07-31-2021 09:21 AM
Hi,
I have a dual stack IPV4/IPV6 router/firewall (C892FSP-K9).
I configured IPV6. The thing is that IPV6 is not working as expected.
The router is behind a French box (Free) giving Internet access.
The symptom:
No incoming traffic from the Internet is going through the router (behind the box)???
To be precise, when I am between the box and the router, I can access my private network???
As soon as I run the following command, it works from the Internet, everywhere???
no ipv6 access-list ipv6in
I added permit icmp any host XXXX:XXXX:XXXX:C880::2 to the ipv6in access-list to be able to ping my router WAN interface. It does not work even though this is the first rule???
I have configured a filter on the WAN interface Gi9 to protect my network. Here is the configuration:
interface GigabitEthernet9
 description Primary link Free
 ip address 192.168.10.100 255.255.255.0
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address XXXX:XXXX:XXXX:C880::2/64
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 traffic-filter ipv6in in
!
interface Vlan1
 description home
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ipv6 address XXXX:XXXX:XXXX:C881:FFFF:FFFF:FFFF:0/64
 ipv6 enable
 ipv6 nd prefix XXXX:XXXX:XXXX:C881::/64 infinite infinite
 ipv6 nd advertisement-interval
 ipv6 nd ra interval 100
!
interface Vlan2
 description management
 no ip address
 ipv6 address XXXX:XXXX:XXXX:C882:FFFF:FFFF:FFFF:0/64
 ipv6 enable
 ipv6 nd prefix XXXX:XXXX:XXXX:C882::/64 infinite infinite
 ipv6 nd advertisement-interval
 ipv6 nd ra interval 100
 ipv6 traffic-filter vlan2_in in
!
interface Vlan4
 description front-web
 ip address 192.168.104.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ipv6 address XXXX:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0/65
 ipv6 enable
 ipv6 nd prefix XXXX:XXXX:XXXX:C884:8000::/65 infinite infinite
 ipv6 nd advertisement-interval
 ipv6 nd ra interval 100
!
ipv6 access-list ipv6in
 permit icmp any host XXXX:XXXX:XXXX:C880::2
 permit ipv6 host YYYY:YYYY:YYYY:D251:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D252:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D253:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D254:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D254:7FFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D255:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D256:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D257:FFFF:FFFF:FFFF:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D251:FFFF:FFFF:FFFE:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D251:FFFF:FFFF:FFFD:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D252:FFFF:FFFF:FFFC:0 any
 permit ipv6 host YYYY:YYYY:YYYY:D251::1 any
 permit ipv6 host YYYY:YYYY:YYYY:D252::1 any
 permit ipv6 host YYYY:YYYY:YYYY:D251::100 any
 permit ipv6 host YYYY:YYYY:YYYY:D251:BA27:EBFF:FE89:8465 any
 deny ipv6 any host XXXX:XXXX:XXXX:C881:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C882:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C883:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C884:7FFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C885:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C886:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C887:FFFF:FFFF:FFFF:0
 deny ipv6 any host XXXX:XXXX:XXXX:C881:FFFF:FFFF:FFFE:0
 deny ipv6 any host XXXX:XXXX:XXXX:C881:FFFF:FFFF:FFFD:0
 deny ipv6 any host XXXX:XXXX:XXXX:C882:FFFF:FFFF:FFFC:0
 permit tcp any any established
 permit udp any eq domain any
 permit tcp any host XXXX:XXXX:XXXX:C884:8000::1 eq www
 permit tcp any host XXXX:XXXX:XXXX:C884:8000::1 eq 443
 permit tcp any host XXXX:XXXX:XXXX:C884:8000::1 range 1024 65535
 permit udp any host XXXX:XXXX:XXXX:C884:8000::1 range 1024 65535
 permit tcp any host XXXX:XXXX:XXXX:C881::100 eq 22 log
 sequence 1000 remark Permit good ICMPv6 message types
 remark Deny loopback address
 deny ipv6 host ::1 any
 remark Deny IPv4-compatible addresses
 deny ipv6 ::/96 any
 remark Deny IPv4-mapped addresses (obsolete)
 deny ipv6 ::FFFF:0.0.0.0/96 any
 remark Deny auto tunneled packets w/compatible addresses (RFC 4291)
 remark Deny other compatible addresses
 deny ipv6 ::224.0.0.0/100 any log
 deny ipv6 ::127.0.0.0/104 any log
 deny ipv6 ::/104 any log
 deny ipv6 ::255.0.0.0/104 any log
 remark Deny false 6to4 packets
 deny ipv6 2002:E000::/20 any log
 deny ipv6 2002:7F00::/24 any log
 deny ipv6 2002::/24 any log
 deny ipv6 2002:FF00::/24 any log
 deny ipv6 2002:A00::/24 any log
 deny ipv6 2002:AC10::/28 any log
 deny ipv6 2002:C0A8::/32 any log
 remark Permit good NDP messages since we deny and log at the end
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 remark Deny Link-Local communications
 deny ipv6 FE80::/10 any
 remark Deny Site-Local (deprecated)
 deny ipv6 FEC0::/10 any
 remark Deny Unique-Local packets
 deny ipv6 FC00::/7 any
 remark Deny multicast packets
 deny ipv6 FF00::/8 any
 remark Deny Documentation Address
 deny ipv6 2001:DB8::/32 any
 remark Deny 6Bone addresses (deprecated)
 deny ipv6 3FFE::/16 any
 remark Deny RH0 packets
 deny ipv6 any any routing-type 0 log
 remark Deny our own addresses coming inbound
!
ipv6 access-list ipv6out
 permit ipv6 any any
Do you have any idea what is blocking the traffic?
Thanks
Vandman
08-01-2021 04:39 AM - edited 08-01-2021 05:04 AM
Hi,
Since you are using IPv6 auto configuration on your outside interface, I am not sure if you also need to allow Router Solicitation in your filter list.
ipv6 access-list ipv6in
 <.. omitted ..>
 remark Permit good NDP messages since we deny and log at the end
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 permit icmp FF02::/16 any router-solicitation   (Optional, given that your router will not delegate a prefix to the 'box')
 permit icmp FF02::/16 any router-advertisement
 <.. omitted ..>
On the other hand, you may use the log option on each deny entry of the ACL to verify what traffic was blocked.
08-06-2021 01:39 AM - edited 08-06-2021 05:17 AM
Hi,
I think I found the problem.
When I remove the ipv6in ACL, I get from my box the default route to internet:
ND ::/0 [2/0] via FE80::XXXX:XXXX:XXXX:XXXX, GigabitEthernet9
When I set the ACL, I lose the route.
I must be missing some command. I am not sure it is an ACL problem.
How do I tell the router to get the default route from my box?
I mean, a command to set it, an ACL to allow auto config for the default route, and an ACL to allow forwarding of auto-config to each host behind the router.
Thanks
vandman
08-06-2021 05:48 AM
Hi,
You get the default route via IPv6 autoconfiguration:
interface GigabitEthernet9
 description Primary link Free
 ip address 192.168.10.100 255.255.255.0
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address XXXX:XXXX:XXXX:C880::2/64
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 traffic-filter ipv6in in
!
That's why you need to allow the router-advertisement in the ACL to get the default route from IPv6 autoconfig.
ipv6 access-list ipv6in
 <.. omitted ..>
 remark Permit good NDP messages since we deny and log at the end
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 permit icmp FF02::/16 any router-solicitation   (Optional, given that your router will not delegate a prefix to the 'box')
 permit icmp FF02::/16 any router-advertisement
 <.. omitted ..>
But of course, you can manually configure a default IPv6 route on the router; you actually don't need to configure IPv6 autoconfiguration on the Gi9 interface (given that the IPv6 address configured, XXXX:XXXX:XXXX:C880::2/64, is correct).
08-06-2021 07:09 AM
Hi ngkin2010
It does not work, the default route is not showing???
vandman
08-06-2021 07:36 AM
Hi,
Is the new ACE configured in the right sequence? Please make sure it is placed before the deny statements.
Please post the results of the following commands:
(hide any sensitive information)
show ipv6 access-list
show run interface gi9
show ipv6 interface brief
On the other hand, you may also try to loosen the proposed ACEs for troubleshooting purposes; if it works then you can use 'show logging' to verify the blocked traffic.
ipv6 access-list ipv6in
 <.. omitted ..>
 remark Permit good NDP messages since we deny and log at the end
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 permit icmp any any router-solicitation log
 permit icmp any any router-advertisement log
 permit icmp any any log
 permit icmp any any log
 <.. omitted ..>
If it does not work, then there should be another problem that is not related to SLAAC (IPv6 stateless auto configuration).
08-07-2021 11:27 AM
Hi ngkin2010,
thanks for the help.
I had to do it like this:
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 permit icmp FF02::/16 any router-advertisement
 permit icmp FE80::/10 FF02::/16 router-advertisement
If I do not put the last line, it does not work.
Now it is working.
Thanks again
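Why only the last line made the difference, shown with an added example (my own code, not anything posted in the thread): a small first-match simulator for the ACE forms used above. A Router Advertisement is sent from the upstream router's link-local address to the all-nodes multicast address ff02::1 (RFC 4861), so an ACE whose source field is FF02::/16 can never match one; the RA then falls through to 'deny ipv6 FE80::/10 any' and the 'ipv6 address autoconfig default' route is never learned. The simulator assumes a simplified IOS grammar (permit/deny, 'ipv6' or 'icmp', any | host X | prefix/len, an optional ICMPv6 type name, a trailing 'log'), models the implicit nd-na/nd-ns permits and implicit deny that IOS appends to every IPv6 ACL, and uses constructed link-local addresses.

```python
"""First-match simulator for a simplified Cisco IOS IPv6 ACL grammar.
Added example, not code from the thread.  Only the ACE forms the thread uses
are modelled: permit/deny, 'ipv6' or 'icmp', any | host X | prefix/len,
an optional ICMPv6 type name, and a trailing 'log' keyword.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.IPv6Network("::/0")


@dataclass
class Ace:
    action: str                 # 'permit' or 'deny'
    proto: str                  # 'ipv6' (any protocol) or 'icmp'
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    icmp_type: Optional[str]    # e.g. 'router-advertisement'; None = any type
    text: str                   # original line, kept for reporting


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    icmp_type: Optional[str] = None


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv6Network, int]:
    """Parse 'any' | 'host X' | 'X/len' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv6Network(tokens[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(tokens[i], strict=False), i + 1


def parse_acl(text: str) -> List[Ace]:
    aces = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("remark"):
            continue
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        rest = [t for t in tokens[i:] if t != "log"]  # 'log' never affects matching
        aces.append(Ace(action, proto, src, dst, rest[0] if rest else None, line))
    return aces


# IOS appends these to every IPv6 ACL: NDP NS/NA are permitted, then everything
# else is denied.  An explicit deny placed earlier in the list still wins.
IMPLICIT_TAIL = parse_acl("""
permit icmp any any nd-na
permit icmp any any nd-ns
deny ipv6 any any
""")


def _matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ipv6" and ace.proto != pkt.proto:
        return False
    if ace.icmp_type is not None and ace.icmp_type != pkt.icmp_type:
        return False
    return (ipaddress.IPv6Address(pkt.src) in ace.src
            and ipaddress.IPv6Address(pkt.dst) in ace.dst)


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """Return (action, text of the first ACE that matches), IOS first-match style."""
    for ace in list(aces) + IMPLICIT_TAIL:
        if _matches(ace, pkt):
            return ace.action, ace.text
    raise RuntimeError("unreachable: the implicit deny matches everything")


# NDP-relevant slice of the thread's 'ipv6in' ACL with the first suggested ACEs
# (source FF02::/16) placed ahead of the link-local and multicast denies.
ACL_SUGGESTED = """
permit icmp FE80::/10 any nd-na
permit icmp FE80::/10 any nd-ns
permit icmp FF02::/16 any router-solicitation
permit icmp FF02::/16 any router-advertisement
deny ipv6 FE80::/10 any
deny ipv6 FF00::/8 any
"""

# The same slice with the line the poster finally had to add.
ACL_FIXED = """
permit icmp FE80::/10 any nd-na
permit icmp FE80::/10 any nd-ns
permit icmp FF02::/16 any router-advertisement
permit icmp FE80::/10 FF02::/16 router-advertisement
deny ipv6 FE80::/10 any
deny ipv6 FF00::/8 any
"""

# Constructed packets as seen inbound on Gi9 from the box (addresses are
# made up, not from the thread): an RA is link-local source -> ff02::1.
RA_FROM_BOX = Packet("icmp", "fe80::1", "ff02::1", "router-advertisement")
NS_FROM_BOX = Packet("icmp", "fe80::1", "ff02::1:ff00:2", "nd-ns")


def main() -> None:
    for name, text in (("suggested", ACL_SUGGESTED), ("fixed", ACL_FIXED)):
        aces = parse_acl(text)
        for pkt in (RA_FROM_BOX, NS_FROM_BOX):
            action, ace = evaluate(aces, pkt)
            print(f"{name:9s} {pkt.icmp_type:20s} -> {action:6s} by '{ace}'")


if __name__ == "__main__":
    main()
```

Running it shows the RA hitting 'deny ipv6 FE80::/10 any' under the suggested list and 'permit icmp FE80::/10 FF02::/16 router-advertisement' under the fixed one, while NS is permitted by the explicit nd-ns entry in both. Feeding it an ACL that contains only 'deny ipv6 FE80::/10 any' also shows why the original list needed the "Permit good NDP messages" entries: the explicit link-local deny sits before the implicit nd-ns/nd-na permits and would break neighbour discovery on that interface.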