[c-nsp] FWSM and mixed IPv4/IPv6 access-list
Andrew Yourtchenko
ayourtch at cisco.com
Thu Mar 5 11:22:44 EST 2009
On Tue, 3 Mar 2009, Justin M. Streiner wrote:
> On Tue, 3 Mar 2009, Leif Sawyer wrote:
>
>> Is anybody working with FWSM's and mixed-mode IPv4+IPv6 ACL's?
>>
>> I'm having trouble with traceroute6 not succeeding, but ping6 working
>> fine:
>
> You might be getting caught by flawed behavior of the FWSM. I've run into
> something similar with straight v4 firewall zones where certain flavors of
> traceroute will be dropped by the blade. When it was first reported to us,
> we thought is was a broken fixup, but the behavior persisted after the fixup
> was disabled. No word on a fix from Cisco.
traceroute relies on the party that is doing the traceroute being able to
receive the ICMP TTL expired from all the nodes along the path back to
the originator. In the presence of nat(ipv4)/ACLs you would need the icmp
inspection to have it working.
"Classic" traceroute uses UDP as probe packets, but windows boxes use
ICMP for that purpose. If you had issues with the latter but not with the
former, CSCsj53485 might be what you were encountering. If it does not
match what you were experiencing and you have a case#, unicast it to me
please.
>
> On a somewhat unrelated note, how has the v6 performance been on the FWSMs
> for you? Everything I've heard from Cisco and other sources suggests that
> the v6 packets are much more expensive for the FWSM to forward, so
> performance would suffer greatly.
Correct.
thanks,
andrew
More information about the cisco-nsp
mailing list