tunnel-policy {tunnelall | tunnelspecified | excludespecified}
no ipv6-split-tunnel-policy
Syntax Description
Defaults
IPv6 split tunneling is disabled by default, which is tunnelall.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy
•
—
•
—
—
Command History
Usage Guidelines
IPv6 split tunneling is primarily a traffic management feature, not a security feature. In fact, for optimum security, we recommend that you not enable IPv6 split tunneling.
Examples
The following example shows how to set a split tunneling policy of tunneling only specified networks for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#ipv6-split-tunnel-policy tunnelspecifiedRelated Commands
ipv6-vpn-address-assign
To specify a method for assigning IPv6 addresses to remote access clients, use the ipv6-vpn-addr-assign command in global configuration mode. To remove the attribute from the configuration, use the no version of this command. To remove all configured VPN address assignment methods from the ASA, user the no version of this command. without arguments.
ipv6-vpn-addr-assign {aaa | local }
no ipv6-vpn-addr-assign {aaa | local }
Syntax Description
Defaults
Both the AAA and local vpn address assignment options are enabled by default.
Command Modes
The following table shows the modes in which you can enter the command:
Global configuration
•
—
•
—
—
Command History
Usage Guidelines
The ASA can use either the AAA or local methods for assigning IPv6 addresses to remote access clients. If you configure more than one address assignment method, the ASA searches each of the options until it finds an IPv6 address.
Examples
The following example shows how to configure AAA as the address assignment method.
Example:hostname(config)# ipv6-vpn-addr-assign aaa
The following example shows how to configure the use of a local address pool for the address assignment method.
Example:hostname(config)# no ipv6-vpn-addr-assign local
Related Commands
ipv6-vpn-filter
To specify the name of the IPv6 ACL to use for VPN connections, use the ipv6-vpn-filter command in group-policy configuration or username configuration mode. To remove the ACL, including a null value created by issuing the ipv6-vpn-filter none command, use the no form of this command.
ipv6-vpn-filter {value IPV6-ACL-NAME | none}
no ipv6-vpn-filter
Syntax Description
Defaults
No default behavior or values.
Command Modes
The following table shows the modes in which you can enter the command:
Group-policy configuration
•
—
•
—
—
Username configuration
•
—
•
—
—
Command History
Usage Guidelines
Clientless SSL VPN does not use the ACL defined in the ipv6-vpn-filter command.
The no option allows inheritance of a value from another group policy. To prevent inheriting values, use the ipv6-vpn-filter none command.
You configure ACLs to permit or deny various types of traffic for this user or group policy. You then use the ipv6-vpn-filter command to apply those ACLs.
Examples
The following example shows how to set a filter that invokes an access list named ipv6_acl_vpn for the group policy named FirstGroup:
hostname(config)#group-policy FirstGroup attributeshostname(config-group-policy)#ipv6-vpn-filter value ipv6_acl_vpnRelated Commands
access-list
Creates an access list, or uses a downloadable access list.
vpn-filter
Specifies the names of an IPv4 or IPv6 ACL to use for VPN connections.
