topic IOS ZBF not allowing IPv6 in Network Security https://community.cisco.com/t5/network-security/ios-zbf-not-allowing-ipv6/m-p/1804515#M496510 <P>Hello all,</P><P></P><P>I am trying to configure Zone Based Firewall (IOS 15.2T) on Cisco 881 router for IPv6. Current setup is simple:</P><P>Zone:</P><TABLE border="1" cellpadding="3" cellspacing="0" class="jiveBorder" style="width: 100%; border: 1px solid #000000;"><TBODY><TR><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;">LAN --&gt; WAN</SPAN></TH></TR><TR><TD><P>zone security LAN</P><P>zone security WAN</P><P>!</P><P>class-map type inspect match-any Internet-cmap</P><P>match protocol dns</P><P>match protocol http</P><P>match protocol https</P><P>match protocol icmp</P><P>match protocol ftp</P><P>match protocol pop3</P><P>match protocol pop3s</P><P>match protocol smtp</P><P>!</P><P>policy-map type inspect Internet-pmap</P><P>class type inspect Internet-cmap</P><P> inspect</P><P>!</P><P>zone-pair security LAN-WAN source LAN destination WAN</P><P>service-policy type inspect Internet-pmap</P></TD></TR></TBODY></TABLE><P></P><P>Zone:</P><P>WAN--&gt; self deny everything.</P><P></P><P>Current configuration behaves as expected for IPv4, but blocks all IPv6 traffic. If zone-security is removed from WAN interface IPv6 works normally (connected to Internet). As soon as zone-security is enabled on WAN interface all IPV6 traffic is discarded when connecting to Internet from local LAN.</P><P></P><P>Error messages on console: </P><P>Half-open Sessions source destination tcp SIS_OPENING/TCP_SYNSENT</P><P></P><P>Are there any specia settings for ZBF which should be turned on for IPv6 protocol?</P><P></P><P>Thank you and kind regards,</P><P>Marko </P> Mon, 11 Mar 2019 21:33:58 GMT mocah 2019-03-11T21:33:58Z IOS ZBF not allowing IPv6 https://community.cisco.com/t5/network-security/ios-zbf-not-allowing-ipv6/m-p/1804515#M496510 <P>Hello all,</P><P></P><P>I am trying to configure Zone Based Firewall (IOS 15.2T) on Cisco 881 router for IPv6. Current setup is simple:</P><P>Zone:</P><TABLE border="1" cellpadding="3" cellspacing="0" class="jiveBorder" style="width: 100%; border: 1px solid #000000;"><TBODY><TR><TH align="center" style="background-color: #6690bc;" valign="middle"><SPAN style="color: #ffffff;">LAN --&gt; WAN</SPAN></TH></TR><TR><TD><P>zone security LAN</P><P>zone security WAN</P><P>!</P><P>class-map type inspect match-any Internet-cmap</P><P>match protocol dns</P><P>match protocol http</P><P>match protocol https</P><P>match protocol icmp</P><P>match protocol ftp</P><P>match protocol pop3</P><P>match protocol pop3s</P><P>match protocol smtp</P><P>!</P><P>policy-map type inspect Internet-pmap</P><P>class type inspect Internet-cmap</P><P> inspect</P><P>!</P><P>zone-pair security LAN-WAN source LAN destination WAN</P><P>service-policy type inspect Internet-pmap</P></TD></TR></TBODY></TABLE><P></P><P>Zone:</P><P>WAN--&gt; self deny everything.</P><P></P><P>Current configuration behaves as expected for IPv4, but blocks all IPv6 traffic. If zone-security is removed from WAN interface IPv6 works normally (connected to Internet). As soon as zone-security is enabled on WAN interface all IPV6 traffic is discarded when connecting to Internet from local LAN.</P><P></P><P>Error messages on console: </P><P>Half-open Sessions source destination tcp SIS_OPENING/TCP_SYNSENT</P><P></P><P>Are there any specia settings for ZBF which should be turned on for IPv6 protocol?</P><P></P><P>Thank you and kind regards,</P><P>Marko </P> Mon, 11 Mar 2019 21:33:58 GMT https://community.cisco.com/t5/network-security/ios-zbf-not-allowing-ipv6/m-p/1804515#M496510 mocah 2019-03-11T21:33:58Z IOS ZBF not allowing IPv6 https://community.cisco.com/t5/network-security/ios-zbf-not-allowing-ipv6/m-p/1804516#M496511 <HTML><HEAD></HEAD><BODY><P>Problem is with Internet&nbsp; to Self zone. If&nbsp; zone Internet to Self&nbsp; is removed IPv6 works.</P><P></P><P>FW-6-DROP_PKT: Dropping icmpv6 session [FE80::290:1AFF:xxxx:xxxx]:0 [FE80::221:D8FF:xxxx:xxxx]:0 on zone-pair Internet-to-Self class Internet-to-Self-icmpv6-cmap&nbsp;&nbsp; with ip ident 0 </P><P></P><P>Which rule would allowed IPv6 traffic from Internet to self zone? I have tried to allowe all icmpv6 traffic but same error appeared. Only if zone-security Internet to Self is removed IPv6 works.</P><P></P><P>Thank you and kind regards,</P><P>Marko</P></BODY></HTML> Fri, 07 Oct 2011 06:53:09 GMT https://community.cisco.com/t5/network-security/ios-zbf-not-allowing-ipv6/m-p/1804516#M496511 mocah 2011-10-07T06:53:09Z