[c-nsp] IPv6 firewall rules/inspection on ASAs
Justin M. Streiner
streiner at cluebyfour.org
Wed Sep 12 00:21:47 EDT 2012
A number of people have asked to see the ruleset, so I've posted it here:
http://www.cluebyfour.org/ipv6/
What I've posted is the IPv6 portion of the configuration for my test
zone.
jms
On Fri, 7 Sep 2012, Justin M. Streiner wrote:
> This is as much of a general query as anything else. I'm just trying to get
> a sense for how people are building default firewall rule sets on their ASAs.
>
> I have a fairly detailed inbound and outbound default IPv6 firewall rule set
> worked up, which I can share with people who are interested. SLAAC and any
> type of 'normal' IPv6 traffic I could come up with in my lab works just fine.
> I wrote rules for DHCPv6, but haven't tested them yet - hoping to have a
> DHCPv6 server online in the next week or two.
>
> Most of the default rules cover stuff like SLAAC, the various ICMPv6 messages
> that are required/desirable to pass (per RFC 4890), and some other stuff I've
> found through trial and error that needed to be on for IPv6 to work.
>
> I'm still wrapping my head around IPv6 inspection and what explicitly-defined
> rules I can knock out of my ruleset, if any, because the inspection would
> cover them. IPv6 inspection on the ASA doesn't seem to be terribly
> intuitive/functional at this point and not especially well documented. Are
> people even bothering with this right now?
>
> The test environment is an ASA 5540 running 8.4(4)1 code and ASDM 6.4(9) at the
> moment. The IPv6 test network is dual-stacked and the firewall is running in
> transparent mode.
>
> jms
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
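The RFC 4890 filtering described in the quoted post, as an added example that is not part of the original message or the poster's ruleset: a small Python check that classifies ICMPv6 messages the way RFC 4890 recommends and also applies the on-link conditions (hop limit 255, link-local source for RAs, unspecified source only for RS and DAD NS) that an ACL entry matching only on ICMPv6 type does not check. The type sets, sample packets and the default-drop policy for redirects and unassigned types are constructed for this example.

```python
"""RFC 4890 ICMPv6 transit check, written as an added example for this thread
(not the poster's ruleset). Sample packets are constructed inline."""
import ipaddress
import struct

# Error and informational messages RFC 4890 says a firewall must not drop
MUST_PASS = {1, 2, 3, 4, 128, 129}
# NDP and MLD messages needed for SLAAC and multicast on the bridged segment;
# legitimate only when sent on-link (hop limit 255), which a type-only ACL misses
ON_LINK_ONLY = {130, 131, 132, 133, 134, 135, 136, 143}


def parse_icmpv6(payload: bytes) -> tuple:
    """Return (type, code) from the fixed 4-byte ICMPv6 header."""
    if len(payload) < 4:
        raise ValueError("truncated ICMPv6 header")
    icmp_type, icmp_code, _checksum = struct.unpack("!BBH", payload[:4])
    return icmp_type, icmp_code


def verdict(src: str, hop_limit: int, payload: bytes) -> str:
    """Return 'permit' or 'drop' for one ICMPv6 message seen by the firewall."""
    icmp_type, _code = parse_icmpv6(payload)
    if icmp_type in MUST_PASS:
        return "permit"
    if icmp_type in ON_LINK_ONLY:
        source = ipaddress.IPv6Address(src)
        if hop_limit != 255:
            return "drop"  # NDP/MLD that has been routed is forged or misrouted
        if icmp_type == 134 and not source.is_link_local:
            return "drop"  # RFC 4861: RA source must be link-local
        if source.is_unspecified and icmp_type not in (133, 135):
            return "drop"  # :: is legal only for RS and DAD NS
        return "permit"
    # Everything else (redirect, experimental, unassigned) is dropped by default
    return "drop"


# Constructed sample traffic: (description, src, hop limit, ICMPv6 header bytes)
SAMPLES = [
    ("packet too big", "2001:db8::1", 64, struct.pack("!BBH", 2, 0, 0)),
    ("good RA", "fe80::1", 255, struct.pack("!BBH", 134, 0, 0)),
    ("RA from global src", "2001:db8::9", 255, struct.pack("!BBH", 134, 0, 0)),
    ("NS with hop limit 63", "fe80::2", 63, struct.pack("!BBH", 135, 0, 0)),
    ("DAD NS from ::", "::", 255, struct.pack("!BBH", 135, 0, 0)),
    ("redirect", "fe80::1", 255, struct.pack("!BBH", 137, 0, 0)),
]

if __name__ == "__main__":
    for desc, src, hl, pkt in SAMPLES:
        print(f"{desc:22s} -> {verdict(src, hl, pkt)}")
```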