
Blocking IPv6 on ASA

vijay4211
Level 1

Hi All,

Is IPv6 blocked on Cisco ASA by default? We are running version 9.12 currently and have received a request to block an IPv6 address, and I am pretty sure we haven't used IPv6 in our environment before. So I was wondering if we need to take any action on this.

Regards,

Vijay

5 Replies

Are you seeing an attack on your VPN service, and do you want to deny this IP access to the ASA?

MHM

Hi MHM,

No, not for this. Actually this is an internet facing firewall and we block malicious IPs coming on our outside interface as provided by our SOC advisories. But this is the first time we have received a request for an IPv6 address.

vijay4211
Level 1

Does anyone have any idea whether we should be blocking this IPv6 address through, say, an ACL, or will it get blocked by default?

I believe that in routed firewall mode the ASA drops all IPv6 if IPv6 addresses are not configured on the ASA interfaces, simply because its IPv6 routing table is empty in this case. Transparent firewall mode also requires an IPv6 address to be configured.

NB. In ASA ACLs "any" means "any4" OR "any6", so if IPv6 addresses are configured on ASA interfaces, it may let IPv6 through "any" depending on your configuration.

HTH
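
An added example (not part of the original thread and not Cisco code): a small Python check over a saved running-config for the two conditions the reply above describes, IPv6 addresses configured on interfaces and permit ACEs that use bare "any" rather than "any4". The config text is a constructed sample using documentation addresses, and the function names are hypothetical.

```python
import re

# Constructed sample of ASA running-config lines (documentation addresses, not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
 ipv6 address 2001:db8:1::1/64
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
access-list OUTSIDE_IN extended permit tcp any any eq 443
access-list OUTSIDE_IN extended permit tcp any4 host 203.0.113.11 eq 25
access-list OUTSIDE_IN extended deny ip any any
access-list INSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
"""

def ipv6_interfaces(config):
    """Return nameif names of interfaces with an 'ipv6 address' or 'ipv6 enable' line."""
    found, nameif, has_v6 = [], None, False
    for line in config.splitlines() + ["!"]:
        if not line.startswith(" "):      # any top-level line closes the interface block
            if nameif and has_v6:
                found.append(nameif)
            nameif, has_v6 = None, False
        elif m := re.match(r" nameif (\S+)", line):
            nameif = m.group(1)
        elif re.match(r" ipv6 (address|enable)\b", line):
            has_v6 = True
    return found

def permit_any_aces(config):
    """Return permit ACEs with bare 'any' in ACLs bound inbound to IPv6-enabled interfaces."""
    v6_ifs = set(ipv6_interfaces(config))
    bound = {m.group(1) for m in re.finditer(
                 r"^access-group (\S+) in interface (\S+)$", config, re.M)
             if m.group(2) in v6_ifs}
    hits = []
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended permit .*\bany\b", line)  # skips any4/any6
        if m and m.group(1) in bound:
            hits.append(line)
    return hits
```

The lines returned by permit_any_aces are candidates for review, not confirmed exposures; an empty result from ipv6_interfaces corresponds to the "no IPv6 addresses configured" case in the reply.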

 

The default behavior of the ASA is to prevent any traffic from low to high security even if you have not configured an ACL, and this includes both IPv4 and IPv6.

But to be sure, I ran a lab yesterday to add ipv6 access-list any any log to the OUT of the ASA, but the command is unknown.

Sorry, I have limited time these days. I will try soon and update you when I succeed.

Thanks 

MHM
