[c-nsp] ASA ipv6 + icmp types
Andrew Yourtchenko
ayourtch at cisco.com
Wed Jan 13 08:11:07 EST 2010
On Tue, 12 Jan 2010, Dale W. Carder wrote:
> On Jan 11, 2010, at 1:41 PM, Brandon Applegate wrote:
>
>> So I'm playing around with ipv6 on the ASA. I'm running the latest
>> code (8.2(1)). And in trying to get traceroutes and pings 'through' the
>> ASA, I've found that icmp-types are translated to 'english' but using
>> the ipv4 codes. I.e. code 3 for ipv6 is time-exceeded but shows up in config
>> as unreachable (because unreachable == 3 in ipv4).
>>
>> I'm guessing I should open a TAC case and complain? You could call it a cosmetic issue, but I see myself making mistakes because the burden is on me to translate the icmp types as I enter config :(
>
> I would certainly open a tac case and insist on getting a bug id.
Yeah, I asked Brandon unicast to open a new case and get me the #.
However: the issue comes from the icmp-type object group being a separate
entity from an ACL, that is not context-aware ("www" is always 80), and
it can not really be "fixed": if you were to use the same icmp-type OG in
the IPv4 and IPv6 ACL, what should the type "3" correspond to in the
running config within that object group? There's not always a 1:1 mapping
between ICMPv4 and ICMPv6.
So it is not as black and white as printing IPv4 instead of IPv6,
unfortunately...
Looks like the only approach might be creating a new object-group kind
"icmp6-type" - and make the CLI not accept the "icmp-type" object group
for the IPv6 ACLs.
cheers,
andrew