Hello,
i have a problem regarding an IPv6 ACL on a Cisco 2801. I run IOS Version 12.4(15)T3 Advanced IP Services. You will find below, what I put in my configuration.
My problem is that the outbound acl never matches anything. For example my tunnel broker pings the tunnel endpoint every 30 minutes i can see the echo requests in TU0-INBOUND. If i ping something i see the replies in TU0-INBOUND. But the match counters of TU0-OUTBOUND remain zero.
If i make a telnet like this 'telnet ipv6.google.com 80' i get '% Connection timed out; remote host not responding'. I would expect a match in line 3 of TU0-OUTBOUND and the router should create the temporary acl REFLECTOUT. But all what matches is the implicit deny of TU0-INBOUND causing the above time out. :-(
What am i missing here is it a bug or is there an error in my configuration?
Carsten
interface Tunnel0
description IPv6 uplink to SixXS
no ip address
ipv6 address 2A01:aaa:bbb:cc::d/64
ipv6 enable
ipv6 traffic-filter TU0-INBOUND in
ipv6 traffic-filter TU0-OUTBOUND out
tunnel source Dialer0
tunnel destination a.b.c.d
tunnel mode ipv6ip
!
ipv6 access-list TU0-INBOUND
permit icmp any host 2A01:aaa:bbb:cc::d echo-request
permit icmp any host 2A01:aaa:bbb:cc::d echo-reply
evaluate REFLECTOUT
deny ipv6 any any log-input
!
ipv6 access-list TU0-OUTBOUND
permit icmp host 2A01:aaa:bbb:cc::d any echo-reply
permit icmp host 2A01:aaa:bbb:cc::d any echo-request
permit tcp any any reflect REFLECTOUT
permit udp any any reflect REFLECTOUT
deny ipv6 any any log-input