We want to filter IPv6 extension headers on FWSM (4.1.x) and we discovered that filtering does not works at all. For example to filter destination options we used the following IPv6 ACE:
ipv6 access-list OUTSIDE6_IN deny 60 any any
Then packets are sent using extended IPv6 ping from IOS router and FWSM ignores above ACE and forwards the packet to the destination. The same thing happens when using Scapy as packet generator.
The packet is good because it matches IOS IPv6 ACL Destination options ACE.
I didn't checked but my colleague reported me the same issue with filtering Hop-by-hop option on FWSM.
So, is something wrong with the procedure or this is about new bug?
ACL is assigned to the interface... Other ACEs are being matched so ACL works but it does not match extension headers correctly:
ipv6 access-list OUTSIDE6_IN line 1 deny 60 any any log debugging interval 300 (hitcnt=0) 0xbb24b0a2
ipv6 access-list OUTSIDE6_IN line 2 permit tcp any any eq www log debugging interval 300 (hitcnt=2) 0xbde27d7c
Not related to your problem: You know that the FWSM is a really slow Firewall when it comes to IPv6? Everything has to be processed in the CPU as the Network-Processors are not able to process IPv6.
My intention was not to block ICMP, what I need is blocking all packets containing IPv6 destination option in extension header.
Sent from Cisco Technical Support iPhone App