IPv6 and Zone-Based Firewalls (ZBFW)

CiscoNut2b
Level 1

Hello,

I've been using IPv4 with ZBFW for some time, and it's worked pretty well. But all of that has been with IPv4. I'm now trying to connect to Hurricane Electric's (HE.NET) IPv6 Tunnel Broker, and am having issues. I have my own /48 from HE.NET. I am hoping someone here can offer some suggestions. Also, for now, I'm just trying to PING across it.

I am running 15.1(3)T on my lab 3845 router, and from the Release Notes, I read that IPv6 support became available in 15.1(2)T.

First, I removed ALL configuration from the router via a WRITE ERASE, and tested the IPv6-over-IPv4 tunnel without ZBFW, and it worked just fine. So, I know the tunnel is proper on HE.NET's side.

Next, I started with my working ZBFW configuration, enabled IPv6 on all interfaces, and assigned IPv6 addresses in my /48 range. Each mask is a /64. I created the IPv6-in-IPv6 tunnel as TUNNEL1, and included it in the "OUTSIDE" zone.

Next, I started by permitting PROTOCOL 41 on both the zpair_SELF-TO-OUTSIDE and zpair_OUTSIDE-TO-SELF. Assuming there is no "state" for this traffic, I configured these to just PASS the traffic. From SHOW POLICY-MAP statements, I see hit counts on the proper class-maps, and the tunnel shows as up. So far, I think, so good.

Next, I thought I'd do an IPv6 PING across it. With "IP INSPECT LOG DROP-PKT" enabled, I kept seeing the following:

zone-pair zpair_SELF-TO-OUTSIDE class class-default due to  DROP action found in policy-map with ip ident 0

I took this to mean that none of my IPv4-only class-map statements were permitting the IPv6 ICMPs. OK, makes sense. So, then I added the following class-map to permit ALL ICMP traffic (I'm assuming IPv4 and IPv6 are included here):

class-map type inspect match-all zmap_All-ICMP
  match protocol icmp

Then, in both SELF-TO-OUTSIDE and OUTSIDE-TO-SELF Policy-Map statements, I added the following:

class type inspect zmap_All-ICMP
  inspect

This didn't work. When I use a SHOW POLICY-MAP to see the counters for that class-map, they are all zero, and I am getting the same message of the default policy dropping the traffic.

I then tried changing it from an INSPECT to PASS, but that didn't work, either. Finally, I created the following class-map statement:

ipv6 access-list zacl_SELF-TO-OUTSIDE-V6-IP
  permit ipv6 any any

and added it to both SELF-TO-OUTSIDE and OUTSIDE-TO-SELF Policy-Map statements as follows:

  class type inspect zmap_All-IPV6
    pass

I then tried an IPv6 PING, and now it succeeds. But, of course, I can't just let all IPv6 traffic through. So, I have several questions:

1) How do I granularly permit IPv6 traffic through a ZBFW setup using INSPECT commands? I was expecting it to be the same as IPv4.

2) I've searched for ZBFW documentation that includes IPv6, but it's severely lacking. The official documentation I've come across hasn't been very helpful. Are there any whitepapers on this?

3) Are there any examples that you can point me to with EXAMPLES of ZBFW and IPv6, preferably with a Tunnel Broker setup? But I'll take whatever is available at this point.

Thank you in advance for your assistance.

Sincerely,

Luis

1 Reply

voipesec1
Level 1

ipv6 access-list zacl_SELF-TO-OUTSIDE-V6-IP
  permit ipv6 any any

class-map type inspect match-any protocols_to_allow
  match protocol icmp
  match protocol tcp
  match protocol udp

class-map type inspect match-all full_control
  match class-map protocols_to_allow
  match access-group name zacl_SELF-TO-OUTSIDE-V6-IP

policy-map type inspect router_traffic
  class type inspect full_control
    pass

1) Use ACL to identify the v6 traffic you want to allow.

2) Create a class-map to identify the protocols you want to allow. For example, if you just want to allow ICMP, don't mention TCP and UDP. (The match-any keyword should be used.)

3) Create another class-map to create a condition that matches traffic matching both the first class-map and the ACL. (The match-all keyword should be used.)

4) Apply the pass action, because this is going to be 'to the box' traffic. (Inspect does not work for to/from-the-box traffic.)

Your ACL source and destination will swap places for return traffic.

Let me know.

Admin,

Voipesec Network Solutions
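The reply's four steps carried through for both self zone-pairs from the original post, so that only the 6in4 tunnel itself and the router's own ICMPv6 echo are passed and everything else still falls to the logged class-default drop. This is an added example, not configuration posted in the thread: <TUNNEL-BROKER-V4> is a placeholder for the broker's IPv4 endpoint, and the zacl_PROTO41, zmap_*, and pmap_* names are assumed.

```cisco
! IPv4 side: the 6in4 tunnel (IP protocol 41) to the broker. Self-zone
! traffic cannot be inspected, so it is passed in both directions.
ip access-list extended zacl_PROTO41
 permit 41 any host <TUNNEL-BROKER-V4>
 permit 41 host <TUNNEL-BROKER-V4> any
class-map type inspect match-all zmap_PROTO41
 match access-group name zacl_PROTO41
!
! IPv6 side: only the ICMPv6 echo the router itself originates. The ACL
! already restricts the class to ICMPv6, and source/destination swap for
! the return direction, as the reply points out.
ipv6 access-list zacl_V6-ICMP-OUT
 permit icmp any any echo-request
ipv6 access-list zacl_V6-ICMP-IN
 permit icmp any any echo-reply
class-map type inspect match-all zmap_V6-ICMP-OUT
 match access-group name zacl_V6-ICMP-OUT
class-map type inspect match-all zmap_V6-ICMP-IN
 match access-group name zacl_V6-ICMP-IN
!
! Anything not explicitly passed hits class-default and is dropped and
! logged, the same condition the original post's drop message reported.
policy-map type inspect pmap_SELF-TO-OUTSIDE
 class type inspect zmap_PROTO41
  pass
 class type inspect zmap_V6-ICMP-OUT
  pass
 class class-default
  drop log
policy-map type inspect pmap_OUTSIDE-TO-SELF
 class type inspect zmap_PROTO41
  pass
 class type inspect zmap_V6-ICMP-IN
  pass
 class class-default
  drop log
!
zone security OUTSIDE
zone-pair security zpair_SELF-TO-OUTSIDE source self destination OUTSIDE
 service-policy type inspect pmap_SELF-TO-OUTSIDE
zone-pair security zpair_OUTSIDE-TO-SELF source OUTSIDE destination self
 service-policy type inspect pmap_OUTSIDE-TO-SELF
interface Tunnel1
 zone-member security OUTSIDE
```

After applying it, "show policy-map type inspect zone-pair" should show hit counts on zmap_PROTO41 and the two ICMP classes while a ping runs, with class-default staying at zero for that traffic.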
