[c-nsp] IPv6 Stateful IOS Firewall

-Hammer- bhmccie at gmail.com
Wed Jul 13 10:16:45 EDT 2011


If anyone is interested, I've been building an IPv6-specific router 
config/template for routing and security. I've been trying to work with 
Team Cymru, but progress is slow. Looking for collaborators...

Ping me offline if interested.

-Hammer-

"I was a normal American nerd"
-Jack Herer



On 07/13/2011 03:57 AM, David Freedman wrote:
> According to the documentation at
>
> http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-sec_trfltr_fw_ps10592_TSD_Products_Configuration_Guide_Chapter.html
>
> The following should suffice as a simple stateful IPv6 firewall (no
> reflection or zoning):
>
> !
> ipv6 unicast-routing
> ipv6 cef
> ipv6 inspect udp idle-time 120
> ipv6 inspect tcp max-incomplete host 250 block-time 0
> ipv6 inspect name cbac-ipv6 tcp
> ipv6 inspect name cbac-ipv6 udp
> ipv6 inspect name cbac-ipv6 icmp
> ipv6 inspect name cbac-ipv6 ftp
> !
> int X/Y
>   desc WAN
>   ipv6 enable
>   ipv6 traffic-filter ipv6-internet-in in
>   ipv6 inspect cbac-ipv6 out
> !
> ipv6 access-list ipv6-internet-in
>   permit icmp fe80::/64 any nd-na
>   permit icmp fe80::/64 any nd-ns
>   deny ipv6 any any log
> !
>
> However, this results in some odd behaviour: when "debug ipv6 inspect
> detailed" is enabled and traffic is sent through the firewall, the
> following message is logged for every packet:
>
> Jul 13 09:54:14 BST: FIREWALL: acl or insp_list not found
>
> Can somebody tell me what I'm missing?
>
>
> #sh ver | in UNIV
> Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version
> 15.0(1)M2, RELEASE SOFTWARE (fc2)
>
> #sh lic
> Index 1 Feature: ipbasek9
>          Period left: Life time
>          License Type: Permanent
>          License State: Active, In Use
>          License Count: Non-Counted
>          License Priority: Medium
> Index 2 Feature: securityk9
>          Period left: Life time
>          License Type: Permanent
>          License State: Active, In Use
>          License Count: Non-Counted
>          License Priority: Medium
> Index 3 Feature: datak9
>          Period left: 8  weeks 4  days
>          License Type: Evaluation
>          License State: Active, Not in Use, EULA not accepted
>          License Count: Non-Counted
>          License Priority: None
> Index 4 Feature: SSL_VPN
>          Period left: 8  weeks 4  days
>          License Type: Evaluation
>          License State: Active, Not in Use, EULA not accepted
>          License Count: 75/0/0  (Active/In-use/Violation)
>          License Priority: None
> Index 5 Feature: ios-ips-update
>
>
> Thanks in advance
>
>
> Dave.
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
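The quoted config applies an inspect rule and a traffic filter by name on the WAN interface, and the debug output complains that an ACL or inspect list was not found. Whatever the root cause on that box turns out to be, the first thing to verify in any CBAC-style config is that every name referenced on an interface is actually defined at global level, and that the classic pattern (inspect in one direction, an access-list in the other so the inspection has a filter to open holes in) is in place. The following linter is an added example, not code from the thread or from Cisco; the parser is deliberately minimal and only understands the handful of commands in David's snippet (`ipv6 inspect name`, `ipv6 access-list`, `int`, `ipv6 traffic-filter`, `ipv6 inspect <name> in|out`). The second sample config is a constructed variant with a mistyped inspect name on the interface.

```python
"""Lint an IOS IPv6 CBAC-style config for dangling name references.

Added example for the thread above; the parser only recognises the
commands present in the quoted config and is not a general IOS parser.
"""
import re
from dataclasses import dataclass, field

# Config as posted in the thread, embedded here as sample input.
SAMPLE_OK = """\
!
ipv6 unicast-routing
ipv6 cef
ipv6 inspect udp idle-time 120
ipv6 inspect tcp max-incomplete host 250 block-time 0
ipv6 inspect name cbac-ipv6 tcp
ipv6 inspect name cbac-ipv6 udp
ipv6 inspect name cbac-ipv6 icmp
ipv6 inspect name cbac-ipv6 ftp
!
int X/Y
  desc WAN
  ipv6 enable
  ipv6 traffic-filter ipv6-internet-in in
  ipv6 inspect cbac-ipv6 out
!
ipv6 access-list ipv6-internet-in
  permit icmp fe80::/64 any nd-na
  permit icmp fe80::/64 any nd-ns
  deny ipv6 any any log
!
"""

# Constructed variant: the interface references an inspect list that is
# never defined (typo "cbac-ip6" instead of "cbac-ipv6").
SAMPLE_BAD = SAMPLE_OK.replace("ipv6 inspect cbac-ipv6 out",
                               "ipv6 inspect cbac-ip6 out")


@dataclass
class Iface:
    name: str
    filters: list = field(default_factory=list)   # (acl_name, direction)
    inspects: list = field(default_factory=list)  # (inspect_list, direction)


def parse(config: str):
    """Return (inspect_lists, acls, ifaces) found in the config text."""
    inspect_lists = {}   # name -> set of protocols inspected
    acls = {}            # name -> list of ACE strings
    ifaces = {}          # name -> Iface
    current = None       # ("acl", name) or ("iface", Iface) while inside a block
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None            # "!" separates config sections
            continue
        indented = line[0].isspace()
        s = line.strip()
        if not indented:
            current = None
            m = re.match(r"ipv6 inspect name (\S+) (\S+)$", s)
            if m:
                inspect_lists.setdefault(m.group(1), set()).add(m.group(2))
                continue
            m = re.match(r"ipv6 access-list (\S+)$", s)
            if m:
                acls[m.group(1)] = []
                current = ("acl", m.group(1))
                continue
            m = re.match(r"int(?:erface)? (\S+)$", s)
            if m:
                ifaces[m.group(1)] = Iface(m.group(1))
                current = ("iface", ifaces[m.group(1)])
            continue
        if current is None:
            continue
        kind, obj = current
        if kind == "acl":
            acls[obj].append(s)
            continue
        m = re.match(r"ipv6 traffic-filter (\S+) (in|out)$", s)
        if m:
            obj.filters.append((m.group(1), m.group(2)))
        m = re.match(r"ipv6 inspect (\S+) (in|out)$", s)
        if m:
            obj.inspects.append((m.group(1), m.group(2)))
    return inspect_lists, acls, ifaces


def lint(config: str) -> list:
    """Return a list of human-readable findings; empty list means clean."""
    inspect_lists, acls, ifaces = parse(config)
    issues = []
    for iface in ifaces.values():
        for acl, d in iface.filters:
            if acl not in acls:
                issues.append(f"{iface.name}: traffic-filter '{acl}' ({d}) "
                              f"references an undefined ipv6 access-list")
        for lst, d in iface.inspects:
            if lst not in inspect_lists:
                issues.append(f"{iface.name}: inspect '{lst}' ({d}) "
                              f"references an undefined ipv6 inspect name")
            # Classic CBAC layout: the ACL sits in the opposite direction so
            # inspection has something to punch return-traffic holes in.
            opposite = "in" if d == "out" else "out"
            if not any(fd == opposite for _, fd in iface.filters):
                issues.append(f"{iface.name}: inspect '{lst}' {d} has no "
                              f"traffic-filter applied {opposite}")
    return issues


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_OK), ("typo variant", SAMPLE_BAD)):
        print(f"== {label}: {len(lint(cfg))} finding(s)")
        for issue in lint(cfg):
            print("  -", issue)
```

On the posted config the linter reports nothing, which tells you the names and directions are at least internally consistent; on the typo variant it flags the interface line that points at a non-existent inspect list. It is a sanity check to run before reaching for `debug ipv6 inspect detailed`, not a replacement for it.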