[c-nsp] IPv6 Stateful IOS Firewall
-Hammer-
bhmccie at gmail.com
Wed Jul 13 10:16:45 EDT 2011
If anyone is interested I've been building an IPv6 specific router
config/template for routing and security. I've been trying to work with
Team Cymru, but progress is slow. Looking for collaborators....
Ping me offline if interested.
-Hammer-
"I was a normal American nerd"
-Jack Herer
On 07/13/2011 03:57 AM, David Freedman wrote:
> According to the documentation at
>
> http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-sec_trfltr_fw_ps10592_TSD_Products_Configuration_Guide_Chapter.html
>
> The following should suffice as a simple stateful IPv6 firewall (no
> reflection or zoning):
>
> !
> ipv6 unicast-routing
> ipv6 cef
> ipv6 inspect udp idle-time 120
> ipv6 inspect tcp max-incomplete host 250 block-time 0
> ipv6 inspect name cbac-ipv6 tcp
> ipv6 inspect name cbac-ipv6 udp
> ipv6 inspect name cbac-ipv6 icmp
> ipv6 inspect name cbac-ipv6 ftp
> !
> int X/Y
> desc WAN
> ipv6 enable
> ipv6 traffic-filter ipv6-internet-in in
> ipv6 inspect cbac-ipv6 out
> !
> ipv6 access-list ipv6-internet-in
> permit icmp fe80::/64 any nd-na
> permit icmp fe80::/64 any nd-ns
> deny ipv6 any any log
> !
>
> However, this results in some odd behaviour: when "debug ipv6 inspect
> detailed" is enabled and traffic is sent through the firewall, the
> following message is logged for every packet:
>
> Jul 13 09:54:14 BST: FIREWALL: acl or insp_list not found
>
> Can somebody tell me what I'm missing?
>
>
> #sh ver | in UNIV
> Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version
> 15.0(1)M2, RELEASE SOFTWARE (fc2)
>
> #sh lic
> Index 1 Feature: ipbasek9
> Period left: Life time
> License Type: Permanent
> License State: Active, In Use
> License Count: Non-Counted
> License Priority: Medium
> Index 2 Feature: securityk9
> Period left: Life time
> License Type: Permanent
> License State: Active, In Use
> License Count: Non-Counted
> License Priority: Medium
> Index 3 Feature: datak9
> Period left: 8 weeks 4 days
> License Type: Evaluation
> License State: Active, Not in Use, EULA not accepted
> License Count: Non-Counted
> License Priority: None
> Index 4 Feature: SSL_VPN
> Period left: 8 weeks 4 days
> License Type: Evaluation
> License State: Active, Not in Use, EULA not accepted
> License Count: 75/0/0 (Active/In-use/Violation)
> License Priority: None
> Index 5 Feature: ios-ips-update
>
>
> Thanks in advance
>
>
> Dave.
>
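As an added example (not from the thread or from Cisco), here is a small Python lint for the cross-references a CBAC configuration like the one quoted above depends on: every `ipv6 inspect <name>` applied on an interface must name a defined `ipv6 inspect name <name> ...` rule set, every `ipv6 traffic-filter` must name a defined `ipv6 access-list`, and an interface that inspects outbound needs an inbound filter for the inspection to open holes in. The sample config is constructed in `show running-config` indentation; the interface name and the misspelt inspect name are assumptions made so the lint has something to report.

```python
import re

# Constructed sample mirroring the thread's config in `show running-config`
# form; interface name and the misspelt inspect name are assumptions.
SAMPLE_CONFIG = """\
ipv6 inspect name cbac-ipv6 tcp
ipv6 inspect name cbac-ipv6 udp
!
interface GigabitEthernet0/0
 description WAN
 ipv6 traffic-filter ipv6-internet-in in
 ipv6 inspect cbac-ipv6-typo out
!
ipv6 access-list ipv6-internet-in
 deny ipv6 any any log
"""

def lint_ipv6_cbac(config):
    """Return a list of findings; an empty list means all references resolve."""
    inspect_sets, acls, interfaces, current = set(), set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw.startswith(" "):          # global-level command
            current = None
            if m := re.match(r"ipv6 inspect name (\S+) \S+", line):
                inspect_sets.add(m.group(1))
            elif m := re.match(r"ipv6 access-list (\S+)$", line):
                acls.add(m.group(1))
            elif m := re.match(r"interface (\S+)$", line):
                current = m.group(1)
                interfaces[current] = {"inspect": [], "filter": []}
        elif current is not None:           # interface sub-command
            if m := re.match(r"ipv6 inspect (\S+) (in|out)$", line):
                interfaces[current]["inspect"].append(m.groups())
            elif m := re.match(r"ipv6 traffic-filter (\S+) (in|out)$", line):
                interfaces[current]["filter"].append(m.groups())
    findings = []
    for ifname, refs in interfaces.items():
        for name, direction in refs["inspect"]:
            if name not in inspect_sets:
                findings.append(f"{ifname}: inspect rule set '{name}' ({direction}) is not defined")
        for name, direction in refs["filter"]:
            if name not in acls:
                findings.append(f"{ifname}: access-list '{name}' ({direction}) is not defined")
        if refs["inspect"] and not any(d == "in" for _, d in refs["filter"]):
            findings.append(f"{ifname}: inspection applied but no inbound traffic-filter for return traffic")
    return findings
```

Run `lint_ipv6_cbac` over the output of `show running-config` before chasing debug output; with the typo corrected the sample returns no findings.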