Zone-Based Policy Firewall IPv6 Support

Last Updated: December 21, 2012

The zone-based policy firewall IPv6 support feature coexists with the zone-based policy firewall for IPv4 in order to support IPv6 traffic. The feature provides MIB support for TCP, UDP, ICMPv6, and FTP sessions. This document describes how to configure parameter maps and how to create and use class maps, policy maps, zones, and zone pairs.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Zone-Based Policy Firewall IPv6 Support

Zone-Based Policy Firewall IPv6 Support

The zone-based policy firewall for IPv6 coexists with the zone-based policy firewall for IPv4 in order to support IPv6 traffic. The feature provides MIB support for TCP, UDP, ICMPv6, and FTP sessions.

How to Configure Zone-Based Policy Firewall IPv6 Support

Configuring an Inspect-Type Parameter Map

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    parameter-map type inspect {parameter-map-name | global | default}

4.    sessions maximum sessions

5.    ipv6 routing-enforcement-header loose


DETAILED STEPS

Step 1
Command or Action: enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: parameter-map type inspect {parameter-map-name | global | default}
Example:
Router(config)# parameter-map type inspect v6-param-map
Purpose: Configures an inspect-type parameter map that holds thresholds, timeouts, and other parameters for the inspect action, and places the router in parameter-map configuration mode.

Step 4
Command or Action: sessions maximum sessions
Example:
Router(config-profile)# sessions maximum 10000
Purpose: Sets the maximum number of sessions that can exist on a zone pair.

Step 5
Command or Action: ipv6 routing-enforcement-header loose
Example:
Router(config-profile)# ipv6 routing-enforcement-header loose
Purpose: Provides backward compatibility with legacy IPv6 inspection.

Creating and Using an Inspect-Type Class Map

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    class-map type inspect {match-any | match-all} class-map-name

4.    match protocol tcp

5.    match protocol udp

6.    match protocol icmp

7.    match protocol ftp


DETAILED STEPS

Step 1
Command or Action: enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: class-map type inspect {match-any | match-all} class-map-name
Example:
Router(config)# class-map type inspect match-any v6-class
Purpose: Creates an inspect-type class map, and places the router in class-map configuration mode.

Step 4
Command or Action: match protocol tcp
Example:
Router(config-cmap)# match protocol tcp
Purpose: Configures the match criterion for the class map based on TCP.

Step 5
Command or Action: match protocol udp
Example:
Router(config-cmap)# match protocol udp
Purpose: Configures the match criterion for the class map based on UDP.

Step 6
Command or Action: match protocol icmp
Example:
Router(config-cmap)# match protocol icmp
Purpose: Configures the match criterion for the class map based on ICMP.

Step 7
Command or Action: match protocol ftp
Example:
Router(config-cmap)# match protocol ftp
Purpose: Configures the match criterion for the class map based on FTP.

Creating and Using an Inspect-Type Policy Map

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    policy-map type inspect policy-map-name

4.    class type inspect class-map-name

5.    inspect [parameter-map-name]


DETAILED STEPS

Step 1
Command or Action: enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: policy-map type inspect policy-map-name
Example:
Router(config)# policy-map type inspect v6-policy
Purpose: Creates an inspect-type policy map, and places the router in policy-map configuration mode.

Step 4
Command or Action: class type inspect class-map-name
Example:
Router(config-pmap)# class type inspect v6-class
Purpose: Specifies the traffic (class) on which an action is to be performed.

Step 5
Command or Action: inspect [parameter-map-name]
Example:
Router(config-pmap)# inspect
Purpose: Enables Cisco IOS stateful packet inspection.

Creating Security Zones and Zone Pairs

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    zone security {zone-name | default}

4.    zone security {zone-name | default}

5.    zone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}

6.    service-policy type inspect policy-map-name


DETAILED STEPS

Step 1
Command or Action: enable
Example:
Router> enable
Purpose: Enables privileged EXEC mode.
  • Enter your password if prompted.

Step 2
Command or Action: configure terminal
Example:
Router# configure terminal
Purpose: Enters global configuration mode.

Step 3
Command or Action: zone security {zone-name | default}
Example:
Router(config)# zone security z1
Purpose: Creates a security zone.
  • Cisco recommends that you create at least two security zones so that you can create a zone pair.

Step 4
Command or Action: zone security {zone-name | default}
Example:
Router(config)# zone security z2
Purpose: Creates a security zone.
  • Cisco recommends that you create at least two security zones so that you can create a zone pair.

Step 5
Command or Action: zone-pair security zone-pair-name source {source-zone-name | self | default} destination {destination-zone-name | self | default}
Example:
Router(config)# zone-pair security zp source z1 destination z2
Purpose: Creates a zone pair, and places the router in zone-pair configuration mode.

Step 6
Command or Action: service-policy type inspect policy-map-name
Example:
Router(config-sec-zone-pair)# service-policy type inspect v6-policy
Purpose: Attaches a firewall policy map to the zone pair.

Configuration Examples for Zone-Based Policy Firewall IPv6 Support

Example: Configuring Cisco IOS Zone-Based Firewall for IPv6

parameter-map type inspect v6-param-map
 sessions maximum 10000
 ipv6 routing-enforcement-header loose
!
!
class-map type inspect match-any v6-class
 match protocol tcp
 match protocol udp
 match protocol icmp
 match protocol ftp
!
!
policy-map type inspect v6-policy
 class type inspect v6-class
  inspect
!
zone security z1
zone security z2
!
zone-pair security zp source z1 destination z2
 service-policy type inspect v6-policy

Additional References

Related Documents

Related Topic | Document Title
IPv6 addressing and connectivity | IPv6 Configuration Guide
Cisco IOS commands | Cisco IOS Master Commands List, All Releases
IPv6 commands | Cisco IOS IPv6 Command Reference
Cisco IOS IPv6 features | Cisco IOS IPv6 Feature Mapping

Standards and RFCs

Standard/RFC | Title
RFCs for IPv6 | IPv6 RFCs

MIBs

MIB | MIBs Link
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs

Technical Assistance

Description | Link
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. | http://www.cisco.com/cisco/web/support/index.html

Feature Information for Zone-Based Policy Firewall IPv6 Support

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1  Feature Information for Zone-Based Policy Firewall IPv6 Support

Feature Name | Releases | Feature Information
Zone-Based Policy Firewall IPv6 Support | 15.1(2)T | Cisco zone-based firewall for IPv6 coexists with Cisco zone-based firewall for IPv4 in order to support IPv6 traffic.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.