I am configuring public IPv6 (dual stack w/static IPv4 block) on an ASA 5506 ver 9.9(2)36. The ISP has assigned a single /64 prefix where 2001:2:3:4::1 (not actual IP) is their equipment and 2001:2:3:4::2 could be our ASA. For a static IPv6 assignment I've typically seen the ISP provide a /126 block for our equipment with a routed /64 (or larger) for LAN devices. I have never configured an ASA with only a /64 before and it would seem like it would require both outside and inside interfaces to be on the same prefix, which of course isn't possible.
The LAN hosts correctly assign themselves the prefix and have the correct default route to the local link of the inside interface. I've tried assigning the /64 block IPv6 to the inside interface setting the default route on the outside interface to their router since I'm able to ping its local link from the local link on my outside interface. This doesn't work of course.
I have confirmed that their upstream routing is working as I am able to pass traffic from the ASA (traceroute out, ssh in) when the /64 is assigned to the outside interface.
Before I go back to them, I'm wondering if this configuration is even possible on an ASA (or otherwise)? It doesn't seem to me that this would work, however there is a lot of IPv6 voodoo that I don't completely understand.
Some config:
interface GigabitEthernet1/1
security-level 0
nameif outside
ip address x.x.1.1 255.255.255.0
ipv6 address 2001:2:3:4::2/64
ipv6 enable
ipv6 nd suppress-ra
!
interface GigabitEthernet1/2
security-level 100
nameif inside
ip address 192.168.0.1 255.255.255.0
! ipv6 address 2001:2:3:4::3/64 ! this doesn't work of course
ipv6 enable
ipv6 nd prefix 2001:2:3:4::/64
ipv6 route outside ::/0 2001:2:3:4::1
Thanks!
