Preventing Windoze Servers IPv6 Stack From Coming Up Behind FWSM

Hello,

We recently noticed that a sysadmin brought up a Server 2008 box behind one of our firewalls and was able to RDP to the box though we have rules explicitly blocking RDP.

Further investigation discovered that the connection was through protocol 41 (ipv6) and that the sysadmin's desktop was Windoze 7 and both it and the 2008 box had their ipv6 stack enabled against our best practices.

Our network is (sort of) ipv6 enabled but there still is no addressing plan nor do I have the near term cycles to translate all my firewall rules from v4 to v6.

It appears that the server got a valid v6 address through stateless autoconfig. Even though v6 is not enabled on the FWSM, it appears to be allowing the Router Solicitations (RS) out and the Router Advertisements (RA) back in, which allows the box to autoconfig.

How can I prevent misconfigured systems in the future from getting autoconfig addresses? My understanding is even if the autoconfig fails and it falls back to a link-local address it still may be able to use a Teredo tunnel.

We have blocked protocol 41 explicitly on all the interfaces which will drop a lot of the tunneling (back home to Redmond) but we want to ensure that autoconfig fails so the box just gives up on preferring v6 or tunneled interfaces and fails down to v4. We have observed with a half-baked v6 connection the clients have to wait for v6 attempts to time out resulting in complaints that the network or server is slow.

Yes, I know - spank the sysadmin and get them to follow process is one solution as is enabling v6 of the FWSM then dropping all the traffic but I'm looking for a stopgap.

"ipv6 nd suppress" on the cat6500 "outside" vlan does not work as the IOS we are running does not support the "all" keyword so RAs are dropped but those in response to a RS aren't.
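As an added example (not part of the original post), a small Python classifier that flags the three kinds of traffic the post describes leaking past the FWSM in a packet capture: native ICMPv6 Router Solicitations/Advertisements, IPv6 tunnelled in IPv4 protocol 41, and Teredo on UDP port 3544. The sample packets are constructed inline and checksums are not validated.

```python
import struct

PROTO_UDP, PROTO_IPV6_IN_IPV4, PROTO_ICMPV6 = 17, 41, 58
ICMPV6_RS, ICMPV6_RA = 133, 134
TEREDO_PORT = 3544  # well-known Teredo server port

def classify_ipv6(pkt: bytes) -> str:
    """Classify a raw IPv6 packet by its first next-header / ICMPv6 type."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "not-ipv6"
    next_header, payload = pkt[6], pkt[40:]
    if next_header == PROTO_ICMPV6 and payload:
        icmp_type = payload[0]
        if icmp_type == ICMPV6_RS:
            return "icmpv6-router-solicitation"
        if icmp_type == ICMPV6_RA:
            return "icmpv6-router-advertisement"
        return f"icmpv6-type-{icmp_type}"
    return f"ipv6-next-header-{next_header}"

def classify_ipv4(pkt: bytes) -> str:
    """Classify a raw IPv4 packet, looking inside 6in4 and Teredo carriers."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4        # header length in bytes
    proto, payload = pkt[9], pkt[ihl:]
    if proto == PROTO_IPV6_IN_IPV4:  # protocol 41: IPv6 directly inside IPv4
        return "6in4(proto41): " + classify_ipv6(payload)
    if proto == PROTO_UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if TEREDO_PORT in (sport, dport):
            return "teredo-udp-3544"
    return f"ipv4-proto-{proto}"

def classify(pkt: bytes) -> str:
    version = pkt[0] >> 4 if pkt else 0
    return {4: classify_ipv4, 6: classify_ipv6}.get(version, lambda _: "unknown")(pkt)

# --- constructed sample packets (addresses and checksums are dummies) ---
def ipv6_hdr(next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + bytes(32) + payload

def ipv4_hdr(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes(4), bytes(4)) + payload

RA_OVER_6IN4 = ipv4_hdr(PROTO_IPV6_IN_IPV4, ipv6_hdr(PROTO_ICMPV6, bytes([ICMPV6_RA, 0, 0, 0])))
NATIVE_RS = ipv6_hdr(PROTO_ICMPV6, bytes([ICMPV6_RS, 0, 0, 0]))
TEREDO = ipv4_hdr(PROTO_UDP, struct.pack("!HHHH", 40000, TEREDO_PORT, 8, 0))
```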
