Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

IOS firewall and IPv6 rd tunnel

Does anyone have any experience with configuring IOS firewall with tunnel interfaces?

Have router with version 15.4(3)M and a 6 rd tunnel configured, and IPv6 is working fine when I remove the interfaces from the security zones.

How does one correctly define the zone pair to let this traffic through from inside to the 6 rd tunnel interface and further out ??

Have tried placing tunnel in inside zone, outside zone, defining zone pairs from inside to tunnel, from tunnel to outside and nothing seems to let this through :)

What am I missing here, does it go through the self zone somehow or does IOS firewall simply not work when you use IPv6 tunneling?



ipv6 general-prefix DELEGATED_PREFIX 6rd Tunnel6

interface Tunnel6
 no ip address
 no ip redirects
 zone-member security ipv6-zone
 ipv6 enable
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip 6rd
 tunnel 6rd prefix xxxx:yyyy::/30
 tunnel 6rd br z.z.z.z
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address dhcp client-id GigabitEthernet0/0
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
interface GigabitEthernet0/1
 description Inside$FW_INSIDE$$ETH-LAN$
 ip address
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 duplex auto
 speed auto
 ipv6 address DELEGATED_PREFIX ::/64 eui-64

policy-map type inspect IN_to_IPv6out
 class type inspect inside_ipv6
 class class-default

zone-pair security inside_ipv6outpair source in-zone destination ipv6-zone
 service-policy type inspect IN_to_IPv6out


policy-map type inspect In_to_outside_policy
 class type inspect in_to_outside
 class class-default

zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect In_to_outside_policy

  • IPv6 Integration and Transition
New Member

Hi!I succesfully run 6rd on


If you want to run the tunnel in its own zone, you'll need to cover multiple zone pairings:

in_zone to ipv6_zone
in_zone to out_zone

out_zone to.. (?)   hmm..what exactly.. "self" (?). one might need need to allow protocol 41 here for the 6RD tunnel...
out_zone to in_zone for your exposed hosts (if any)
ipv6_zone to in_zone  (for your IPv6 host to be reachable)

I never bothered having a "self" or an "ipv6" zone. The tunnel is to be considered "outside", and both fast4 and tunnel6 are members of Z_OUTSIDE. 
Hence my zone pairings only need to cover Z-INSIDE to Z-OUTSIDE and Z-OUTSIDE to Z-INSIDE. 

I succesfully run 6rd on an 881 with this config (the sections are not quite in the order they'll appear in the config file).


Setting up the zones

zone security Z-OUTSIDE
 description * the outside world *
zone security Z-INSIDE
 description * the inside network *

Pairing the zones using a "policy map type inspect" each

zone-pair security ZP-INSIDE-TO-OUTSIDE source Z-INSIDE destination Z-OUTSIDE
 service-policy type inspect PMAP-OUTBOUND-TRAFFIC

zone-pair security ZP-OUTSIDE-TO-INSIDE source Z-OUTSIDE destination Z-INSIDE
 service-policy type inspect PMAP-INBOUND-TRAFFIC


The policy-map for OUTBOUND traffic.

Some traffic I want to inspect specifically (like ftp or so), therefore it has its own class-map, the rest is considered "standard" traffic.

policy-map type inspect PMAP-OUTBOUND-TRAFFIC
 class type inspect CMAP-OUT-INSPECT-TRAFFIC
 class type inspect CMAP-OUT-STANDARD-TRAFFIC
 class class-default
  drop log

The class-maps used for OUTBOUND traffic and their access-lists (note: CMAP-OUT-INSPECT-TRAFFIC relies on NBAR, not on an ACL)

class-map type inspect match-any CMAP-OUT-INSPECT-TRAFFIC
 match protocol ftp
 match protocol sip
 match protocol sip-tls
 match protocol ipsec-msft
 match protocol isakmp

class-map type inspect match-any CMAP-OUT-STANDARD-TRAFFIC
 match access-group name ACLv4-STANDARD-TRAFFIC
 match access-group name ACLv6-STANDARD-TRAFFIC

ip access-list extended ACLv4-STANDARD-TRAFFIC
 permit tcp any any
 permit udp any any
 permit icmp any any

ipv6 access-list ACLv6-STANDARD-TRAFFIC
 permit tcp any any

 permit udp any any
 permit icmp any any


The policy-map for INBOUND traffic.  Some needs to be "passed" (like ICMP Unreachables, Traceroute replies etc), some I want to be inspected, hence there's two class-maps

policy-map type inspect PMAP-INBOUND-TRAFFIC
 class type inspect CMAP-IN-TRACE-TRAFFIC
 class type inspect CMAP-IN-INSPECT-TRAFFIC
 class class-default
  drop log


