Cisco 1921 Zone Based Firewall blocking IPv6 ICMP and TCP

I have a Cisco 1921 router running zone-based firewall.  When the inside interface does not have a zone associated, IPv6 pings go through fine, as well as IPv6 HTTP traffic.  When I associate the inside interface with the inside-zone zone, the pings and HTTP traffic are dropped.  In the inside-zone to outside-zone and reciprocal zone-pair security policies, I pass traffic matching the AnyIP class-map.  In this map I match tcp, udp, icmp, as well as an ipv6 ACL.  In this ACL I permit any ipv6 and icmp.

What am I doing wrong?  Why is IPv6 traffic being blocked as soon as I associate the inside interface with the in-zone?  (IPv4 traffic is fully allowed.)  Any suggestions would be greatly appreciated.

class-map type inspect match-any AnyIP
 match protocol tcp
 match protocol udp
 match protocol icmp
 match access-group name AnyIPv6
ipv6 access-list AnyIPv6
 permit ipv6 any any
 permit icmp any any
policy-map type inspect ccp-policy-AnyIP2
 class type inspect AnyIP
 class class-default
policy-map type inspect ccp-inspect
 class type inspect AnyIP
 class class-default
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-policy-AnyIP2
interface GigabitEthernet0/0
 description $FW_OUTSIDE$$ETH-WAN$
 ip address --OUTSIDE IPv4--
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 no mop enabled
interface GigabitEthernet0/1.1
 description $FW_INSIDE$$ETH-LAN$
 encapsulation dot1Q 1 native
 ip address --INTERNAL IPv4--
 zone-member security in-zone
 ipv6 address --INTERNAL IPv6--
 ipv6 enable
 ipv6 mtu 1472
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag


Asked by Robert Davis

IPv6 does not use ICMP but uses ICMPv6.
Robert Davis (Author) commented:
gheist.  That is correct, IPv6 does use ICMPv6.  So what's your point?  ICMP under an IPv6 ACL is ICMPv6...

Cisco1921(config-ipv6-acl)#permit ?
  <0-255>             An IPv6 protocol number
  X:X:X:X::X/<0-128>  IPv6 source prefix x:x::y/<z>
  ahp                 Authentication Header Protocol
  any                 Any source prefix
  esp                 Encapsulation Security Payload
  hbh                 Hop by Hop options header
  host                A single source host
  icmp                Internet Control Message Protocol
  ipv6                Any IPv6
  pcp                 Payload Compression Protocol
  sctp                Streams Control Transmission Protocol
  tcp                 Transmission Control Protocol
  udp                 User Datagram Protocol


Linux /etc/protocols
icmp    1       ICMP            # internet control message protocol
igmp    2       IGMP            # internet group management protocol
tcp     6       TCP             # transmission control protocol
udp     17      UDP             # user datagram protocol
ipv6    41      IPv6            # IPv6
ipv6-route      43      IPv6-Route      # Routing Header for IPv6
ipv6-frag       44      IPv6-Frag       # Fragment Header for IPv6
ipv6-icmp       58      IPv6-ICMP       # ICMP for IPv6
ipv6-nonxt      59      IPv6-NoNxt      # No Next Header for IPv6
ipv6-opts       60      IPv6-Opts       # Destination Options for IPv6

Robert Davis (Author) commented:
So again, IPv4 and IPv6 ICMP are very different, since IPv6 relies heavily on ICMPv6.  We got it. Now, in regard to Cisco ACLs, my ACL is allowing IPv6 TCP and IPv6 ICMPv6 and yet both are blocked.  So unless you have something helpful to contribute, I really don't understand your one-sentence responses.
Can you raise the debug level to see if packets really arrive on the right interfaces, etc.? It seems really strange that it does not pass.
Robert Davis (Author) commented:
No drop or pass events show up in the log. I have logging enabled for both the pass and implicit deny (just changed the implicit to deny for debugging).  Implicit allow also blocks the IPv6 traffic.  And yet, when I remove the inside interface from the inside-zone, traffic passes through freely, so something to do with the ZBF is dropping the IPv6 traffic, but the rules aren't being triggered and, as far as I can tell, with an implicit allow it shouldn't be blocking anyway.

Really has me stumped, may have to open a TAC


P.S. only thing showing up in the log is this:
*Sep  3 18:48:38.687: %FW-6-DROP_PKT: Dropping udp session on zone-pair ccp-zp-in-out class class-default due to  DROP action found in policy-map with ip ident 0 


Robert Davis (Author) commented:
Aha! Bam, I apologize for not including our tunnel in the original config.  None of the tunnel tutorials I followed included this.  The firewall was indeed dropping the traffic, but not due to any particular rule so it didn't show up in the log.  The problem was the Tunnel was not part of the out-side zone, so there was no rule applied to it in general.  So when traffic passed from a zone-member to a non-zone member, the traffic was dropped.

Cisco1921(config)#int Tunnel 0
Cisco1921-EC(config-if)#zone-member security out-zone 
*Sep  3 18:54:49.107: %FW-6-PASS_PKT: (target:class)-(ccp-zp-out-self:AnyIP) Passing udp pkt => IPv4.Tunnel.IP.Add:443 with ip ident 0 

Robert Davis (Author) commented:
IPv6 Tunnel virtual interfaces must be a member of a zone-pair policy.
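
An added example (not part of the original thread): a Python check for the misconfiguration found above, where a routed interface such as the tunnel is left out of every security zone while other interfaces are zone members. The sample config, its addresses and the function names are constructed for illustration.

```python
import re

# Constructed sample running-config (not the poster's full config): a tunnel
# carrying IPv6 that was left out of every security zone.
SAMPLE_CONFIG = """\
zone security out-zone
zone security in-zone
interface Tunnel0
 ipv6 address 2001:DB8:1::2/64
 ipv6 enable
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 zone-member security out-zone
interface GigabitEthernet0/1
 no ip address
interface GigabitEthernet0/1.1
 ip address 10.0.0.1 255.255.255.0
 zone-member security in-zone
 ipv6 address 2001:DB8:2::1/64
"""

def parse_interfaces(config):
    """Return {interface name: {'zone': str or None, 'routed': bool}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            name = line.split(None, 1)[1].strip()
            current = interfaces.setdefault(name, {"zone": None, "routed": False})
        elif current is not None and line.startswith(" "):
            text = line.strip()
            m = re.match(r"zone-member security (\S+)$", text)
            if m:
                current["zone"] = m.group(1)
            elif re.match(r"(ip|ipv6) (address|enable)\b", text):
                current["routed"] = True  # "no ip address" does not match
        else:
            current = None  # left the interface block
    return interfaces

def unzoned_interfaces(config):
    """Routed interfaces with no zone, reported only if some interface is zoned."""
    interfaces = parse_interfaces(config)
    if not any(i["zone"] for i in interfaces.values()):
        return []  # zone-based firewall is not applied to any interface
    return sorted(n for n, i in interfaces.items() if i["routed"] and not i["zone"])

if __name__ == "__main__":
    for name in unzoned_interfaces(SAMPLE_CONFIG):
        print(f"{name}: routed but not in a zone; traffic to/from zone members is dropped")
```

Run against a saved copy of the running-config, it lists every routed interface that still needs a `zone-member security` line.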