Permitting Outside Ping And Response To Router - ZBFW - Self Zone

I am trying to permit an ICMP ping from Hurricane Electric to keep my IPv6 tunnel alive. I am stumped on how to permit this ping and reply from a certain IPv4 address they use to the router's self zone with Zone Based Firewall. Any suggestions?

 

Richard H. Shores

 


Francesco Molino
VIP Alumni

Hi

 

You'll need to create an acl that will allow that traffic, create a class-map which will refer to the acl created and use the pass keyword.

This class-map will be used on the policy you're using today from zone outside to self.

 

If you want help on your config, please share your actual config.

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks for your willingness to help. I tried several acl combinations to use with the out to self policy and nothing worked. I have attached a sanitized version of my router's current running config. Please note that in the config, I am not using ZBFW for the IPv6 traffic, and using CBAC for it.

 

Best regards,

 

Richard

Can you share the config you've tried to avoid losing time?

The icmp you want to allow is IPv4 based right? It's to maintain the IPv6 tunnel UP?

 

Let's assume the remote ipv4 is 1.1.1.1 and your local public ip is 2.2.2.2

 

! One ACL per direction: "pass" is stateless, so the reply is not matched automatically
ip access-list extended ICMP-TUNNEL-IN
 permit icmp host 1.1.1.1 host 2.2.2.2
ip access-list extended ICMP-TUNNEL-OUT
 permit icmp host 2.2.2.2 host 1.1.1.1
!
! Class-maps that match on the ACLs above
class-map type inspect icmp-tunnel-in
 match access-group name ICMP-TUNNEL-IN
class-map type inspect icmp-tunnel-out
 match access-group name ICMP-TUNNEL-OUT
!
! Add the classes to the existing CCP self-zone policies
! ccp-permit: outside -> self (the ping from 1.1.1.1)
policy-map type inspect ccp-permit
  class type inspect icmp-tunnel-in
    pass
! ccp-permit-icmpreply: self -> outside (the router's reply)
policy-map type inspect ccp-permit-icmpreply
  class type inspect icmp-tunnel-out
    pass

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
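A small checker, added here as an example and not part of the thread, that parses an IOS ZBFW snippet like the one above and reports which self-zone direction still lacks a pass for the keepalive ICMP; since pass creates no session, the echo (outside to self) and the echo-reply (self to outside) each need their own permit, which is the one-way mistake that leaves the tunnel down. The constructed sample uses the addresses Francesco assumed (1.1.1.1 and 2.2.2.2) and the CCP policy names ccp-permit and ccp-permit-icmpreply.

```python
import re

# Constructed sample: only the inbound half of the fix. The broker's echo is
# passed outside->self but nothing passes the echo-reply self->outside.
INBOUND_ONLY = """\
ip access-list extended ICMP-TUNNEL-IN
 permit icmp host 1.1.1.1 host 2.2.2.2
class-map type inspect icmp-tunnel-in
 match access-group name ICMP-TUNNEL-IN
policy-map type inspect ccp-permit
  class type inspect icmp-tunnel-in
    pass
  class class-default
    drop
"""
SECTION = re.compile(r"(ip access-list extended|class-map type inspect(?: match-\w+)?"
                     r"|policy-map type inspect) (\S+)$")

def parse_ios(config):
    """ACL entries, inspect class-map -> ACL name, inspect policy-map -> {class: action}."""
    acls, classes, policies = {}, {}, {}
    section = cls = None
    for line in config.splitlines():
        if not line.startswith(" "):  # an unindented line opens or ends a section
            m = SECTION.match(line)
            section = (m.group(1).split()[0], m.group(2)) if m else None
        elif section and section[0] == "ip":
            acls.setdefault(section[1], []).append(line.strip())
        elif section and section[0] == "class-map" and "access-group name" in line:
            classes[section[1]] = line.split()[-1]
        elif section and section[0] == "policy-map":
            if line.strip().startswith("class "):  # "class type inspect X" / "class class-default"
                cls = line.split()[-1]
            elif line.strip() in ("pass", "inspect", "drop"):
                policies.setdefault(section[1], {})[cls] = line.strip()
    return acls, classes, policies

def icmp_passed(policy, src, dst, cfg):
    """True if `policy` has a pass class whose ACL permits ICMP src->dst (pass is stateless)."""
    acls, classes, policies = cfg
    return any(action == "pass" and
               f"permit icmp host {src} host {dst}" in acls.get(classes.get(c), [])
               for c, action in policies.get(policy, {}).items())

def missing_keepalive_dirs(config, remote, local,
                           in_policy="ccp-permit", out_policy="ccp-permit-icmpreply"):
    """Self-zone directions that still block the keepalive; CCP policy names by default."""
    cfg = parse_ios(config)
    wanted = [(in_policy, remote, local, "echo"), (out_policy, local, remote, "echo-reply")]
    return [f"{p}: {k} {s} -> {d}" for p, s, d, k in wanted if not icmp_passed(p, s, d, cfg)]
```

Run it against a sanitized running config and an empty result means both directions of the ping are passed; anything listed is the policy that still needs the class added.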

Hello Francesco,

 

I was able to get the problem resolved with the information you provided for the access lists (changing the ip addresses), class maps, and additions to policy maps.

 

Thank you for taking the time to help. It is greatly appreciated.

 

Richard

 

Glad that your issue is solved

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question