Quick question, or more so looking for confirmation of my assumptions about IPv6 tunnels and ZBFW. I couldn't find any information, so I thought I would ask here. I hope this is the appropriate forum (versus the IPv6 one). TIA
The router in question is set up as a typical broadband router: NAT and ZBFW, using an IPv6 tunnel broker on the outside interface. Working like a charm.
(It's my home router - who doesn't use a Cisco device for their home broadband router anyway?? lol)
Here are my assumptions that I hope someone can verify for me.
1) I picture the ZBFW inspect as something that dynamically creates the established ACL; in other words, if traffic goes out, there is a way to come back in.
With that said, I assume the same concept applies to the tunnel traffic (protocol 41, not the actual IPv6 traffic) since it uses the outside interface for the tunnel, so that if tunnel traffic (proto 41) goes out from my router, it can come back in, but not the other way around.
Based on assumption 1 comes assumption 2: that if my router has not initiated the tunnel (proto 41 to the tunnel broker), then the tunnel broker can't send any traffic to me (until I initiate the tunnel first), since the tunnel goes through the outside interface.
If that is absolutely the case, it can be remedied by adding the following to the ACL applied to the zone pair self-to-outside policy/class map:
permit 41 host 209.51.xxx.xxx any
(209.51.xxx.xxx = IP of the tunnel broker; any because of dynamic IP)
2) I think to verify that assumption I need to know how an ipv6ip tunnel is initiated. Who initiates the tunnel? Source/destination, or do both try to initiate and whoever's packet gets there first wins?
Right now I assume that both try to initiate the tunnel, because I don't have that ACL and the tunnel has been working.
I would rather confirm that than just assume.
I hope that is clear; attached are the relevant parts of the config.
Please let me know if you would like me to clarify anything!
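As an added example (not part of the original post or its attached config), here is one way to express the self-zone policy for a 6in4 tunnel terminating on the router. Two points shape it: ZBFW can statefully inspect only TCP, UDP, ICMP and H.323 for traffic to or from the self zone, so protocol 41 is handled with an explicit "pass" class in each direction rather than relying on inspect to create a return entry; and once any policy is attached to a zone pair involving self, traffic that matches no class is dropped, so the ACLs pin the permitted endpoint to the single broker address. The zone names "outside" and "self", the ACL/class/policy names and the broker address 198.51.100.1 are placeholders assumed for the example, not values from the poster's network.

```cisco
! Added example, not the poster's configuration.
! Assumes: zone "outside" exists and the WAN interface is already a member
! of it; 198.51.100.1 is a placeholder for the tunnel broker endpoint.

! Inbound direction: only protocol 41 from the single broker address is
! allowed to reach the router itself. "any" as destination because the
! router's WAN address is dynamic.
ip access-list extended TUNNEL-IN
 permit 41 host 198.51.100.1 any

! Outbound direction: the router may send protocol 41 only to that same
! broker, so a misconfigured tunnel cannot encapsulate traffic elsewhere.
ip access-list extended TUNNEL-OUT
 permit 41 any host 198.51.100.1

class-map type inspect match-all CM-TUNNEL-IN
 match access-group name TUNNEL-IN
class-map type inspect match-all CM-TUNNEL-OUT
 match access-group name TUNNEL-OUT

! Protocol 41 is not inspectable on the self zone, so the action is
! "pass" (stateless, one direction per zone pair) instead of "inspect".
! class-default drops everything else to/from the router and logs it.
policy-map type inspect PM-OUT-TO-SELF
 class type inspect CM-TUNNEL-IN
  pass
 class class-default
  drop log

policy-map type inspect PM-SELF-TO-OUT
 class type inspect CM-TUNNEL-OUT
  pass
 class class-default
  drop log

zone-pair security OUT-TO-SELF source outside destination self
 service-policy type inspect PM-OUT-TO-SELF
zone-pair security SELF-TO-OUT source self destination outside
 service-policy type inspect PM-SELF-TO-OUT

! Verification (exec mode): confirm the zone pairs, then watch the
! pass counters on the tunnel classes increment as the tunnel carries
! traffic, and the ACL hit counts climb only for the broker address.
!   show zone-pair security
!   show policy-map type inspect zone-pair OUT-TO-SELF
!   show policy-map type inspect zone-pair SELF-TO-OUT
!   show ip access-lists TUNNEL-IN
```

If the router already has policies on the outside-to-self and self-to-outside zone pairs (for example, classes that inspect ICMP or permit SSH to the router), add the two tunnel classes to those existing policy-maps instead of creating new ones; the class-default drop shown here would otherwise silently cut off router-originated DNS, NTP and similar traffic that has no class of its own. Because "pass" is stateless, the inbound and outbound classes are both required regardless of which side sends the first encapsulated packet.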