IOS ZBF not allowing IPv6

mocah
Level 1

Hello all,

I am trying to configure Zone Based Firewall (IOS 15.2T) on Cisco 881 router for IPv6. Current setup is simple:

Zone: LAN --> WAN

zone security LAN
zone security WAN
!
class-map type inspect match-any Internet-cmap
 match protocol dns
 match protocol http
 match protocol https
 match protocol icmp
 match protocol ftp
 match protocol pop3
 match protocol pop3s
 match protocol smtp
!
policy-map type inspect Internet-pmap
 class type inspect Internet-cmap
  inspect
!
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect Internet-pmap

Zone: WAN --> self deny everything.

The current configuration behaves as expected for IPv4, but blocks all IPv6 traffic. If zone-security is removed from the WAN interface, IPv6 works normally (connected to the Internet). As soon as zone-security is enabled on the WAN interface, all IPv6 traffic is discarded when connecting to the Internet from the local LAN.

Error messages on console:

Half-open Sessions source destination tcp SIS_OPENING/TCP_SYNSENT

Are there any special settings for ZBF which should be turned on for the IPv6 protocol?

Thank you and kind regards,

Marko

1 Reply

mocah
Level 1

The problem is with the Internet to Self zone. If the zone Internet to Self is removed, IPv6 works.

FW-6-DROP_PKT: Dropping icmpv6 session [FE80::290:1AFF:xxxx:xxxx]:0 [FE80::221:D8FF:xxxx:xxxx]:0 on zone-pair Internet-to-Self class Internet-to-Self-icmpv6-cmap   with ip ident 0

Which rule would allow IPv6 traffic from the Internet to the self zone? I have tried to allow all icmpv6 traffic, but the same error appeared. Only if zone-security Internet to Self is removed does IPv6 work.

Thank you and kind regards,

Marko
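As an added example (not from the original post or from Cisco), a small Python helper that parses FW-6-DROP_PKT messages in the format quoted above, counts drops per zone-pair and class-map, and flags ICMPv6 dropped between link-local addresses, which on the WAN link is normally Neighbor Discovery or Router Advertisement traffic and is the first thing to check when IPv6 dies at the self zone. The sample log lines and addresses are constructed.

```python
import re
import ipaddress
from collections import Counter

# Matches the IOS ZBF drop message quoted in the thread, with or without the
# leading '%' that IOS syslog prints before the facility name.
DROP_RE = re.compile(
    r"%?FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"\[(?P<src>[^\]]+)\]:(?P<sport>\d+) \[(?P<dst>[^\]]+)\]:(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<class_map>\S+)\s+with ip ident (?P<ident>\d+)"
)

def parse_drop(line):
    """Return the fields of a FW-6-DROP_PKT line as a dict, or None if it is not one."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    rec["ip_version"] = src.version
    # ICMPv6 between two link-local (fe80::/10) addresses on the WAN link is
    # almost always Neighbor Discovery or Router Advertisement; dropping it at
    # the self zone breaks IPv6 even when every other zone-pair policy is right.
    rec["likely_nd"] = (rec["proto"] == "icmpv6"
                        and src.is_link_local and dst.is_link_local)
    return rec

def summarize(lines):
    """Count drops per (zone-pair, class-map) and collect link-local ICMPv6 drops."""
    counts = Counter()
    nd_drops = []
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        counts[(rec["zone_pair"], rec["class_map"])] += 1
        if rec["likely_nd"]:
            nd_drops.append((rec["src"], rec["dst"]))
    return counts, nd_drops

# Constructed sample console output in the format quoted in the thread (addresses made up).
SAMPLE_LOG = [
    "FW-6-DROP_PKT: Dropping icmpv6 session [FE80::290:1AFF:FE11:2233]:0 [FE80::221:D8FF:FE44:5566]:0 on zone-pair Internet-to-Self class Internet-to-Self-icmpv6-cmap   with ip ident 0",
    "%FW-6-DROP_PKT: Dropping tcp session [203.0.113.10]:44512 [198.51.100.5]:22 on zone-pair Internet-to-Self class class-default   with ip ident 0",
    "%LINK-3-UPDOWN: Interface FastEthernet4, changed state to up",
]
```

Run summarize(SAMPLE_LOG) against a pasted console capture; any entry in the second return value points at a class-map on the WAN-to-self zone-pair that is discarding Neighbor Discovery.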
