Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1998
Views
0
Helpful
3
Replies

IPv6 Zone-Based Firewall

Matt Wilson
Level 1
Level 1

‎09-15-2021 02:35 AM

I have devised the following ZBPF on my 1941 router. Problem is IPv6 doesn't work. I cannot get any IPv6 connectivity. IPv6 works fine with the ZBPF disabled, i.e. not applied to any interfaces. Anyone have any ideas as to why it doesn't work.

 

!
class-map type inspect match-any ipv6.cmap
 match access-group name addresses.acl6
 match access-group name protocols.acl6
!
class-map type inspect match-any ipv4.cmap
 match access-group name addresses.acl4
 match access-group name protocols.acl4
!
policy-map type inspect lan.pmap
 class type inspect ipv6.cmap
  inspect
 class type inspect ipv4.cmap
  inspect
 class class-default
  drop log
!
zone security lan
zone security wan
zone-pair security lan-wan source lan destination wan
!
ip access-list extended addresses.acl4
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
 permit ip 10.1.3.0 0.0.0.255 any
 permit ip 10.1.4.0 0.0.0.255 any
 permit ip 10.1.5.0 0.0.0.255 any
!
ip access-list extended protocols.acl4
 permit tcp any any
 permit udp any any
 permit icmp any any
!
!
ipv6 access-list addresses.acl6
 permit ipv6 2001:xxxx:4121:3B10::/64 any
 permit ipv6 2001:xxxx:4121:3B20::/64 any
 permit ipv6 2001:xxxx:4121:3B30::/64 any
 permit ipv6 2001:xxxx:4121:3B40::/64 any
 permit ipv6 2001:xxxx:4121:3B50::/64 any
!
ipv6 access-list protocols.acl6
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit ipv6 any any
!
Labels:
0 Helpful
3 Replies 3

balaji.bandi
Hall of Fame
Hall of Fame

‎09-15-2021 02:48 AM - edited ‎09-15-2021 02:49 AM

what is the version of code ?

 

worth Looking below config and tweak as per suggestion :

 

https://blog.dchidell.com/2018/11/23/cisco-zone-based-firewall-ipv4-ipv6/

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Rob Ingram
VIP
VIP

‎09-15-2021 11:07 AM

@Matt Wilson unless it's a copy and paste error, you haven't defined the service-policy under the zone-pair....

zone-pair security lan-wan source lan destination wan
 service-policy type inspect lan.pmap

0 Helpful

Matt Wilson
Level 1
Level 1

‎09-15-2021 12:27 PM - edited ‎09-15-2021 12:28 PM

Thanks for the replies. The IOS is 15(7)3M4. It was a copy/paste error, the below is the corrected version. IPv4 works as intended:

!
zone-pair security lan-wan source lan destination wan
 service-policy type inspect lan.pmap
!

Also, I get this:

R1941#sh ppp all 
Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
------------ --------------------- -------- --------------- --------------------
Vi2          LCP+ IPCP+ IPV6CP+    LocalT   xxx.xx.23.126    \ syd-gls-har-bras33

Does this suggest that IPv6 is not being negotiated from the start of PPP? This happens with/without the firewall in place.

 

0 Helpful
Customers Also Viewed These Support Documents