IPv6 Zone-Based Firewall

Matt Wilson
Level 1

I have devised the following ZBPF on my 1941 router. Problem is IPv6 doesn't work. I cannot get any IPv6 connectivity. IPv6 works fine with the ZBPF disabled, i.e. not applied to any interfaces. Anyone have any ideas as to why it doesn't work?

!
class-map type inspect match-any ipv6.cmap
 match access-group name addresses.acl6
 match access-group name protocols.acl6
!
class-map type inspect match-any ipv4.cmap
 match access-group name addresses.acl4
 match access-group name protocols.acl4
!
policy-map type inspect lan.pmap
 class type inspect ipv6.cmap
  inspect
 class type inspect ipv4.cmap
  inspect
 class class-default
  drop log
!
zone security lan
zone security wan
zone-pair security lan-wan source lan destination wan
!
ip access-list extended addresses.acl4
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
 permit ip 10.1.3.0 0.0.0.255 any
 permit ip 10.1.4.0 0.0.0.255 any
 permit ip 10.1.5.0 0.0.0.255 any
!
ip access-list extended protocols.acl4
 permit tcp any any
 permit udp any any
 permit icmp any any
!
!
ipv6 access-list addresses.acl6
 permit ipv6 2001:xxxx:4121:3B10::/64 any
 permit ipv6 2001:xxxx:4121:3B20::/64 any
 permit ipv6 2001:xxxx:4121:3B30::/64 any
 permit ipv6 2001:xxxx:4121:3B40::/64 any
 permit ipv6 2001:xxxx:4121:3B50::/64 any
!
ipv6 access-list protocols.acl6
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit ipv6 any any
!
balaji.bandi
Hall of Fame

What is the version of code?

Worth looking at the config below and tweaking as per the suggestion:

https://blog.dchidell.com/2018/11/23/cisco-zone-based-firewall-ipv4-ipv6/

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

BB

@Matt Wilson unless it's a copy and paste error, you haven't defined the service-policy under the zone-pair....

zone-pair security lan-wan source lan destination wan
 service-policy type inspect lan.pmap
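The check this reply makes by eye, that every zone-pair carries a service-policy and that every ACL, class-map or policy-map name referenced is actually defined, can be run against a saved running-config. Added example in Python, not from the thread or from Cisco; the config string is a constructed cut-down of the original post with the defect left in, and the ACL prefix uses the 2001:db8::/32 documentation range in place of the redacted one.

```python
import re

# Constructed sample (not the thread's config verbatim): zone-pair with no service-policy, plus one dangling class-map reference.
SAMPLE_CONFIG = """\
class-map type inspect match-any ipv6.cmap
 match access-group name addresses.acl6
 match access-group name protocols.acl6
policy-map type inspect lan.pmap
 class type inspect ipv6.cmap
  inspect
 class type inspect ipv4.cmap
  inspect
zone-pair security lan-wan source lan destination wan
ipv6 access-list addresses.acl6
 permit ipv6 2001:db8:4121:3b10::/64 any
"""

def parse_blocks(config: str) -> list[list[str]]:
    """Group IOS config into top-level blocks: a header line plus its indented children."""
    blocks: list[list[str]] = []
    for line in config.splitlines():
        if line.strip() and not line.startswith("!"):  # skip blanks and '!' comment lines
            if line[0].isspace() and blocks:
                blocks[-1].append(line.strip())
            else:
                blocks.append([line.strip()])
    return blocks

def lint_zbpf(config: str) -> list[str]:
    """Cross-reference ACLs, class-maps, policy-maps and zone-pairs; return findings."""
    acls, cmaps, pmaps, pairs = set(), {}, {}, {}
    for head, *body in parse_blocks(config):
        if m := re.match(r"ip(?:v6)? access-list (?:extended )?(\S+)$", head):
            acls.add(m[1])
        elif m := re.match(r"class-map type inspect (?:match-\w+ )?(\S+)$", head):
            cmaps[m[1]] = [ln.split()[-1] for ln in body if ln.startswith("match access-group name ")]
        elif m := re.match(r"policy-map type inspect (\S+)$", head):
            pmaps[m[1]] = [ln.split()[-1] for ln in body if ln.startswith("class type inspect ")]
        elif m := re.match(r"zone-pair security (\S+) ", head):
            pairs[m[1]] = [ln.split()[-1] for ln in body if ln.startswith("service-policy ")]
    findings = []
    for name, refs in cmaps.items():
        findings += [f"class-map {name}: ACL {a} undefined" for a in refs if a not in acls]
    for name, refs in pmaps.items():
        findings += [f"policy-map {name}: class-map {c} undefined" for c in refs if c not in cmaps]
    for name, pols in pairs.items():
        if not pols:
            findings.append(f"zone-pair {name}: no service-policy attached")
        findings += [f"zone-pair {name}: policy-map {p} undefined" for p in pols if p not in pmaps]
    return findings
```

Feed it the output of `show running-config` and an empty list means every reference resolves and every zone-pair has a policy; it does not check what the policy permits.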

Matt Wilson
Level 1

Thanks for the replies. The IOS is 15(7)3M4. It was a copy/paste error, the below is the corrected version. IPv4 works as intended:

!
zone-pair security lan-wan source lan destination wan
 service-policy type inspect lan.pmap
! 

Also, I get this:

R1941#sh ppp all 
Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
------------ --------------------- -------- --------------- --------------------
Vi2          LCP+ IPCP+ IPV6CP+    LocalT   xxx.xx.23.126    \ syd-gls-har-bras33     

Does this suggest that IPv6 is not being negotiated from the start of PPP? This happens with/without the firewall in place.