[c-nsp] IPv6 Stateful IOS Firewall
David Freedman
2011-07-13 08:57:47 UTC
According to the documentation at

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-sec_trfltr_fw_ps10592_TSD_Products_Configuration_Guide_Chapter.html

The following should suffice as a simple stateful IPv6 firewall (no
reflection or zoning):

!
ipv6 unicast-routing
ipv6 cef
ipv6 inspect udp idle-time 120
ipv6 inspect tcp max-incomplete host 250 block-time 0
ipv6 inspect name cbac-ipv6 tcp
ipv6 inspect name cbac-ipv6 udp
ipv6 inspect name cbac-ipv6 icmp
ipv6 inspect name cbac-ipv6 ftp
!
int X/Y
desc WAN
ipv6 enable
ipv6 traffic-filter ipv6-internet-in in
ipv6 inspect cbac-ipv6 out
!
ipv6 access-list ipv6-internet-in
permit icmp fe80::/64 any nd-na
permit icmp fe80::/64 any nd-ns
deny ipv6 any any log
!

However, this results in some odd behaviour: when "debug ipv6 inspect
detailed" is enabled and traffic is sent through the firewall, the
following message is logged for every packet:

Jul 13 09:54:14 BST: FIREWALL: acl or insp_list not found

Can somebody tell me what I'm missing?


#sh ver | in UNIV
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M2, RELEASE SOFTWARE (fc2)

#sh lic
Index 1 Feature: ipbasek9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 2 Feature: securityk9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 3 Feature: datak9
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: None
Index 4 Feature: SSL_VPN
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Count: 75/0/0 (Active/In-use/Violation)
License Priority: None
Index 5 Feature: ios-ips-update


Thanks in advance


Dave.

_______________________________________________
cisco-nsp mailing list cisco-***@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
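Before blaming the platform, one thing worth ruling out is a mismatch between the names applied on the interface and the global definitions. The checker below is an added example (not from this thread or from Cisco) that parses an IOS snippet, verifies that every `ipv6 inspect` and `ipv6 traffic-filter` reference on an interface resolves to a defined rule or ACL, and flags an inspect rule with no traffic-filter facing the other way; the interface name and sample config are constructed from the post.

```python
import re
# Constructed sample: the posted config with a concrete interface name for "int X/Y".
SAMPLE_CONFIG = """\
ipv6 inspect name cbac-ipv6 tcp
ipv6 inspect name cbac-ipv6 udp
!
interface GigabitEthernet0/0
 ipv6 traffic-filter ipv6-internet-in in
 ipv6 inspect cbac-ipv6 out
!
ipv6 access-list ipv6-internet-in
 permit icmp fe80::/64 any nd-na
 deny ipv6 any any log
"""

def parse_ios(text):
    """Collect inspect rule names, ACL names and per-interface references."""
    rules, acls, ifaces, current = set(), set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "!":                       # "!" closes an interface block
            current = None
        elif m := re.match(r"ipv6 inspect name (\S+) \S+", line):
            rules.add(m.group(1))
        elif m := re.match(r"ipv6 access-list (\S+)$", line):
            acls.add(m.group(1))
        elif m := re.match(r"int(?:erface)? (\S+)", line):
            current = m.group(1)
            ifaces[current] = []
        elif current and (m := re.match(r"ipv6 traffic-filter (\S+) (in|out)$", line)):
            ifaces[current].append(("acl", m.group(1), m.group(2)))
        elif current and (m := re.match(r"ipv6 inspect (\S+) (in|out)$", line)):
            ifaces[current].append(("inspect", m.group(1), m.group(2)))
    return rules, acls, ifaces

def lint(text):
    """Return findings; an empty list means every reference resolves and pairs up."""
    rules, acls, ifaces = parse_ios(text)
    findings = []
    for iface, refs in ifaces.items():
        for kind, name, direction in refs:
            if name not in (rules if kind == "inspect" else acls):
                findings.append(f"{iface}: {kind} '{name}' ({direction}) is not defined")
        applied = {(kind, direction) for kind, _, direction in refs}
        # CBAC only helps by opening return-traffic holes in an ACL that faces
        # the other way; inspection without that ACL leaves the interface open.
        for kind, direction in applied:
            if kind == "inspect" and ("acl", "in" if direction == "out" else "out") not in applied:
                findings.append(f"{iface}: inspect {direction} has no opposite-direction traffic-filter")
    return findings
```

Run `lint()` over the output of `show running-config`; the posted config as written passes, while a misspelled inspect name or a missing inbound traffic-filter is reported per interface.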
-Hammer-
2011-07-13 14:16:45 UTC
If anyone is interested, I've been building an IPv6-specific router
config/template for routing and security. I've been trying to work with
Team Cymru but progress is slow. Looking for collaborators....

Ping me offline if interested.

-Hammer-

"I was a normal American nerd"
-Jack Herer