https://community.cisco.com/t5/network-access-control/ipv6-acl-permit-but-not-working-on-c892fsp-k9/m-p/4307345#M566136 <P>Hi,</P><P>I have set up filter for the inbound interface on the wan part.</P><P>I permit www and 443 traffic from any to a specific host (2A01:XXXX:XXXX:C884:8000::1).</P><P>I get the following error on the browser:</P><P>&lt;html&gt;&lt;head&gt;&lt;title&gt;Service Unavailable&lt;/title&gt;&lt;/head&gt; &lt;body&gt;&lt;h4&gt;Service temporairement indisponible ou en maintenance.&lt;/h4&gt;&lt;/body&gt;&lt;/html&gt;</P><P>&nbsp;</P><P>Here is the config I have:</P><PRE>interface GigabitEthernet9 description Primary link Free ip address 192.168.10.100 255.255.255.0 ip access-group 199 in ip nat outside ip virtual-reassembly in duplex auto speed auto ipv6 address 2A01:XXXX:XXXX:C880::2/64 ipv6 address autoconfig default ipv6 enable ipv6 traffic-filter ipv6in in<BR /><BR />interface Vlan4<BR />description front-web<BR />ip address 192.168.104.254 255.255.255.0<BR />ip nat inside<BR />ip virtual-reassembly in<BR />ipv6 address 2A01:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0/65<BR />ipv6 enable<BR />ipv6 nd prefix 2A01:XXXX:XXXX:C884::/65 infinite infinite<BR />ipv6 nd advertisement-interval<BR />ipv6 nd ra interval 100</PRE><P>ACL:</P><PRE>ipv6 access-list ipv6in deny ipv6 any host 2A01:XXXX:XXXX:C881:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C882:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C883:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C884:7FFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C885:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C886:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C887:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C881:FFFF:FFFF:FFFE:0 deny ipv6 any host 2A01:XXXX:XXXX:C881:FFFF:FFFF:FFFD:0 deny ipv6 any host 2A01:XXXX:XXXX:C882:FFFF:FFFF:FFFC:0 permit tcp any any established permit icmp any any echo-reply permit udp any eq domain any permit tcp any host 2A01:XXXX:XXXX:C884:8000::1 eq www permit tcp any host 2A01:XXXX:XXXX5:C884:8000::1 eq 443 permit tcp any host 2A01:XXXX:XXXX:C884:8000::1 eq 22 log permit tcp any 2A01:XXXX:XXXX5:C884:8000::/65 range 1024 65535 permit udp any 2A01:XXXX:XXXX:C884:8000::/65 range 1024 65535 permit icmp any 2A01:XXXX:XXXX:C884:8000::/65 echo-reply sequence 1000 remark Permit good ICMPv6 message types remark Deny loopback address deny ipv6 host ::1 any remark Deny IPv4-compatible addresses deny ipv6 ::/96 any remark Deny IPv4-mapped addresses (obsolete) deny ipv6 ::FFFF:0.0.0.0/96 any remark Deny auto tunneled packets w/compatible addresses (RFC 4291) remark Deny other compatible addresses deny ipv6 ::224.0.0.0/100 any log deny ipv6 ::127.0.0.0/104 any log deny ipv6 ::/104 any log deny ipv6 ::255.0.0.0/104 any log remark Deny false 6to4 packets deny ipv6 2002:E000::/20 any log deny ipv6 2002:7F00::/24 any log deny ipv6 2002::/24 any log deny ipv6 2002:FF00::/24 any log deny ipv6 2002:A00::/24 any log deny ipv6 2002:AC10::/28 any log deny ipv6 2002:C0A8::/32 any log remark Permit good NDP messages since we deny and log at the end permit icmp FE80::/10 any nd-na permit icmp FE80::/10 any nd-ns remark Deny Link-Local communications deny ipv6 FE80::/10 any remark Deny Site-Local (deprecated) deny ipv6 FEC0::/10 any remark Deny Unique-Local packets deny ipv6 FC00::/7 any remark Deny multicast packets deny ipv6 FF00::/8 any remark Deny Documentation Address deny ipv6 2001:DB8::/32 any remark Deny 6Bone addresses (deprecated) deny ipv6 3FFE::/16 any remark Deny RH0 packets deny ipv6 any any routing-type 0 log remark Deny our own addresses coming inbound</PRE><P>Here is the router/firewall (<SPAN>C892FSP-K9</SPAN>)&nbsp; log:</P><PRE>Mar 15 08:35:53.712: %IPV6_ACL-6-ACCESSLOGP: list ipv6in/150 permitted tcp 2A01:CB09:8017:5F97:99B9:2DBF:AA47:3E8B(45698) -&gt; 2A01:E34:EC45:C884:8000::1(80), 1 packet<BR />Mar 15 08:39:52.236: %IPV6_ACL-6-ACCESSLOGP: list ipv6in/160 permitted tcp 2A01:CB09:8017:5F97:99B9:2DBF:AA47:3E8B(33474) -&gt; 2A01:E34:EC45:C884:8000::1(443), 3 packets</PRE><P>&nbsp;The traffic does not go through??