Hello everybody,

We are testing IPv6 at moment and now we having the following problem. When we apply security on the interface that is facing the internet the dns protocol doesn't work anymore. What we have configured is the follwing:

ipv6 inspect routing-header

ipv6 inspect udp idle-time 3600

ipv6 inspect tcp synwait-time 60

ipv6 inspect name ipv6-firewall tcp

ipv6 inspect name ipv6-firewall udp

ipv6 inspect name ipv6-firewall ftp timeout 3600

ipv6 inspect name ipv6-firewall icmp

ipv6 access-list ipv6-inet-in

remark block site local

deny ipv6 any FEC0::/10

remark block mcast

deny ipv6 any FF00::/8

remark permit mcast link local

permit ipv6 any FF02::/16

remark permit mcast global scope

permit ipv6 any FF0E::/16

remark permit minimal icmp messages

permit icmp any any echo-reply

permit icmp any any time-exceeded

permit icmp any any unreachable

permit icmp any any echo-request

permit icmp any any packet-too-big

permit icmp any any parameter-problem

permit icmp any any mld-query

permit icmp any any mld-report

permit icmp any any mld-reduction

permit icmp any any router-solicitation

permit icmp any any router-advertisement

remark permitted traffic

permit udp any any eq domain log

And the following is configured on the interface facing the internet

ipv6 traffic-filter ipv6-inet-in in

ipv6 inspect ipv6-firewall in 

ipv6 inspect ipv6-firewall out

When this is configured the dns protocol does not working any more. In the debug we also seeing that the rule permit udp any any eq domain log on the access-list doesn't got any hits. The dns protocol is only working when we add the following line permit ipv6 host {ipv6 addres of dns server} any to the access-list, but that is not what you want. Do you have any suggestions what maybay be wrong with it?  PS. the router we are using is a cisco 887VA with IOS version 15.1(4)M5

In advanced Thank you