Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS Release 15M&T
Zone-Based Policy Firewall IPv6 Support
Downloads: This chapterpdf (PDF - 1.25MB) The complete bookPDF (PDF - 4.86MB) | The complete bookePub (ePub - 1.03MB) | Feedback

Zone-Based Policy Firewall IPv6 Support

Zone-Based Policy Firewall IPv6 Support

The zone-based policy firewall IPv6 support feature coexists with the zone-based policy firewall for IPv4 in order to support IPv6 traffic. The feature provides MIB support for TCP, UDP, ICMPv6, and FTP sessions. This document describes how to configure parameter-maps, and to create and use class maps, policy maps, zones and zone pairs.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Information About Zone-Based Policy Firewall IPv6 Support

Zone-Based Policy Firewall IPv6 Support

The zone-based policy firewall for IPv6 coexists with the zone-based policy firewall for IPv4 in order to support IPv6 traffic. The feature provides MIB support for TCP, UDP, ICMPv6, and FTP sessions.

How to Configure Zone-Based Policy Firewall IPv6 Support

Configuring an Inspect-Type Parameter Map

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    parameter-map type inspect {parameter-map-name | global | default}

    4.    sessions maximum sessions

    5.    ipv6 routing-enforcement-header loose


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Router> enable 
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Router# configure terminal 
     

    Enters global configuration mode.

     
    Step 3 parameter-map type inspect {parameter-map-name | global | default}


    Example:
    Router(config)# parameter-map type inspect v6-param-map 
     

    Configures an inspect type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action, and places the router in parameter map configuration mode.

     
    Step 4 sessions maximum sessions


    Example:
    Router(config-profile)# sessions maximum 10000 
     

    Sets the maximum number of allowed sessions that can exist on a zone pair.

     
    Step 5 ipv6 routing-enforcement-header loose


    Example:
    Router(config-profile)# ipv6 routing-enforcement-header loose 
     

    Provides backward compatibility with legacy IPv6 inspection.

     

    Creating and Using an Inspect-Type Class Map

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    class-map type inspect {match-any | match-all} class-map-name

      4.    match protocol tcp

      5.    match protocol udp

      6.    match protocol icmp

      7.    match protocol ftp


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Router> enable 
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Router# configure terminal 
       

      Enters global configuration mode.

       
      Step 3 class-map type inspect {match-any | match-all} class-map-name


      Example:
      Router(config-profile)# class-map type inspect match-any v6-class 
       

      Create an inspect type class map, and places the router in lass-map configuration mode.

       
      Step 4 match protocol tcp


      Example:
      Router(config-cmap)# match protocol tcp
       

      Configures the match criterion for a class map based on TCP.

       
      Step 5 match protocol udp


      Example:
      Router(config-cmap)# match protocol udp
       

      Configures the match criterion for a class map based on UDP.

       
      Step 6 match protocol icmp


      Example:
      Router(config-cmap)# match protocol icmp 
       

      Configures the match criterion for a class map based on ICMP.

       
      Step 7 match protocol ftp


      Example:
      Router(config-cmap)# match protocol ftp 
       

      Configures the match criterion for a class map based on FTP.

       

      Creating and Using an Inspect-Type Policy Map

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    policy-map type inspect policy-map-name

        4.    class type inspect class-map-name

        5.    inspect [parameter-map-name]


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Router> enable 
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Router# configure terminal 
         

        Enters global configuration mode.

         
        Step 3 policy-map type inspect policy-map-name


        Example:
        Router(config)# policy-map type inspect v6-policy 
         

        Creates an inspect-type policy map, and places the router in policy-map configuration mode.

         
        Step 4 class type inspect class-map-name


        Example:
        Router(config-pmap)# class type inspect v6-class 
         

        Specifies the traffic (class) on which an action is to be performed.

         
        Step 5 inspect [parameter-map-name]


        Example:
        Router(config-pmap)# inspect 
         

        Enables Cisco IOS stateful packet inspection.

         

        Creating Security Zones and Zone Pairs

        SUMMARY STEPS

          1.    enable

          2.    configure terminal

          3.    zone security {zone-name | default}

          4.    zone security {zone-name | default}

          5.    zone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}

          6.    service-policy type inspect policy-map-name


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Router> enable 
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.
           
          Step 2 configure terminal


          Example:
          Router# configure terminal 
           

          Enters global configuration mode.

           
          Step 3 zone security {zone-name | default}


          Example:
          Router(config)# zone security 1 
           

          Creates a security zone.

          • Cisco recommends that you create at least two security zones so that you can create a zone pair.
           
          Step 4 zone security {zone-name | default}


          Example:
          Router(config)# zone security 2 
           

          Creates a security zone.

          • Cisco recommends that you create at least two security zones so that you can create a zone pair.
           
          Step 5 zone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}


          Example:
          Router(config)# zone-pair security zp source z1 destination z2 
           

          Creates a zone pair, and places the router in zone-pair configuration mode.

           
          Step 6 service-policy type inspect policy-map-name


          Example:
          Router(config-sec-zone-pair)# service-policy type inspect v6-policy 
           

          Attaches a firewall policy map to a zone pair.

           

          Configuration Examples for Zone-Based Policy Firewall IPv6 Support

          Example: Configuring Cisco IOS Zone-Based Firewall for IPv6

          parameter-map type inspect v6-param-map 
           sessions maximum 10000 
           ipv6 routing-header-enforcement loose 
          !
          ! 
          class-map type inspect match-any v6-class
           match protocol tcp
           match protocol udp
           match protocol icmp
           match protocol ftp
          ! 
          ! 
          policy-map type inspect v6-policy
           class type inspect v6-class 
            inspect 
          ! 
          zone security z1 
          zone security z2 
          ! 
          zone-pair security zp source z1 destination z2 
           service-policy type inspect v6-policy 

          Additional References for Zone-Based Policy Firewall IPv6 Support

          Related Documents

          Related Topic

          Document Title

          IPv6 addressing and connectivity

          IPv6 Configuration Guide

          Cisco IOS commands

          Cisco IOS Master Commands List, All Releases

          IPv6 commands

          Cisco IOS IPv6 Command Reference

          Cisco IOS IPv6 features

          Cisco IOS IPv6 Feature Mapping

          Standards and RFCs

          Standard/RFC

          Title

          RFCs for IPv6

          IPv6 RFCs

          MIBs

          MIB

          MIBs Link

          To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

          http:/​/​www.cisco.com/​go/​mibs

          Technical Assistance

          Description

          Link

          The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

          http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

          Feature Information for Zone-Based Policy Firewall IPv6 Support

          The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

          Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

          Table 1 Feature Information for Zone-Based Policy Firewall IPv6 Support

          Feature Name

          Releases

          Feature Information

          Zone-Based Policy Firewall IPv6 Support

          15.1(2)T

          Cisco zone-based firewall for IPv6 coexists with Cisco zone-based firewall for IPv4 in order to support IPv6 traffic.