I'm trying to configure IPv6 packet inspection on a 2911 router (IOS 15.1(2)T5) but I'm unable to inspect router-generated traffic. There isn't an option "ipv6 inspect name xxxx udp router-traffic" as in IPv4. Thus I'm unable to ping from the router to a remote host.
I could solve the ping problem by simply adding a "permit icmp any any echo-reply" on my ACL, but I'm still unable to access TCP or UDP-based services (DNS, HTTP...).
Does anyone know if it is possible to enable IPv6 router-generated traffic, or is there any other solution for this problem? If so, how can I do that?
ipv6 inspect name SPI_DIALER1_OUT tcp
ipv6 inspect name SPI_DIALER1_OUT udp
ipv6 inspect name SPI_DIALER1_OUT icmp
ipv6 inspect name SPI_DIALER1_OUT ftp

interface Dialer1
 ipv6 inspect SPI_DIALER1_OUT out
 ipv6 traffic-filter acl6_dialer1_in in

ipv6 access-list acl6_dialer1_in
 sequence 10 permit icmp any any nd-ns
 sequence 20 permit icmp any any nd-na
 sequence 30 permit icmp any any router-advertisement
 sequence 40 permit icmp any any echo-reply
 deny ipv6 any any log