The Class-Maps used in the above Policy-Maps for INBOUND traffic, and their access-lists

class-map type inspect match-any CMAP-IN-TRACE-TRAFFIC
 match access-group name ACLv4-ICMP-UNREACH
 match access-group name ACLv6-ICMP-UNREACH

ip access-list extended ACLv4-ICMP-UNREACH
 permit icmp any any time-exceeded
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 permit icmp any any administratively-prohibited
 permit icmp any any packet-too-big
ipv6 access-list ACLv6-ICMP-UNREACH
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big


class-map type inspect match-any CMAP-IN-INSPECT-TRAFFIC
 match access-group name ACLv4-INBOUND-TRAFFIC
 match access-group name ACLv6-INBOUND-TRAFFIC

ip access-list extended ACLv4-INBOUND-TRAFFIC
 permit tcp any host <inside IP address> eq 22
 permit tcp any host <inside IP address> eq 443
 permit udp any host <inside IP address> eq 1194

ipv6 access-list ACLv6-INBOUND-TRAFFIC
 sequence 30 permit tcp any host <inside public IPV6  address> eq 22
 permit icmp any host <inside public IPV6  address> echo-request


Some general/global bits:

ipv6 general-prefix GPFX-6RD-MYISP 6rd Tunnel6
ipv6 unicast-routing
ipv6 cef
ipv6 dhcp pool DHCP-INSIDEv6
 domain-name mylocaldomain.tld


The bits for IPv4 NAT, with three inbound portforwardings and a route-map & ACL to define what is eligible for being overload-NATted to the outside world.

ip nat inside source static tcp <inside ip> 443 interface FastEthernet4 443
ip nat inside source static tcp <inside ip> 22 interface FastEthernet4 22
ip nat inside source static udp <inside ip> 1194 interface FastEthernet4 1194
ip nat inside source route-map RMAP-NAT-TO-OUTSIDE interface FastEthernet4 overload

route-map RMAP-NAT-TO-OUTSIDE permit 10
 match ip address ACLv4-NAT-TO-OUTSIDE
 set interface FastEthernet4

ip access-list extended ACLv4-NAT-TO-OUTSIDE
 permit ip <inside range> any


The routing bits:

ip route FastEthernet4 dhcp
ipv6 route ::/0 Tunnel6 <MyISPs6RDPrefix><6rd-BR-IPv4-Addr-as-Hex>::


An inside Interface (I'm using subnet ...1::/64 from the /60 assigned)

interface VlanXX
 ip address 172.xx.yy.1
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 zone-member security Z-INSIDE
 ipv6 address
GPFX-6RD-MYISP ::1:0:0:0:1/64
 ipv6 enable
 ipv6 nd other-config-flag
 ipv6 dhcp server DHCP-INSIDEv6


The IPv4 outside interface 

interface FastEthernet4
 ip address dhcp
 no ip proxy-arp
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 zone-member security Z-OUTSIDE



The 6RD Tunnel outside interface. Make sure you get the ipv6 mtu and tcp adjust-mss bit. I've already come across broken PMTUd on upstream IPv6 networks :-(

interface Tunnel6
 description * MYISP 6RD Tunnel *
 no ip address
 no ip redirects
 zone-member security Z-OUTSIDE
 ipv6 enable
 ipv6 mtu 1480
 ipv6 tcp adjust-mss 1400
 tunnel source FastEthernet4
 tunnel mode ipv6ip 6rd
 tunnel 6rd prefix <MyISPs6RDPrefix> /xx
 tunnel 6rd br <6RD BR IPv4 Address in dotted decimal>


I think that's about it. Hope it helps






Suggestion from experience: For naming ACL, policy maps, class map etc., use ALL CAPS and a prefix like "ACLv4-.." "CMAP-..." "PMAP-....", "Z-...", and don't be afraid to use long names instead of crptc.shrtcts . It helps to understand which config bit uses which other config bit - and where to look for it. Yes, typing show commands will bring more keyboard wear and tear afterwards, but I value config readability higher than a few seconds of more typing. The config above might not quite perfect in this aspect, I must admit.