IOS firewall and IPv6 rd tunnel

jdo000001
Level 1

Does anyone have any experience with configuring IOS firewall with tunnel interfaces?

Have router with version 15.4(3)M and a 6rd tunnel configured, and IPv6 is working fine when I remove the interfaces from the security zones.

How does one correctly define the zone pair to let this traffic through from inside to the 6rd tunnel interface and further out?

Have tried placing tunnel in inside zone, outside zone, defining zone pairs from inside to tunnel, from tunnel to outside and nothing seems to let this through :)

What am I missing here, does it go through the self zone somehow or does IOS firewall simply not work when you use IPv6 tunneling?

ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel6

!
interface Tunnel6
 no ip address
 no ip redirects
 zone-member security ipv6-zone
 ipv6 enable
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip 6rd
 tunnel 6rd prefix xxxx:yyyy::/30
 tunnel 6rd br z.z.z.z
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id GigabitEthernet0/0
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Inside$FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 duplex auto
 speed auto
 ipv6 address DELEGATED_PREFIX ::/64 eui-64
!

policy-map type inspect IN_to_IPv6out
 class type inspect inside_ipv6
  pass
 class class-default
  drop

zone-pair security inside_ipv6outpair source in-zone destination ipv6-zone
 service-policy type inspect IN_to_IPv6out

!

policy-map type inspect In_to_outside_policy
 class type inspect in_to_outside
  inspect 
 class class-default
  drop

zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect In_to_outside_policy

1 Reply
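As an added illustration (not part of the post), a small Python check over the zone-related lines of the configuration above. It lists every ordered pair of zones that has no zone-pair, and flags pairs whose policy-map only uses pass, because pass keeps no session state and return traffic then needs a zone-pair in the opposite direction. The config excerpt is constructed from the post with the class-default lines omitted.

```python
import re
from collections import defaultdict
from itertools import permutations

# Zone-related lines constructed from the configuration in the post above (class-default lines omitted).
OP_CONFIG = """\
interface Tunnel6
 zone-member security ipv6-zone
interface GigabitEthernet0/0
 zone-member security out-zone
interface GigabitEthernet0/1
 zone-member security in-zone
policy-map type inspect IN_to_IPv6out
 class type inspect inside_ipv6
  pass
zone-pair security inside_ipv6outpair source in-zone destination ipv6-zone
 service-policy type inspect IN_to_IPv6out
policy-map type inspect In_to_outside_policy
 class type inspect in_to_outside
  inspect
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect In_to_outside_policy
"""

def parse_zbf(cfg):
    """Return (zones with members, {(src, dst): policy-map}, {policy-map: set of class actions})."""
    zones, pairs, actions, ctx = set(), {}, defaultdict(set), None
    for line in cfg.splitlines():
        if m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            ctx = ("pair", (m[1], m[2]))
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            ctx = ("pmap", m[1])
        elif m := re.match(r" zone-member security (\S+)", line):
            zones.add(m[1])
        elif (m := re.match(r" service-policy type inspect (\S+)", line)) and ctx and ctx[0] == "pair":
            pairs[ctx[1]] = m[1]
        elif ctx and ctx[0] == "pmap" and re.match(r"  (pass|inspect|drop)\b", line):
            actions[ctx[1]].add(line.split()[0])  # action configured under a class of this policy-map
    return zones, pairs, actions

def zbf_findings(cfg):
    """Missing zone-pairs drop that direction; a pass-only policy keeps no state, so replies need the reverse pair."""
    zones, pairs, actions = parse_zbf(cfg)
    out = []
    for src, dst in permutations(sorted(zones), 2):
        if (src, dst) not in pairs:
            out.append(f"no zone-pair {src}->{dst}: that direction is dropped")
        elif "inspect" not in actions[pairs[(src, dst)]] and (dst, src) not in pairs:
            out.append(f"{src}->{dst} only passes: add a reverse zone-pair {dst}->{src} for replies")
    return out
```

Run against the excerpt it reports the missing ipv6-zone to in-zone pairing, which is exactly why the IPv6 replies coming back through Tunnel6 never reach the LAN.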

Marc Luethi
Level 1

Hi!

If you want to run the tunnel in its own zone, you'll need to cover multiple zone pairings:

in_zone to ipv6_zone
in_zone to out_zone

out_zone to.. (?)   hmm..what exactly.. "self" (?). one might need to allow protocol 41 here for the 6RD tunnel...
out_zone to in_zone for your exposed hosts (if any)
ipv6_zone to in_zone  (for your IPv6 host to be reachable)

I never bothered having a "self" or an "ipv6" zone. The tunnel is to be considered "outside", and both fast4 and tunnel6 are members of Z_OUTSIDE. 
Hence my zone pairings only need to cover Z-INSIDE to Z-OUTSIDE and Z-OUTSIDE to Z-INSIDE.

I successfully run 6rd on an 881 with this config (the sections are not quite in the order they'll appear in the config file).

Setting up the zones

zone security Z-OUTSIDE
 description * the outside world *
zone security Z-INSIDE
 description * the inside network *

Pairing the zones using a "policy map type inspect" each

zone-pair security ZP-INSIDE-TO-OUTSIDE source Z-INSIDE destination Z-OUTSIDE
 service-policy type inspect PMAP-OUTBOUND-TRAFFIC

zone-pair security ZP-OUTSIDE-TO-INSIDE source Z-OUTSIDE destination Z-INSIDE
 service-policy type inspect PMAP-INBOUND-TRAFFIC

The policy-map for OUTBOUND traffic.

Some traffic I want to inspect specifically (like ftp or so), therefore it has its own class-map, the rest is considered "standard" traffic.

policy-map type inspect PMAP-OUTBOUND-TRAFFIC
 class type inspect CMAP-OUT-INSPECT-TRAFFIC
  inspect 
 class type inspect CMAP-OUT-STANDARD-TRAFFIC
  inspect 
 class class-default
  drop log

The class-maps used for OUTBOUND traffic and their access-lists (note: CMAP-OUT-INSPECT-TRAFFIC relies on NBAR, not on an ACL)

class-map type inspect match-any CMAP-OUT-INSPECT-TRAFFIC
 match protocol ftp
 match protocol sip
 match protocol sip-tls
 match protocol ipsec-msft
 match protocol isakmp

class-map type inspect match-any CMAP-OUT-STANDARD-TRAFFIC
 match access-group name ACLv4-STANDARD-TRAFFIC
 match access-group name ACLv6-STANDARD-TRAFFIC

ip access-list extended ACLv4-STANDARD-TRAFFIC
 permit tcp any any
 permit udp any any
 permit icmp any any

ipv6 access-list ACLv6-STANDARD-TRAFFIC
 permit tcp any any
 permit udp any any
 permit icmp any any

The policy-map for INBOUND traffic. Some needs to be "passed" (like ICMP Unreachables, Traceroute replies etc), some I want to be inspected, hence there are two class-maps

policy-map type inspect PMAP-INBOUND-TRAFFIC
 class type inspect CMAP-IN-TRACE-TRAFFIC
  pass
 class type inspect CMAP-IN-INSPECT-TRAFFIC
  inspect 
 class class-default
  drop log

The Class-Maps used in the above Policy-Maps for INBOUND traffic, and their access-lists

class-map type inspect match-any CMAP-IN-TRACE-TRAFFIC
 match access-group name ACLv4-ICMP-UNREACH
 match access-group name ACLv6-ICMP-UNREACH

ip access-list extended ACLv4-ICMP-UNREACH
 permit icmp any any time-exceeded
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 permit icmp any any administratively-prohibited
 permit icmp any any packet-too-big
ipv6 access-list ACLv6-ICMP-UNREACH
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big

class-map type inspect match-any CMAP-IN-INSPECT-TRAFFIC
 match access-group name ACLv4-INBOUND-TRAFFIC
 match access-group name ACLv6-INBOUND-TRAFFIC

ip access-list extended ACLv4-INBOUND-TRAFFIC
 permit tcp any host <inside IP address> eq 22
 permit tcp any host <inside IP address> eq 443
 permit udp any host <inside IP address> eq 1194

ipv6 access-list ACLv6-INBOUND-TRAFFIC
 sequence 30 permit tcp any host <inside public IPv6 address> eq 22
 permit icmp any host <inside public IPv6 address> echo-request

Some general/global bits:

ipv6 general-prefix GPFX-6RD-MYISP 6rd Tunnel6
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool DHCP-INSIDEv6
 domain-name mylocaldomain.tld

The bits for IPv4 NAT, with three inbound port forwardings and a route-map & ACL to define what is eligible for being overload-NATted to the outside world.

ip nat inside source static tcp <inside ip> 443 interface FastEthernet4 443
ip nat inside source static tcp <inside ip> 22 interface FastEthernet4 22
ip nat inside source static udp <inside ip> 1194 interface FastEthernet4 1194
ip nat inside source route-map RMAP-NAT-TO-OUTSIDE interface FastEthernet4 overload

route-map RMAP-NAT-TO-OUTSIDE permit 10
 match ip address ACLv4-NAT-TO-OUTSIDE
 set interface FastEthernet4

ip access-list extended ACLv4-NAT-TO-OUTSIDE
 permit ip <inside range> any

The routing bits:

ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
ipv6 route ::/0 Tunnel6 <MyISPs6RDPrefix><6rd-BR-IPv4-Addr-as-Hex>::

An inside Interface (I'm using subnet ...1::/64 from the /60 assigned)

interface VlanXX
 ip address 172.xx.yy.1 255.255.254.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security Z-INSIDE
 ipv6 address GPFX-6RD-MYISP ::1:0:0:0:1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server DHCP-INSIDEv6

The IPv4 outside interface

interface FastEthernet4
 ip address dhcp
 no ip proxy-arp
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 zone-member security Z-OUTSIDE

The 6RD Tunnel outside interface. Make sure you get the ipv6 mtu and tcp adjust-mss bit. I've already come across broken PMTUd on upstream IPv6 networks :-(

interface Tunnel6
 description * MYISP 6RD Tunnel *
 no ip address
 no ip redirects
 zone-member security Z-OUTSIDE
 ipv6 enable
 ipv6 mtu 1480
 ipv6 tcp adjust-mss 1400
 tunnel source FastEthernet4
 tunnel mode ipv6ip 6rd
 tunnel 6rd prefix <MyISPs6RDPrefix> /xx
 tunnel 6rd br <6RD BR IPv4 Address in dotted decimal>

I think that's about it. Hope it helps

cheers

Marc

Suggestion from experience: For naming ACL, policy maps, class map etc., use ALL CAPS and a prefix like "ACLv4-.." "CMAP-..." "PMAP-....", "Z-...", and don't be afraid to use long names instead of crptc.shrtcts. It helps to understand which config bit uses which other config bit - and where to look for it. Yes, typing show commands will bring more keyboard wear and tear afterwards, but I value config readability higher than a few seconds of more typing. The config above might not be quite perfect in this aspect, I must admit.
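An added Python illustration (not from the reply) of how the 6rd addresses in the config above fit together: the delegated prefix that "ipv6 general-prefix ... 6rd Tunnel6" derives from the 6rd prefix and the WAN IPv4 address (RFC 5969), the full inside address that "GPFX-6RD-MYISP ::1:0:0:0:1/64" expands to, and the BR next hop spelled out in the "ipv6 route ::/0" line. The /28 prefix and all addresses are constructed; a /28 6rd prefix with IPv4MaskLen 0 gives the /60 mentioned above, while the original poster's /30 gives a /62 with only four /64 subnets.

```python
import ipaddress

def sixrd_delegated_prefix(sixrd_prefix, ipv4_mask_len, ce_ipv4):
    """RFC 5969: delegated prefix = 6rd prefix || (CE IPv4 address with its first
    ipv4_mask_len bits removed, since those are common to the whole 6rd domain)."""
    net = ipaddress.IPv6Network(sixrd_prefix)
    v4_bits = 32 - ipv4_mask_len
    suffix = int(ipaddress.IPv4Address(ce_ipv4)) & ((1 << v4_bits) - 1)
    plen = net.prefixlen + v4_bits
    addr = int(net.network_address) | (suffix << (128 - plen))
    return ipaddress.IPv6Network((addr, plen))

def sixrd_br_address(sixrd_prefix, ipv4_mask_len, br_ipv4):
    """The BR's IPv6 address is the same construction applied to the BR's IPv4 address,
    which is what the 'ipv6 route ::/0 Tunnel6 <prefix><BR-as-hex>::' next hop spells out."""
    return sixrd_delegated_prefix(sixrd_prefix, ipv4_mask_len, br_ipv4).network_address

def general_prefix_address(delegated, short_form):
    """Expand an 'ipv6 address <general-prefix> ::1:0:0:0:1/64' style address to its full form."""
    return ipaddress.IPv6Address(int(delegated.network_address) | int(ipaddress.IPv6Address(short_form)))

# Constructed example values: a hypothetical /28 6rd prefix around the documentation range,
# IPv4MaskLen 0 and TEST-NET addresses, chosen so the CE receives a /60 as in the reply above.
ISP_6RD_PREFIX, IPV4_MASK_LEN = "2001:db0::/28", 0
CE_WAN_IPV4, BR_IPV4 = "192.0.2.33", "198.51.100.1"

if __name__ == "__main__":
    delegated = sixrd_delegated_prefix(ISP_6RD_PREFIX, IPV4_MASK_LEN, CE_WAN_IPV4)
    print("delegated prefix :", delegated)                                         # 2001:dbc:0:2210::/60
    print("inside interface :", general_prefix_address(delegated, "::1:0:0:0:1"))  # 2001:dbc:0:2211::1
    print("BR next hop      :", sixrd_br_address(ISP_6RD_PREFIX, IPV4_MASK_LEN, BR_IPV4))  # 2001:dbc:6336:4010::
    print("/64 subnets      :", 2 ** (64 - delegated.prefixlen))                  # 16
```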