Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S
Zone-Based Policy Firewall IPv6 Support
Downloads: This chapterpdf (PDF - 1.41MB) The complete bookPDF (PDF - 6.48MB) | The complete bookePub (ePub - 1.26MB) | The complete bookMobi (Mobi - 2.87MB) | Feedback

Zone-Based Policy Firewall IPv6 Support

Contents

Zone-Based Policy Firewall IPv6 Support

The zone-based policy firewall provides advanced traffic filtering or inspection of IPv4 packets. With IPv6 support, the zone-based policy firewall supports the inspection of IPv6 packets. Prior to IPv6 support, the firewall supported only the inspection of IPv4 packets. Only Layer 4 protocols, Internet Control Messaging Protocol (ICMP), TCP, and UDP packets are subject to IPv6 packet inspection.

This module describes the firewall features that are supported and how to configure a firewall for IPv6 packet inspection.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Restrictions for Zone-Based Policy Firewall IPv6 Support

The following functionalities are not supported:
  • Application-level gateways (ALGs)
  • Box-to-box high availability (HA)
  • Distributed Denial-of-Service attacks
  • Firewall resource management
  • Layer 7 inspection
  • Multicast packets
  • Per-subscriber firewall or the broadband-based firewall
  • Stateless Network Address Translation 64 (NAT64)
  • VRF-Aware Software Infrastructure (VASI)
  • Wide Area Application Services (WAAS) and Web Cache Communication Protocol (WCCP)

Information About IPv6 Zone-Based Firewall Support over VASI Interfaces

IPv6 Support for Firewall Features

The firewall features described in the table below are supported by IPv6 packet inspection:

Table 1 Firewall Features Supported on IPv6

Feature

Configuration Information

Class maps

Zone-Based Policy Firewall module.

Internet Control Message Protocol Version 6 (ICMPv6), TCP, and UDP protocols

  • Firewall Stateful Inspection of ICMP module.
  • Zone-Based Policy Firewall module.

IP fragmentation

Virtual Fragmentation Reassembly module.

Intrachassis HA

Logging of error messages

Zone-Based Policy Firewall module.

Nested class maps

Nested Class Map Support for Zone-Based Policy Firewall module.

Out-of-order packet handling

The “Out-of-Order Packet Handling” section in the Zone-Based Policy Firewall module.

Parameter-maps—For inspect type parameter maps, the number of sessions defined in the parameter map will be cumulative for IPv4 and IPv6 sessions

Zone-Based Policy Firewall module.

Policy maps

Zone-Based Policy Firewall module.

Port-to-application mapping

Stateful Network Address Translation 64 (NAT64)

The Stateful Network Address Translation 64 module in the IP Addressing: NAT Configuration Guide.

TCP SYN Cookie

Configuring Firewall TCP SYN Cookie module.

VPN routing and forwarding (VRF)-aware firewall

VRF-Aware Cisco IOS XE Firewall module.

Virtual fragmentation reassembly (VFR)

Virtual Fragmentation Reassembly module.

Zone, default zone, and zone pair

Zone-Based Policy Firewall module.

Dual-Stack Firewalls

A dual-stack firewall is a firewall running IPv4 and IPv6 traffic at the same time. A dual-stack firewall can be configured in the following scenarios:
  • One firewall zone running IPv4 traffic and another running IPv6 traffic.
  • IPv4 and IPv6 coexist when deployed with stateful Network Address Translation 64 (NAT64). In this scenario, the traffic flows from IPv6 to IPv4 and vice versa.
  • The same zone pair allows both IPv4 and IPv6 traffic.

Firewall Actions for IPv6 Header Fields

The firewall actions for IPv6 header fields (in the order they are available in the IPv6 header) are described in the following table:

Table 2 IPv6 Header Fields

IPv6 Header Field

IPv6 Header Field Description

Firewall Action

Version

Similar to the Version field in the IPv4 packet header, except that this field lists number 6 for IPv6, instead of number 4 for IPv4.

Must be IPv6.

Traffic Class

Similar to the Type of Service (ToS) field in the IPv4 packet header. The Traffic Class field tags packets with a traffic class that is used in differentiated services.

Not inspected.

Flow Label

A new field in the IPv6 packet header. The Flow Label field tags packets with a specific flow that differentiates the packets at the network layer.

Not inspected.

