Cisco ASA and static IPv6 tunnel endpoint?

Posted by Martijn Heemels on Server Fault
Published on 2010-06-03T16:08:16Z Indexed on 2010/06/11 13:23 UTC

I recently installed a Cisco ASA 5505 firewall on the edge of our LAN. The setup is simple:

Internet <--> ASA <--> LAN

I would like to provide the hosts in the LAN with IPv6 connectivity by setting up a 6in4 tunnel to SixXS.

It would be nice to have the ASA as tunnel endpoint so it can firewall both IPv4 and IPv6 traffic.

Unfortunately the ASA apparently can't create a tunnel itself, and can't port-forward protocol 41 traffic, so I believe I would have to do one of the following instead:

  • Set up a host with its own IP outside the firewall, and have that function as tunnel endpoint. The ASA can then firewall and route the v6 subnet to the LAN.
  • Set up a host inside the firewall that functions as endpoint, separated via VLAN or whatever, and loop the traffic back into the ASA where it can be firewalled and routed. This seems contrived, but would allow me to use a VM instead of a physical machine as endpoint.
  • Any other way?

What would you suggest is the optimal way to set this up?

P.S. I do have a spare public IP address available if needed, and can spin up another VM in our VMware infrastructure.
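
A sketch of the first option in the question (a Linux host outside the ASA terminating the 6in4 tunnel and routing the IPv6 subnet to the ASA), added here as an example and not part of the original post. The tunnel name `sixxs`, the interface `eth1`, the assumption that the ASA outside interface has an IPv6 address, and every address (taken from documentation ranges) are placeholders.

```shell
#!/bin/sh
# Added example: Linux host outside the ASA terminating the 6in4 tunnel.
# Every address and interface name below is a constructed placeholder.
LOCAL_V4="192.0.2.10"            # spare public IPv4 given to the endpoint host
BROKER_V4="198.51.100.1"         # tunnel broker's IPv4 endpoint (placeholder)
TUN_V6="2001:db8:0:1::2/64"      # our end of the tunnel link
LAN_PREFIX="2001:db8:100::/48"   # routed subnet destined for the LAN
ASA_IF="eth1"                    # interface on the segment shared with the ASA
ASA_LINK_V6="2001:db8:0:2::1/64" # transit address on that interface
ASA_V6="2001:db8:0:2::2"         # ASA outside IPv6 address (assumed)
DRY_RUN="${DRY_RUN:-1}"          # 1 = print commands, 0 = execute as root

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

setup_6in4() {
    # 6in4 is IP protocol 41: no ports, so it is matched by protocol number.
    # The host sits outside the firewall, so accept it from the broker only.
    run iptables -A INPUT -p 41 -s "$BROKER_V4" -d "$LOCAL_V4" -j ACCEPT
    run iptables -A INPUT -p 41 -j DROP
    # "sit" is the Linux tunnel mode for IPv6-in-IPv4.
    run ip tunnel add sixxs mode sit local "$LOCAL_V4" remote "$BROKER_V4" ttl 64
    run ip link set dev sixxs mtu 1280 up   # 1280 = IPv6 minimum MTU
    run ip -6 addr add "$TUN_V6" dev sixxs
    run ip -6 route add default dev sixxs
    # Hand the routed prefix to the ASA so it filters all LAN-bound IPv6.
    run ip -6 addr add "$ASA_LINK_V6" dev "$ASA_IF"
    run ip -6 route add "$LAN_PREFIX" via "$ASA_V6" dev "$ASA_IF"
    run sysctl -w net.ipv6.conf.all.forwarding=1
}

setup_6in4
```

With the default `DRY_RUN=1` the script only prints the commands for review; the ASA-side IPv6 addressing and access rules are not covered here.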

© Server Fault or respective owner
