Hello,
I have an issue with IP Version 6 and Zone-Based-Policy-Firewall.
This is the setup:
Router1 (Cisco 1802, IOS 15.1(3)T1, I also tried older IOS versions):
#######
Dialer 0 to IPV4 Internet
Dialer 6 to IPV6 Internet
Tunnel 0 configured as DMVPN to Router 2
VLAN 1 as internal interface with IP 192.168.0.0/24 and 2001:xxxx:xxxx:2::/64
Router2 (Cisco 1802, IOS 15.1(3)T1, I also tried older IOS versions):
#######
Dialer 0 to IPV4 Internet
Tunnel 0 configured as DMVPN to Router 1
VLAN 1 as internal interface with IP 10.0.0.0/24 and 2001:xxxx:xxxx:1::/64
Router1 connects to IPV6 Internet via Dialer 6
Router2 connects to IPV6 Internet via Tunnel0 (Dynamic-Multipoint-VPN)
Router1 and Router2 are configured with Zone-Based-Policy-Firewall.
When I remove the ZBPF config from Router1, everything works!
#################
When I configure ZBPF on Router1, the IPv6 connection between the two routers works in both directions,
and the IPv6 Internet connection from Router1 also works great,
but the IPv6 Internet connection from Router2 no longer works in the outgoing direction.
(Tunnel0 and VLAN1 are in ZONE_BUERO_VLAN1, Dialer0 and Dialer6 are in ZONE_INTERNET)
zone security ZONE_INTERNET
zone security ZONE_BUERO_VLAN1
!
zone-pair security ZP_BUERO_VLAN1__INTERNET source ZONE_BUERO_VLAN1 destination ZONE_INTERNET
 service-policy type inspect FW_TO_INTERNET
zone-pair security ZP_INTERNET__BUERO_VLAN1 source ZONE_INTERNET destination ZONE_BUERO_VLAN1
 service-policy type inspect FW_INTERNET__BUERO_VLAN1
!
policy-map type inspect FW_TO_INTERNET
 class type inspect FW_GRE
  pass
 class type inspect FW_ESP
  pass
 class type inspect FW_ALLES_ERLAUBT_INSPECT2
  inspect
 class class-default
  drop log
!
policy-map type inspect FW_INTERNET__BUERO_VLAN1
 class type inspect FW_GRE
  pass
 class type inspect FW_ESP
  pass
 class type inspect FW_IPV6_ALLES
  drop log
 class class-default
  drop log
!
class-map type inspect match-any FW_GRE
 match access-group name FW_GRE
class-map type inspect match-any FW_ESP
 match access-group name FW_ESP
class-map type inspect match-any FW_ALLES_ERLAUBT_INSPECT2
 match protocol http
 match protocol https
 match protocol ntp
 match protocol dns
!
ip access-list extended FW_GRE
 permit gre any any
ip access-list extended FW_ESP
 permit esp any any
!
ipv6 access-list FW_IPV6_ALLES
 permit ipv6 any any
 permit icmp any any
 permit tcp any any
 permit udp any any
Debug messages (seen on Router1):
Client in VLAN1 of Router1 (2001:xxxx:xxxx:2:C8FD:5EFE:523E:FB55) is browsing:
- no debug - works -
Client in VLAN1 of Router2 (2001:xxxx:xxxx:1:C8FD:5EFE:5111:FB55) is browsing:
*May 24 18:38:18.016: %FW-6-DROP_PKT: Dropping tcp session [2001:xxxx:xxxx:1:C8FD:5EFE:5111:FB55]:56687 [2A02:2E0:3FE:100::7]:80 on zone-pair ZP_BUERO_VLAN1__INTERNET class class-default due to DROP action found in policy-map with ip ident 0
Router1#
*May 24 18:38:48.465: %FW-6-DROP_PKT: Dropping tcp session [2001:xxxx:xxxx:1:C8FD:5EFE:5111:FB55]:56696 [2A02:2E0:3FE:100::7]:80 on zone-pair ZP_BUERO_VLAN1__INTERNET class class-default due to DROP action found in policy-map with ip ident 0
Router1#
*May 24 18:39:21.705: %FW-6-DROP_PKT: Dropping tcp session [2001:xxxx:xxxx:1:C8FD:5EFE:5111:FB55]:56747 [2A02:2E0:3FE:100::7]:80 on zone-pair ZP_BUERO_VLAN1__INTERNET class class-default due to DROP action found in policy-map with ip ident 0
So can you tell me how this is possible? Even though the two interfaces have the same zone membership, it works for traffic from VLAN 1 but is blocked for traffic from Tunnel 0???
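As an added example (not code from the original post), here is a small Python script that parses %FW-6-DROP_PKT lines like the ones above and counts drops per zone-pair, class, source network (/64 for IPv6, /24 for IPv4) and destination port, so drops from the two LANs show up as separate rows instead of having to be read off the log by eye. The addresses in the sample log are constructed documentation prefixes standing in for the redacted ones.

```python
# Group Cisco IOS ZBPF %FW-6-DROP_PKT syslog lines by zone-pair, class and source
# network. Added example; sample log constructed with documentation prefixes.
import ipaddress
import re
from collections import Counter

# IOS brackets IPv6 addresses ([addr]:port) but writes IPv4 bare, so both are accepted.
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"\[?(?P<src>[0-9A-Fa-f:.]+)\]?:(?P<sport>\d+) "
    r"\[?(?P<dst>[0-9A-Fa-f:.]+)\]?:(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<klass>\S+) due to (?P<reason>.+)$"
)

# Constructed sample: 2001:db8:0:1::/64 stands in for the Router2 LAN, 2001:db8:0:2::/64 for Router1.
SAMPLE_LOG = """\
*May 24 18:38:18.016: %FW-6-DROP_PKT: Dropping tcp session [2001:db8:0:1:c8fd:5efe:5111:fb55]:56687 [2001:db8:ffff::7]:80 on zone-pair ZP_BUERO_VLAN1__INTERNET class class-default due to DROP action found in policy-map with ip ident 0
Router1#
*May 24 18:38:48.465: %FW-6-DROP_PKT: Dropping tcp session [2001:db8:0:1:c8fd:5efe:5111:fb55]:56696 [2001:db8:ffff::7]:80 on zone-pair ZP_BUERO_VLAN1__INTERNET class class-default due to DROP action found in policy-map with ip ident 0
*May 24 18:40:02.100: %FW-6-DROP_PKT: Dropping tcp session [2001:db8:ffff::9]:40000 [2001:db8:0:2:c8fd:5efe:523e:fb55]:22 on zone-pair ZP_INTERNET__BUERO_VLAN1 class FW_IPV6_ALLES due to DROP action found in policy-map with ip ident 0
*May 24 18:40:10.000: %FW-6-DROP_PKT: Dropping tcp session 203.0.113.5:4444 192.168.0.10:445 on zone-pair ZP_INTERNET__BUERO_VLAN1 class class-default due to DROP action found in policy-map with ip ident 0
"""

def parse_drop(line):
    """Fields of one DROP_PKT line, or None for prompts and unrelated lines."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def source_network(addr):
    """Collapse a host address to its LAN prefix: /64 for IPv6, /24 for IPv4."""
    ip = ipaddress.ip_address(addr)
    plen = 64 if ip.version == 6 else 24
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

def summarize(log_text):
    """Count drops per (zone-pair, class, source network, destination port)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_drop(line)
        if rec:
            counts[(rec["zone_pair"], rec["klass"], source_network(rec["src"]), rec["dport"])] += 1
    return counts

if __name__ == "__main__":
    for (zp, cls, net, dport), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {zp:28s} {cls:16s} {net:20s} dport {dport}")
```

Feed it the output of `terminal monitor` or a syslog file instead of SAMPLE_LOG to see which class each LAN's traffic is actually hitting.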