Payload Length

Similar to the Total Length field in the IPv4 packet header. The Payload Length field indicates the total length of the data portion of the packet.

The firewall uses this field on a limited basis to calculate the length of some of the Layer 4 protocols, such as ICMP and TCP.

Next Header Length

Similar to the Protocol field in the IPv4 packet header. The value of the Next Header Length field determines the type of information that follows the basic IPv6 header. The type of information following the basic IPv6 header can be a transport-layer packet, for example, a TCP or a UDP packet, or an extension header.

The firewall must recognize this field to create a session.

Hop Limit

Similar to the Time-to-Live (TTL) field in the IPv4 packet header. The value of the Hop Limit field specifies the maximum number of devices that an IPv6 packet can pass through before the packet is considered invalid. Each device decrements the Hop Limit value by one. Because the IPv6 header does not have a checksum, the device can decrement the value without recalculating the checksum.

Not inspected.

IPv6 Firewall Sessions

To perform stateful inspection of traffic, the firewall creates internal sessions for each traffic flow. The session information includes IP source and destination addresses, UDP or TCP source and destination ports or ICMP types, the Layer 4 protocol type (ICMP, TCP, or UDP), and VPN routing and forwarding (VRF) IDs. For an IPv6 firewall, the source and the destination addresses contain 128 bits of the IPv6 address.

The firewall creates a TCP session after receiving the first packet when the packet matches the configured policy. The firewall tracks the TCP sequence numbers and drops the TCP packets whose sequence numbers are not within the configured range. Sessions are removed when the TCP idle timer expires or when a Reset (RST) or Finish-Acknowledge (FIN-ACK) packet is received with the appropriate sequence numbers.

The firewall creates UDP sessions when the first UDP packet that matches the configured policy arrives and removes sessions when the UDP idle timer expires. The firewall does not create TCP or UDP sessions for IPv6 packets with multicast IPv6 or unknown IPv6 addresses.

Firewall Inspection of Fragmented Packets

The firewall supports the inspection of fragmented IPv6 packets. IP fragmentation is the process of breaking up a single IP datagram into multiple packets of smaller size. In IPv6, end nodes perform a path maximum transmission unit (MTU) discovery to determine the maximum size of the packet that is to be sent and generate IPv6 packets with the fragment extension header for packets larger than the MTU size.

The firewall inspects fragmented packets by using Virtual Fragmentation Reassembly (VFR). VFR examines the fragment extension header for out-of-sequence fragments and puts them in the correct order for inspection. When you enable the firewall on an interface by adding the interface to a zone, VFR is configured automatically on the same interface. If you explicitly disable VFR, the firewall only inspects the first fragments with Layer 4 headers and passes the rest of the fragments without inspection.

The fragment extension header appears in the following order of headers:
  • IPv6 header
  • Hop-by-hop options header
  • Destination options header
  • Routing header
  • Fragment extension header

Cisco Express Forwarding checks IPv6 packets with fragment extension headers so that the firewall need not do further checks before processing the packets.

ICMPv6 Messages

IPv6 uses ICMPv6 to perform diagnostic functions, error reporting, and neighbor discovery. ICMPv6 messages are grouped into informational and error messages.

The firewall inspects only the following ICMPv6 messages:
  • ECHO REQUEST
  • ECHO REPLY
  • DESTINATION UNREACHABLE
  • PACKET TOO BIG
  • PARAMETER PROBLEM
  • TIME EXCEEDED

Note


Neighbor discovery packets are passed and not inspected by the firewall.


Firewall Support of Stateful NAT64

The zone-based policy firewall supports Stateful NAT64. Stateful NAT64 translates IPv6 packets into IPv4 packets and vice versa. When both the firewall and Stateful NAT64 are configured on a router, the firewall uses IP addresses in an access control list (ACL) to filter packets. However, ACL does not support a mix of IPv4 and IPv6 addresses. Before the firewall and Stateful NAT64 can work together, you must use an IPv6 ACL and the IPv4 address must be embedded in the IPv6 ACL.


Note


You cannot use VRF along with a firewall and a Stateful NAT64 configuration because Stateful NAT64 is not VRF-aware.


