https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996503#M439962 <HTML><HEAD></HEAD><BODY><P>To block IPv6 ping/icmp, the access-list should be:</P><P></P><P>ipv6 access-list OUTSIDE6_IN deny icmp6 any any</P></BODY></HTML> Fri, 06 Jul 2012 03:09:13 GMT Jennifer Halim 2012-07-06T03:09:13Z https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996499#M439958 <P>Hello,</P><P></P><P>We want to filter IPv6 extension headers on FWSM (4.1.x) and we discovered that filtering does not works at all. For example to filter destination options we used the following IPv6 ACE:</P><P>ipv6 access-list OUTSIDE6_IN deny 60 any any</P><P></P><P>Then packets are sent using extended IPv6 ping from IOS router and FWSM ignores above ACE and forwards the packet to the destination. The same thing happens when using Scapy as packet generator. </P><P></P><P>The packet is good&nbsp; because it matches IOS IPv6 ACL Destination options ACE. </P><P></P><P>I didn't checked but my colleague reported me the same issue with filtering Hop-by-hop option on FWSM.</P><P></P><P>So, is something wrong with the procedure or this is about new bug?</P><P></P><P></P><P>Regards,</P><P>Igor</P> Mon, 11 Mar 2019 23:26:45 GMT https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996499#M439958 igor.mamuzic 2019-03-11T23:26:45Z https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996500#M439959 <HTML><HEAD></HEAD><BODY><P>Did you assign the access-list to the interface using the "access-group" command?</P></BODY></HTML> Thu, 05 Jul 2012 14:34:19 GMT https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996500#M439959 Jennifer Halim 2012-07-05T14:34:19Z https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996501#M439960 <HTML><HEAD></HEAD><BODY><P> Jenifer,</P><P></P><P>ACL is assigned to the interface... Other ACEs are being matched so ACL works but it does not match extension headers correctly:</P><P></P><P>ipv6 access-list OUTSIDE6_IN line 1 deny 60 any any log debugging interval 300 (hitcnt=0) 0xbb24b0a2 </P><P>ipv6 access-list OUTSIDE6_IN line 2 permit tcp any any eq www log debugging interval 300 (hitcnt=2) 0xbde27d7c<SPAN id="mce_marker"> </SPAN></P></BODY></HTML> Thu, 05 Jul 2012 17:33:14 GMT https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996501#M439960 igor.mamuzic 2012-07-05T17:33:14Z https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996502#M439961 <HTML><HEAD></HEAD><BODY><P>Not related to your problem: You know that the FWSM is a really slow Firewall when it comes to IPv6? Everything has to be processed in the CPU as the Network-Processors are not able to process IPv6.</P></BODY></HTML> Thu, 05 Jul 2012 18:14:08 GMT https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996502#M439961 Karsten Iwen 2012-07-05T18:14:08Z https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996503#M439962 <HTML><HEAD></HEAD><BODY><P>To block IPv6 ping/icmp, the access-list should be:</P><P></P><P>ipv6 access-list OUTSIDE6_IN deny icmp6 any any</P></BODY></HTML> Fri, 06 Jul 2012 03:09:13 GMT https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996503#M439962 Jennifer Halim 2012-07-06T03:09:13Z https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996504#M439963 <HTML><HEAD></HEAD><BODY><P>My intention was not to block ICMP, what I need is blocking all packets containing IPv6 destination option in extension header. </P><P></P><P>Sent from Cisco Technical Support iPhone App</P></BODY></HTML> Fri, 06 Jul 2012 06:39:32 GMT https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996504#M439963 igor.mamuzic 2012-07-06T06:39:32Z https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996505#M439964 <HTML><HEAD></HEAD><BODY><P>FWSM does not support inspection of IPv6 and hence no way to block extension headers. This can be achieved in ASA.</P></BODY></HTML> Thu, 09 Aug 2012 06:24:18 GMT https://community.cisco.com/t5/network-security/filtering-ipv6-extension-headers-on-fwsm/m-p/1996505#M439964 sumbhat 2012-08-09T06:24:18Z