ZBF in a mixed ipv4 and ipv6 environment, don't touch ipv4

May 4th, 2014

I have a dual stacked router for both ipv4 and ipv6. Ipv4 traffic should pass the zbf untouched due to the fact that there is another rock solid ipv4 firewall egress of the inside Interface. Is there a way that a class map like this could function on ipv6 traffic only?:

class-map type inspect match-any fullproto
 description Permitted Traffic to internet
 match protocol http
 match protocol https
 match protocol dns
 match protocol imaps
 match protocol icmp
 match protocol ftp
 match protocol ntp
 match protocol rtsp
 match protocol realmedia
 match protocol netshow
 match protocol appleqtc
 match protocol streamworks
 match protocol vdolive
 match protocol ssh
 match protocol user-rdp
So far there is only a CBAC solution in place for ipv6.

I'm showing my Interfaces:

interface FastEthernet0/0
 description *** Inside IPV6 ***
 no ip address
 speed auto
 full-duplex
 ipv6 address FE80::1 link-local
 ipv6 address ????:????:????:10::1/64
 ipv6 nd other-config-flag
 ipv6 dhcp relay destination ?:?:?:10::12
 ipv6 traffic-filter inne6-inn in
 no cdp enable
 no mop enabled

interface FastEthernet0/0.4
 description *** Inside IPV4 ***
 encapsulation dot1Q 4
 ip address 82.?.?.129 255.255.255.248
 no cdp enable

interface FastEthernet0/1
 description *** Outside ***
 ip address 82.?.?.42 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 speed auto
 full-duplex
 ipv6 address FE80::2 link-local
 ipv6 address ?:599::2/126
 ipv6 enable
 ipv6 nd prefix default no-advertise
 ipv6 nd prefix ?:599::/126 no-advertise
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 nd router-preference High
 ipv6 inspect ipv6-cbac out
 ipv6 traffic-filter ut-inn6 in
 no cdp enable
 no mop enabled
Please advise.

Regards,

Henning

Karsten Iwen Sun, 05/04/2014 - 00:58

I didn't test it, but what about the following:

  1. Configure a new class-map where you match on an ipv6 access-list "any to any"
  2. Configure a third class map of type "match all" where you match on your "fullproto" class-map and also the above ipv6 class-map. For this class map you configure your inspections.
  3. For ipv4-traffic you configure a class with a "pass" action in both directions.

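The three steps above written out as a full ZBF configuration, as an added example that is not part of the original reply or the poster's running config. It assumes an IOS release with IPv6 zone-based firewall support (so that a type inspect class-map can match an IPv6 access-list); the ACL, class-map, policy-map and zone names are made up, and the existing "fullproto" class-map from the question is reused as-is.

```cisco
! Added example of the three steps (constructed, not the poster's config).
! Assumes an IOS with IPv6 ZBF support; all names below are made up.
! Step 1: IPv6 "any to any" ACL and a class-map that matches it
ipv6 access-list V6-ANY
 permit ipv6 any any
class-map type inspect match-any V6-ALL
 match access-group name V6-ANY
! Step 2: match-all class nesting fullproto AND the IPv6 class, so only
! IPv6 traffic in the permitted protocol list gets inspected
class-map type inspect match-all V6-ONLY
 match class-map V6-ALL
 match class-map fullproto
! Step 3: IPv4 "any to any" class that is passed, never inspected
ip access-list extended V4-ANY
 permit ip any any
class-map type inspect match-any V4-PASS
 match access-group name V4-ANY
!
policy-map type inspect IN-TO-OUT
 class type inspect V6-ONLY
  inspect
 class type inspect V4-PASS
  pass
 class class-default
  drop log
! Return direction: IPv4 passes again; replies to inspected IPv6
! sessions are admitted by the state table, everything else is dropped
policy-map type inspect OUT-TO-IN
 class type inspect V4-PASS
  pass
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT
zone-pair security OUT-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN
! Remove "ipv6 inspect ipv6-cbac out" from Fa0/1 before adding it to a
! zone: CBAC and zone membership do not coexist on one interface
interface FastEthernet0/0
 zone-member security INSIDE
interface FastEthernet0/0.4
 zone-member security INSIDE
interface FastEthernet0/1
 zone-member security OUTSIDE
```

After applying it, "show policy-map type inspect zone-pair sessions" should list only IPv6 sessions, which confirms that IPv4 traffic is being passed rather than inspected.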
henning52 Mon, 05/05/2014 - 01:48

Thanks for the tip!

Would it be possible to add fastethernet 0/0.4 to the outside zone (while fastethernet 0/0 is in the inside zone), hence both ipv4 segments in the same zone and no zbf processing?

Karsten Iwen Mon, 05/05/2014 - 09:15

That should also work, but be aware that the way intra-zone-traffic gets inspected changed on some IOS-versions. Perhaps another way: If you can use sub interfaces for inside *and* outside, you could configure one interface for ipv4 and one for ipv6. The ipv4-(sub)-interfaces are not assigned to any zone and so will just route the traffic.