When a firewall class map uses an ACL, the ACL must use the real IP addresses on the host to configure packet flows. If only a source or a destination address is needed, either the IPv4 address or the IPv6 address is used in the class map ACL. Before the packet flow can be filtered based on both the source and destination addresses, the IPv6 address must be used and the IPv4 address must be embedded in the ACL. The ACL has to use IPv6 addresses to filter Stateful NAT64 packets.


Note


Stateless NAT64 with firewall is not supported.


Port-to-Application Mapping

Port-to-application mapping (PAM) allows you to customize TCP or UDP port numbers for network services or applications. The firewall uses PAM to correlate TCP or UDP port numbers to specific network services or applications. By mapping port numbers to network services or applications, an administrator can force firewall inspection on custom configurations that are not defined by using well known ports. Use the ip port-map command to configure PAM.

High Availability and ISSU

The IPv6 firewall supports Intrabox HA. Firewall sessions are synchronized to the standby Embedded Services Processors (ESP) for a switchover. In Service Software Upgrade (ISSU) is also supported by the IPv6 firewall.

Pass Action for a Traffic Class

In a firewall, a traffic class identifies a set of packets based on its contents. You can define a class and apply an action to the identified traffic that reflects a policy. An action is a specific functionality that is associated with a traffic class. You can configure inspect, drop, and pass actions for a class.

The pass action passes the traffic from one zone to another. When the pass action is configured, the firewall does not inspect the traffic; it passes the traffic. In the IPv6 firewall, you must explicitly configure the pass action for the return traffic by defining a zone pair and a policy map with pass action.

The following example shows how to configure the pass action for policy maps, outside-to-inside-policy, and inside-to-outside-policy for IPv6 traffic:

policy-map type inspect outside-to-inside-policy
 class type inspect ipv6-class
  pass (Defines pass action for the ipv6-class from the outside to the inside)
!
 class class-default
!
policy-map type inspect inside-to-outside-policy
 class type inspect ipv4-class
  inspect (Defines inspect action for ipv4-class)
 class type inspect v6_class
  pass (Defines pass action for ipv6-class from the inside to the outside) 
 class class-default
!
!         
zone security inside
!
zone security outside
!
zone-pair security in-out source inside destination outside
 service-policy type inspect inside-to-outside-policy
!
zone-pair security out-in source outside destination inside
 service-policy type inspect outside-to-inside-policy

How to Configure Zone-Based Policy Firewall IPv6 Support

Configuring an IPv6 Firewall

The steps to configure an IPv4 firewall and an IPv6 firewall are the same. To configure an IPv6 firewall, you must configure the class map in such a way that only an IPv6 address family is matched.

The match protocol command applies to both IPv4 and IPv6 traffic and can be included in either an IPv4 policy or an IPv6 policy.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    vrf-definition vrf-name

    4.    address-family ipv6

    5.    exit-address-family

    6.    exit

    7.    parameter-map type inspect parameter-map-name

    8.    sessions maximum sessions

    9.    exit

    10.    ipv6 unicast-routing

    11.    ip port-map appl-name port port-num list list-name

    12.    ipv6 access-list access-list-name

    13.    permit ipv6 any any

    14.    exit

    15.    class-map type inspect match-all class-map-name

    16.    match access-group name access-group-name

    17.    match protocol protocol-name

    18.    exit

    19.    policy-map type inspect policy-map-name

    20.    class type inspect class-map-name

    21.    inspect [parameter-map-name]

    22.    end


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     
    Enters privileged EXEC mode.
    • Enter your password if prompted.
     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 vrf-definition vrf-name


    Example:
    Device(config)# vrf-definition VRF1
     

    Configures a virtual routing and forwarding (VRF) routing table instance and enters VRF configuration mode.

     
    Step 4 address-family ipv6


    Example:
    Device(config-vrf)# address-family ipv6
     

    Enters VRF address family configuration mode and configures sessions that carry standard IPv6 address prefixes.

     
    Step 5 exit-address-family


    Example:
    Device(config-vrf-af)# exit-address-family
     

    Exits VRF address family configuration mode and enters VRF configuration mode.

     
    Step 6 exit


    Example:
    Device(config-vrf)# exit
     

    Exits VRF configuration mode and enters global configuration mode.

     
    Step 7 parameter-map type inspect parameter-map-name


    Example:
    Device(config)# parameter-map type inspect ipv6-param-map
     

    Enables a global inspect-type parameter map for the firewall to connect thresholds, timeouts, and other parameters that pertain to the inspect action, and enters parameter-map type inspect configuration mode.

