[c-nsp] IPv6 firewall rules/inspection on ASAs

Joseph Jackson recourse at gmail.com
Thu Sep 13 15:25:54 EDT 2012


Silly question - how come you are having to deny certain things? If
traffic from a lower security interface tries to access a higher
security interface, unless it's permitted it should be denied by default.
Are you putting those deny statements in there just to log the hits?
Also, notice there is a deny ip any any.  At the end of the access-list
there is already an implied deny if nothing matches.

On Thu, Sep 13, 2012 at 1:01 PM, Justin M. Streiner
<streiner at cluebyfour.org> wrote:
> On Wed, 12 Sep 2012, Justin M. Streiner wrote:
>
>> A number of people have asked to see the ruleset, so I've posted it here:
>>
>> http://www.cluebyfour.org/ipv6/
>>
>> What I've posted is the IPv6 portion of the configuration for my test
>> zone.
>
>
> I see a number of people have viewed the config since I posted it.  If
> anyone has questions/comments/suggestions/concerns, please feel free to post
> them here.
>
> Thanks
>
> jms
>
>> On Fri, 7 Sep 2012, Justin M. Streiner wrote:
>>
>>>  This is as much of a general query as anything else.  I'm just trying to
>>>  get a sense for how people are building default firewall rule sets on
>>>  their ASAs.
>>>
>>>  I have a fairly detailed inbound and outbound default IPv6 firewall rule
>>>  set worked up, which I can share with people who are interested.  SLAAC
>>>  and any type of 'normal' IPv6 traffic I could come up with in my lab works
>>>  just fine. I wrote rules for DHCPv6, but haven't tested them yet - hoping
>>>  to have a DHCPv6 server online in the next week or two.
>>>
>>>  Most of the default rules cover stuff like SLAAC, the various ICMPv6
>>>  messages that are required/desirable to pass (per RFC 4890), and some
>>>  other stuff I've found through trial and error that needed to be on for
>>>  IPv6 to work.
>>>
>>>  I'm still wrapping my head around IPv6 inspection and what
>>>  explicitly-defined rules I can knock out of my ruleset, if any, because
>>>  the inspection would cover them.  IPv6 inspection on the ASA doesn't seem
>>>  to be terribly intuitive/functional at this point and not especially well
>>>  documented.  Are people even bothering with this right now?
>>>
>>>  The test environment is an ASA 5540 running 8.4(4)1 code and ASDM 6.4(9) at
>>>  the moment.  The IPv6 test network is dual-stacked and the firewall is
>>>  running in transparent mode.
>>>
>>>  jms
>>>
>>>  _______________________________________________
>>>  cisco-nsp mailing list  cisco-nsp at puck.nether.net
>>>  https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>  archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
