IPv6 IOS Firewall

Last Updated: March 22, 2012

With IPv6 support, the Cisco firewall inspects both IPv4 and IPv6 packets on routers with dual stacks. Routers that support IPv4 and IPv6 packet inspection are called dual stack routers. This feature also provides MIB support for TCP, UDP, ICMPv6, and FTP sessions.

This module describes how to configure a firewall and port-to-application mapping (PAM) for IPv6.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Restrictions for IPv6 IOS Firewall

Cisco IOS Intrusion Detection System (IDS) is not supported for IPv6.

Information About IPv6 IOS Firewall

Cisco IOS Firewall for IPv6

The Cisco IOS Firewall feature provides advanced traffic filtering functionality as an integral part of a network's firewall. Cisco IOS Firewall for IPv6 enables you to implement Cisco IOS Firewall in IPv6 networks. Cisco IOS Firewall for IPv6 coexists with Cisco IOS Firewall for IPv4 networks and is supported on all dual-stack routers.

Cisco IOS Firewall for IPv6 features are as follows:

  • Fragmented packet inspection--The fragment header is used to trigger fragment processing. Cisco IOS Firewall virtual fragment reassembly (VFR) examines out-of-sequence fragments and reorders them, counts the fragments that arrive from a single IP address with a given identifier (to detect a fragment-based Denial of Service [DoS] attack), and performs virtual reassembly so that the packets can be passed to upper-layer protocols.
  • IPv6 DoS attack mitigation--Mitigation mechanisms have been implemented in the same fashion as for IPv4 implementation, including SYN half-open connections.
  • Tunneled packet inspection--Tunneled IPv6 packets terminated at a Cisco IOS firewall router can be inspected by the Cisco IOS Firewall for IPv6.
  • Stateful packet inspection--The feature provides stateful packet inspection of TCP, UDP, Internet Control Message Protocol version 6 (ICMPv6), and FTP sessions.
  • Stateful inspection of packets originating from the IPv4 network and terminating in an IPv6 environment--This feature uses IPv4-to-IPv6 translation services.
  • Interpretation or recognition of most IPv6 extension header information--The feature interprets or recognizes IPv6 extension header information, including the routing header, hop-by-hop options header, and fragment header.
  • Port-to-application mapping (PAM)--Cisco IOS Firewall for IPv6 includes PAM.

PAM in Cisco IOS Firewall for IPv6

PAM allows you to customize TCP or UDP port numbers for network services or applications. PAM uses this information to support network environments that run services using ports that are different from the registered or well-known ports associated with an application.

Using the port information, PAM establishes a table of default port-to-application mapping information at the firewall. The information in the PAM table enables Context-based Access Control (CBAC) supported services to run on nonstandard ports. CBAC is limited to inspecting traffic using only the well-known or registered ports associated with an application, whereas PAM allows network administrators to customize network access control for specific applications and services.

PAM also supports host- or subnet-specific port mapping, which allows you to apply PAM to a single host or subnet using standard ACLs.

Cisco IOS Firewall Alerts Audit Trails and System Logging

Cisco IOS Firewall generates real-time alerts and audit trails based on events tracked by the firewall. Enhanced audit trail features use system logging to track all network transactions; to record time stamps, source host, destination host, and ports used; and to record the total number of transmitted bytes for advanced, session-based reporting. Real-time alerts send system logging error messages to central management consoles when the system detects suspicious activity. Using Cisco IOS Firewall inspection rules, you can configure alerts and audit trail information on a per-application protocol basis. For example, if you want to generate audit trail information for TCP traffic, you can specify the generation of this information in the Cisco IOS Firewall rule that defines TCP inspection.

The Cisco IOS Firewall provides audit trail messages to record details about inspected sessions. Audit trail information is configurable on a per-application basis using the CBAC inspection rules. To determine which protocol was inspected, use the port number associated with the responder. The port number appears immediately after the address.

IPv6 Packet Inspection

The following header fields are all used for IPv6 inspection--traffic class, flow label, payload length, next header, hop limit, and source or destination address. For further information on and descriptions of the IPv6 header fields, see RFC 2474.

Tunneling Support

IPv6 packets tunneled in IPv4 are not inspected while they are encapsulated. If a tunnel terminates on the router and the IPv6 traffic exiting the tunnel does not itself terminate there, that traffic is inspected.

Virtual Fragment Reassembly

When VFR is enabled, VFR processing begins after ACL input lists are checked against incoming packets. The incoming packets are tagged with the appropriate VFR information.
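To make the reassembly and DoS checks concrete, here is an added Python model of the VFR behaviour described in this section and in the feature list above. It is not Cisco's code: fragments are plain records rather than IPv6 packets, the sample addresses are constructed, and the per-datagram fragment limit MAX_FRAGMENTS_PER_DATAGRAM is an assumed value, not an IOS default.

```python
"""Virtual fragment reassembly (VFR) modelled on the description above.

Added illustration, not Cisco's code. Fragments are plain records rather
than IPv6 packets, and MAX_FRAGMENTS_PER_DATAGRAM is an assumed limit used
to flag a fragment flood from one source, not an IOS default.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed threshold: more fragments than this for one (source, identifier)
# pair is treated as a fragment-based DoS attempt and the datagram is dropped.
MAX_FRAGMENTS_PER_DATAGRAM = 8


@dataclass(frozen=True)
class Fragment:
    src: str        # source IPv6 address (constructed, text form)
    ident: int      # Identification field of the fragment header
    offset: int     # payload offset in bytes
    more: bool      # M flag: more fragments follow
    payload: bytes


@dataclass
class Datagram:
    fragments: Dict[int, Fragment] = field(default_factory=dict)  # keyed by offset
    total_len: Optional[int] = None   # known once the last fragment (M=0) arrives


class VirtualReassembler:
    """Buffers fragments per (source, identifier), reorders them, and hands the
    reassembled payload to the caller only when it is complete and consistent."""

    def __init__(self) -> None:
        self.pending: Dict[Tuple[str, int], Datagram] = {}
        self.dropped: List[Tuple[str, int, str]] = []   # (src, ident, reason)

    def _drop(self, key: Tuple[str, int], reason: str) -> None:
        self.pending.pop(key, None)
        self.dropped.append((key[0], key[1], reason))

    def accept(self, frag: Fragment) -> Optional[bytes]:
        """Tag and buffer one fragment; return the reassembled payload once all
        fragments have arrived, or None while still waiting or after a drop."""
        key = (frag.src, frag.ident)
        dg = self.pending.setdefault(key, Datagram())
        dg.fragments[frag.offset] = frag
        # DoS check: too many fragments from a single source with one identifier
        if len(dg.fragments) > MAX_FRAGMENTS_PER_DATAGRAM:
            self._drop(key, "too many fragments")
            return None
        if not frag.more:
            dg.total_len = frag.offset + len(frag.payload)
        if dg.total_len is None:
            return None                      # last fragment not seen yet
        # Walk the fragments in offset order (out-of-sequence arrival is fine)
        cursor, parts = 0, []
        for off in sorted(dg.fragments):
            if off < cursor:                 # overlap: refuse to guess which bytes win
                self._drop(key, "overlapping fragment")
                return None
            if off > cursor:
                return None                  # hole: still waiting for a fragment
            parts.append(dg.fragments[off].payload)
            cursor += len(dg.fragments[off].payload)
        if cursor != dg.total_len:
            return None
        del self.pending[key]
        return b"".join(parts)
```

The reassembler only returns data once every byte from offset 0 to the end marked by the M=0 fragment is accounted for exactly once; overlapping fragments are dropped rather than resolved, and a source that keeps sending fragments for one identifier without completing the datagram is cut off at the assumed limit.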

How to Configure IPv6 IOS Firewall

Configuring the Cisco IOS Firewall for IPv6

This configuration scenario uses both packet inspection and ACLs.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ipv6 unicast-routing

4.    ipv6 inspect name inspection-name protocol [alert {on | off}] [audit-trail{on | off}] [timeout seconds]

5.    interface type number

6.    ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length} [eui-64]

7.    ipv6 enable

8.    ipv6 traffic-filter access-list-name {in | out}

9.    ipv6 inspect inspection-name {in | out}

10.    ipv6 access-list access-list-name

11.   Do one of the following:

  • permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
  • deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]


DETAILED STEPS

Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: ipv6 unicast-routing
Example: Router(config)# ipv6 unicast-routing
Purpose: Enables IPv6 unicast routing.

Step 4
Command or Action: ipv6 inspect name inspection-name protocol [alert {on | off}] [audit-trail {on | off}] [timeout seconds]
Example: Router(config)# ipv6 inspect name ipv6_test icmp timeout 60
Purpose: Defines a set of IPv6 inspection rules for the firewall.

Step 5
Command or Action: interface type number
Example: Router(config)# interface FastEthernet0/0
Purpose: Specifies the interface on which the inspection will occur.

Step 6
Command or Action: ipv6 address {ipv6-address/prefix-length | prefix-name sub-bits/prefix-length} [eui-64]
Example: Router(config-if)# ipv6 address 3FFE:C000:0:7::/64 eui-64
Purpose: Provides the address for the inspection interface.

Step 7
Command or Action: ipv6 enable
Example: Router(config-if)# ipv6 enable
Purpose: Enables IPv6 routing.
Note: This step is optional if the IPv6 address is specified in step 6.

Step 8
Command or Action: ipv6 traffic-filter access-list-name {in | out}
Example: Router(config-if)# ipv6 traffic-filter outbound out
Purpose: Applies the specified IPv6 access list to the interface specified in the previous step.

Step 9
Command or Action: ipv6 inspect inspection-name {in | out}
Example: Router(config-if)# ipv6 inspect ipv6_test in
Purpose: Applies the set of inspection rules to the interface.

Step 10
Command or Action: ipv6 access-list access-list-name
Example: Router(config)# ipv6 access-list outbound
Purpose: Defines an IPv6 ACL and enters IPv6 access list configuration mode. The router prompt changes to Router(config-ipv6-acl)#.

Step 11
Command or Action: Do one of the following:
  • permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
  • deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]
Example: Router(config-ipv6-acl)# permit tcp 2001:DB8:0300:0201::/32 any reflect reflectout
Example: Router(config-ipv6-acl)# deny tcp fec0:0:0:0201::/64 any
Purpose: Specifies permit or deny conditions for an IPv6 ACL.

Configuring PAM for IPv6

Creating an IPv6 Access Class Filter for PAM

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ipv6 access-list access-list-name

4.   Do one of the following:

  • permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
  • deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]


DETAILED STEPS

Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: ipv6 access-list access-list-name
Example: Router(config)# ipv6 access-list outbound
Purpose: Defines an IPv6 ACL and enters IPv6 access list configuration mode.

Step 4
Command or Action: Do one of the following:
  • permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
  • deny protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name] [undetermined-transport]
Example: Router(config-ipv6-acl)# permit tcp 2001:DB8:0300:0201::/32 any reflect reflectout
Example: Router(config-ipv6-acl)# deny tcp fec0:0:0:0201::/64 any
Purpose: Specifies permit or deny conditions for an IPv6 ACL.

Applying the IPv6 Access Class Filter to PAM

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    ipv6 port-map application-name port port-num [list acl-name]


DETAILED STEPS

Step 1
Command or Action: enable
Example: Router> enable
Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example: Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: ipv6 port-map application-name port port-num [list acl-name]
Example: Router(config)# ipv6 port-map ftp port 8090 list PAMACL
Purpose: Establishes PAM for the system.
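
As an added illustration of the lookup this procedure configures, and of the precedence rules the "PAM in Cisco IOS Firewall for IPv6" section describes, the following Python model resolves the application for a port: host- or subnet-specific entries selected by an access list are consulted before the system-wide defaults. This is not Cisco's code. The access list PAMACL, the prefix it permits, the default entries, and the choice to match the ACL against the server address are assumptions.

```python
"""Port-to-application mapping (PAM) lookup, modelled on this module's text.

Added illustration, not Cisco's code. The default entries are a small
subset of well-known ports; the host-specific entry mirrors the
'ipv6 port-map ftp port 8090 list PAMACL' step above. Which endpoint the
ACL is matched against (here: the server address) is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AclEntry:
    action: str                     # "permit" or "deny"
    prefix: ipaddress.IPv6Network   # prefix matched against the host address


def acl_permits(acl: List[AclEntry], host: str) -> bool:
    """First-match evaluation with the implicit deny at the end of every ACL."""
    addr = ipaddress.IPv6Address(host)
    for entry in acl:
        if addr in entry.prefix:
            return entry.action == "permit"
    return False


@dataclass
class PortMap:
    application: str
    port: int
    acl: Optional[List[AclEntry]] = None   # None: system-wide mapping


class PamTable:
    def __init__(self) -> None:
        # Default system entries (constructed subset of well-known ports)
        self.entries: List[PortMap] = [
            PortMap("ftp", 21), PortMap("smtp", 25), PortMap("http", 80),
        ]

    def port_map(self, application: str, port: int,
                 acl: Optional[List[AclEntry]] = None) -> None:
        """Equivalent of 'ipv6 port-map <application> port <port> [list <acl>]'."""
        self.entries.append(PortMap(application, port, acl))

    def lookup(self, port: int, host: str) -> Optional[str]:
        """Resolve which application the firewall should inspect on 'port' for a
        connection involving 'host'. Host- or subnet-specific entries (those
        carrying an ACL) win over system-wide ones for the same port."""
        specific = [e for e in self.entries if e.acl is not None]
        general = [e for e in self.entries if e.acl is None]
        for e in specific:
            if e.port == port and acl_permits(e.acl, host):
                return e.application
        for e in general:
            if e.port == port:
                return e.application
        return None


# Constructed access list PAMACL: one server subnet runs FTP on port 8090
PAMACL = [AclEntry("permit", ipaddress.IPv6Network("2001:db8:1::/64"))]


def build_table() -> PamTable:
    """Table after the configuration steps above have been applied."""
    pam = PamTable()
    pam.port_map("ftp", 8090, PAMACL)
    return pam
```

With this table, a connection to port 8090 on a host inside 2001:db8:1::/64 is inspected as FTP, the same port on any other host maps to no application (and so gets no application-layer inspection), and port 21 keeps its system-wide FTP mapping everywhere.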

 

Configuration Examples for IPv6 IOS Firewall

Example: Configuring Cisco IOS Firewall for IPv6

This Cisco IOS Firewall configuration example uses inbound and outbound filters for inspection and makes use of access lists to manage the traffic. The inspect mechanism is the method of permitting return traffic based upon a packet being valid for an existing session for which the state is being maintained:

enable
configure terminal
 ipv6 unicast-routing
 ipv6 inspect name ipv6_test icmp timeout 60
 ipv6 inspect name ipv6_test tcp timeout 60
 ipv6 inspect name ipv6_test udp timeout 60

 interface FastEthernet0/0
  ipv6 address 3FFE:C000:0:7::/64 eui-64
  ipv6 enable
  ipv6 traffic-filter INBOUND out
  ipv6 inspect ipv6_test in

 interface FastEthernet0/1
  ipv6 address 3FFE:C000:1:7::/64 eui-64
  ipv6 enable
  ipv6 traffic-filter OUTBOUND in

 ! This is used for 3745b connection to tftpboot server
 interface FastEthernet4/0
  ip address 192.168.17.33 255.255.255.0
  duplex auto
  speed 100

 ip default-gateway 192.168.17.8
 ! end of tftpboot server config

 ! Access lists to deny everything except for Neighbor Discovery ICMP messages
 ipv6 access-list INBOUND
  permit icmp any any nd-na
  permit icmp any any nd-ns
  deny ipv6 any any log

 ipv6 access-list OUTBOUND
  permit icmp any any nd-na
  permit icmp any any nd-ns
  deny ipv6 any any log
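
The decision path this configuration produces (return traffic admitted because it belongs to a tracked session, anything else subject to the static access list, sessions aged out by the 60-second timeout) can be simulated in Python. This is an added model, not Cisco's code, and it also illustrates the audit-trail note from the "Cisco IOS Firewall Alerts Audit Trails and System Logging" section. The host addresses are constructed inside the prefixes of the example, the audit-trail line format is constructed, and the session model keeps only the fields needed to show the decision.

```python
"""Inspect-plus-ACL behaviour of the example configuration above.

Added illustration, not Cisco's code. One interface carries an inspect rule
in the initiating direction and the static access list in the return
direction, as FastEthernet0/0 does above. Addresses and the audit-trail
line format are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str        # IPv6 source (constructed address inside the example prefixes)
    sport: int      # source port; for icmp this field carries the ICMPv6 type
    dst: str
    dport: int      # destination port; unused for icmp
    ts: float       # arrival time in seconds


# ICMPv6 types admitted by the 'permit icmp any any nd-ns / nd-na' lines
ND_TYPES = {135: "nd-ns", 136: "nd-na"}


def static_acl(p: Packet) -> Tuple[str, bool]:
    """The INBOUND/OUTBOUND lists: permit Neighbor Discovery, deny and log the rest."""
    if p.proto == "icmp" and p.sport in ND_TYPES:
        return "permit", False
    return "deny", True          # 'deny ipv6 any any log'


def session_key(p: Packet, reverse: bool = False) -> Tuple:
    """Flow identifier; 'reverse' builds the key a reply to this packet's flow carries."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    if reverse:
        a, b = b, a
    if p.proto == "icmp":        # no ports, and reply types differ from request types
        return ("icmp", a[0], b[0])
    return (p.proto, a[0], a[1], b[0], b[1])


class InspectingInterface:
    def __init__(self, timeout: int = 60) -> None:
        self.timeout = timeout                   # 'timeout 60' from the inspect rules
        self.sessions: Dict[Tuple, float] = {}   # session key -> time of last packet
        self.log: List[str] = []

    def _expire(self, now: float) -> None:
        stale = [k for k, seen in self.sessions.items() if now - seen > self.timeout]
        for key in stale:
            del self.sessions[key]
            if len(key) == 5:
                proto, isrc, iport, rsrc, rport = key
            else:
                proto, isrc, iport, rsrc, rport = key[0], key[1], 0, key[2], 0
            # Audit-trail style record (constructed format): the responder's port
            # follows its address and tells you which protocol was inspected.
            self.log.append(f"audit: {proto} session initiator [{isrc}]:{iport} "
                            f"responder [{rsrc}]:{rport} closed")

    def initiating(self, p: Packet) -> str:
        """Traffic in the inspected direction creates or refreshes session state."""
        self._expire(p.ts)
        self.sessions[session_key(p)] = p.ts
        return "forwarded"

    def returning(self, p: Packet) -> str:
        """Return traffic is admitted if it matches a live session; otherwise
        the static access list decides, and a deny is logged."""
        self._expire(p.ts)
        key = session_key(p, reverse=True)
        if key in self.sessions:
            self.sessions[key] = p.ts
            return "permitted by inspect"
        action, log = static_acl(p)
        if log:
            self.log.append(f"acl: deny {p.proto} {p.src} -> {p.dst} port {p.dport}")
        return action
```

The point the walk-through makes is that the static list never has to permit the reply to an inside-initiated TCP connection: the reply is matched against the session table first. A packet to a port no inside host opened, or a reply that arrives after the session has idled past the timeout, falls through to the list and is denied and logged, while Neighbor Discovery is always admitted by the explicit permits.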

Additional References

Related Documents

Related Topic | Document Title
IPv6 addressing and connectivity | IPv6 Configuration Guide
Cisco IOS commands | Cisco IOS Master Commands List, All Releases
IPv6 commands | Cisco IOS IPv6 Command Reference
Cisco IOS IPv6 features | Cisco IOS IPv6 Feature Mapping

Standards and RFCs

Standard/RFC | Title
RFCs for IPv6 | IPv6 RFCs

MIBs

MIB | MIBs Link
 | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance

Description | Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html

Feature Information for IPv6 IOS Firewall

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1    Feature Information for IPv6 IOS Firewall

Feature Name | Releases | Feature Information
IPv6 IOS Firewall | 12.3(7)T | This feature provides advanced traffic filtering functionality as an integral part of a network's firewall.
IPv6 Services--IPv6 IOS Firewall FTP Application Support | 12.3(11)T | IPv6 supports this feature.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.