     
    Step 8 sessions maximum sessions


    Example:
    Device(config-profile)# sessions maximum 10000
     

    Sets the maximum number of allowed sessions that can exist on a zone pair.

     
    Step 9 exit


    Example:
    Device(config-profile)# exit
     

    Exits parameter-map type inspect configuration mode and enters global configuration mode.

     
    Step 10 ipv6 unicast-routing


    Example:
    Device(config)# ipv6 unicast-routing
     

    Enables the forwarding of IPv6 unicast datagrams.

     
    Step 11 ip port-map appl-name port port-num list list-name


    Example:
    Device(config)# ip port-map ftp port 8090 list ipv6-acl
     

    Establishes a port to application mapping (PAM) by using the IPv6 access control list (ACL).

     
    Step 12 ipv6 access-list access-list-name


    Example:
    Device(config)# ipv6 access-list ipv6-acl
     

    Defines an IPv6 access list and enters IPv6 access list configuration mode.

     
    Step 13 permit ipv6 any any


    Example:
    Device(config-ipv6-acl)# permit ipv6 any any
     

    Sets permit conditions for an IPv6 access list.

     
    Step 14 exit


    Example:
    Device(config-ipv6-acl)# exit
     

    Exits IPv6 access list configuration mode and enters global configuration mode.

     
    Step 15 class-map type inspect match-all class-map-name


    Example:
    Device(config)# class-map type inspect match-all ipv6-class
     

    Creates an application-specific inspect type class map and enters QoS class-map configuration mode.

     
    Step 16 match access-group name access-group-name


    Example:
    Device(config-cmap)# match access-group name ipv6-acl
     

    Configures the match criteria for a class map on the basis of the specified ACL.

     
    Step 17 match protocol protocol-name


    Example:
    Device(config-cmap)# match protocol tcp
     

    Configures a match criterion for a class map on the basis of the specified protocol.

     
    Step 18 exit


    Example:
    Device(config-cmap)# exit
     

    Exits QoS class-map configuration mode and enters global configuration mode.

     
    Step 19 policy-map type inspect policy-map-name


    Example:
    Device(config)# policy-map type inspect ipv6-policy
     

    Creates a protocol-specific inspect type policy map and enters QoS policy-map configuration mode.

     
    Step 20 class type inspect class-map-name


    Example:
    Device(config-pmap)# class type inspect ipv6-class
     

    Specifies the traffic class on which an action is to be performed and enters QoS policy-map class configuration mode.

     
    Step 21 inspect [parameter-map-name]


    Example:
    Device(config-pmap-c)# inspect ipv6-param-map
     

    Enables stateful packet inspection.

     
    Step 22 end


    Example:
    Device(config-pmap-c)# end
     

    Exits QoS policy-map class configuration mode and enters privileged EXEC mode.

     

    Configuring Zones and Applying Zones to Interfaces

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    zone security zone-name

      4.    exit

      5.    zone security zone-name

      6.    exit

      7.    zone-pair security zone-pair-name [source source-zone destination destination-zone]

      8.    service-policy type inspect policy-map-name

      9.    exit

      10.    interface type number

      11.    ipv6 address ipv6-address/prefix-length

      12.    encapsulation dot1q vlan-id

      13.    zone-member security zone-name

      14.    end

      15.    show policy-map type inspect zone-pair sessions


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Device> enable
       
      Enters privileged EXEC mode.
      • Enter your password if prompted.
       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 zone security zone-name


      Example:
      Device(config)# zone security z1
       

      Creates a security zone and enters security zone configuration mode.

       
      Step 4 exit


      Example:
      Device(config-sec-zone)# exit
       

      Exits security zone configuration mode and enters global configuration mode.

       
      Step 5 zone security zone-name


      Example:
      Device(config)# zone security z2
       

      Creates a security zone and enters security zone configuration mode.

       
      Step 6 exit


      Example:
      Device(config-sec-zone)# exit
       

      Exits security zone configuration mode and enters global configuration mode.

       
      Step 7 zone-pair security zone-pair-name [source source-zone destination destination-zone]


      Example:
      Device(config)# zone-pair security in-2-out source z1 destination z2
       

      Creates a zone pair and enters security zone-pair configuration mode.

