[c-nsp] FWSM and mixed IPv4/IPv6 access-list

Andrew Yourtchenko ayourtch at cisco.com
Thu Mar 5 11:22:44 EST 2009



On Tue, 3 Mar 2009, Justin M. Streiner wrote:

> On Tue, 3 Mar 2009, Leif Sawyer wrote:
>
>>  Is anybody working with FWSM's and mixed-mode IPv4+IPv6 ACL's?
>>
>>  I'm having trouble with traceroute6 not succeeding, but ping6 working
>>  fine:
>
> You might be getting caught by flawed behavior of the FWSM.  I've run into 
> something similar with straight v4 firewall zones where certain flavors of 
> traceroute will be dropped by the blade.  When it was first reported to us, 
> we thought it was a broken fixup, but the behavior persisted after the fixup 
> was disabled.  No word on a fix from Cisco.

traceroute relies on the party that is doing the traceroute being able to 
receive the ICMP TTL expired from all the nodes along the path back to 
the originator. In the presence of nat(ipv4)/ACLs you would need the icmp 
inspection to have it working.

"Classic" traceroute uses UDP as probe packets, but Windows boxes use
ICMP for that purpose. If you had issues with the latter but not with the 
former, CSCsj53485 might be what you were encountering. If it does not 
match what you were experiencing and you have a case#, unicast it to me 
please.

>
> On a somewhat unrelated note, how has the v6 performance been on the FWSMs 
> for you?  Everything I've heard from Cisco and other sources suggests that 
> the v6 packets are much more expensive for the FWSM to forward, so 
> performance would suffer greatly.

Correct.

thanks,
andrew
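
The point in the reply above, that a traceroute only works through a stateful firewall if the box can relate an ICMP "time exceeded" error (which arrives from a transit router the originator never talked to) back to the outbound probe it already permitted, is easy to see in code. The following is an added, constructed example, not code from the post or from Cisco: a toy IPv6 flow table, builders for a classic UDP probe and an ICMPv6 Time Exceeded error quoting it, and two lookups, one that matches only on the outer header and one that parses the quoted original datagram the way an "inspect icmp error"-style feature has to. Addresses, ports and the flow-table representation are all made up; checksums are left zero because nothing here is put on the wire. How the FWSM itself implements this for IPv6 is not described on the page and is not claimed here.

```python
"""Why stateful firewalls need ICMP error inspection for traceroute to work.

Constructed example: simplified IPv6 flow table + ICMPv6 Time Exceeded parser.
Addresses, ports and table contents are invented; checksums are left zero.
"""
import ipaddress
import struct

ICMPV6_TIME_EXCEEDED = 3
IPPROTO_UDP = 17
IPPROTO_ICMPV6 = 58
IPV6_HDR_LEN = 40
UDP_HDR_LEN = 8


def build_ipv6_header(src, dst, next_header, payload_len, hop_limit=64):
    """Fixed 40-byte IPv6 header; version 6, traffic class and flow label zero."""
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


def build_udp_probe(src, dst, sport, dport, payload=b"\x00" * 24):
    """Classic traceroute probe: UDP to a high port, sent with a small hop limit."""
    udp = struct.pack("!HHHH", sport, dport, UDP_HDR_LEN + len(payload), 0) + payload
    return build_ipv6_header(src, dst, IPPROTO_UDP, len(udp), hop_limit=1) + udp


def build_time_exceeded(router, originator, original_datagram):
    """ICMPv6 Time Exceeded (type 3, code 0): 8-byte ICMP header followed by the
    offending datagram (all of it here; real routers quote as much as fits)."""
    icmp = struct.pack("!BBHI", ICMPV6_TIME_EXCEEDED, 0, 0, 0) + original_datagram
    return build_ipv6_header(router, originator, IPPROTO_ICMPV6, len(icmp)) + icmp


def parse_ipv6(packet):
    """Return src/dst/next-header/payload of an IPv6 datagram, or None if truncated."""
    if len(packet) < IPV6_HDR_LEN:
        return None
    _, plen, nh, _, src, dst = struct.unpack("!IHBB16s16s", packet[:IPV6_HDR_LEN])
    return {"src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
            "nh": nh, "payload": packet[IPV6_HDR_LEN:IPV6_HDR_LEN + plen]}


def flow_key(src, dst, proto, sport, dport):
    """Canonical 5-tuple used as the flow-table key (addresses normalised)."""
    return (str(ipaddress.IPv6Address(src)), str(ipaddress.IPv6Address(dst)), proto, sport, dport)


def lookup_outer_only(table, packet):
    """Stateful match on the outer header alone (no ICMP error inspection).
    The error comes from a router the originator never sent anything to, so no
    reverse-direction flow exists and the reply would be dropped."""
    ip = parse_ipv6(packet)
    if ip is None:
        return None
    return table.get(flow_key(ip["dst"], ip["src"], ip["nh"], 0, 0))


def lookup_with_icmp_error_inspection(table, packet):
    """Parse the quoted original datagram inside the ICMPv6 error and match
    *its* 5-tuple against the flow table; this is the job ICMP error inspection
    does, simplified to the UDP-probe case."""
    ip = parse_ipv6(packet)
    if ip is None or ip["nh"] != IPPROTO_ICMPV6:
        return None
    icmp = ip["payload"]
    if len(icmp) < 8 or icmp[0] != ICMPV6_TIME_EXCEEDED:
        return None
    inner = parse_ipv6(icmp[8:])
    if inner is None or inner["nh"] != IPPROTO_UDP or len(inner["payload"]) < 4:
        return None
    sport, dport = struct.unpack("!HH", inner["payload"][:4])
    flow = table.get(flow_key(inner["src"], inner["dst"], IPPROTO_UDP, sport, dport))
    # The error must be addressed to the probe's own sender; otherwise treat it as
    # spoofed or misrouted and do not let it ride on the existing flow.
    if flow is None or ip["dst"] != inner["src"]:
        return None
    return flow


def demo():
    """Constructed scenario: a host traces toward a target through the firewall;
    a transit router answers the hop-limit-1 probe with Time Exceeded."""
    host, target, router = "2001:db8:1::10", "2001:db8:2::20", "2001:db8:ffff::1"
    sport, dport = 40000, 33434
    probe = build_udp_probe(host, target, sport, dport)
    table = {flow_key(host, target, IPPROTO_UDP, sport, dport): "udp-probe-allowed"}
    error = build_time_exceeded(router, host, probe)
    return lookup_outer_only(table, error), lookup_with_icmp_error_inspection(table, error)


if __name__ == "__main__":
    outer, inspected = demo()
    print("outer-header match only:", outer)          # None: traceroute reply dropped
    print("with ICMP error inspection:", inspected)   # udp-probe-allowed: reply passes
```

The same parsing step is what makes the distinction in the reply between UDP-probing and ICMP-probing traceroutes matter: an ICMP echo probe quotes an ICMP header rather than a UDP one inside the error, so an inspection path that only understands one of the two will pass one flavour of traceroute and drop the other.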

