adelium904
Beginner

IPV6 ACL permit but not working on C892FSP-K9???

Hi,

I have set up a filter for the inbound interface on the WAN part.

I permit www and 443 traffic from any to a specific host (2A01:XXXX:XXXX:C884:8000::1).

I get the following error on the browser:

<html><head><title>Service Unavailable</title></head> <body><h4>Service temporairement indisponible ou en maintenance.</h4></body></html>


Here is the config I have:

interface GigabitEthernet9
 description Primary link Free
 ip address 192.168.10.100 255.255.255.0
 ip access-group 199 in
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 ipv6 address 2A01:XXXX:XXXX:C880::2/64
 ipv6 address autoconfig default
 ipv6 enable
 ipv6 traffic-filter ipv6in in

interface Vlan4
 description front-web
 ip address 192.168.104.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ipv6 address 2A01:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0/65
 ipv6 enable
 ipv6 nd prefix 2A01:XXXX:XXXX:C884::/65 infinite infinite
 ipv6 nd advertisement-interval
 ipv6 nd ra interval 100

ACL:

ipv6 access-list ipv6in
 deny ipv6 any host 2A01:XXXX:XXXX:C881:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C882:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C883:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C884:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C884:7FFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C885:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C886:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C887:FFFF:FFFF:FFFF:0
 deny ipv6 any host 2A01:XXXX:XXXX:C881:FFFF:FFFF:FFFE:0
 deny ipv6 any host 2A01:XXXX:XXXX:C881:FFFF:FFFF:FFFD:0
 deny ipv6 any host 2A01:XXXX:XXXX:C882:FFFF:FFFF:FFFC:0
 permit tcp any any established
 permit icmp any any echo-reply
 permit udp any eq domain any
 permit tcp any host 2A01:XXXX:XXXX:C884:8000::1 eq www
 permit tcp any host 2A01:XXXX:XXXX:C884:8000::1 eq 443
 permit tcp any host 2A01:XXXX:XXXX:C884:8000::1 eq 22 log
 permit tcp any 2A01:XXXX:XXXX:C884:8000::/65 range 1024 65535
 permit udp any 2A01:XXXX:XXXX:C884:8000::/65 range 1024 65535
 permit icmp any 2A01:XXXX:XXXX:C884:8000::/65 echo-reply
 sequence 1000 remark Permit good ICMPv6 message types
 remark Deny loopback address
 deny ipv6 host ::1 any
 remark Deny IPv4-compatible addresses
 deny ipv6 ::/96 any
 remark Deny IPv4-mapped addresses (obsolete)
 deny ipv6 ::FFFF:0.0.0.0/96 any
 remark Deny auto tunneled packets w/compatible addresses (RFC 4291)
 remark Deny other compatible addresses
 deny ipv6 ::224.0.0.0/100 any log
 deny ipv6 ::127.0.0.0/104 any log
 deny ipv6 ::/104 any log
 deny ipv6 ::255.0.0.0/104 any log
 remark Deny false 6to4 packets
 deny ipv6 2002:E000::/20 any log
 deny ipv6 2002:7F00::/24 any log
 deny ipv6 2002::/24 any log
 deny ipv6 2002:FF00::/24 any log
 deny ipv6 2002:A00::/24 any log
 deny ipv6 2002:AC10::/28 any log
 deny ipv6 2002:C0A8::/32 any log
 remark Permit good NDP messages since we deny and log at the end
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 remark Deny Link-Local communications
 deny ipv6 FE80::/10 any
 remark Deny Site-Local (deprecated)
 deny ipv6 FEC0::/10 any
 remark Deny Unique-Local packets
 deny ipv6 FC00::/7 any
 remark Deny multicast packets
 deny ipv6 FF00::/8 any
 remark Deny Documentation Address
 deny ipv6 2001:DB8::/32 any
 remark Deny 6Bone addresses (deprecated)
 deny ipv6 3FFE::/16 any
 remark Deny RH0 packets
 deny ipv6 any any routing-type 0 log
 remark Deny our own addresses coming inbound

Here is the router/firewall (C892FSP-K9) log:

Mar 15 08:35:53.712: %IPV6_ACL-6-ACCESSLOGP: list ipv6in/150 permitted tcp 2A01:CB09:8017:5F97:99B9:2DBF:AA47:3E8B(45698) -> 2A01:E34:EC45:C884:8000::1(80), 1 packet
Mar 15 08:39:52.236: %IPV6_ACL-6-ACCESSLOGP: list ipv6in/160 permitted tcp 2A01:CB09:8017:5F97:99B9:2DBF:AA47:3E8B(33474) -> 2A01:E34:EC45:C884:8000::1(443), 3 packets

 The traffic does not go through??

Any Idea?

Thanks

vandman

1 ACCEPTED SOLUTION

Accepted Solutions

Hi, sorry for the late reply.

I found the solution, the problem came from the fact that I did not have a default route ::/0.

The ACL I had blocked automatic routing negotiation between the router and the box.

Here is the ACL I had to apply to allow automatic configuration:

 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 permit icmp FF02::/16 any router-advertisement
 permit icmp FE80::/10 FF02::/16 router-advertisement

Thanks

vandman

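The mechanism behind the accepted solution can be checked offline. The following is an added illustration, not code from the poster or from Cisco: a first-match evaluator for the subset of IOS IPv6 ACL syntax used in this thread (permit/deny, ipv6/icmp/tcp/udp, any/host/prefix, eq/range, established, ICMPv6 type names, remark, sequence, log). It assumes the implicit entries IOS appends to every IPv6 ACL (permit nd-na, permit nd-ns, deny ipv6 any any), and it substitutes the constructed documentation prefix 2001:db8::/32 for the poster's redacted prefix. It replays a router advertisement (what `ipv6 address autoconfig default` needs in order to install ::/0) and a web request against an abridgement of the original filter, then against the same filter with the four permits from the accepted solution placed ahead of the link-local deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "domain": 53}
ICMP6_TYPES = {"echo-reply": 129, "router-advertisement": 134, "nd-ns": 135, "nd-na": 136}
ANY = ipaddress.IPv6Network("::/0")


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK/RST set, which is what 'established' matches
    icmp_type: int = 0


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    sport: tuple = (0, 65535)
    dport: tuple = (0, 65535)
    established: bool = False
    icmp_type: Optional[int] = None
    text: str = ""


def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)


def _addr(tokens, i):
    """Parse 'any', 'host X' or 'X/len' at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv6Network(tokens[i + 1] + "/128"), i + 2
    return ipaddress.IPv6Network(tokens[i], strict=False), i + 1


def _ports(tokens, i):
    """Parse an optional 'eq X' / 'range A B' qualifier; return ((lo, hi), next index)."""
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return (0, 65535), i


def parse_rule(line):
    """Turn one ACE into a Rule; remarks and blank lines yield None."""
    tokens = line.split()
    if tokens and tokens[0] == "sequence":      # 'sequence N <ace>' prefix
        tokens = tokens[2:]
    if not tokens or tokens[0] == "remark":
        return None
    rule = Rule(action=tokens[0], proto=tokens[1], src=ANY, dst=ANY, text=line.strip())
    rule.src, i = _addr(tokens, 2)
    rule.sport, i = _ports(tokens, i)
    rule.dst, i = _addr(tokens, i)
    rule.dport, i = _ports(tokens, i)
    for tok in tokens[i:]:
        if tok == "established":
            rule.established = True
        elif tok in ICMP6_TYPES:
            rule.icmp_type = ICMP6_TYPES[tok]
        elif tok != "log":
            raise ValueError(f"unsupported keyword {tok!r} in: {line}")
    return rule


# Assumed implicit tail of every IOS IPv6 ACL: NDP permits, then deny-all.
IMPLICIT_TAIL = ["permit icmp any any nd-na", "permit icmp any any nd-ns", "deny ipv6 any any"]


def parse_acl(text):
    return [r for r in map(parse_rule, text.splitlines() + IMPLICIT_TAIL) if r is not None]


def matches(rule, pkt):
    if rule.proto != "ipv6" and rule.proto != pkt.proto:
        return False
    if ipaddress.IPv6Address(pkt.src) not in rule.src or ipaddress.IPv6Address(pkt.dst) not in rule.dst:
        return False
    if rule.proto in ("tcp", "udp"):
        if not (rule.sport[0] <= pkt.sport <= rule.sport[1] and rule.dport[0] <= pkt.dport <= rule.dport[1]):
            return False
        if rule.established and not pkt.ack:
            return False
    if rule.proto == "icmp" and rule.icmp_type is not None and pkt.icmp_type != rule.icmp_type:
        return False
    return True


def evaluate(acl, pkt):
    """First matching ACE wins; returns (action, ACE text)."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action, rule.text
    raise AssertionError("the implicit deny always matches")


# Constructed abridgement of the poster's inbound filter, on the documentation prefix.
ORIGINAL_ACL = """\
 permit tcp any any established
 permit icmp any any echo-reply
 permit udp any eq domain any
 permit tcp any host 2001:db8:0:c884:8000::1 eq www
 permit tcp any host 2001:db8:0:c884:8000::1 eq 443
 remark Deny Link-Local communications
 deny ipv6 FE80::/10 any
 remark Deny multicast packets
 deny ipv6 FF00::/8 any"""

# The accepted solution's four permits, inserted ahead of the link-local deny.
FIXED_ACL = ORIGINAL_ACL.replace(" remark Deny Link-Local communications", """\
 permit icmp FE80::/10 any nd-na
 permit icmp FE80::/10 any nd-ns
 permit icmp FF02::/16 any router-advertisement
 permit icmp FE80::/10 FF02::/16 router-advertisement
 remark Deny Link-Local communications""")

# Constructed packets: the upstream router's RA (link-local source, all-nodes
# multicast destination, ICMPv6 type 134) and an inbound web request.
RA = Packet(src="fe80::1", dst="ff02::1", proto="icmp", icmp_type=134)
WEB = Packet(src="2001:db8:ffff::9", dst="2001:db8:0:c884:8000::1", proto="tcp", sport=45698, dport=80)


def check(acl_text, pkt):
    return evaluate(parse_acl(acl_text), pkt)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        print(f"{name:8} RA : {check(acl, RA)}")
        print(f"{name:8} WEB: {check(acl, WEB)}")
```

Running it shows why the logs and the symptom disagreed: the web request is permitted by the `eq www` entry in both versions (matching the `%IPV6_ACL-6-ACCESSLOGP` lines), but the router advertisement hits `deny ipv6 FE80::/10 any` in the original filter, so SLAAC never learns a default route and return traffic has nowhere to go. With the permits placed before that deny, the RA matches `permit icmp FE80::/10 FF02::/16 router-advertisement`. Of the four added lines, only that one covers the RA; the `FF02::/16 any` source entry never matches real traffic, because multicast addresses do not appear as sources. When auditing an inbound IPv6 filter, replaying the RA, NS and NA cases against it in this way is a cheap check to run before deploying.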

4 REPLIES
Seb Rupik
VIP Advisor

Hi there,

The HTML response you include has the text for an HTML 503 error: "Service unavailable", which implies an issue with the server you are connecting to.

This is confirmed by the router logs which show packets being permitted to that host.


I would check on the www service on your server: is it hosting websites on IPv6? Does it have an ACL on the http service which blocks requests to IPv6 hosts?


cheers,

Seb.

adelium904
Beginner

Hi,

From the local network, it works perfectly well. In debug mode, Traefik gives me logs, and the website shows itself in the browser.

From the Internet, I have no logs in Traefik???

For me, no traffic goes to the service.

This is weird.

Regards

vandman

This sounds very much like an issue localised to the server. You could run a packet capture on the machine to confirm the externally sourced packets are indeed reaching the machine.


What OS are you running? What HTTP service are you running? 

The HTTP response page suggests that it is not an OS firewall, but a configuration item with the HTTP service.


cheers,

Seb.

