IPv6 – Setting up a connection to a Tunnel Broker (Part 5) Firewall

Now that you have a Tunnel Broker connection up and running, you need to put some kind of firewall in front of it, because the tunnel endpoint and everything behind it are reachable from the whole IPv6 Internet. The NAT you set up earlier applies only to the IPv4 connection to your ISP; it does nothing for the IPv6 addresses inside the tunnel, which are globally routable. The first four lines below turn on protocol inspection so that any traffic you originate over the tunnel is allowed to return from the Internet. Anything else is dropped by the IPv6-FILTER access list applied inbound on the Tunnel0 interface, which lets only ICMPv6 through.

ipv6 inspect name IPv6-INSPECT tcp
ipv6 inspect name IPv6-INSPECT udp
ipv6 inspect name IPv6-INSPECT ftp
ipv6 inspect name IPv6-INSPECT icmp
!
! Apply the IPv6 inspect to the outbound traffic and allow the return traffic
! for what you originated to pass. The IPv6-FILTER ACL blocks all
! other traffic except ICMPv6.
!
interface tunnel0
ipv6 traffic-filter IPv6-FILTER in
ipv6 inspect IPv6-INSPECT out
!
ipv6 access-list IPv6-FILTER
permit icmp any any
deny ipv6 any any log
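As an added example of what the inspect-plus-ACL pair above does (Python written for this page; it is not Cisco IOS code and not from the original post), here is a small model of the inbound decision on Tunnel0: a packet leaving under `ipv6 inspect IPv6-INSPECT out` records a session, an inbound packet that is the reply to a recorded session is passed before the static ACL is consulted, and anything else is judged by IPv6-FILTER alone. The class and function names, and the 2001:db8::/32 sample addresses, are this example's own; FTP data-channel pinholes are not modelled.

```python
"""Model of the inspect-plus-ACL pair applied to Tunnel0 in the post.

Added example, not Cisco IOS code and not from the original post. It assumes
the CBAC behaviour the post describes: traffic leaving Tunnel0 under
'ipv6 inspect IPv6-INSPECT out' creates a session entry, inbound packets that
match an existing session are passed before the static IPv6-FILTER ACL is
consulted, and the ACL itself permits ICMPv6 and denies (and logs) the rest.
Class, function and variable names are this example's own.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp", as in the inspect/ACL lines
    sport: int = 0      # 0 for ICMPv6, which has no ports
    dport: int = 0


def _addr(text):
    """Normalise textual IPv6 so 2001:0DB8::1 and 2001:db8::1 compare equal."""
    return ipaddress.IPv6Address(text)


def _key(pkt):
    return (_addr(pkt.src), pkt.sport, _addr(pkt.dst), pkt.dport, pkt.proto)


def _reverse_key(pkt):
    """Key under which the flow that pkt replies to would have been recorded."""
    return (_addr(pkt.dst), pkt.dport, _addr(pkt.src), pkt.sport, pkt.proto)


# 'ipv6 inspect name IPv6-INSPECT tcp|udp|ftp|icmp'. The ftp entry opens
# data-channel pinholes on the real router; that part is not modelled here.
INSPECTED = {"tcp", "udp", "icmp"}


class Tunnel0Firewall:
    def __init__(self):
        self.sessions = set()   # flows originated out through the tunnel
        self.denied = []        # what 'deny ipv6 any any log' would record

    def outbound(self, pkt):
        """'ipv6 inspect IPv6-INSPECT out': remember what we originated."""
        if pkt.proto in INSPECTED:
            self.sessions.add(_key(pkt))
        return "permit"

    def inbound(self, pkt):
        """Inbound on Tunnel0: dynamic inspect entries first, then the ACL."""
        if _reverse_key(pkt) in self.sessions:
            return "permit: return traffic of an inspected session"
        return self._ipv6_filter(pkt)

    def _ipv6_filter(self, pkt):
        """ipv6 access-list IPv6-FILTER, evaluated top to bottom."""
        if pkt.proto == "icmp":         # permit icmp any any
            return "permit: IPv6-FILTER permit icmp"
        # deny ipv6 any any log. Being explicit, it also overrides the implicit
        # nd-na/nd-ns permits an IPv6 ACL otherwise ends with; that is harmless
        # here only because the line above already permits all ICMPv6.
        self.denied.append(f"{pkt.proto} {pkt.src} -> {pkt.dst}:{pkt.dport}")
        return "deny: IPv6-FILTER deny ipv6 any any log"


def demo():
    """Run constructed sample traffic (2001:db8::/32 is the documentation prefix)."""
    fw = Tunnel0Firewall()
    inside = "2001:0db8:3100:a006::10"    # constructed LAN host behind the router
    web = "2001:db8:1f11:102::80"         # constructed remote web server
    scanner = "2001:db8:bad::1"           # constructed unsolicited remote host

    verdicts = {}
    fw.outbound(Packet(inside, web, "tcp", 49152, 80))
    verdicts["reply_to_our_http"] = fw.inbound(Packet(web, inside, "tcp", 80, 49152))
    verdicts["unsolicited_ssh"] = fw.inbound(Packet(scanner, inside, "tcp", 40000, 22))
    verdicts["unsolicited_dns"] = fw.inbound(Packet(scanner, inside, "udp", 40000, 53))
    verdicts["ping_from_anywhere"] = fw.inbound(Packet(scanner, inside, "icmp"))
    # A "reply" to a session we never opened, even to a port we did use, is dropped.
    verdicts["spoofed_reply"] = fw.inbound(Packet(web, inside, "tcp", 443, 49152))
    verdicts["denied_log"] = list(fw.denied)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} {verdict}")
```

Two things about the ACL that the model makes visible: the explicit `deny ipv6 any any log` replaces the implicit `permit icmp any any nd-na` and `nd-ns` entries that every IPv6 ACL otherwise ends with, so neighbor discovery through this ACL survives only because `permit icmp any any` comes first; and that permit is broad, admitting every ICMPv6 type from any source rather than just the echo and error messages the tunnel needs.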

To see how the IPv6 inspection is working, start with show ipv6 inspect all. Running debug ipv6 inspect events shows the Cisco IOS firewall events in real time; debug ipv6 inspect detailed gives a little more detail. If you are connected over a vty session (Telnet or SSH), remember to run terminal monitor, since debug output goes only to the console line by default.

This is what the debug output should look like:

Feb 4 19:19:05: FIREWALL* FUNC: ipv6_insp_inspect_pak — session = 85527CA8, L4 = tcp, L7 =
Feb 4 19:19:05: FIREWALL: Session does not exist, hash now
Feb 4 19:19:05: FIREWALL* FUNC: ipv6_insp_inspect_pak — session = 85527CA8, L4 = tcp, L7 =
Feb 4 19:19:05: FIREWALL: Session does not exist, hash now
Feb 4 19:19:05: FIREWALL* FUNC: ipv6_insp_inspect_pak — session = 85527CA8, L4 = tcp, L7 =
Feb 4 19:19:05: FIREWALL: Hash Bucket: 73
Feb 4 19:19:05: FIREWALL:Sid matches
Feb 4 19:19:05: FIREWALL: insp_sis already set
Feb 4 19:19:05: FIREWALL* FUNC: ipv6_insp_inspect_pak — session = 85527CA8, L4 = tcp, L7 =
Feb 4 19:19:10: FIREWALL: Hash on addresses 2001:0db8:3100:A006:1:: 2001:0db8:1F11:102:5AB0:35FF:FE88:D4C6
Feb 4 19:19:10: FIREWALL: Protocol: tcp Src Hash Bucket: 73
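Output like this gets long quickly with detailed debugging on. As an added example (a Python script written for this page, not a Cisco tool and not from the original post), here is a parser that condenses the FIREWALL lines into a per-session summary: how many packets were handed to inspection, how many arrived before the session entry existed, how many matched it, and which hash bucket and address pair it landed in. Attributing a "Session does not exist", "Sid matches", "Hash Bucket" or "Hash on addresses" line to the session named on the most recent FUNC line is this example's own assumption, since those lines carry no session id.

```python
"""Summarise 'debug ipv6 inspect detailed' output by session.

Added example, not part of the original post and not a Cisco tool. The
patterns are written against the FIREWALL lines shown above. Attributing a
'Hash Bucket', 'Sid matches', 'Session does not exist' or 'Hash on addresses'
line to the session named on the most recent FUNC line is an assumption of
this example, since those lines carry no session id themselves.
"""
import ipaddress
import re

FUNC_RE = re.compile(
    r"FIREWALL\* FUNC: (?P<func>\w+).*?session = (?P<sid>[0-9A-Fa-f]+), L4 = (?P<l4>\w+)")
BUCKET_RE = re.compile(r"Hash Bucket: (?P<bucket>\d+)")
ADDR_RE = re.compile(r"Hash on addresses (?P<a>[0-9A-Fa-f:]+) (?P<b>[0-9A-Fa-f:]+)")


def _ipv6(text):
    """Compress a textual IPv6 address; keep the raw text, flagged, if malformed."""
    try:
        return str(ipaddress.IPv6Address(text))
    except ValueError:
        return f"malformed:{text}"


def summarise(lines):
    """Return {session_id: {l4, lookups, misses, hits, bucket, addresses}}."""
    sessions = {}
    current = None
    for line in lines:
        m = FUNC_RE.search(line)
        if m:
            current = sessions.setdefault(m["sid"], {
                "l4": m["l4"], "lookups": 0, "misses": 0, "hits": 0,
                "bucket": None, "addresses": None})
            current["lookups"] += 1    # one FUNC line per packet handed to inspection
            continue
        if current is None:
            continue                   # event before any FUNC line: nothing to attach it to
        if "Session does not exist" in line:
            current["misses"] += 1     # packet seen before the session entry was hashed in
        elif "Sid matches" in line:
            current["hits"] += 1       # packet matched the existing session entry
        m = BUCKET_RE.search(line)
        if m:
            current["bucket"] = int(m["bucket"])
        m = ADDR_RE.search(line)
        if m:
            current["addresses"] = (_ipv6(m["a"]), _ipv6(m["b"]))
    return sessions


# The debug lines from the post, used here as sample input.
SAMPLE = """\
Feb 4 19:19:05: FIREWALL* FUNC: ipv6_insp_inspect_pak — session = 85527CA8, L4 = tcp, L7 =
Feb 4 19:19:05: FIREWALL: Session does not exist, hash now
Feb 4 19:19:05: FIREWALL* FUNC: ipv6_insp_inspect_pak — session = 85527CA8, L4 = tcp, L7 =
Feb 4 19:19:05: FIREWALL: Session does not exist, hash now
Feb 4 19:19:05: FIREWALL* FUNC: ipv6_insp_inspect_pak — session = 85527CA8, L4 = tcp, L7 =
Feb 4 19:19:05: FIREWALL: Hash Bucket: 73
Feb 4 19:19:05: FIREWALL:Sid matches
Feb 4 19:19:05: FIREWALL: insp_sis already set
Feb 4 19:19:05: FIREWALL* FUNC: ipv6_insp_inspect_pak — session = 85527CA8, L4 = tcp, L7 =
Feb 4 19:19:10: FIREWALL: Hash on addresses 2001:0db8:3100:A006:1:: 2001:0db8:1F11:102:5AB0:35FF:FE88:D4C6
Feb 4 19:19:10: FIREWALL: Protocol: tcp Src Hash Bucket: 73
"""

if __name__ == "__main__":
    for sid, info in summarise(SAMPLE.splitlines()).items():
        print(sid, info)
```

Feed it the saved debug output (`summarise(open("debug.log").readlines())`) and a session that shows lookups but no hits, or a miss count that keeps climbing, points at inspection not creating the entry the return traffic needs.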