       
      Step 8 service-policy type inspect policy-map-name


      Example:
      Device(config-sec-zone-pair)# service-policy type inspect ipv6-policy
       

      Attaches a policy map to a top-level policy map.

       
      Step 9 exit


      Example:
      Device(config-sec-zone-pair)# exit
       

      Exits security zone-pair configuration mode and enters global configuration mode.

       
      Step 10 interface type number


      Example:
      Device(config)# interface gigabitethernet 0/0/0.1
       

      Configures a subinterface and enters subinterface configuration mode.

       
      Step 11 ipv6 address ipv6-address/prefix-length


      Example:
      Device(config-subif)# ipv6 address 2001:DB8:2222:7272::72/64
       

      Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface or a subinterface.

       
      Step 12 encapsulation dot1q vlan-id


      Example:
      Device(config-subif)# encapsulation dot1q 2
       

      Sets the encapsulation method used by the interface.

       
      Step 13 zone-member security zone-name


      Example:
      Device(config-subif)# zone member security z1
       
      Configures the interface as a zone member.
      • For the zone-name argument, you must configure one of the zones that you had configured by using the zone security command.
      • When an interface is in a security zone, all traffic to and from that interface (except traffic going to the device or initiated by the device) is dropped by default. To permit traffic through an interface that is a zone member, you must make that zone part of the zone pair to which you apply a policy. If the policy permits traffic (via inspect or pass actions), traffic can flow through the interface.
       
      Step 14 end


      Example:
      Device(config-subif)# end
       

      Exits subinterface configuration mode and enters privileged EXEC mode.

       
      Step 15 show policy-map type inspect zone-pair sessions


      Example:
      Device# show policy-map type inspect zone-pair sessions
       
      Displays the stateful packet inspection sessions created because a policy map is applied on a specified zone pair.
      • The output of this command displays both IPv4 and IPv6 firewall sessions.
       

      Example

      The following sample output from the show policy-map type inspect zone-pair sessions command displays the translation of packets from an IPv6 address to an IPv4 address and vice versa:

      Device# show policy-map type inspect zone-pair sessions
      
        Zone-pair: in-to-out 
        Service-policy inspect : in-to-out
          
          Class-map: ipv6-class (match-any)  
            Match: protocol ftp
            Match: protocol tcp
            Match: protocol udp
            Inspect
              Established Sessions
               Session 110D930C [2001:DB8:1::103]:32847=>(209.165.201.2:21) ftp SIS_OPEN
                Created 00:00:00, Last heard 00:00:00
                Bytes sent (initiator:responder) [37:84]
              
              Half-open Sessions
               Session 110D930C [2001:DB8:1::104]:32848=>(209.165.201.2:21) ftp SIS_OPENING
                Created 00:00:00, Last heard 00:00:00
                Bytes sent (initiator:responder) [0:0]
      
      

      The following sample output from the show policy-map type inspect zone-pair sessions command displays the translation of packets from an IPv6 address to an IPv6 address:

      Device# show policy-map type inspect zone-pair sessions
      
        Zone-pair: in-to-out 
        Service-policy inspect : in-to-out
      
          Class-map: ipv6-class (match-any)  
            Match: protocol ftp
            Match: protocol tcp
            Match: protocol udp
            Inspect
              Established Sessions
               Session 110D930C [2001:DB8:1::103]:63=>[2001:DB8:2::102]:63 udp SIS_OPEN
                Created 00:00:02, Last heard 00:00:01
                Bytes sent (initiator:responder) [162:0]
      

      Configuring an IPv6 Firewall and Stateful NAT64 Port Address Translation

      The following task configures an IPv6 firewall with Stateful NAT64 dynamic port address translation (PAT).

      A PAT configuration maps multiple IPv6 hosts to a pool of available IPv4 addresses on a first-come first-served basis. The dynamic PAT configuration directly helps conserve the scarce IPv4 address space while providing connectivity to the IPv4 Internet.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    ipv6 unicast-routing

        4.    interface type number

        5.    no ip address

        6.    zone-member security zone-name

        7.    negotiation auto

        8.    ipv6 address ipv6-address/prefix-length

        9.    ipv6 enable

        10.    nat64 enable

        11.    exit

        12.    interface type number

        13.    ip address ip-address mask

        14.    zone member security zone-name

        15.    negotiation auto

        16.    nat64 enable

        17.    exit

        18.    ipv6 access-list access-list-name

        19.    permit ipv6 host source-ipv6-address host destination-ipv6-address

        20.    exit

        21.    ipv6 route ipv6-prefix/length interface-type interface-number

        22.    ipv6 neighbor ipv6-address interface-type interface-number hardware-address

