[c-nsp] IPv6 Stateful IOS Firewall
David Freedman
david.freedman at uk.clara.net
Wed Jul 13 04:57:47 EDT 2011
According to the documentation at
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-sec_trfltr_fw_ps10592_TSD_Products_Configuration_Guide_Chapter.html
The following should suffice as a simple stateful IPv6 firewall (no
reflection or zoning):
!
ipv6 unicast-routing
ipv6 cef
ipv6 inspect udp idle-time 120
ipv6 inspect tcp max-incomplete host 250 block-time 0
ipv6 inspect name cbac-ipv6 tcp
ipv6 inspect name cbac-ipv6 udp
ipv6 inspect name cbac-ipv6 icmp
ipv6 inspect name cbac-ipv6 ftp
!
int X/Y
 desc WAN
 ipv6 enable
 ipv6 traffic-filter ipv6-internet-in in
 ipv6 inspect cbac-ipv6 out
!
ipv6 access-list ipv6-internet-in
permit icmp fe80::/64 any nd-na
permit icmp fe80::/64 any nd-ns
deny ipv6 any any log
!
However, this results in some odd behaviour: when "debug ipv6 inspect
detailed" is enabled and traffic is sent through the firewall, the
following message is logged for every packet:
Jul 13 09:54:14 BST: FIREWALL: acl or insp_list not found
Can somebody tell me what I'm missing?
#sh ver | in UNIV
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version
15.0(1)M2, RELEASE SOFTWARE (fc2)
#sh lic
Index 1 Feature: ipbasek9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 2 Feature: securityk9
Period left: Life time
License Type: Permanent
License State: Active, In Use
License Count: Non-Counted
License Priority: Medium
Index 3 Feature: datak9
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Count: Non-Counted
License Priority: None
Index 4 Feature: SSL_VPN
Period left: 8 weeks 4 days
License Type: Evaluation
License State: Active, Not in Use, EULA not accepted
License Count: 75/0/0 (Active/In-use/Violation)
License Priority: None
Index 5 Feature: ios-ips-update
Thanks in advance
Dave.
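An added example, not part of Dave's post and not an answer to the debug message: the same inbound ACL extended with the ICMPv6 types an IPv6 edge filter normally has to let through. The point worth knowing is that an explicit "deny ipv6 any any" at the end of an IOS IPv6 ACL also overrides the implicit nd-na/nd-ns permits, which is why the neighbor-discovery lines must stay explicit, and that IPv6 routers never fragment, so blocking packet-too-big silently breaks path MTU discovery for any flow the inspect rule opens. The interface and ACL names are kept from the post; the extra entries are general IPv6 practice, not something the original thread states.

```cisco
! Added example (not from the original post). Same WAN interface and ACL
! name as in the post; the extra ICMPv6 entries are general IPv6 practice.
ipv6 access-list ipv6-internet-in
 ! Neighbor discovery: an explicit deny at the end of an IOS IPv6 ACL
 ! also removes the implicit nd-na/nd-ns permits, so keep these explicit.
 permit icmp fe80::/64 any nd-na
 permit icmp fe80::/64 any nd-ns
 ! Router advertisements from the upstream's link-local address, only if
 ! the WAN side learns its default route via RA (drop this line otherwise).
 permit icmp fe80::/64 any router-advertisement
 ! Error messages needed for path MTU discovery and traceroute. IPv6
 ! routers do not fragment, so dropping packet-too-big breaks large flows.
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 ! Optional: allow inbound ping so the WAN address is reachable for
 ! diagnostics; omit if the edge should not answer echo requests.
 permit icmp any any echo-request
 ! Everything else that is not a return flow opened by the inspect rule.
 deny ipv6 any any log
!
interface X/Y
 description WAN
 ipv6 enable
 ipv6 traffic-filter ipv6-internet-in in
 ipv6 inspect cbac-ipv6 out
```

Return traffic for sessions opened from the inside is matched by the dynamic entries the inspect rule creates before the static ACL is consulted, so nothing in the list above needs to permit it; "show ipv6 inspect sessions" lists those dynamic sessions and "show ipv6 access-list ipv6-internet-in" shows hit counts for the static entries, which is the quickest way to see whether a flow is being dropped by the ACL or never reaching the inspection engine.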