03-20-2013 02:04 PM - edited 03-11-2019 06:17 PM
Hi everyone,
I tried to create an ACL for IPv6, but the ACL always drops my packets. Only if I allow a permit icmp6 any any statement does it work.
With detailed IPv6 entries, I get drops.
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da
ipv6 access-list ipv6-inside line 3 permit ip 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x5b6258d3
ipv6 access-list ipv6-inside line 4 permit icmp6 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x7778f0a9
ipv6 access-list ipv6-inside line 5 deny ip any any log informational interval 300 (hitcnt=45) 0x3b6a5ff9
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
This is the one with the permit icmp6 any any statement; it works!!
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da
ipv6 access-list ipv6-inside line 3 permit ip 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x5b6258d3
ipv6 access-list ipv6-inside line 4 permit icmp6 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x7778f0a9
ipv6 access-list ipv6-inside line 5 permit icmp6 any any log informational interval 300 (hitcnt=2) 0x588e9e81
ipv6 access-list ipv6-inside line 6 deny ip any any log informational interval 300 (hitcnt=45) 0x3b6a5ff9
Does anybody have an idea what is wrong with the dedicated entries?
THX,
Ingo
03-20-2013 03:17 PM
Take a look at the following document. You need ICMPv6 for IPv6 implementations since it is a core function required for neighbor discovery...
https://supportforums.cisco.com/docs/DOC-8983#Neighbor_Discovery
03-20-2013 03:36 PM
Hello Ingo,
First of all I want to say that Patrick's reply was great (5 stars to that reply).
Now the behavior you are seeing is expected but why?
IPv6 uses an embedded Neighbor Discovery protocol for a lot of things such as:
Router discovery
Prefix discovery
Duplicate Address Detection
Layer 3 to layer 2 mapping ( NO ARP ANYMORE)
Etc,etc
And this particular protocol that is the base of IPv6 relies on ICMPv6 messages (there are 5, actually):
Router Solicitation
Router Advertisement
Neighbor solicitation
Neighbor advertisement
Redirect.
So if you mess with all ICMPv6 traffic, nothing is going to work; be careful on that one.
Just deny what needs to be denied (in the case that all ICMPv6 must be denied, you will need to first allow the ICMPv6 codes for NDP to work). I have been working with an engineer over the last couple of days on a case like this.
Have a great day and remember to rate all of the helpful posts ( Stars on the left side)
Julio Carvajal
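As an added illustration of Julio's point (my own code, not from anyone in the thread), a small Python model of first-match ACL evaluation: it replays Ingo's first list against a constructed Neighbor Solicitation and shows the packet falling through to the deny line, then contrasts a list that permits only the five NDP message types instead of all of ICMPv6. The sample packet addresses are made up, and the model ignores ASA specifics such as object-groups, logging and the direction the ACL is applied in.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# ICMPv6 message types that Neighbor Discovery (RFC 4861) depends on
NDP_TYPES = {133: "router-solicitation", 134: "router-advertisement",
             135: "neighbor-solicitation", 136: "neighbor-advertisement",
             137: "redirect"}
ECHO_REQUEST = 128

def net(spec: str) -> ipaddress.IPv6Network:
    """Turn an ACE address field ("any", "host X" or a prefix) into a network."""
    if spec == "any":
        return ipaddress.IPv6Network("::/0")
    if spec.startswith("host "):
        return ipaddress.IPv6Network(spec[5:] + "/128")
    return ipaddress.IPv6Network(spec)

@dataclass
class Ace:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol, else "icmp6"
    src: str
    dst: str
    icmp_type: Optional[int] = None  # None matches every ICMPv6 type

def evaluate(acl, src, dst, proto, icmp_type=None):
    """First-match evaluation; returns (action, 1-based line).
    Line 0 stands for the implicit deny at the end of the list."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for line, ace in enumerate(acl, 1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in net(ace.src) or d not in net(ace.dst):
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, line
    return "deny", 0

# Ingo's first list (the one that drops traffic), transcribed from the thread
STRICT = [Ace("permit", "ip", "host fe80::21d:71ff:fe99:d1c0", "any"),
          Ace("permit", "ip", "host 2001:a128:0:170::1", "any"),
          Ace("permit", "ip", "2001:a128:0:170::/64", "any"),
          Ace("permit", "icmp6", "2001:a128:0:170::/64", "any"),
          Ace("deny", "ip", "any", "any")]
# Narrower alternative to "permit icmp6 any any": only the five NDP types
NDP_ONLY = STRICT[:4] + [Ace("permit", "icmp6", "any", "any", t) for t in NDP_TYPES] + STRICT[4:]

# Constructed sample: a Neighbor Solicitation from a second host's link-local
# address to the solicited-node multicast group of the permitted host.
NS = ("fe80::1234:56ff:fe78:9abc", "ff02::1:ff99:d1c0", "icmp6", 135)
```

The NS hits the deny line in STRICT but matches the neighbor-solicitation entry in NDP_ONLY, while an echo request from the same link-local source to ff02::1 is still denied there.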
03-21-2013 02:31 PM
I tried some things, but it didn't work. I set ACEs for multicast, link-layer, global interface addresses, neighbor solicitations and so on. I extended the prefixes, but it was not helpful.
Any further ideas?!!
ipv6 access-list ipv6-inside permit icmp6 2001:a128::/32 any
ipv6 access-list ipv6-inside permit icmp6 any host 2001:1a28:0:183::4 log
ipv6 access-list ipv6-inside permit icmp6 any host fe80::5675:d0ff:fe27:535 log
ipv6 access-list ipv6-inside permit icmp6 any ff00::/8 log
ipv6 access-list ipv6-inside permit icmp6 any any neighbor-solicitation
ipv6 access-list ipv6-inside permit icmp6 any any router-advertisement
ipv6 access-list ipv6-inside permit icmp6 any any neighbor-advertisement
ipv6 access-list ipv6-inside permit object-group DM_INLINE_SERVICE_2 host 2001:a128:0:170::1 any log
ipv6 access-list ipv6-inside permit ip 2001:a128:0:170::/64 any log
ipv6 access-list ipv6-inside permit icmp 2001:a128:0:170::/64 any
ipv6 access-list ipv6-inside permit object-group DM_INLINE_SERVICE_1 2001:a128:0:170::/64 any log
ipv6 access-list ipv6-inside deny ip any any
03-21-2013 04:05 PM
Hello,
Man it does not make sense jeje
Please check your inbox
Regards