        23.    nat64 v4 pool pool-name start-ip-address end-ip-address

        24.    nat64 v6v4 list access-list-name pool pool-name overload

        25.    end


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Device> enable
         
        Enters privileged EXEC mode.
        • Enter your password if prompted.
         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 ipv6 unicast-routing


        Example:
        Device(config)# ipv6 unicast-routing
         

        Enables the forwarding of IPv6 unicast datagrams.

         
        Step 4 interface type number


        Example:
        Device(config)# interface gigabitethernet 0/0/0
         

        Configures an interface and enters interface configuration mode.

         
        Step 5 no ip address


        Example:
        Device(config-if)# no ip address
         

        Removes an IP address or disables IP processing.

         
        Step 6 zone-member security zone-name


        Example:
        Device(config-if)# zone member security z1
         

        Attaches an interface to a security zone.

         
        Step 7 negotiation auto


        Example:
        Device(config-if)# negotiation auto
         

        Enables the autonegotiation protocol to configure the speed, duplex, and automatic flow control of the Gigabit Ethernet interface.

         
        Step 8 ipv6 address ipv6-address/prefix-length


        Example:
        Device(config-if)# ipv6 address 2001:DB8:1::2/96
         

        Configures an IPv6 address based on an IPv6 general prefix and enables IPv6 processing on an interface.

         
        Step 9 ipv6 enable


        Example:
        Device(config-if)# ipv6 enable
         

        Enables IPv6 processing on an interface that has not been configured with an explicit IPv6 address.

         
        Step 10 nat64 enable


        Example:
        Device(config-if)# nat64 enable
         

        Enables NAT64 on an interface.

         
        Step 11 exit


        Example:
        Device(config-if)# exit
         

        Exits interface configuration mode and enters global configuration mode.

         
        Step 12 interface type number


        Example:
        Device(config)# interface gigabitethernet 0/0/1
         

        Configures an interface and enters interface configuration mode.

         
        Step 13 ip address ip-address mask


        Example:
        Device(config-if)# ip address 209.165.201.25 255.255.255.0
         

        Sets a primary or secondary IP address for an interface.

         
        Step 14 zone member security zone-name


        Example:
        Device(config-if)# zone member security z2
         

        Attaches an interface to a security zone.

         
        Step 15 negotiation auto


        Example:
        Device(config-if)# negotiation auto
         

        Enables the autonegotiation protocol to configure the speed, duplex, and automatic flow control of the Gigabit Ethernet interface.

         
        Step 16 nat64 enable


        Example:
        Device(config-if)# nat64 enable
         

        Enables NAT64 on an interface.

         
        Step 17 exit


        Example:
        Device(config-if)# exit
         

        Exits interface configuration mode and enters global configuration mode.

         
        Step 18 ipv6 access-list access-list-name


        Example:
        Device(config)# ipv6 access-list ipv6-ipv4-pair
         

        Defines an IPv6 access list and enters IPv6 access list configuration mode.

         
        Step 19 permit ipv6 host source-ipv6-address host destination-ipv6-address


        Example:
        Device(config-ipv6-acl)# permit ipv6 host 2001:DB8:1::2 host 209.165:201.25
         

        Sets permit conditions for an IPv6 access list, a source IPv6 host address, and a destination IPv6 host address.

         
        Step 20 exit


        Example:
        Device(config-ipv6-acl)# exit
         

        Exits IPv6 access list configuration mode and enters global configuration mode.

         
        Step 21 ipv6 route ipv6-prefix/length interface-type interface-number


        Example:
        Device(config)# ipv6 route 2001:DB8:1::2/96 gigabitethernet 0/0/0
         

        Establishes static IPv6 routes.

         
        Step 22 ipv6 neighbor ipv6-address interface-type interface-number hardware-address


        Example:
        Device(config)# ipv6 neighbor 2001:DB8:1::2/96 gigabitethernet 0/0/0 0000.29f1.4841
         

        Configures a static entry in the IPv6 neighbor discovery cache.

