[c-nsp] IPv6 firewall rules/inspection on ASAs
Joseph Jackson
recourse at gmail.com
Thu Sep 13 15:25:54 EDT 2012
Silly question - how come you are having to deny certain things? If
traffic from a lower security interface tries to access a higher
security interface, unless it's permitted it should be denied by default.
Are you putting those deny statements in there just to log the hits?
Also, I notice there is a deny ip any any. At the end of the access-list
there is already an implied deny if nothing matches.
On Thu, Sep 13, 2012 at 1:01 PM, Justin M. Streiner
<streiner at cluebyfour.org> wrote:
> On Wed, 12 Sep 2012, Justin M. Streiner wrote:
>
>> A number of people have asked to see the ruleset, so I've posted it here:
>>
>> http://www.cluebyfour.org/ipv6/
>>
>> What I've posted is the IPv6 portion of the configuration for my test
>> zone.
>
>
> I see a number of people have viewed the config since I posted it. If
> anyone has questions/comments/suggestions/concerns, please feel free to post
> them here.
>
> Thanks
>
> jms
>
>> On Fri, 7 Sep 2012, Justin M. Streiner wrote:
>>
>>> This is as much of a general query as anything else. I'm just trying to
>>> get a sense for how people are building default firewall rule sets on
>>> their ASAs.
>>>
>>> I have a fairly detailed inbound and outbound default IPv6 firewall rule
>>> set worked up, which I can share with people who are interested. SLAAC
>>> and any type of 'normal' IPv6 traffic I could come up with in my lab works
>>> just fine. I wrote rules for DHCPv6, but haven't tested them yet - hoping
>>> to have a DHCPv6 server online in the next week or two.
>>>
>>> Most of the default rules cover stuff like SLAAC, the various ICMPv6
>>> messages that are required/desirable to pass (per RFC 4890), and some
>>> other stuff I've found through trial and error that needed to be on for
>>> IPv6 to work.
>>>
>>> I'm still wrapping my head around IPv6 inspection and what
>>> explicitly-defined rules I can knock out of my ruleset, if any, because
>>> the inspection would cover them. IPv6 inspection on the ASA doesn't seem
>>> to be terribly intuitive/functional at this point and not especially well
>>> documented. Are people even bothering with this right now?
>>>
>>> The test environment is an ASA 5540 running 8.4(4)1 code and ASDM 6.4(9) at
>>> the moment. The IPv6 test network is dual-stacked and the firewall is
>>> running in transparent mode.
>>>
>>> jms
>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
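As an added example that is not part of this thread or of the posted config: a small Python audit of an ASA-style IPv6 access-list that checks, under first-match semantics, whether the RFC 4890 must-pass ICMPv6 messages would get through and flags a final deny ip any any that only repeats the implicit deny unless it carries log. It assumes the 8.4 `ipv6 access-list NAME permit|deny PROTO SRC DST [type] [log]` syntax, ignores source/destination addresses, and runs on a constructed sample ruleset.

```python
# Audit an ASA-style IPv6 access-list (8.4 syntax assumed) against RFC 4890 and flag a
# final explicit "deny ip any any" that only duplicates the ASA's implicit deny.
ASA_ICMP6_TYPES = {  # ASA icmp6 keyword -> ICMPv6 type number
    "unreachable": 1, "packet-too-big": 2, "time-exceeded": 3, "parameter-problem": 4,
    "echo": 128, "echo-reply": 129, "router-solicitation": 133, "router-advertisement": 134,
    "neighbor-solicitation": 135, "neighbor-advertisement": 136}
# RFC 4890 error messages (sec 4.3.1) plus the ND messages SLAAC needs (sec 4.4.1);
# echo request/reply, also listed in 4.3.1, are left to local policy here.
RFC4890_MUST_PASS = {1: "destination unreachable", 2: "packet too big", 3: "time exceeded",
                     4: "parameter problem", 133: "router solicitation", 134: "router advertisement",
                     135: "neighbor solicitation", 136: "neighbor advertisement"}

def parse_ace(line):
    """Parse one 'ipv6 access-list NAME permit|deny PROTO SRC DST [TYPE] [log]' line."""
    tok = line.split()
    if len(tok) < 7 or tok[:2] != ["ipv6", "access-list"]:
        return None
    def addr(t):  # 'host X' is two tokens; 'any' or a prefix is one
        if not t: return None, []
        return (" ".join(t[:2]), t[2:]) if t[0] == "host" else (t[0], t[1:])
    src, rest = addr(tok[5:])
    dst, rest = addr(rest)
    icmp_type = None  # None means "any ICMPv6 type" for an icmp6 ACE without a type
    if tok[4] == "icmp6" and rest and rest[0] != "log":
        icmp_type = ASA_ICMP6_TYPES.get(rest[0], int(rest[0]) if rest[0].isdigit() else rest[0])
    return {"action": tok[3], "proto": tok[4], "src": src, "dst": dst,
            "icmp_type": icmp_type, "log": "log" in rest}

def decision(aces, icmp_type):
    """First-match verdict for an ICMPv6 message of this type (addresses not evaluated)."""
    for a in aces:
        if a["proto"] == "ip" or (a["proto"] == "icmp6" and a["icmp_type"] in (None, icmp_type)):
            return a["action"]
    return "deny"  # every ASA access-list ends with an implicit deny

def audit(config_text):
    """Return findings: dropped must-pass ICMPv6 types and a redundant unlogged final deny."""
    aces = [a for a in map(parse_ace, config_text.splitlines()) if a]
    findings = [f"RFC 4890 type {t} ({n}) would be dropped"
                for t, n in sorted(RFC4890_MUST_PASS.items()) if decision(aces, t) != "permit"]
    last = aces[-1] if aces else None
    if last and (last["action"], last["proto"], last["src"], last["dst"]) == ("deny", "ip", "any", "any") and not last["log"]:
        findings.append("final 'deny ip any any' duplicates the implicit deny; add 'log' or remove it")
    return findings

# Constructed sample (not the config from the thread): router-solicitation missing, final deny unlogged.
SAMPLE_ACL = "\n".join(f"ipv6 access-list OUTSIDE_IN {ace}" for ace in [
    "permit icmp6 any any unreachable", "permit icmp6 any any packet-too-big",
    "permit icmp6 any any time-exceeded", "permit icmp6 any any parameter-problem",
    "permit icmp6 any any router-advertisement", "permit icmp6 any any neighbor-solicitation",
    "permit icmp6 any any neighbor-advertisement", "deny ip any any"])
```

Running `audit(SAMPLE_ACL)` reports the missing router-solicitation permit and the unlogged final deny; a permit appended after that deny is shadowed and still reported as dropped.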