Cisco 1921 Zone Based Firewall blocking IPv6 ICMP and TCP

I have a Cisco 1921 router running zone-based firewall.  When the inside interface does not have a zone associated, IPv6 pings to ipv6.google.com go through fine, as well as IPv6 HTTP traffic.  When I associate the inside interface with the inside-zone zone, the pings and HTTP traffic are dropped.  In the inside-zone to outside-zone and reciprocal zone-pair security policies, I pass traffic matching the AnyIP class-map.  In this map I match tcp, udp, icmp, as well as an IPv6 ACL.  In this ACL I permit any ipv6 and icmp.

What am I doing wrong?  Why is IPv6 traffic being blocked as soon as I associate the inside interface with the in-zone?  (IPv4 traffic is fully allowed.)  Any suggestions would be greatly appreciated.

class-map type inspect match-any AnyIP
 match protocol tcp
 match protocol udp
 match protocol icmp
 match access-group name AnyIPv6
ipv6 access-list AnyIPv6
 permit ipv6 any any
 permit icmp any any
!
policy-map type inspect ccp-policy-AnyIP2
 class type inspect AnyIP
  pass
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect AnyIP
  pass
 class class-default
  pass
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-policy-AnyIP2
! 
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address --OUTSIDE IPv4--
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1.1
 description $FW_INSIDE$$ETH-LAN$
 encapsulation dot1Q 1 native
 ip address --INTERNAL IPv4--
 zone-member security in-zone
 ipv6 address --INTERNAL IPv6--
 ipv6 enable
 ipv6 mtu 1472
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
!

Asked by: Robert Davis

gheistCommented:
ipv6 does not use ICMP but uses ICMPv6
Robert DavisAuthor Commented:
gheist.  That is correct, IPv6 does use ICMPv6.  So what's your point?  ICMP under an IPv6 ACL is ICMPv6...

Cisco1921(config-ipv6-acl)#permit ?
  <0-255>             An IPv6 protocol number
  X:X:X:X::X/<0-128>  IPv6 source prefix x:x::y/<z>
  ahp                 Authentication Header Protocol
  any                 Any source prefix
  esp                 Encapsulation Security Payload
  hbh                 Hop by Hop options header
  host                A single source host
  icmp                Internet Control Message Protocol
  ipv6                Any IPv6
  pcp                 Payload Compression Protocol
  sctp                Streams Control Transmission Protocol
  tcp                 Transmission Control Protocol
  udp                 User Datagram Protocol

gheistCommented:
OK
Linux /etc/protocols
icmp    1       ICMP            # internet control message protocol
igmp    2       IGMP            # internet group management protocol
tcp     6       TCP             # transmission control protocol
udp     17      UDP             # user datagram protocol
ipv6    41      IPv6            # IPv6
ipv6-route      43      IPv6-Route      # Routing Header for IPv6
ipv6-frag       44      IPv6-Frag       # Fragment Header for IPv6
ipv6-icmp       58      IPv6-ICMP       # ICMP for IPv6
ipv6-nonxt      59      IPv6-NoNxt      # No Next Header for IPv6
ipv6-opts       60      IPv6-Opts       # Destination Options for IPv6
Robert DavisAuthor Commented:
So again, IPv4 and IPv6 ICMP are very different, since IPv6 relies heavily on ICMPv6.  We got it; now in regards to Cisco ACLs, my ACL is allowing IPv6 TCP and IPv6 ICMPv6 and yet both are blocked.  So unless you have something helpful to contribute, I really don't understand your one-sentence responses.
gheistCommented:
Can you raise the debug level to see if packets really arrive on the right interfaces etc.? It seems really strange that it does not pass.
Robert DavisAuthor Commented:
gheist,
No drop or pass events show up in the log; I have logging enabled for both the pass and implicit deny (just changed the implicit to deny for debugging).  Implicit allow also blocks the IPv6 traffic.  And yet, when I remove the inside interface from the inside-zone, traffic passes through freely, so something to do with the ZBF is dropping the IPv6 traffic, but the rules aren't being triggered and, as far as I can tell, with an implicit allow it shouldn't be blocking anyway.

Really has me stumped, may have to open a TAC

Best,
Robert

P.S. only thing showing up in the log is this:
*Sep  3 18:48:38.687: %FW-6-DROP_PKT: Dropping udp session 169.254.31.222:137 169.254.255.255:137 on zone-pair ccp-zp-in-out class class-default due to  DROP action found in policy-map with ip ident 0 

Robert DavisAuthor Commented:
Aha! Bam, I apologize for not including our tunnel in the original config.  None of the tunnel tutorials I followed included this.  The firewall was indeed dropping the traffic, but not due to any particular rule, so it didn't show up in the log.  The problem was that the Tunnel was not part of the outside zone, so there was no rule applied to it in general.  So when traffic passed from a zone-member to a non-zone member, the traffic was dropped.

Cisco1921(config)#int Tunnel 0
Cisco1921-EC(config-if)#zone-member security out-zone 
Cisco1921-EC(config-if)#
*Sep  3 18:54:49.107: %FW-6-PASS_PKT: (target:class)-(ccp-zp-out-self:AnyIP) Passing udp pkt 173.8.181.13:49427 => IPv4.Tunnel.IP.Add:443 with ip ident 0 

Robert DavisAuthor Commented:
IPv6 Tunnel virtual interfaces must be a member of a zone-pair policy.
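The root cause above (an unzoned Tunnel interface silently dropping traffic to and from zone members) is easy to miss in a config review. The following is an added example, not code from the thread or from Cisco: a small audit that parses an IOS running-config and lists interfaces that carry traffic but belong to no zone while zone-pairs are configured. The sample config is constructed, modelled on the thread's zones and interfaces plus a Tunnel0 whose exact lines the page does not show.

```python
import re

# Constructed sample: the thread's zones/interfaces plus the unzoned Tunnel0
# the asker later found (its exact lines are not on the page).
SAMPLE_CONFIG = """\
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
!
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 zone-member security out-zone
!
interface GigabitEthernet0/1.1
 ipv6 address 2001:db8::1/64
 zone-member security in-zone
!
interface Tunnel0
 ipv6 address 2001:db8:ffff::2/64
 tunnel source GigabitEthernet0/0
 tunnel mode ipv6ip
!
"""

def parse_interfaces(config):
    """Return {name: [sub-lines]} for every 'interface' block."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None          # '!' or any other top-level command ends the block
    return interfaces

def find_unzoned_interfaces(config):
    """Names of traffic-carrying interfaces with no zone-member while ZBF is active.
    Traffic between a zone member and a non-member is dropped without a log line."""
    if not re.search(r"^zone-pair security ", config, re.M):
        return []                   # no zone-pairs: ZBF is not enforcing anything
    findings = []
    for name, lines in parse_interfaces(config).items():
        zoned = any(l.startswith("zone-member security ") for l in lines)
        carries = any(l.startswith(("ip address ", "ipv6 address ", "ipv6 enable", "tunnel "))
                      for l in lines)
        if carries and not zoned:
            findings.append(name)
    return findings
```

Run it against `show running-config` output; every name it returns needs a `zone-member security` line (or a deliberate decision to leave it outside the firewall).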