         
        Step 23 nat64 v4 pool pool-name start-ip-address end-ip-address


        Example:
        Device(config)# nat64 v4 pool pool1 209.165.201.25 209.165.201.125
         

        Defines a Stateful NAT64 IPv4 address pool.

         
        Step 24 nat64 v6v4 list access-list-name pool pool-name overload


        Example:
        Device(config)# nat64 v6v4 list nat64-ipv6-any pool pool1 overload
         

        Enables NAT64 PAT or overload address translation.

         
        Step 25 end


        Example:
        Device(config)# end
         

        Exits global configuration mode and enters privileged EXEC mode.

         

        Configuration Examples for Zone-Based Policy Firewall IPv6 Support

        Example: Configuring an IPv6 Firewall

        Device# configure terminal
        Device(config)# vrf-definition VRF1
        Device(config-vrf)# address-family ipv6
        Device(config-vrf-af)# exit-address-family
        Device(config-vrf)# exit
        Device(config)# parameter-map type inspect ipv6-param-map
        Device(config-profile)# sessions maximum 10000
        Device(config-profile)# exit
        Device(config)# ipv6 unicast-routing
        Device(config)# ip port-map ftp port 8090 list ipv6-acl
        Device(config)# ipv6 access-list ipv6-acl
        Device(config-ipv6-acl)# permit ipv6 any any
        Device(config-ipv6-acl)# exit
        Device(config)# class-map type inspect match-all ipv6-class
        Device(config-cmap)# match access-group name ipv6-acl
        Device(config-cmap)# match protocol tcp
        Device(config-cmap)# exit
        Device(config)# policy-map type inspect ipv6-policy
        Device(config-pmap)# class type inspect ipv6-class
        Device(config-pmap-c)# inspect ipv6-param-map
        Device(config-pmap-c)# end

        Example: Configuring Zones and Applying Zones to Interfaces

        Device# configure terminal
        Device(config)# zone security z1
        Device(config-sec-zone)# exit
        Device(config)# zone security z2
        Device(config-sec-zone)# exit
        Device(config)# zone-pair security in-to-out source z1 destination z2
        Device(config-sec-zone-pair)# service-policy type inspect ipv6-policy
        Device(config-sec-zone-pair)# exit
        Device(config)# interface gigabitethernet 0/0/0.1
        Device(config-if)# ipv6 address 2001:DB8:2222:7272::72/64
        Device(config-if)# encapsulation dot1q 2
        Device(config-if)# zone member security z1
        Device(config-if)# end

        Example: Configuring an IPv6 Firewall and Stateful NAT64 Port Address Translation

        configure terminal
         ipv6 unicast-routing
         interface gigabitethernet 0/0/0
          no ip address
          zone member security z1
          negotiation auto
          ipv6 address 2001:DB8:1::2/96
          ipv6 enable
          nat64 enable
        !
         interface gigabitethernet 0/0/1
          ip address 209.165.201.25 255.255.255.0
          zone member security z2
          negotiation auto
          nat64 enable
        !
         ipv6 access-list ipv6-ipv4-pair
          permit ipv6 host 2001:DB8:1::2 host 209.165:201.25
        !
         ipv6 route 2001:DB8:1::2/96 gigabitethernet 0/0/0
         ipv6 neighbor 2001:DB8:1::2/96 gigabitethernet 0/0/0 0000.29f1.4841
         nat64 v4 pool pool1 209.165.201.25 209.165.201.125
         nat64 v6v4 list nat64-ipv6-any pool pool1 overload

        Additional References for Zone-Based Policy Firewall IPv6 Support

        Standards and RFCs

        Standard/RFC

        Title

        RFC 2460

        Internet Protocol, Version 6 (IPv6) Specification

        RFC 2473

        Generic Packet Tunneling in IPv6 Specification

        Technical Assistance

        Description

        Link

        The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

        http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

        Feature Information for Zone-Based Policy Firewall IPv6 Support

        The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

        Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

        Table 3 Feature Information for Zone-Based Policy Firewall IPv6 Support

        Feature Name

        Releases

        Feature Information

        Zone-Based Policy Firewall IPv6 Support

        Cisco IOS XE Release 3.6S

        The Zone-Based Policy firewall supports the inspection of IPv6 packets.

        The following commands were introduced or modified: ip port-map and show policy-map type inspect zone-pair.