06-22-2016 07:51 PM - edited 03-12-2019 12:56 AM
I'm trying to configure IPv6 packet inspection on a 2911 router (IOS 15.1(2)T5) but I'm unable to inspect router-generated traffic. There isn't an option "ipv6 inspect name xxxx udp router-traffic" as in IPv4. Thus I'm unable to ping from the router to a remote host.
I could solve the ping problem by simply adding a "permit icmp any any echo-reply" on my ACL, but I'm still unable to access TCP or UDP-based services (DNS, HTTP...).
Does anyone know if it is possible to enable IPv6 router-generated traffic, or is there any other solution for this problem? If so, how can I do that?
Partial configuration:
ipv6 unicast-routing
ipv6 inspect name SPI_DIALER1_OUT tcp
ipv6 inspect name SPI_DIALER1_OUT udp
ipv6 inspect name SPI_DIALER1_OUT icmp
ipv6 inspect name SPI_DIALER1_OUT ftp
!
interface Dialer1
 ipv6 inspect SPI_DIALER1_OUT out
 ipv6 traffic-filter acl6_dialer1_in in
!
ipv6 access-list acl6_dialer1_in
 sequence 10 permit icmp any any nd-ns
 sequence 20 permit icmp any any nd-na
 sequence 30 permit icmp any any router-advertisement
 sequence 40 permit icmp any any echo-reply
 deny ipv6 any any log
06-22-2016 09:27 PM
The old Cisco IOS "inspect" system has effectively been deprecated. You should be using zone based firewalling now.
Here is the guide for IPv6 zone based firewall support.
If you want to get up to speed more quickly for ipv4 zone based firewall, try using my Config Wizard and copying the bits you need.
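Worked example (added by the editor; it is not part of the reply above, the linked guide, or the Config Wizard): the original "ipv6 inspect" configuration rewritten as an IPv6 zone-based firewall. In zone-based firewalling the router's own traffic belongs to the predefined "self" zone, so the missing "router-traffic" keyword is replaced by a zone-pair from self to the outside zone that inspects the router's DNS, HTTP and ping and lets the replies back in. Zone, class-map, policy-map and ACL names are assumed, as is GigabitEthernet0/0 as the LAN interface; Dialer1 comes from the question. The image must support IPv6 zone-based firewall.

```ios
! Added example: IPv6 zone-based firewall replacing the legacy "ipv6 inspect"
! setup from the question. Names below are assumed; GigabitEthernet0/0 is an
! assumed LAN interface, Dialer1 is the WAN interface from the question.
ipv6 unicast-routing
!
! Remove the legacy CBAC inspect and the interface filter first. An interface
! cannot carry both "ipv6 inspect" and a zone-member, and an inbound
! traffic-filter is evaluated ahead of the zone policy, so it would still
! drop the return traffic that the zone policy has already accepted.
interface Dialer1
 no ipv6 inspect SPI_DIALER1_OUT out
 no ipv6 traffic-filter acl6_dialer1_in in
!
zone security INSIDE
zone security OUTSIDE
! "self" is predefined for traffic sourced by or destined to the router itself.
!
! ICMPv6 the router must exchange unsolicited with its upstream neighbour
! (mirrors the explicit permits from the original ACL).
ipv6 access-list ACL6_ND_RA
 permit icmp any any nd-ns
 permit icmp any any nd-na
 permit icmp any any router-advertisement
!
class-map type inspect match-any CM_INSPECT
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
!
class-map type inspect match-any CM_ND_RA
 match access-group name ACL6_ND_RA
!
! LAN -> Internet: stateful inspection; replies are matched against the
! session table, no inbound ACL needed.
policy-map type inspect PM_INSIDE_OUTSIDE
 class type inspect CM_INSPECT
  inspect
 class class-default
  drop log
!
! Router -> Internet: the part "ipv6 inspect ... router-traffic" could not
! express. Neighbour discovery is passed (pass is one-directional, so it is
! repeated in the reverse policy); everything else is inspected so that DNS,
! HTTP and echo replies to the router are accepted.
policy-map type inspect PM_SELF_OUTSIDE
 class type inspect CM_ND_RA
  pass
 class type inspect CM_INSPECT
  inspect
 class class-default
  drop log
!
! Internet -> Router: only ND and RAs are accepted unsolicited; anything else
! has to belong to a session opened by PM_SELF_OUTSIDE.
policy-map type inspect PM_OUTSIDE_SELF
 class type inspect CM_ND_RA
  pass
 class class-default
  drop log
!
zone-pair security INSIDE_OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect PM_INSIDE_OUTSIDE
zone-pair security SELF_OUTSIDE source self destination OUTSIDE
 service-policy type inspect PM_SELF_OUTSIDE
zone-pair security OUTSIDE_SELF source OUTSIDE destination self
 service-policy type inspect PM_OUTSIDE_SELF
! Deliberately no OUTSIDE -> INSIDE zone-pair: traffic between two zones
! with no zone-pair is dropped.
!
interface GigabitEthernet0/0
 zone-member security INSIDE
interface Dialer1
 zone-member security OUTSIDE
```

Two caveats worth checking on the box. First, if the image rejects "inspect" inside a policy attached to a self zone-pair (older releases only allowed pass and drop there), the fallback is "pass" in both PM_SELF_OUTSIDE and PM_OUTSIDE_SELF restricted by an IPv6 ACL to the reply traffic you need, which is weaker than stateful inspection. Second, once a zone-pair to or from self exists, the default permit for router traffic no longer applies to the covered direction, so anything the router itself needs from the Internet that is not ND, RA or a reply to its own session (for example a DHCPv6 prefix delegation exchange on a PPPoE dialer) has to be added to PM_OUTSIDE_SELF explicitly. Verify with "show zone-pair security" and "show policy-map type inspect zone-pair sessions" while pinging or resolving a name from the router.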