[c-nsp] IPv6 firewall rules/inspection on ASAs
Justin M. Streiner
streiner at cluebyfour.org
Thu Sep 13 19:31:14 EDT 2012
On Thu, 13 Sep 2012, Joseph Jackson wrote:
> Silly question - How come you are having to deny certain things, if
> traffic from a lower security interface tries to access a higher
> security interface unless its permit it should be denied by default.
> Are you putting those deny statements in there just to log the hits?
Some of the ICMP stuff is in there largely for debugging purposes at this
point. i.e. to figure out what's needed for things to work, but not
create any gaping security holes in the process.
> Also notice there is a deny ip any any. At the end of the access-list
> there is already an implied deny if nothing matches.
It's there to log the denies.
> On Thu, Sep 13, 2012 at 1:01 PM, Justin M. Streiner
> <streiner at cluebyfour.org> wrote:
>> On Wed, 12 Sep 2012, Justin M. Streiner wrote:
>>
>>> A number of people have asked to see the ruleset, so I've posted it here:
>>>
>>> http://www.cluebyfour.org/ipv6/
>>>
>>> What I've posted is the IPv6 portion of the configuration for my test
>>> zone.
>>
>>
>> I see a number of people have viewed the config since I posted it. If
>> anyone has questions/comments/suggestions/concerns, please feel free to post
>> them here.
>>
>> Thanks
>>
>> jms
>>
>>> On Fri, 7 Sep 2012, Justin M. Streiner wrote:
>>>
>>>> This is as much of a general query as anything else. I'm just trying to
>>>> get a sense for how people are building default firewall rule sets on
>>>> their ASAs.
>>>>
>>>> I have a fairly detailed inbound and outbound default IPv6 firewall rule
>>>> set worked up, which I can share with people who are interested. SLAAC
>>>> and any type of 'normal' IPv6 traffic I could come up with in my lab
>>>> works
>>>> just fine. I wrote rules for DHCPv6, but haven't tested them yet -
>>>> hoping
>>>> to have a DHCPv6 server online in the next week or two.
>>>>
>>>> Most of the default rules cover stuff like SLAAC, the various ICMPv6
>>>> messages that are required/desirable to pass (per RFC 4890), and some
>>>> other stuff I've found through trial and error that needed to be on for
>>>> IPv6 to work.
>>>>
>>>> I'm still wrapping my head around IPv6 inspection and what
>>>> explicitly-defined rules I can knock out of my ruleset, if any, because
>>>> the inspection would cover them. IPv6 inspection on the ASA doesn't
>>>> seem
>>>> to be terribly intuitive/functional at this point and not especially
>>>> well
>>>> documented. Are people even bothering with this right now?
>>>>
>>>> The test environment an ASA 5540 running 8.4(4)1 code and ASDM 6.4(9) at
>>>> the moment. The IPv6 test network dual-stacked and the firewall is
>>>> running in transparent mode.
>>>>
>>>> jms
>>>>
>>>> _______________________________________________
>>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>>
>>> _______________________________________________
>>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>>
>> _______________________________________________
>> cisco-nsp mailing list cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
More information about the cisco-nsp
mailing list