12-03-2014 10:14 PM - edited 03-01-2019 05:46 PM
Hi All,
I suspect that this may be a case of staring at the screen for too long but nevertheless, here I am.
I'm testing an IPv6 rollout between my ISP and an ASA 5505, 9.1(5) in routed mode, and initially all seems good. I can ping6 both from the ASA to the real world and backwards. BTW the ASA is already quite happily running NAT for IPv4 with ACLs and everything, no problem.
The only problem is that according to my reading of the doco I shouldn't be able to ping the ASA from outside as I have no IPv6 ACLs in place. Hence, the default deny rule should be in effect and drop the packets.
Further, if I do add a specific permit rule for ICMP6 there are no packet counts logged against it.
This leads me to suspect that the IPv6 packets are being intercepted earlier in the chain and allowed through but where?
Thanks in advance,
-pete
PS: not sure if this should be cross posted in IPv6 transition...
12-03-2014 11:26 PM
Pete,
I think that doc is mentioning this ACL if you want to send traffic _to_ ASA.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html
If you're curious about processing:
- packet-tracer - unreliable in some cases
- capture traffic with the "capture" command and the "trace" option. There are some examples from TAC on how to do it.
M.
12-04-2014 01:56 AM
Hi Macin,
Yes, you appear to be correct. I'll do some further testing but inside your link at:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#pgfId-1093364
It talks about ICMP being enabled by default and bypassing the firewall ACLs. I was fixating solely on the chain - probably my Linux background with ipchains and pf.
Thanks very much, I'm more relaxed now.
Cheers
-pete
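The behaviour discussed in both replies (ICMPv6 addressed to the ASA's own interface is answered by default and never consults the interface ACL, so a permit rule there shows no hits) is controlled by the ipv6 icmp command rather than by access lists. The fragment below is an added example, not configuration from the thread or from Cisco's documentation; it assumes an interface named outside and uses the 2001:db8:abcd::/64 documentation prefix as a constructed management range.

```cisco
! Default state (no ipv6 icmp rules): the ASA answers ICMPv6 echo requests
! sent to its own interface address from anywhere, and interface ACLs are
! not evaluated for traffic that terminates on the ASA itself.
!
! Restrict which sources may send ICMPv6 to the outside interface address.
! Rules are evaluated in order; once at least one ipv6 icmp rule exists for
! an interface, traffic matching no rule is dropped by the implicit deny.
ipv6 icmp permit host 2001:db8:abcd::10 outside
ipv6 icmp permit 2001:db8:abcd::/64 outside
! Explicit catch-all, redundant with the implicit deny but documents intent.
ipv6 icmp deny any outside
!
! Confirm the rules are in the running configuration (assumed show command).
show running-config ipv6
```

Traffic passing through the ASA to hosts behind it is still governed by the interface ACLs; these rules only affect ICMPv6 destined for the ASA's own addresses.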