cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5445
Views
0
Helpful
6
Replies

Blocked IPV6 traffic

adelium904
Level 1
Level 1

Hi,

I have a dual stack IPV4/IPV6 router/firewall (C892FSP-K9).

I configured IPV6. The thing is that IPV6 is not working as expected.

The router is behind a French box (Free) giving Internet access.

 

The symptom:

No incoming traffic is going through the router from internet (behind the box)???

To be precised, when I am between the box and the router, I can access my private network???

 

As soon as I do the following command, It works from internet, everywhere???

no ipv6 access-list ipv6in

I had permit icmp any host XXXX:XXXX:XXXX:C880::2 to the ipv6in access-list to be able to ping my router wan interface. It does not work even with the fact that this is the first rule???

 

I have configured filter on a wan interface Gi9 to protect my network. Here is the configuration:

interface GigabitEthernet9
 description Primary link Free
 ip address 192.168.10.100 255.255.255.0
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address XXXX:XXXX:XXXX:C880::2/64
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 traffic-filter ipv6in in
!
interface Vlan1
 description home
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ipv6 address XXXX:XXXX:XXXX:C881:FFFF:FFFF:FFFF:0/64
 ipv6 enable
 ipv6 nd prefix XXXX:XXXX:XXXX:C881::/64 infinite infinite
 ipv6 nd advertisement-interval
 ipv6 nd ra interval 100
!
interface Vlan2
 description management
 no ip address
 ipv6 address XXXX:XXXX:XXXX:C882:FFFF:FFFF:FFFF:0/64
 ipv6 enable
 ipv6 nd prefix XXXX:XXXX:XXXX:C882::/64 infinite infinite
 ipv6 nd advertisement-interval
 ipv6 nd ra interval 100
 ipv6 traffic-filter vlan2_in in
!
interface Vlan4
 description front-web
 ip address 192.168.104.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ipv6 address XXXX:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0/65
 ipv6 enable
 ipv6 nd prefix XXXX:XXXX:XXXX:C884:8000::/65 infinite infinite
 ipv6 nd advertisement-interval
 ipv6 nd ra interval 100
!
ipv6 access-list ipv6in
 permit icmp any host XXXX:XXXX:XXXX:C880::2
 permit ipv6 host YYYY:YYYY:YYYY:D251:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D252:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D253:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D254:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D254:7FFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D255:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D256:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D257:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D251:FFFF:FFFF:FFFE:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D251:FFFF:FFFF:FFFD:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D252:FFFF:FFFF:FFFC:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D251::1 any
 permit ipv6 host YYYY:YYYY:YYYY:D252::1 any
 permit ipv6 host YYYY:YYYY:YYYY:D251::100 any
 permit ipv6 host YYYY:YYYY:YYYY:D251:BA27:EBFF:FE89:8465 any
 deny ipv6 any host XXXX:XXXX:XXXX:C881:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C882:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C883:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C884:7FFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C885:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C886:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C887:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C881:FFFF:FFFF:FFFE:0
 deny ipv6 any host XXXX:XXXX:XXXX:C881:FFFF:FFFF:FFFD:0
 deny ipv6 any host XXXX:XXXX:XXXX:C882:FFFF:FFFF:FFFC:0
 permit tcp any any established
 permit udp any eq domain any
 permit tcp any host XXXX:XXXX:XXXX:C884:8000::1 eq www
 permit tcp any host XXXX:XXXX:XXXX:C884:8000::1 eq 443
 permit tcp any host XXXX:XXXX:XXXX:C884:8000::1 range 1024 65535
 permit udp any host XXXX:XXXX:XXXX:C884:8000::1 range 1024 65535
 permit tcp any host XXXX:XXXX:XXXX:C881::100 eq 22 log
 sequence 1000 remark Permit good ICMPv6 message types
 remark Deny loopback address
 deny ipv6 host ::1 any
 remark Deny IPv4-compatible addresses
 deny ipv6 ::/96 any
 remark Deny IPv4-mapped addresses (obsolete)
 deny ipv6 ::FFFF:0.0.0.0/96 any
 remark Deny auto tunneled packets w/compatible addresses (RFC 4291)
 remark Deny other compatible addresses
 deny ipv6 ::224.0.0.0/100 any log
 deny ipv6 ::127.0.0.0/104 any log
 deny ipv6 ::/104 any log
 deny ipv6 ::255.0.0.0/104 any log
 remark Deny false 6to4 packets
 deny ipv6 2002:E000::/20 any log
 deny ipv6 2002:7F00::/24 any log
 deny ipv6 2002::/24 any log
 deny ipv6 2002:FF00::/24 any log
 deny ipv6 2002:A00::/24 any log
 deny ipv6 2002:AC10::/28 any log
 deny ipv6 2002:C0A8::/32 any log
 remark Permit good NDP messages since we deny and log at the end
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 remark Deny Link-Local communications
 deny ipv6 FE80::/10 any
 remark Deny Site-Local (deprecated)
 deny ipv6 FEC0::/10 any
 remark Deny Unique-Local packets
 deny ipv6 FC00::/7 any
 remark Deny multicast packets
 deny ipv6 FF00::/8 any
 remark Deny Documentation Address
 deny ipv6 2001:DB8::/32 any
 remark Deny 6Bone addresses (deprecated)
 deny ipv6 3FFE::/16 any
 remark Deny RH0 packets
 deny ipv6 any any routing-type 0 log
 remark Deny our own addresses coming inbound
!
ipv6 access-list ipv6out
 permit ipv6 any any

 DO you have any Idea on what is blocking the traffic?

