Does anyone have any experience with configuring IOS firewall with tunnel interfaces?
Have a router with version 15.4(3)M and a 6rd tunnel configured, and IPv6 is working fine when I remove the interfaces from the security zones.
How does one correctly define the zone pair to let this traffic through from inside to the 6rd tunnel interface and further out?
Have tried placing tunnel in inside zone, outside zone, defining zone pairs from inside to tunnel, from tunnel to outside and nothing seems to let this through :)
What am I missing here, does it go through the self zone somehow or does IOS firewall simply not work when you use IPv6 tunneling?
ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel6
!
interface Tunnel6
 no ip address
 no ip redirects
 zone-member security ipv6-zone
 ipv6 enable
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip 6rd
 tunnel 6rd prefix xxxx:yyyy::/30
 tunnel 6rd br z.z.z.z
!
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id GigabitEthernet0/0
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description Inside$FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 duplex auto
 speed auto
 ipv6 address DELEGATED_PREFIX ::/64 eui-64
!
policy-map type inspect IN_to_IPv6out
 class type inspect inside_ipv6
  pass
 class class-default
  drop
If you want to run the tunnel in its own zone, you'll need to cover multiple zone pairings:
in_zone to ipv6_zone
in_zone to out_zone
out_zone to.. (?) hmm.. what exactly.. "self" (?). One might need to allow protocol 41 here for the 6RD tunnel...
out_zone to in_zone for your exposed hosts (if any)
ipv6_zone to in_zone (for your IPv6 host to be reachable)
I never bothered having a "self" or an "ipv6" zone. The tunnel is to be considered "outside", and both fast4 and tunnel6 are members of Z-OUTSIDE. Hence my zone pairings only need to cover Z-INSIDE to Z-OUTSIDE and Z-OUTSIDE to Z-INSIDE.
I successfully run 6rd on an 881 with this config (the sections are not quite in the order they'll appear in the config file).
Setting up the zones
zone security Z-OUTSIDE
 description * the outside world *
zone security Z-INSIDE
 description * the inside network *
Pairing the zones using a "policy map type inspect" each
Some traffic I want to inspect specifically (like ftp or so), therefore it has its own class-map, the rest is considered "standard" traffic.
policy-map type inspect PMAP-OUTBOUND-TRAFFIC
 class type inspect CMAP-OUT-INSPECT-TRAFFIC
  inspect
 class type inspect CMAP-OUT-STANDARD-TRAFFIC
  inspect
 class class-default
  drop log
The class-maps used for OUTBOUND traffic and their access-lists (note: CMAP-OUT-INSPECT-TRAFFIC relies on NBAR, not on an ACL)
class-map type inspect match-any CMAP-OUT-INSPECT-TRAFFIC
 match protocol ftp
 match protocol sip
 match protocol sip-tls
 match protocol ipsec-msft
 match protocol isakmp

class-map type inspect match-any CMAP-OUT-STANDARD-TRAFFIC
 match access-group name ACLv4-STANDARD-TRAFFIC
 match access-group name ACLv6-STANDARD-TRAFFIC

ip access-list extended ACLv4-STANDARD-TRAFFIC
 permit tcp any any
 permit udp any any
 permit icmp any any

ipv6 access-list ACLv6-STANDARD-TRAFFIC
 permit tcp any any
 permit udp any any
 permit icmp any any
The policy-map for INBOUND traffic. Some needs to be "passed" (like ICMP Unreachables, Traceroute replies etc.), some I want to be inspected, hence there are two class-maps.
policy-map type inspect PMAP-INBOUND-TRAFFIC
 class type inspect CMAP-IN-TRACE-TRAFFIC
  pass
 class type inspect CMAP-IN-INSPECT-TRAFFIC
  inspect
 class class-default
  drop log
The Class-Maps used in the above Policy-Maps for INBOUND traffic, and their access-lists
class-map type inspect match-any CMAP-IN-TRACE-TRAFFIC
 match access-group name ACLv4-ICMP-UNREACH
 match access-group name ACLv6-ICMP-UNREACH

ip access-list extended ACLv4-ICMP-UNREACH
 permit icmp any any time-exceeded
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 permit icmp any any administratively-prohibited
 permit icmp any any packet-too-big

ipv6 access-list ACLv6-ICMP-UNREACH
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big

class-map type inspect match-any CMAP-IN-INSPECT-TRAFFIC
 match access-group name ACLv4-INBOUND-TRAFFIC
 match access-group name ACLv6-INBOUND-TRAFFIC

ip access-list extended ACLv4-INBOUND-TRAFFIC
 permit tcp any host <inside IP address> eq 22
 permit tcp any host <inside IP address> eq 443
 permit udp any host <inside IP address> eq 1194

ipv6 access-list ACLv6-INBOUND-TRAFFIC
 sequence 30 permit tcp any host <inside public IPV6 address> eq 22
 permit icmp any host <inside public IPV6 address> echo-request
An inside interface (I'm using subnet ...1::/64 from the /60 assigned)
interface VlanXX
 ip address 172.xx.yy.1 255.255.254.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security Z-INSIDE
 ipv6 address GPFX-6RD-MYISP ::1:0:0:0:1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server DHCP-INSIDEv6
The IPv4 outside interface
interface FastEthernet4
 ip address dhcp
 no ip proxy-arp
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 zone-member security Z-OUTSIDE
The 6RD Tunnel outside interface. Make sure you get the ipv6 mtu and tcp adjust-mss bit. I've already come across broken PMTUd on upstream IPv6 networks :-(
interface Tunnel6
 description * MYISP 6RD Tunnel *
 no ip address
 no ip redirects
 zone-member security Z-OUTSIDE
 ipv6 enable
 ipv6 mtu 1480
 ipv6 tcp adjust-mss 1400
 tunnel source FastEthernet4
 tunnel mode ipv6ip 6rd
 tunnel 6rd prefix <MyISPs6RDPrefix> /xx
 tunnel 6rd br <6RD BR IPv4 Address in dotted decimal>
I think that's about it. Hope it helps.
Suggestion from experience: For naming ACLs, policy maps, class maps etc., use ALL CAPS and a prefix like "ACLv4-..", "CMAP-...", "PMAP-....", "Z-...", and don't be afraid to use long names instead of crptc.shrtcts. It helps to understand which config bit uses which other config bit - and where to look for it. Yes, typing show commands will bring more keyboard wear and tear afterwards, but I value config readability higher than a few seconds of more typing. The config above might not be quite perfect in this aspect, I must admit.
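The two replies above differ only in where the tunnel interface lives: in its own zone (so every zone-to-zone direction that traffic can take needs a zone-pair) or in the existing outside zone (so two zone-pairs suffice). The checker below is an added example, not configuration from either poster; it parses the `zone security`, `zone-member security` and `zone-pair security ... source ... destination ...` lines of an IOS config and lists the zone directions that have no zone-pair, which is exactly where a new connection is dropped by the zone-based firewall. The two embedded configs are constructed: one is modelled on the question (tunnel in ipv6-zone, zone-pairs only from in-zone), the other on the answer (tunnel in Z-OUTSIDE); their zone-pair names and service-policy names are assumptions.

```python
"""Zone-pair coverage check for a Cisco IOS zone-based firewall config.

Reads only the lines that decide zone membership and zone pairing and
reports which ordered zone directions have no zone-pair. In ZBF, traffic
between interfaces of the same zone is allowed, traffic between different
zones needs a zone-pair (otherwise it is dropped), and an interface in no
zone cannot exchange traffic with any zoned interface.
"""
import re
from itertools import permutations

ZONE_RE = re.compile(r"^zone security (\S+)")
IFACE_RE = re.compile(r"^interface (\S+)")
MEMBER_RE = re.compile(r"^\s+zone-member security (\S+)")
PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)")


def parse_zone_config(text):
    """Return {'zones': set, 'members': {iface: zone}, 'pairs': {(src, dst): name}}."""
    zones, members, pairs = set(), {}, {}
    iface = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if not line[0].isspace():  # top-level command: starts a new block
            iface = None
            if m := ZONE_RE.match(line):
                zones.add(m.group(1))
            elif m := PAIR_RE.match(line):
                pairs[(m.group(2), m.group(3))] = m.group(1)
            elif m := IFACE_RE.match(line):
                iface = m.group(1)
        elif iface and (m := MEMBER_RE.match(line)):
            members[iface] = m.group(1)
    return {"zones": zones, "members": members, "pairs": pairs}


def missing_zone_pairs(cfg):
    """Ordered (src, dst) zone directions with member interfaces but no zone-pair."""
    used = sorted(set(cfg["members"].values()))
    return sorted((s, d) for s, d in permutations(used, 2) if (s, d) not in cfg["pairs"])


def flow_allowed(cfg, ingress, egress):
    """True if a NEW connection entering on `ingress` may be forwarded out `egress`."""
    src, dst = cfg["members"].get(ingress), cfg["members"].get(egress)
    if src is None or dst is None:
        return src is None and dst is None  # both unzoned: no ZBF involvement
    if src == dst:
        return True  # intra-zone traffic is not subject to zone-pair policy
    return (src, dst) in cfg["pairs"]


# Constructed sample modelled on the question: tunnel in its own zone,
# zone-pairs only from in-zone towards out-zone and ipv6-zone (names assumed).
QUESTION_CFG = """\
zone security in-zone
zone security out-zone
zone security ipv6-zone
interface Tunnel6
 zone-member security ipv6-zone
 tunnel mode ipv6ip 6rd
interface GigabitEthernet0/0
 zone-member security out-zone
interface GigabitEthernet0/1
 zone-member security in-zone
zone-pair security IN_OUT source in-zone destination out-zone
 service-policy type inspect IN_to_OUT
zone-pair security IN_IPv6 source in-zone destination ipv6-zone
 service-policy type inspect IN_to_IPv6out
"""

# Constructed sample modelled on the answer: tunnel shares Z-OUTSIDE with the
# IPv4 WAN port, so only the two inside/outside zone-pairs are needed.
ANSWER_CFG = """\
zone security Z-OUTSIDE
zone security Z-INSIDE
interface Vlan1
 zone-member security Z-INSIDE
interface FastEthernet4
 zone-member security Z-OUTSIDE
interface Tunnel6
 zone-member security Z-OUTSIDE
zone-pair security ZP-OUTBOUND source Z-INSIDE destination Z-OUTSIDE
 service-policy type inspect PMAP-OUTBOUND-TRAFFIC
zone-pair security ZP-INBOUND source Z-OUTSIDE destination Z-INSIDE
 service-policy type inspect PMAP-INBOUND-TRAFFIC
"""

if __name__ == "__main__":
    for name, text in (("question", QUESTION_CFG), ("answer", ANSWER_CFG)):
        cfg = parse_zone_config(text)
        print(f"{name}: zone directions without a zone-pair: {missing_zone_pairs(cfg)}")
        for ingress, egress in permutations(sorted(cfg["members"]), 2):
            print(f"  {ingress} -> {egress}: {'allowed' if flow_allowed(cfg, ingress, egress) else 'dropped'}")
```

For the question-style layout the report lists four uncovered directions, including ipv6-zone to in-zone; that matters because the question's policy uses `pass`, which is stateless, so even the replies to inside-initiated connections need a zone-pair in the reverse direction, whereas `inspect` creates a session and admits the return traffic on its own. For the answer-style layout the list is empty. The encapsulating IPv4 packets of the 6rd tunnel are generated by the router itself and so belong to the self zone, which the firewall permits by default as long as no zone-pair involving self is configured; a self-to-outside zone-pair with a policy that does not cover protocol 41 would be the place to look if the inner IPv6 traffic is allowed but nothing leaves the WAN port.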