[c-nsp] IPv6 firewall rules/inspection on ASAs
Justin M. Streiner
streiner at cluebyfour.org
Fri Sep 7 09:58:36 EDT 2012
This is as much of a general query as anything else. I'm just trying to get a
sense for how people are building default firewall rule sets on their ASAs.
I have a fairly detailed inbound and outbound default IPv6 firewall rule set
worked up, which I can share with people who are interested. SLAAC and any
type of 'normal' IPv6 traffic I could come up with in my lab works just fine.
I wrote rules for DHCPv6, but haven't tested them yet - hoping to have a DHCPv6
server online in the next week or two.
Most of the default rules cover stuff like SLAAC, the various ICMPv6 messages
that are required/desirable to pass (per RFC 4890), and some other stuff I've
found through trial and error that needed to be on for IPv6 to work.
I'm still wrapping my head around IPv6 inspection and what explicitly-defined
rules I can knock out of my ruleset, if any, because the inspection would cover
them. IPv6 inspection on the ASA doesn't seem to be terribly
intuitive/functional at this point and not especially well documented. Are
people even bothering with this right now?
The test environment is an ASA 5540 running 8.4(4)1 code and ASDM 6.4(9) at the
moment. The IPv6 test network is dual-stacked and the firewall is running in
transparent mode.
jms
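As an added illustration of the RFC 4890 point raised above (this is editorial example code, not anything from the poster or from Cisco): a small audit script that parses ASA 8.4-style `ipv6 access-list` lines and reports which ICMPv6 types RFC 4890 says should pass that the ACL does not permit between any source and any destination. The keyword-to-type map for the ASA `icmp6` type names is written from memory of the command reference and should be checked against your running image; the sample ACL is constructed for the example. Note that ASA type keywords do not distinguish ICMPv6 codes, so the RFC's per-code advice (e.g. Parameter Problem codes 1 and 2 vs code 0) collapses to the whole type here.

```python
"""Audit an ASA 8.4-style IPv6 access list against RFC 4890 ICMPv6 advice.

Editorial example, not from the original post. Assumed line form:
    ipv6 access-list <NAME> (permit|deny) <proto> <src> <dst> [<icmp6-type>]
where <src>/<dst> are 'any', 'host <addr>' or '<prefix>/<len>'.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# ASA icmp6 type keyword -> ICMPv6 type number (assumed map; verify on your ASA).
ASA_ICMP6_KEYWORDS: Dict[str, int] = {
    "unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
    "parameter-problem": 4, "echo-request": 128, "echo-reply": 129,
    "membership-query": 130, "membership-report": 131,
    "membership-reduction": 132, "router-solicitation": 133,
    "router-advertisement": 134, "neighbor-solicitation": 135,
    "neighbor-advertisement": 136, "neighbor-redirect": 137,
    "router-renumbering": 138,
}

# RFC 4890 section 4.3.1: error messages that must not be dropped in transit.
RFC4890_TRANSIT_REQUIRED = {1: "Destination Unreachable", 2: "Packet Too Big",
                            3: "Time Exceeded", 4: "Parameter Problem"}
# RFC 4890 section 4.3.2: diagnostics that normally should not be dropped.
RFC4890_TRANSIT_RECOMMENDED = {128: "Echo Request", 129: "Echo Reply"}
# RFC 4890 section 4.4.1: NDP traffic needed on the local link (SLAAC depends
# on it, which matters when the ASA is bridging in transparent mode).
RFC4890_LOCAL_REQUIRED = {133: "Router Solicitation", 134: "Router Advertisement",
                          135: "Neighbor Solicitation", 136: "Neighbor Advertisement"}


@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "icmp6", "ipv6", "tcp", "udp", ...
    src_any: bool
    dst_any: bool
    icmp6_type: Optional[int]   # None = no type keyword, i.e. every ICMPv6 type


def _skip_addr(tokens: List[str], i: int) -> int:
    """Advance past one address term ('any', 'host <addr>' or '<prefix>/<len>')."""
    if i >= len(tokens):
        raise ValueError("truncated ACL line: " + " ".join(tokens))
    return i + 2 if tokens[i] == "host" else i + 1


def parse_acl(acl_text: str, name: str) -> List[Rule]:
    """Return the permit/deny rules of the named ACL, in configured order."""
    rules: List[Rule] = []
    for line in acl_text.splitlines():
        t = line.split()
        if len(t) < 7 or t[:2] != ["ipv6", "access-list"] or t[2] != name:
            continue
        if t[3] not in ("permit", "deny"):   # skips 'remark' lines
            continue
        action, proto, i = t[3], t[4], 5
        src_any = t[i] == "any"
        i = _skip_addr(t, i)
        dst_any = i < len(t) and t[i] == "any"
        i = _skip_addr(t, i)
        icmp6_type = None
        if proto == "icmp6" and i < len(t):
            kw = t[i]
            if kw.isdigit():
                icmp6_type = int(kw)
            elif kw in ASA_ICMP6_KEYWORDS:
                icmp6_type = ASA_ICMP6_KEYWORDS[kw]
            else:
                raise ValueError(f"unknown icmp6 type keyword {kw!r}: {line}")
        rules.append(Rule(action, proto, src_any, dst_any, icmp6_type))
    return rules


def verdict(rules: List[Rule], icmp6_type: int) -> str:
    """First-match verdict for one ICMPv6 type between any source and any
    destination. Only any/any rules can decide the global verdict; narrower
    rules are skipped. ASA ACLs end in an implicit deny."""
    for r in rules:
        if not (r.src_any and r.dst_any):
            continue
        if r.proto == "ipv6" or (r.proto == "icmp6" and r.icmp6_type in (None, icmp6_type)):
            return r.action
    return "deny"


def audit(acl_text: str, name: str) -> Dict[str, List[int]]:
    """List the RFC 4890 types, per category, that the ACL does not permit globally."""
    rules = parse_acl(acl_text, name)

    def missing(table: Dict[int, str]) -> List[int]:
        return sorted(t for t in table if verdict(rules, t) != "permit")

    return {
        "transit_required_missing": missing(RFC4890_TRANSIT_REQUIRED),
        "transit_recommended_missing": missing(RFC4890_TRANSIT_RECOMMENDED),
        "local_ndp_missing": missing(RFC4890_LOCAL_REQUIRED),
    }


# Constructed sample ACL for the example (not a real configuration).
SAMPLE_ACL = """
ipv6 access-list OUTSIDE_IN remark RFC 4890 ICMPv6 baseline (constructed sample)
ipv6 access-list OUTSIDE_IN permit icmp6 any any unreachable
ipv6 access-list OUTSIDE_IN permit icmp6 any any packet-too-big
ipv6 access-list OUTSIDE_IN permit icmp6 any any time-exceeded
ipv6 access-list OUTSIDE_IN permit icmp6 any any echo-reply
ipv6 access-list OUTSIDE_IN permit icmp6 any any router-advertisement
ipv6 access-list OUTSIDE_IN permit icmp6 any any neighbor-solicitation
ipv6 access-list OUTSIDE_IN permit icmp6 any any neighbor-advertisement
ipv6 access-list OUTSIDE_IN permit icmp6 any host 2001:db8::10 echo-request
ipv6 access-list OUTSIDE_IN deny ipv6 any any
"""

if __name__ == "__main__":
    for category, types in audit(SAMPLE_ACL, "OUTSIDE_IN").items():
        print(category, types)
```

Run against the sample it reports Parameter Problem (type 4) missing from the required transit set, Echo Request (128) missing because it is only permitted to one host, and Router Solicitation (133) missing from the NDP set; whether each gap is acceptable depends on the interface direction the ACL is applied to.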