[c-nsp] IPv6 firewall rules/inspection on ASAs

Justin M. Streiner streiner at cluebyfour.org
Fri Sep 7 09:58:36 EDT 2012


This is as much of a general query as anything else.  I'm just trying to get a 
sense for how people are building default firewall rule sets on their ASAs.

I have a fairly detailed inbound and outbound default IPv6 firewall rule set 
worked up, which I can share with people who are interested.  SLAAC and any 
type of 'normal' IPv6 traffic I could come up with in my lab works just fine. 
I wrote rules for DHCPv6, but haven't tested them yet - hoping to have a DHCPv6 
server online in the next week or two.

Most of the default rules cover stuff like SLAAC, the various ICMPv6 messages 
that are required/desirable to pass (per RFC 4890), and some other stuff I've 
found through trial and error that needed to be on for IPv6 to work.

I'm still wrapping my head around IPv6 inspection and what explicitly-defined 
rules I can knock out of my ruleset, if any, because the inspection would cover 
them.  IPv6 inspection on the ASA doesn't seem to be terribly 
intuitive/functional at this point and not especially well documented.  Are 
people even bothering with this right now?

The test environment is an ASA 5540 running 8.4(4)1 code and ASDM 6.4(9) at the 
moment.  The IPv6 test network is dual-stacked and the firewall is running in 
transparent mode.

jms
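As an added example (not part of the original post and not the author's own ruleset), the following is a minimal inbound IPv6 ACL for a transparent-mode ASA running 8.4 code, built from the RFC 4890 recommendations the post refers to: the ICMPv6 types that must not be dropped for transit traffic (section 4.3.1), the link-local Neighbor Discovery and MLD messages that a transparent firewall has to pass for SLAAC to work (section 4.4), and the DHCPv6 server-to-client leg. The ACL name, the interface name "outside", and the use of numeric ICMPv6 types are assumptions; the `ipv6 access-list` / `icmp6` syntax is the pre-9.0 form and should be checked against the 8.4 command reference before use.

```text
! Added example, not from the original post. Names are assumptions.
! Inbound IPv6 policy for the "outside" bridge-group interface of an
! ASA 8.4 in transparent mode, following RFC 4890.
!
! RFC 4890 4.3.1: error and diagnostic messages that must not be filtered,
! otherwise PMTUD and traceroute break silently.
ipv6 access-list OUTSIDE_IN_V6 remark RFC 4890 4.3.1 - must not drop
ipv6 access-list OUTSIDE_IN_V6 permit icmp6 any any 1
ipv6 access-list OUTSIDE_IN_V6 permit icmp6 any any 2
ipv6 access-list OUTSIDE_IN_V6 permit icmp6 any any 3
ipv6 access-list OUTSIDE_IN_V6 permit icmp6 any any 4
ipv6 access-list OUTSIDE_IN_V6 permit icmp6 any any 128
ipv6 access-list OUTSIDE_IN_V6 permit icmp6 any any 129
!
! RFC 4890 4.4.1: Neighbor Discovery. A router never forwards these, but a
! transparent ASA sits inside the link, so RA (134), NS (135) and NA (136)
! arriving from the outside must be permitted or SLAAC and address
! resolution fail. RS (133) is only expected from the inside, so it is
! left out of the outside-in ACL.
ipv6 access-list OUTSIDE_IN_V6 remark RFC 4890 4.4.1 - link-local ND
ipv6 access-list OUTSIDE_IN_V6 permit icmp6 any any 134
ipv6 access-list OUTSIDE_IN_V6 permit icmp6 any any 135
ipv6 access-list OUTSIDE_IN_V6 permit icmp6 any any 136
!
! RFC 4890 4.4.2: Multicast Listener Discovery (query, report, done, MLDv2).
ipv6 access-list OUTSIDE_IN_V6 remark RFC 4890 4.4.2 - MLD
ipv6 access-list OUTSIDE_IN_V6 permit icmp6 any any 130
ipv6 access-list OUTSIDE_IN_V6 permit icmp6 any any 131
ipv6 access-list OUTSIDE_IN_V6 permit icmp6 any any 132
ipv6 access-list OUTSIDE_IN_V6 permit icmp6 any any 143
!
! DHCPv6: server or relay (UDP 547) replying to clients (UDP 546).
ipv6 access-list OUTSIDE_IN_V6 remark DHCPv6 server/relay to client
ipv6 access-list OUTSIDE_IN_V6 permit udp any eq 547 any eq 546
!
! Explicit logged deny so that anything else IPv6 needs to work shows up
! in syslog instead of having to be found by trial and error.
ipv6 access-list OUTSIDE_IN_V6 deny ip any any log
!
access-group OUTSIDE_IN_V6 in interface outside
```

The inside-facing interface needs the mirror image of this (RS 133, NS 135, NA 136, MLD, DHCPv6 client to server on UDP 546 to 547, plus whatever outbound policy applies). Types 5 to 127 and the remaining link-local types are deliberately absent: RFC 4890 section 4.3.3 says the experimental and unassigned ranges should be dropped, and the implicit deny does that.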