ICMP6 Seems to Bypass Access Control List

Peter Brady
Level 1

Hi All,

I suspect that this may be a case of staring at the screen for too long but nevertheless, here I am.

I'm testing an IPv6 rollout between my ISP and an ASA 5505, 9.1(5) in routed mode, and initially all seems good.  I can ping6 both from the ASA to the real world and backwards.  BTW the ASA is already quite happily running NAT for IPv4 with ACLs and everything, no problem.

The only problem is that according to my reading of the doco I shouldn't be able to ping the ASA from outside as I have no IPv6 ACLs in place.  Hence, the default deny rule should be in effect and drop the packets.

Further, if I do add a specific permit rule for ICMP6 there are no packet counts logged against it.

This leads me to suspect that the IPv6 packets are being intercepted earlier in the chain and allowed through but where?

Thanks in advance,
-pete

PS: not sure if this should be cross posted in IPv6 transition...

1 Accepted Solution

Marcin Latosiewicz
Cisco Employee

Pete,

I think that doc is mentioning this ACL if you want to send traffic _to_ ASA.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html

If you're curious about processing:

- packet-tracer - unreliable in some cases
- capture traffic with the "capture" command and "trace" option. There are some examples from TAC on how to do it.

M.

2 Replies


Hi Marcin,

Yes, you appear to be correct.  I'll do some further testing but inside your link at:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#pgfId-1093364

It talks about ICMP being enabled by default and bypassing the firewall ACLs.  I was fixating solely on the chain - probably my Linux background with ipchains and pf.

Thanks very much, I'm more relaxed now.

Cheers
-pete

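As an added worked example (not part of the thread and not Cisco's own documentation), this is how the behaviour Pete hit is controlled: to-the-box ICMPv6 is governed by the `ipv6 icmp` rules rather than by interface ACLs, and it is permitted by default. Interface names, prefixes, and the capture/ACL names are assumptions; addresses are constructed from the 2001:db8::/32 documentation range.

```cisco
! Added example, not from the thread or the ASA admin guide.
! Through-the-box IPv6 traffic is subject to the interface ACLs (implicit
! deny when no IPv6 ACL is applied). Traffic addressed *to* the ASA
! interface itself is not: ICMP/ICMPv6 to the box is controlled by the
! "icmp" / "ipv6 icmp" commands and is allowed by default. That is why an
! outside ping6 to the interface succeeds with no IPv6 ACL, and why an
! interface permit ACE for icmp6 never accumulates hit counts.

! Before (the default): no "ipv6 icmp" rules exist, so any ICMPv6 aimed at
! the outside interface address is accepted.

! After: only an assumed management prefix may ping the outside interface;
! unreachable (type 1) and packet-too-big (type 2) stay permitted so IPv6
! path MTU discovery keeps working; everything else to the box is dropped.
! Rules are matched top-down, first match wins, so the deny goes last.
ipv6 icmp permit 2001:db8:0:1::/64 128 outside
ipv6 icmp permit any 1 outside
ipv6 icmp permit any 2 outside
ipv6 icmp deny any outside

! Verify the rules that are now in effect.
show running-config | include ipv6 icmp

! To confirm where a to-the-box packet is handled, capture with trace (as
! suggested in the accepted answer) rather than relying on packet-tracer.
! 2001:db8:0:2::1 is the assumed outside interface address.
access-list CAP6 extended permit icmp6 any6 host 2001:db8:0:2::1
capture CAP6 interface outside access-list CAP6 trace
show capture CAP6 trace
```

The numeric ICMPv6 types are used so the example does not depend on the exact type-name keywords accepted by a given ASA release.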