IPv6 Zone-Based Firewall

Matt Wilson
Beginner

I have devised the following ZBPF on my 1941 router. The problem is that IPv6 doesn't work: I cannot get any IPv6 connectivity. IPv6 works fine with the ZBPF disabled, i.e. not applied to any interfaces. Anyone have any ideas as to why it doesn't work?

!
! Class maps are match-any: a packet falls into the class if it matches
! either of the two named ACLs
class-map type inspect match-any ipv6.cmap
 match access-group name addresses.acl6
 match access-group name protocols.acl6
!
class-map type inspect match-any ipv4.cmap
 match access-group name addresses.acl4
 match access-group name protocols.acl4
!
! Stateful inspect policy: both classes are inspected, everything else is
! dropped and logged
policy-map type inspect lan.pmap
 class type inspect ipv6.cmap
  inspect
 class type inspect ipv4.cmap
  inspect
 class class-default
  drop log
!
zone security lan
zone security wan
zone-pair security lan-wan source lan destination wan
!
! IPv4 source subnets (destination any) and protocols
ip access-list extended addresses.acl4
 permit ip 10.1.1.0 0.0.0.255 any
 permit ip 10.1.2.0 0.0.0.255 any
 permit ip 10.1.3.0 0.0.0.255 any
 permit ip 10.1.4.0 0.0.0.255 any
 permit ip 10.1.5.0 0.0.0.255 any
!
ip access-list extended protocols.acl4
 permit tcp any any
 permit udp any any
 permit icmp any any
!
! IPv6 source prefixes (global prefix redacted as xxxx in the post) and protocols
ipv6 access-list addresses.acl6
 permit ipv6 2001:xxxx:4121:3B10::/64 any
 permit ipv6 2001:xxxx:4121:3B20::/64 any
 permit ipv6 2001:xxxx:4121:3B30::/64 any
 permit ipv6 2001:xxxx:4121:3B40::/64 any
 permit ipv6 2001:xxxx:4121:3B50::/64 any
!
ipv6 access-list protocols.acl6
 permit tcp any any
 permit udp any any
 permit icmp any any
 permit ipv6 any any
!
3 Replies

balaji.bandi
VIP Guru

What is the version of code?

Worth looking at the config below and tweaking as per the suggestion:

https://blog.dchidell.com/2018/11/23/cisco-zone-based-firewall-ipv4-ipv6/

https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html

BB


Rob Ingram
VIP Expert

@Matt Wilson unless it's a copy and paste error, you haven't defined the service-policy under the zone-pair...

zone-pair security lan-wan source lan destination wan
 service-policy type inspect lan.pmap
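
For reference, here is what a complete lan-wan zone-pair looks like with the inspect policy attached, together with the zone-member assignments and the verification commands the original post does not show. This is an added example, not configuration from the thread: the class-map and policy-map names are the ones from the post, but the interface names (GigabitEthernet0/0 on the LAN side, Dialer1 as the PPP WAN interface behind the Virtual-Access interface seen later in the thread) are assumptions about the setup.

```ios
! Added example (not from the thread). Class-map/policy-map names are from
! the original post; interface names are assumed.
zone security lan
zone security wan
!
! The zone-pair does nothing until an inspect policy is attached to it
zone-pair security lan-wan source lan destination wan
 service-policy type inspect lan.pmap
!
! Every interface that forwards traffic between the zones must be a member
! of one of them. For a PPP/PPPoE WAN the zone goes on the Dialer interface
! (assumed name): the Virtual-Access interface is cloned from it and
! inherits the zone membership.
interface GigabitEthernet0/0
 description LAN (assumed interface)
 zone-member security lan
!
interface Dialer1
 description WAN over PPP (assumed interface)
 zone-member security wan
!
! Verification. First confirm the policy is actually attached to the pair,
! then generate IPv6 traffic from a LAN host (for example a ping to a public
! IPv6 address) and watch the per-class counters: packets should land in
! ipv6.cmap and show up as sessions. If class-default increments instead,
! the IPv6 ACLs in the class-map are not matching the traffic; if nothing
! increments at all, the traffic is not reaching the zone-pair.
!
! R1941# show zone-pair security
! R1941# show policy-map type inspect zone-pair lan-wan
! R1941# show policy-map type inspect zone-pair lan-wan sessions
! R1941# show ipv6 access-list addresses.acl6
! R1941# show ipv6 access-list protocols.acl6
```

The `drop log` on class-default only applies to traffic initiated from lan towards wan; replies come back through the stateful session table that `inspect` creates, so no wan-lan zone-pair is needed for return traffic, and unsolicited inbound traffic is dropped by the default deny between zones.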

Matt Wilson
Beginner

Thanks for the replies. The IOS is 15.7(3)M4. It was a copy/paste error; the below is the corrected version. IPv4 works as intended:

!
zone-pair security lan-wan source lan destination wan
 service-policy type inspect lan.pmap
!

Also, I get this:

R1941#sh ppp all 
Interface/ID OPEN+ Nego* Fail-     Stage    Peer Address    Peer Name
------------ --------------------- -------- --------------- --------------------
Vi2          LCP+ IPCP+ IPV6CP+    LocalT   xxx.xx.23.126    \ syd-gls-har-bras33     

Does this suggest that IPv6 is not being negotiated from the start of PPP? This happens with/without the firewall in place.