</P><P>Any Idea?</P><P>Thanks</P><P>vandman</P> Mon, 15 Mar 2021 08:57:57 GMT adelium904 2021-03-15T08:57:57Z https://community.cisco.com/t5/network-access-control/ipv6-acl-permit-but-not-working-on-c892fsp-k9/m-p/4307345#M566136 <P>Hi,</P><P>I have set up filter for the inbound interface on the wan part.</P><P>I permit www and 443 traffic from any to a specific host (2A01:XXXX:XXXX:C884:8000::1).</P><P>I get the following error on the browser:</P><P>&lt;html&gt;&lt;head&gt;&lt;title&gt;Service Unavailable&lt;/title&gt;&lt;/head&gt; &lt;body&gt;&lt;h4&gt;Service temporairement indisponible ou en maintenance.&lt;/h4&gt;&lt;/body&gt;&lt;/html&gt;</P><P>&nbsp;</P><P>Here is the config I have:</P><PRE>interface GigabitEthernet9 description Primary link Free ip address 192.168.10.100 255.255.255.0 ip access-group 199 in ip nat outside ip virtual-reassembly in duplex auto speed auto ipv6 address 2A01:XXXX:XXXX:C880::2/64 ipv6 address autoconfig default ipv6 enable ipv6 traffic-filter ipv6in in<BR /><BR />interface Vlan4<BR />description front-web<BR />ip address 192.168.104.254 255.255.255.0<BR />ip nat inside<BR />ip virtual-reassembly in<BR />ipv6 address 2A01:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0/65<BR />ipv6 enable<BR />ipv6 nd prefix 2A01:XXXX:XXXX:C884::/65 infinite infinite<BR />ipv6 nd advertisement-interval<BR />ipv6 nd ra interval 100</PRE><P>ACL:</P><PRE>ipv6 access-list ipv6in deny ipv6 any host 2A01:XXXX:XXXX:C881:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C882:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C883:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C884:7FFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C885:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C886:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C887:FFFF:FFFF:FFFF:0 deny ipv6 any host 2A01:XXXX:XXXX:C881:FFFF:FFFF:FFFE:0 deny ipv6 any host 2A01:XXXX:XXXX:C881:FFFF:FFFF:FFFD:0 deny ipv6 any host 2A01:XXXX:XXXX:C882:FFFF:FFFF:FFFC:0 permit tcp any any established permit icmp any any echo-reply permit udp any eq domain any permit tcp any host 2A01:XXXX:XXXX:C884:8000::1 eq www permit tcp any host 2A01:XXXX:XXXX5:C884:8000::1 eq 443 permit tcp any host 2A01:XXXX:XXXX:C884:8000::1 eq 22 log permit tcp any 2A01:XXXX:XXXX5:C884:8000::/65 range 1024 65535 permit udp any 2A01:XXXX:XXXX:C884:8000::/65 range 1024 65535 permit icmp any 2A01:XXXX:XXXX:C884:8000::/65 echo-reply sequence 1000 remark Permit good ICMPv6 message types remark Deny loopback address deny ipv6 host ::1 any remark Deny IPv4-compatible addresses deny ipv6 ::/96 any remark Deny IPv4-mapped addresses (obsolete) deny ipv6 ::FFFF:0.0.0.0/96 any remark Deny auto tunneled packets w/compatible addresses (RFC 4291) remark Deny other compatible addresses deny ipv6 ::224.0.0.0/100 any log deny ipv6 ::127.0.0.0/104 any log deny ipv6 ::/104 any log deny ipv6 ::255.0.0.0/104 any log remark Deny false 6to4 packets deny ipv6 2002:E000::/20 any log deny ipv6 2002:7F00::/24 any log deny ipv6 2002::/24 any log deny ipv6 2002:FF00::/24 any log deny ipv6 2002:A00::/24 any log deny ipv6 2002:AC10::/28 any log deny ipv6 2002:C0A8::/32 any log remark Permit good NDP messages since we deny and log at the end permit icmp FE80::/10 any nd-na permit icmp FE80::/10 any nd-ns remark Deny Link-Local communications deny ipv6 FE80::/10 any remark Deny Site-Local (deprecated) deny ipv6 FEC0::/10 any remark Deny Unique-Local packets deny ipv6 FC00::/7 any remark Deny multicast packets deny ipv6 FF00::/8 any remark Deny Documentation