Preventing Windoze Servers IPv6 Stack From Coming Up Behind FWSM
We recently noticed that a sysadmin brought up a Server 2008 box behind one of our firewalls and was able to RDP to the box though we have rules explicity blocking RDP.
Further investigation discovered that the connection was through protocol 41 (ipv6) and that the sysadmin's desktop was Windoze 7 and both it and the 2008 box had their ipv6 stack enabled against our best practices.
Our network is (sort of) ipv6 enabled but there still is no addressing plan nor do I have the near term cycles to translate all my firewall rules from v4 to v6.
It appears that the server got a valid v6 address through stateless autoconfig even though v6 is not enabled on the FWSM it appears to be allowing the Router Solicitations (RS) out and the Router Advertizements (RA) back in which allows the box to autoconfig.
How can I prevent misconfigured systems in the future from getting autoconfig addresses. My understanding is even if the autoconfig fails and it fails back to a link local address it still may be able to use a Teredo tunnel.
We have blocked protocol 41 explicity on all the interfaces which will drop a lot of the tunneling (back home to Redmond) but we want to ensure that autoconfig fails so the box just gives up on preffing v6 or tunneled interfaces and fails down to v4. We have observed with a half baked v6 connection the clients have to wait for v6 attempts to time out resulting in complaints that the network or server is slow.
Yes, I know - spank the sysadmin and get them to follow process is one solution as is enabling v6 of the FWSM then dropping all the traffic but I'm looking for a stopgap.
"ipv6 nd suppress" on the cat6500 "outside" vlan does not work as the IOS we are running does not support the "all" keyword so RAs are dropped but those in response to a RS aren't.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :