[c-nsp] FWSM and mixed IPv4/IPv6 access-list

Leif Sawyer lsawyer at gci.com
Tue Mar 3 20:19:58 EST 2009


Is anybody working with FWSMs and mixed-mode IPv4+IPv6 ACLs?

I'm having trouble with traceroute6 not succeeding, but ping6 working fine:

access-list From_Internet extended permit udp any range 32768 65535 object-group NMS-HOSTS range 33434 33523 log
access-list From_Internet extended permit icmp any object-group NMS-HOSTS log
!
access-list PERMIT_ANY extended permit ip any any log
!
ipv6 access-list V6_From_Internet permit udp any range 32768 65535 object-group V6-NMS-HOSTS range 33434 33523 log
ipv6 access-list V6_From_Internet permit icmp6 any object-group V6-NMS-HOSTS log
!
ipv6 access-list V6_PERMIT_ANY permit ip any any log
!
! for testing, allow anything outbound...
!
access-group PERMIT_ANY in interface inside
access-group V6_PERMIT_ANY in interface inside
!
!
access-group From_Internet in interface outside
access-group V6_From_Internet in interface outside
!
ipv6 icmp permit any inside
ipv6 icmp permit any outside
icmp permit any inside
icmp permit any outside


object-group NMS-HOSTS :== V6-NMS-HOSTS for the appropriate protocol.


I'm running FWSM 4.0(4) on top of 12.2.33(SXI) on my 6509.


The above is cut verbatim, but slightly re-arranged. telnet/ssh work from the inside -> outside as well.


Here's the output from the FWSM. First, the successful IPv4, then the failed IPv6.
The source hosts and destination hosts are equivalent.

Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted
udp inside/192.168.1.127(60219) -> outside/192.168.3.1(33434) hit-cnt 1
(first hit) [0xd136324, 0x0]
Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted
udp inside/192.168.1.127(38690) -> outside/192.168.3.1(33435) hit-cnt 1
(first hit) [0xd136324, 0x0]
Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted
udp inside/192.168.1.127(60005) -> outside/192.168.3.1(33436) hit-cnt 1
(first hit) [0xd136324, 0x0]
Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted
udp inside/192.168.1.127(53862) -> outside/192.168.3.1(33437) hit-cnt 1
(first hit) [0xd136324, 0x0]
Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted
udp inside/192.168.1.127(35579) -> outside/192.168.3.1(33438) hit-cnt 1
(first hit) [0xd136324, 0x0]
Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted
udp inside/192.168.1.127(57635) -> outside/192.168.3.1(33439) hit-cnt 1
(first hit) [0xd136324, 0x0]
Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted
udp inside/192.168.1.127(59543) -> outside/192.168.3.1(33440) hit-cnt 1
(first hit) [0xd136324, 0x0]
Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted
udp inside/192.168.1.127(42568) -> outside/192.168.3.1(33441) hit-cnt 1
(first hit) [0xd136324, 0x0]
Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted
udp inside/192.168.1.127(45739) -> outside/192.168.3.1(33442) hit-cnt 1
(first hit) [0xd136324, 0x0]
Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted
udp inside/192.168.1.127(38052) -> outside/192.168.3.1(33443) hit-cnt 1
(first hit) [0xd136324, 0x0]
Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list From_Internet
permitted icmp outside/192.168.3.1(0) -> inside/192.168.1.127(3) hit-cnt
1 (first hit) [0x64d8ffc5, 0x5a3e207a]
Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted
udp inside/192.168.1.127(50556) -> outside/192.168.3.1(33444) hit-cnt 1
(first hit) [0xd136324, 0x0]



Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(50928) ->
outside/2001:dead:beef:cafe::1(33434) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(40298) ->
outside/2001:dead:beef:cafe::1(33435) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(59693) ->
outside/2001:dead:beef:cafe::1(33436) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(53347) ->
outside/2001:dead:beef:cafe::1(33437) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(40017) ->
outside/2001:dead:beef:cafe::1(33438) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(35667) ->
outside/2001:dead:beef:cafe::1(33439) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(36459) ->
outside/2001:dead:beef:cafe::1(33440) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(45750) ->
outside/2001:dead:beef:cafe::1(33441) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(59125) ->
outside/2001:dead:beef:cafe::1(33442) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(34934) ->
outside/2001:dead:beef:cafe::1(33443) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(48452) ->
outside/2001:dead:beef:cafe::1(33444) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(44628) ->
outside/2001:dead:beef:cafe::1(33445) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(33027) ->
outside/2001:dead:beef:cafe::1(33446) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(45131) ->
outside/2001:dead:beef:cafe::1(33447) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(52958) ->
outside/2001:dead:beef:cafe::1(33448) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY
permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(33004) ->
outside/2001:dead:beef:cafe::1(33449) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src
outside:2001:dead:beef:cafe::1 dst
inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by
access-group "V6_From_Internet"
Mar  3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src
outside:2001:dead:beef:cafe::1 dst
inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by
access-group "V6_From_Internet"
Mar  3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src
outside:2001:dead:beef:cafe::1 dst
inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by
access-group "V6_From_Internet"
Mar  3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src
outside:2001:dead:beef:cafe::1 dst
inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by
access-group "V6_From_Internet"
Mar  3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src
outside:2001:dead:beef:cafe::1 dst
inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by
access-group "V6_From_Internet"
Mar  3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src
outside:2001:dead:beef:cafe::1 dst
inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by
access-group "V6_From_Internet"
Mar  3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src
outside:2001:dead:beef:cafe::1 dst
inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by
access-group "V6_From_Internet"
Mar  3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src
outside:2001:dead:beef:cafe::1 dst
inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by
access-group "V6_From_Internet"
Mar  3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src
outside:2001:dead:beef:cafe::1 dst
inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by
access-group "V6_From_Internet"
Mar  3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src
outside:2001:dead:beef:cafe::1 dst
inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by
access-group "V6_From_Internet"
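The denied ICMPv6 packets in the log above are type 1, code 4 (Destination Unreachable, Port Unreachable), which is exactly the reply a UDP traceroute6 needs from the final hop, so dropping it is enough to make traceroute6 fail while ping6 still works. As an added example that is not part of the original post, the script below correlates FWSM 106100/106023 syslog records (the four sample lines are taken from the post, re-joined onto single lines) to show which probe sources had their ICMP return path blocked; the helper name and report fields are mine.

```python
import re
from collections import defaultdict

# FWSM syslog formats as they appear in the post (e-mail line wraps re-joined).
# 106100 carries the ACL verdict and 5-tuple; for ICMP the "ports" hold type/code.
RE_106100 = re.compile(
    r"%FWSM-6-106100: access-list (?P<acl>\S+) (?P<verdict>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>\w+)/(?P<src>\S+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dst>\S+)\((?P<dport>\d+)\)")
# 106023 is the deny-by-access-group message, with explicit ICMP type and code.
RE_106023 = re.compile(
    r"%FWSM-4-106023: Deny (?P<proto>\w+) src (?P<sif>\w+):(?P<src>\S+) "
    r"dst (?P<dif>\w+):(?P<dst>\S+) \(type (?P<type>\d+), code (?P<code>\d+)\) "
    r'by access-group "(?P<acl>\S+)"')
TRACEROUTE_PORTS = range(33434, 33524)  # UDP destination range from the post's ACLs

# Four records taken from the post above, each re-joined onto a single line.
SAMPLE = """\
Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list PERMIT_ANY permitted udp inside/192.168.1.127(60219) -> outside/192.168.3.1(33434) hit-cnt 1 (first hit) [0xd136324, 0x0]
Mar  3 16:16:55 fwsm : %FWSM-6-106100: access-list From_Internet permitted icmp outside/192.168.3.1(0) -> inside/192.168.1.127(3) hit-cnt 1 (first hit) [0x64d8ffc5, 0x5a3e207a]
Mar  3 16:09:11 fwsm : %FWSM-6-106100: access-list V6_PERMIT_ANY permitted udp inside/2001:dead:beef:3:204:23ff:deaf:bead(50928) -> outside/2001:dead:beef:cafe::1(33434) hit-cnt 1 first hit
Mar  3 16:09:11 fwsm : %FWSM-4-106023: Deny icmp src outside:2001:dead:beef:cafe::1 dst inside:2001:dead:beef:3:204:23ff:deaf:bead (type 1, code 4) by access-group "V6_From_Internet"
""".splitlines()

def analyse(lines):
    """Pair outbound UDP traceroute probes with ICMP replies to the prober and report drops."""
    probes = defaultdict(int)          # (probe src, probe dst) -> probe count
    permitted_icmp = defaultdict(int)  # probing host -> permitted ICMP replies
    denied_icmp = defaultdict(list)    # probing host -> [(type, code, acl)]
    for line in lines:
        m = RE_106100.search(line)
        if m:
            d = m.groupdict()
            if d["proto"] == "udp" and d["verdict"] == "permitted" \
                    and int(d["dport"]) in TRACEROUTE_PORTS:
                probes[(d["src"], d["dst"])] += 1
            elif d["proto"] in ("icmp", "icmp6") and d["verdict"] == "permitted":
                permitted_icmp[d["dst"]] += 1
            continue
        m = RE_106023.search(line)
        if m and m.group("proto") in ("icmp", "icmp6"):
            denied_icmp[m.group("dst")].append(
                (int(m.group("type")), int(m.group("code")), m.group("acl")))
    # traceroute cannot complete when every reply to the prober is dropped
    return {(src, dst): {
                "probes": n,
                "icmp_replies_permitted": permitted_icmp.get(src, 0),
                "icmp_replies_denied": denied_icmp.get(src, []),
                "return_path_blocked": bool(denied_icmp.get(src)) and not permitted_icmp.get(src)}
            for (src, dst), n in probes.items()}
```

Run against a full syslog export, the `icmp_replies_denied` list names the access-group responsible, which points at the rule to inspect (here `V6_From_Internet`) rather than the outbound ACL that the UDP probes passed.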