Address deny ipv6 2001:DB8::/32 any remark Deny 6Bone addresses (deprecated) deny ipv6 3FFE::/16 any remark Deny RH0 packets deny ipv6 any any routing-type 0 log remark Deny our own addresses coming inbound</PRE><P>Here is the router/firewall (<SPAN>C892FSP-K9</SPAN>)&nbsp; log:</P><PRE>Mar 15 08:35:53.712: %IPV6_ACL-6-ACCESSLOGP: list ipv6in/150 permitted tcp 2A01:CB09:8017:5F97:99B9:2DBF:AA47:3E8B(45698) -&gt; 2A01:E34:EC45:C884:8000::1(80), 1 packet<BR />Mar 15 08:39:52.236: %IPV6_ACL-6-ACCESSLOGP: list ipv6in/160 permitted tcp 2A01:CB09:8017:5F97:99B9:2DBF:AA47:3E8B(33474) -&gt; 2A01:E34:EC45:C884:8000::1(443), 3 packets</PRE><P>&nbsp;The traffic does not go through??</P><P>Any Idea?</P><P>Thanks</P><P>vandman</P> Mon, 15 Mar 2021 08:57:57 GMT https://community.cisco.com/t5/network-access-control/ipv6-acl-permit-but-not-working-on-c892fsp-k9/m-p/4307345#M566136 adelium904 2021-03-15T08:57:57Z https://community.cisco.com/t5/network-access-control/ipv6-acl-permit-but-not-working-on-c892fsp-k9/m-p/4307366#M566138 <P>Hi there,</P> <P>The HTML response you include has the text for a HTML 503 error: "Service unavailable".&nbsp; Which implies an issue with the server you are connecting to.</P> <P>This is confirmed by the router logs which show packets being permitted to that host.</P> <P>&nbsp;</P> <P>I would check on the www service on your server, is it hosting websites on IPv6, does it have an ACL on the http service which blocks requests to IPv6 hosts?</P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> Mon, 15 Mar 2021 09:28:54 GMT https://community.cisco.com/t5/network-access-control/ipv6-acl-permit-but-not-working-on-c892fsp-k9/m-p/4307366#M566138 Seb Rupik 2021-03-15T09:28:54Z https://community.cisco.com/t5/network-access-control/ipv6-acl-permit-but-not-working-on-c892fsp-k9/m-p/4307774#M566160 <P>Hi,</P><P>From local network, it works perfectly well. In debug mode, Traefik gives me logs, the website shows itself in the browser.</P><P>From Internet, I have no logs in Traefik???</P><P>For me, No traffic goes to the service.</P><P>This is wearied.</P><P>Regards</P><P>vandman</P> Mon, 15 Mar 2021 20:42:28 GMT https://community.cisco.com/t5/network-access-control/ipv6-acl-permit-but-not-working-on-c892fsp-k9/m-p/4307774#M566160 adelium904 2021-03-15T20:42:28Z https://community.cisco.com/t5/network-access-control/ipv6-acl-permit-but-not-working-on-c892fsp-k9/m-p/4308007#M566169 <P>This sounds very much like an issue localised to the server. You could run a packet capture on the machine to confirm the externally sourced packets are indeed reaching the machine.</P> <P>&nbsp;</P> <P>What OS are you running? What HTTP service are you running?&nbsp;</P> <P>The HTTP response page suggests that it is not an OS firewall, but a configuration item with the HTTP service.</P> <P>&nbsp;</P> <P>cheers,</P> <P>Seb.</P> Tue, 16 Mar 2021 09:37:49 GMT https://community.cisco.com/t5/network-access-control/ipv6-acl-permit-but-not-working-on-c892fsp-k9/m-p/4308007#M566169 Seb Rupik 2021-03-16T09:37:49Z https://community.cisco.com/t5/network-access-control/ipv6-acl-permit-but-not-working-on-c892fsp-k9/m-p/4445903#M568916 <P>Hi, Sorry for late reply.</P><P>I found the solution, the problem came from the fact that I did not have default route ::/0.</P><P>The ACL I had blocked automatic routing negotiation between the router and the box.</P><P>Here is the ACL I had to apply to allow automatic configuration:</P><PRE> permit icmp FE80::/10 any nd-na permit icmp FE80::/10 any nd-ns permit icmp FF02::/16 any router-advertisement permit icmp FE80::/10 FF02::/16 router-advertisemen</PRE><P>Thanks</P><P>vandman</P> Sat, 07 Aug 2021 18:32:22 GMT https://community.cisco.com/t5/network-access-control/ipv6-acl-permit-but-not-working-on-c892fsp-k9/m-p/4445903#M568916 adelium904 2021-08-07T18:32:22Z