[c-nsp] IPv6 firewall rules/inspection on ASAs

Justin M. Streiner streiner at cluebyfour.org
Thu Sep 13 14:01:04 EDT 2012


On Wed, 12 Sep 2012, Justin M. Streiner wrote:

> A number of people have asked to see the ruleset, so I've posted it here:
>
> http://www.cluebyfour.org/ipv6/
>
> What I've posted is the IPv6 portion of the configuration for my test zone.

I see a number of people have viewed the config since I posted it.  If 
anyone has questions/comments/suggestions/concerns, please feel free to 
post them here.

Thanks
jms

> On Fri, 7 Sep 2012, Justin M. Streiner wrote:
>
>>  This is as much of a general query as anything else.  I'm just trying to
>>  get a sense for how people are building default firewall rule sets on
>>  their ASAs.
>>
>>  I have a fairly detailed inbound and outbound default IPv6 firewall rule
>>  set worked up, which I can share with people who are interested.  SLAAC
>>  and any type of 'normal' IPv6 traffic I could come up with in my lab works
>>  just fine. I wrote rules for DHCPv6, but haven't tested them yet - hoping
>>  to have a DHCPv6 server online in the next week or two.
>>
>>  Most of the default rules cover stuff like SLAAC, the various ICMPv6
>>  messages that are required/desirable to pass (per RFC 4890), and some
>>  other stuff I've found through trial and error that needed to be on for
>>  IPv6 to work.
>>
>>  I'm still wrapping my head around IPv6 inspection and what
>>  explicitly-defined rules I can knock out of my ruleset, if any, because
>>  the inspection would cover them.  IPv6 inspection on the ASA doesn't seem
>>  to be terribly intuitive/functional at this point and not especially well
>>  documented.  Are people even bothering with this right now?
>>
>>  The test environment is an ASA 5540 running 8.4(4)1 code and ASDM 6.4(9) at
>>  the moment.  The IPv6 test network is dual-stacked and the firewall is
>>  running in transparent mode.
>>
>>  jms
>>
>>  _______________________________________________
>>  cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>  https://puck.nether.net/mailman/listinfo/cisco-nsp
>>  archive at http://puck.nether.net/pipermail/cisco-nsp/
>> 

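The original post lists RFC 4890 as the source for which ICMPv6 messages a default ruleset has to let through, and asks which explicit rules inspection might make redundant. The thing that most often goes wrong in practice is the opposite: a "tight" ruleset that permits echo and the SLAAC messages but silently drops Packet Too Big or Time Exceeded, breaking PMTUD and traceroute. The following is an added example, not the poster's configuration and not from the linked ruleset. It encodes the RFC 4890 section 4.3 transit recommendations, emits the matching ASA 8.4-style `ipv6 access-list` lines, and audits a constructed ACL with the ASA's first-match, implicit-deny semantics to list which must-not-drop types it would block. The `ipv6 access-list NAME permit icmp6 SRC DST TYPE` line form and the icmp6 keyword names are assumptions about 8.4 syntax; numeric types are always accepted by the checker.

```python
"""RFC 4890 ICMPv6 transit-filter audit for an ASA 8.4-style ipv6 access-list.

Added example; not the poster's config. Models RFC 4890 section 4.3 and checks
a ruleset for must-not-drop types it would silently deny.
"""
import re

# RFC 4890 section 4.3.1: transit ICMPv6 that MUST NOT be dropped.
# None means every code; otherwise the set of codes the RFC calls out.
MUST_NOT_DROP = {
    1: None,     # Destination Unreachable
    2: None,     # Packet Too Big (PMTUD fails without it)
    3: {0},      # Time Exceeded, code 0 (hop limit exceeded in transit)
    4: {1, 2},   # Parameter Problem, codes 1 and 2 (unrecognised header/option)
    128: None,   # Echo Request
    129: None,   # Echo Reply
}

# RFC 4890 section 4.3.2: normally SHOULD NOT be dropped.
SHOULD_NOT_DROP = {
    3: {1},      # Time Exceeded, code 1 (fragment reassembly time exceeded)
    4: {0},      # Parameter Problem, code 0 (erroneous header field)
    144: None, 145: None, 146: None, 147: None,  # Mobile IPv6 HA discovery / prefix
}

# RFC 4890 section 4.3.3: link-local NDP and MLD. A routed firewall never
# forwards these; a transparent-mode bridge does, and SLAAC needs them.
LINK_LOCAL = {t: None for t in (130, 131, 132, 133, 134, 135, 136, 141, 142, 143)}

# ASA icmp6 keyword names (assumed for this example; numeric types are the safe form).
ASA_ICMP6_NAMES = {
    "unreachable": 1, "packet-too-big": 2, "time-exceeded": 3,
    "parameter-problem": 4, "echo": 128, "echo-reply": 129,
    "membership-query": 130, "membership-report": 131, "membership-reduction": 132,
    "router-solicitation": 133, "router-advertisement": 134,
    "neighbor-solicitation": 135, "neighbor-advertisement": 136,
}

RULE_RE = re.compile(
    r"^\s*ipv6 access-list (?P<acl>\S+) (?P<action>permit|deny) icmp6 "
    r"(?P<src>\S+) (?P<dst>\S+)(?: (?P<type>\S+))?\s*$")


def asa_rules(acl, policy):
    """Emit one type-level permit per ICMPv6 type in policy (assumed 8.4 syntax,
    which filters on type only, so the per-code detail of RFC 4890 is lost)."""
    return [f"ipv6 access-list {acl} permit icmp6 any any {t}" for t in sorted(policy)]


def parse_acl(text, acl):
    """Return [(action, type_or_None)] for the icmp6 lines of one ACL, in order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m or m["acl"] != acl:
            continue  # other ACLs, non-icmp6 lines, comments
        t = m["type"]
        if t is not None:
            t = ASA_ICMP6_NAMES.get(t, t)
            if not str(t).isdigit():
                raise ValueError(f"unknown icmp6 type keyword: {m['type']}")
            t = int(t)
        rules.append((m["action"], t))
    return rules


def icmp6_verdict(rules, icmp_type):
    """ASA semantics: first matching line wins; no match means implicit deny."""
    for action, t in rules:
        if t is None or t == icmp_type:
            return action
    return "deny"


def audit(text, acl, policy=MUST_NOT_DROP):
    """Sorted list of policy types the ACL would drop (empty means compliant)."""
    rules = parse_acl(text, acl)
    return sorted(t for t in policy if icmp6_verdict(rules, t) != "permit")


# Constructed sample: permits ping and SLAAC, forgets the error messages.
BROKEN_ACL = """\
ipv6 access-list v6-in permit icmp6 any any echo
ipv6 access-list v6-in permit icmp6 any any echo-reply
ipv6 access-list v6-in permit icmp6 any any router-solicitation
ipv6 access-list v6-in permit icmp6 any any router-advertisement
ipv6 access-list v6-in permit icmp6 any any neighbor-solicitation
ipv6 access-list v6-in permit icmp6 any any neighbor-advertisement
ipv6 access-list v6-in permit tcp any any eq 443
"""

# Same ACL with the RFC 4890 4.3.1 types appended.
FIXED_ACL = BROKEN_ACL + "\n".join(asa_rules("v6-in", MUST_NOT_DROP)) + "\n"

if __name__ == "__main__":
    print("broken ACL drops types:", audit(BROKEN_ACL, "v6-in"))  # [1, 2, 3, 4]
    print("fixed ACL drops types: ", audit(FIXED_ACL, "v6-in"))   # []
```

Running the audit against the 4.3.1 table is the minimum; pass `SHOULD_NOT_DROP` or, for a transparent-mode box like the one in the post, `LINK_LOCAL` as the `policy` argument to check the other two tables. Because the checker reproduces first-match ordering, it also catches the case where a broad `deny icmp6 any any` line has been placed above the permits.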
