I have some odd reasons for deploying IPv6: a Chinese door entry system, Xbox Live events. The latest, however, isn't as odd: a CloudFlare deployment.

Why would you need IPv6 to deploy CloudFlare, you may ask? Well, with IPv6 preferred by most modern OSes and CloudFlare being IPv6 enabled, yes, it all just works, UNTIL you want to have certain parts of a site IP restricted based on a pinhole VPN and your end clients are dual stacked.

Pinhole VPN ? HUH

A VPN where only certain subnets are classed as interesting traffic: users VPN to a device, which then treats some internet hosts as interesting traffic and sends them through the tunnel. Those hosts therefore see a known source IP, which is what the restrictions key on.

Now, this works fine with both IPv4 and IPv6, *but* if the user has an IPv6 connection, such as BT/Sky in the UK, v6 is preferred. So CloudFlare, even when passing the original client IP, sees the home user's IPv6 address, and since those addresses aren't static they are difficult to restrict.

The fix: add IPv6 to the pinhole VPN.

Adding IPv6 to a pinhole VPN

Adding IPv6 is pretty straightforward on an ASA, following the same basic path as IPv4 VPNs, except of course for NAT.

Worth mentioning that you should have same-security-traffic permit intra-interface set. This is required because on a pinhole VPN you are essentially coming in on the outside interface in order to go back out via the outside interface.


  1. Configure IPv6 Interfaces, route Outside
  2. Define a pool
  3. Create some Object Groups
  4. Alter some ACLs
  5. Add ipv6 to the Group Policy
  6. Add ipv6 pool to the Tunnel Group


** Note: this is not a complete example; rather, it adds IPv6 support to an existing client VPN setup.

For the below: our outside prefix is 2001:DB8::/64 and the pool is 2001:db8:0:1::/64.
Our VPN uses the ACL named "vpn" for specifying interesting traffic.

interface GigabitEthernet1/1
nameif outside
ipv6 address 2001:DB8::2/64 standby 2001:DB8::4

ipv6 route outside ::/0 2001:DB8::1

! note, pool has to start with an address, not a network
ipv6 local pool ipv6pool 2001:DB8:0:1::1/64 200

object-group network CloudFlare-ipv6
network-object 2400:cb00::/32
network-object 2606:4700::/32
network-object 2803:f800::/32
network-object 2405:b500::/32
network-object 2405:8100::/32
network-object 2a06:98c0::/29
network-object 2c0f:f248::/32
object-group network ipv6_ssl_vpn_pool
network-object 2001:DB8:0:1::/64

! VPN ACL is already defined, so all we do here is add an entry for ipv6
access-list vpn extended permit ip object-group CloudFlare-ipv6 object-group ipv6_ssl_vpn_pool

! note! ipv6 and ipv4 use the SAME split-tunnel ACL, do not confuse this with the VPN filter. So no need to specify a separate ACL here.

group-policy GroupPolicy attributes
ipv6-split-tunnel-policy tunnelspecified

tunnel-group TunnelGroup general-attributes
ipv6-address-pool ipv6pool

So now, when folks VPN in, their traffic to CloudFlare goes through the IPv6 tunnel, meaning CloudFlare sees a known IPv6 address from the pool.
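To see why the v6 ACL entry matters for a dual-stacked client, here is an added example (not part of the original post and not ASA code) that models the split-tunnel decision the "vpn" ACL makes and checks an ipv6 local pool definition against the "address, not a network" rule. The CloudFlare-ipv6 prefixes are the ones from the post; the IPv4 object group, the client's home addresses and its pool addresses are constructed placeholders from documentation ranges, since the post does not list them.

```python
# Added example, not the blog's own config: models the split-tunnel decision
# the ASA ACL "vpn" makes per destination, shows which source address a site
# such as CloudFlare ends up seeing for a dual-stacked client, and validates an
# "ipv6 local pool" definition. Standard library only.
import ipaddress

# The CloudFlare-ipv6 object group from the post.
CLOUDFLARE_IPV6 = [ipaddress.IPv6Network(p) for p in (
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Hypothetical IPv4 object group for the same ACL: the post does not list its
# v4 entries, so this is a constructed placeholder (RFC 5737 documentation space).
INTERESTING_IPV4 = [ipaddress.IPv4Network("203.0.113.0/24")]

# Constructed sample dual-stacked client: addresses handed out by the VPN pools
# and the addresses its ISP gave it at home (2001:db8::/32 is documentation space).
CLIENT = {
    "pool6": ipaddress.ip_address("2001:db8:0:1::5"),
    "pool4": ipaddress.ip_address("192.0.2.10"),
    "home6": ipaddress.ip_address("2001:db8:ffff::1"),   # ISP-assigned, not static
    "home4": ipaddress.ip_address("198.51.100.7"),
}


def is_interesting(dst):
    """True if traffic to dst matches the split-tunnel ACL and rides the VPN."""
    addr = ipaddress.ip_address(dst)
    groups = CLOUDFLARE_IPV6 if addr.version == 6 else INTERESTING_IPV4
    return any(addr in net for net in groups)


def egress_address(client, dst):
    """Source address the remote site sees when client talks to dst.

    Interesting traffic leaves from the pool address of the destination's
    address family; anything else leaves directly from the home address.
    For a v6-preferring client that is the unpredictable residential v6
    address the post is trying to keep away from the IP restriction.
    """
    fam = ipaddress.ip_address(dst).version
    pool_key, home_key = ("pool6", "home6") if fam == 6 else ("pool4", "home4")
    return client[pool_key] if is_interesting(dst) else client[home_key]


def validate_pool(start_with_prefix, count):
    """Check an 'ipv6 local pool' definition the way the ASA note requires:
    the pool must start with a host address (not the prefix's network address)
    and start + count - 1 must still fall inside the prefix.
    Returns (ok, reason)."""
    iface = ipaddress.IPv6Interface(start_with_prefix)
    net = iface.network
    if iface.ip == net.network_address:
        return False, "pool has to start with an address, not a network"
    last = iface.ip + (count - 1)
    if last not in net:
        return False, "pool runs past the end of the prefix"
    return True, "ok"


if __name__ == "__main__":
    for dst in ("2606:4700::6810:1", "2001:4860:4860::8888", "203.0.113.9"):
        print(dst, "tunnel" if is_interesting(dst) else "direct",
              "seen as", egress_address(CLIENT, dst))
    print(validate_pool("2001:DB8:0:1::/64", 200))
    print(validate_pool("2001:DB8:0:1::1/64", 200))
```

Running it shows the CloudFlare destination leaving from the pool address while a non-matching v6 destination leaves from the home address, and it rejects the network-address form of the pool that the ASA would also refuse.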
