02-23-2018 12:40 PM - edited 02-21-2020 07:25 AM
I am trying to permit an ICMP ping from Hurricane Electric to keep my IPv6 tunnel alive. I am stumped on how to permit this ping and reply from a certain IPv4 address they use to the router's self zone with Zone Based Firewall. Any suggestions?
Richard H. Shores
02-24-2018 03:10 PM
Can you share the config you've tried, to avoid losing time?
The ICMP you want to allow is IPv4-based, right? It's to keep the IPv6 tunnel up?
Let's assume the remote IPv4 address is 1.1.1.1 and your local public IP is 2.2.2.2:
ip access-list extended ICMP-TUNNEL-IN
 permit icmp host 1.1.1.1 host 2.2.2.2
ip access-list extended ICMP-TUNNEL-OUT
 permit icmp host 2.2.2.2 host 1.1.1.1
!
class-map type inspect icmp-tunnel-in
 match access-group name ICMP-TUNNEL-IN
class-map type inspect icmp-tunnel-out
 match access-group name ICMP-TUNNEL-OUT
!
policy-map type inspect ccp-permit
 class type inspect icmp-tunnel-in
  pass
policy-map type inspect ccp-permit-icmpreply
 class type inspect icmp-tunnel-out
  pass
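As an added check, not part of this thread or of any Cisco tool, a small Python script that parses the ACLs from the answer above and flags any entry that would pass more than ICMP between the two hosts to the self zone. The ACL names, the 1.1.1.1/2.2.2.2 placeholders and the extra TOO-BROAD ACL are constructed for illustration.

```python
import re

# Constructed sample config: the two ACLs from the answer above, plus a
# deliberately over-broad ACL to show what the check reports.
SAMPLE_CONFIG = """\
ip access-list extended ICMP-TUNNEL-IN
 permit icmp host 1.1.1.1 host 2.2.2.2
ip access-list extended ICMP-TUNNEL-OUT
 permit icmp host 2.2.2.2 host 1.1.1.1
ip access-list extended TOO-BROAD
 10 permit icmp any any
 20 permit ip host 1.1.1.1 any
"""

ACL_HEADER = re.compile(r"^ip access-list extended (\S+)\s*$")
# Optional sequence number, action, protocol, then the rest of the entry.
ACE = re.compile(r"^\s*(?:\d+\s+)?(permit|deny)\s+(\S+)\s+(.+?)\s*$")


def parse_acls(config: str) -> dict:
    """Return {acl_name: [(action, protocol, [tokens...]), ...]} from IOS text."""
    acls, current = {}, None
    for line in config.splitlines():
        header = ACL_HEADER.match(line)
        if header:
            current = header.group(1)
            acls[current] = []
            continue
        ace = ACE.match(line)
        if ace and current is not None:
            acls[current].append((ace.group(1), ace.group(2), ace.group(3).split()))
    return acls


def check_tunnel_acl(config: str, acl_name: str, peer: str, local: str, inbound: bool) -> list:
    """Findings for permit entries in acl_name wider than ICMP peer<->local.

    inbound=True checks the peer->local ACL, inbound=False the local->peer one;
    both are needed because 'pass' in ZBFW is stateless and does not track replies.
    """
    src, dst = (peer, local) if inbound else (local, peer)
    findings = []
    for action, proto, rest in parse_acls(config).get(acl_name, []):
        if action != "permit":
            continue
        if proto != "icmp":
            findings.append(f"{acl_name}: non-ICMP protocol '{proto}' passed to self zone")
        elif rest[:4] != ["host", src, "host", dst]:
            findings.append(f"{acl_name}: not limited to host {src} -> host {dst}: {' '.join(rest)}")
    return findings
```

Run it against a `show running-config` capture in place of SAMPLE_CONFIG; an empty list for both direction ACLs means the pass rules are scoped as tightly as the answer intends.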
02-23-2018 05:09 PM
Hi
You'll need to create an ACL that will allow that traffic, create a class-map which will refer to the ACL created, and use the pass keyword.
This class-map will be used on the policy you're using today from zone outside to self.
If you want help on your config, please share your actual config.
02-23-2018 06:15 PM
Thanks for your willingness to help. I tried several acl combinations to use with the out to self policy and nothing worked. I have attached a sanitized version of my router's current running config. Please note that in the config, I am not using ZBFW for the IPv6 traffic, and using CBAC for it.
Best regards,
Richard
02-24-2018 10:23 PM
Hello Francesco,
I was able to get the problem resolved with the information you provided for the access lists (changing the ip addresses), class maps, and additions to policy maps.
Thank you for taking the time to help. It is greatly appreciated.
Richard