Thanks

Vandman

2 Accepted Solutions

Accepted Solutions

Hi,

 

Did the new ACE configured in the right sequence? Please make sure it is placed before the deny statements.

 

Please post the following result of commands:

(hide any sensitive information)

 

show ipv6 access-list
show run interface gi9
show ipv6 interface brief

On the other hand, you may also try to untighten the proposed ACE for troubleshooting purpose, if it works then you can use 'show logging' to verify the blocked traffic.

 

ipv6 access-list ipv6in
 <.. omitted ..> 
 remark Permit good NDP messages since we deny and log at the end
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 permit icmp any any router-solicitation log
 permit icmp any any router-advertisement log
permit icmp any any log
permit icmp any any log <.. omitted ..>

 

If it's not work, then there should be another problem that not related to SLAAC (ipv6 stateless auto configuration)

 

 

 

View solution in original post

Hi ngkin2010,

thanks for the help.

I have to do like this:

 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 permit icmp FF02::/16 any router-advertisement
 permit icmp FE80::/10 FF02::/16 router-advertisemen

If I do not put the last line, it does not work.

Not it is working.

Thanks again

View solution in original post

6 Replies 6

ngkin2010
Level 7
Level 7

Hi,

 

Since your are using IPv6 auto configuration on your outside interface, I am not sure if you also need to allow Router Solicitation in your filter list.

 

ipv6 access-list ipv6in
<.. omitted ..>
remark Permit good NDP messages since we deny and log at the end permit icmp FE80::/10 any nd-na permit icmp FE80::/10 any nd-ns
permit icmp FF02::/16 any router-solicitation (Optional, given that your router will not delegate prefix to the 'box')
permit icmp FF02::/16 any router-advertisement
<.. omitted ..>

 

On the other hand, you may use the log option in each of the deny entry ACL to verify what traffic was blocked.  

Hi,

I think I found the problem.

When I remove the ipv6in ACL, I get from my box the default route to internet:

ND  ::/0 [2/0]
     via FE80::XXXX:XXXX:XXXX:XXXX, GigabitEthernet9

When I set the ACL, I loose the route.

I must miss some command. I am not shure it is an ACL problem.

How do I tell the router to get the default route from my box?

I mean, command to set and ACL to allow auto config for the default route and ACL to allow forwarding for auto-config on each host behind the router.

 

Thanks

vandman

Hi,

 

You get the default via IPv6 autoconfiguration

 

 

interface GigabitEthernet9
 description Primary link Free
 ip address 192.168.10.100 255.255.255.0
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address XXXX:XXXX:XXXX:C880::2/64
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 traffic-filter ipv6in in
!

That's why you need to allow the router-advertisement our the ACL to get the default route from IPv6 autoconfig.

ipv6 access-list ipv6in
 <.. omitted ..> 
 remark Permit good NDP messages since we deny and log at the end
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 permit icmp FF02::/16 any router-solicitation (Optional, given that your router will not delegate prefix to the 'box')
 permit icmp FF02::/16 any router-advertisement
 <.. omitted ..>
 

But of coz, you can manually configure default IPv6 route on router, you acutally doesn't need to configure the IPv6 autoconfiguration on Gi9 interface (given that the IPv6 address configured - XXXX:XXXX:XXXX:C880::2/64 is correct)

 

 

 

Hi ngkin2010

It does not work, the default route is not shoing???

vandman

Hi,

 

Did the new ACE configured in the right sequence? Please make sure it is placed before the deny statements.

 

Please post the following result of commands:

(hide any sensitive information)

 

show ipv6 access-list
show run interface gi9
show ipv6 interface brief

On the other hand, you may also try to untighten the proposed ACE for troubleshooting purpose, if it works then you can use 'show logging' to verify the blocked traffic.

 

ipv6 access-list ipv6in
 <.. omitted ..> 
 remark Permit good NDP messages since we deny and log at the end
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 permit icmp any any router-solicitation log
 permit icmp any any router-advertisement log
permit icmp any any log
permit icmp any any log <.. omitted ..>

 

If it's not work, then there should be another problem that not related to SLAAC (ipv6 stateless auto configuration)

 

 

 

Hi ngkin2010,

thanks for the help.

I have to do like this:

 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 permit icmp FF02::/16 any router-advertisement
 permit icmp FE80::/10 FF02::/16 router-advertisemen

If I do not put the last line, it does not work.

Not it is working.

Thanks again

Review Cisco Networking for a $25 gift card