×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Filtering IPv6 extension headers on FWSM

Unanswered Question
Jul 5th, 2012
User Badges:

Hello,


We want to filter IPv6 extension headers on FWSM (4.1.x) and we discovered that filtering does not works at all. For example to filter destination options we used the following IPv6 ACE:

ipv6 access-list OUTSIDE6_IN deny 60 any any


Then packets are sent using extended IPv6 ping from IOS router and FWSM ignores above ACE and forwards the packet to the destination. The same thing happens when using Scapy as packet generator.


The packet is good  because it matches IOS IPv6 ACL Destination options ACE.


I didn't checked but my colleague reported me the same issue with filtering Hop-by-hop option on FWSM.


So, is something wrong with the procedure or this is about new bug?



Regards,

Igor

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Jennifer Halim Thu, 07/05/2012 - 07:34
User Badges:
  • Cisco Employee,

Did you assign the access-list to the interface using the "access-group" command?

igor.mamuzic Thu, 07/05/2012 - 10:33
User Badges:

Jenifer,


ACL is assigned to the interface... Other ACEs are being matched so ACL works but it does not match extension headers correctly:


ipv6 access-list OUTSIDE6_IN line 1 deny 60 any any log debugging interval 300 (hitcnt=0) 0xbb24b0a2

ipv6 access-list OUTSIDE6_IN line 2 permit tcp any any eq www log debugging interval 300 (hitcnt=2) 0xbde27d7c

Karsten Iwen Thu, 07/05/2012 - 11:14
User Badges:
  • Purple, 4500 points or more
  • Cisco Designated VIP,

    2017 Firewalling, VPN

Not related to your problem: You know that the FWSM is a really slow Firewall when it comes to IPv6? Everything has to be processed in the CPU as the Network-Processors are not able to process IPv6.

Jennifer Halim Thu, 07/05/2012 - 20:09
User Badges:
  • Cisco Employee,

To block IPv6 ping/icmp, the access-list should be:


ipv6 access-list OUTSIDE6_IN deny icmp6 any any

igor.mamuzic Thu, 07/05/2012 - 23:39
User Badges:

My intention was not to block ICMP, what I need is blocking all packets containing IPv6 destination option in extension header.


Sent from Cisco Technical Support iPhone App

sumbhat Wed, 08/08/2012 - 23:24
User Badges:

FWSM does not support inspection of IPv6 and hence no way to block extension headers. This can be achieved in ASA.

Actions

This Discussion

Related Content