Adding an IPv6 Access List
This chapter describes how to configure IPv6 access lists to control and filter traffic through the ASA.
This chapter includes the following sections:
- Information About IPv6 Access Lists
- Licensing Requirements for IPv6 Access Lists
- Prerequisites for Adding IPv6 Access Lists
- Guidelines and Limitations
- Default Settings
- Configuring IPv6 Access Lists
- Monitoring IPv6 Access Lists
- Configuration Examples for IPv6 Access Lists
- Where to Go Next
- Feature History for IPv6 Access Lists
Information About IPv6 Access Lists
IPv6 access lists work like IPv4 access lists: they determine which traffic the ASA blocks and which it forwards at its interfaces, filtering on source and destination addresses (and, for TCP, UDP, and ICMPv6, on ports or message types) in the inbound and outbound direction on specific interfaces. The ASA evaluates the ACEs of an access list in order and applies the first one that matches; each access list ends with an implicit deny statement, so traffic that no ACE permits is dropped. You define IPv6 access lists and set their deny and permit conditions using the ipv6 access-list command with the deny and permit keywords in global configuration mode.
Licensing Requirements for IPv6 Access Lists
The following table shows the licensing requirements for this feature:
Prerequisites for Adding IPv6 Access Lists
You should be familiar with IPv6 addressing and basic configuration. See the ipv6 commands in the Cisco Security Appliance Command Reference for more information about configuring IPv6.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
- Context mode: supported in single and multiple context modes.
- Firewall mode: supported in routed and transparent firewall modes.
Additional Guidelines and Limitations
The following guidelines and limitations apply to IPv6 access lists:
- The ipv6 access-list command allows you to specify whether an IPv6 address is permitted or denied access to a port or protocol. Each command is called an ACE. One or more ACEs with the same access list name are referred to as an access list. Apply an access list to an interface using the access-group command.
- The ASA denies all packets from an outside (lower security level) interface to an inside (higher security level) interface unless you specifically permit access using an access list. All packets are allowed by default from an inside interface to an outside interface unless you specifically deny access. Once you apply an access list to an interface, that access list, including its implicit deny, governs all traffic in that direction on the interface, so an inside interface with an access list applied no longer permits traffic by default.
- The ipv6 access-list command is similar to the access-list command, except that it is IPv6-specific. For additional information about access lists, refer to the access-list extended command.
- The ipv6 access-list icmp command (the icmp6 form of the ipv6 access-list command) is used to filter ICMPv6 messages that pass through the ASA. To configure the ICMPv6 traffic that is allowed to originate and terminate at the ASA's own interfaces, use the ipv6 icmp command.
- See the object-group command for information on how to configure object groups.
- Possible operands for the operator option of the ipv6 access-list command are lt (less than), gt (greater than), eq (equal to), neq (not equal to), and range (an inclusive range, which takes two ports). An operator that follows the source address applies to the source port; one that follows the destination address applies to the destination port. Use the ipv6 access-list command without an operator and port to match all ports.
- The icmp_type argument filters on the ICMPv6 message type. Omitting the icmp_type argument matches all ICMPv6 types. If you specify a type, the value can be a valid ICMP type number (from 0 to 255) or one of the following ICMP type literals:
Default Settings
Table 19-1 lists the default settings for IPv6 access list parameters.
Configuring IPv6 Access Lists
This section includes the following topics:
- Task Flow for Configuring IPv6 Access Lists
- Adding IPv6 Access Lists
- Adding Remarks to Access Lists
Task Flow for Configuring IPv6 Access Lists
Use the following guidelines to create and implement an access list:
- Create an access list by adding an ACE and applying an access list name, as shown in the “Adding IPv6 Access Lists” section.
- Apply the access list to an interface. (See the “Configuring Access Rules” section for more information.)
Adding IPv6 Access Lists
You can add a regular IPv6 access list or an IPv6 access list that filters ICMPv6 traffic.
To add a regular IPv6 access list, enter the following command:
hostname(config)# ipv6 access-list acl_grp permit tcp any host 3001:1::203:A0FF:FED6:162D
Configures an IPv6 access list. The keywords and arguments are as follows:
- any is an abbreviation for the IPv6 prefix ::/0 and matches any IPv6 address.
- deny denies access if the conditions are matched; permit permits access if the conditions are matched.
- destination-ipv6-address identifies the IPv6 address of the host receiving the traffic; destination-ipv6-prefix identifies the IPv6 network to which the traffic is destined.
- disable disables syslog messaging for the ACE.
- host indicates that the address that follows refers to a single host.
- id identifies the access list (acl_grp in the example); all ACEs entered with the same id form one access list.
- line line-num specifies the line number at which to insert the ACE. By default, the ACE is added to the end of the access list.
- network_obj_grp_id specifies an existing network object group; object-group introduces an object group.
- operator compares the source port (when it follows the source address) or the destination port (when it follows the destination address). For the permitted operands, see the “Guidelines and Limitations” section.
- port specifies the port to permit or deny, either as a number from 0 to 65535 or, when the protocol is tcp or udp, as a literal name. For the permitted TCP and UDP literal names, see the “Guidelines and Limitations” section.
- prefix-length indicates how many of the high-order, contiguous bits of the address make up the IPv6 prefix.
- protocol specifies the name or number of an IP protocol; protocol_obj_grp_id specifies an existing protocol object group; service_obj_grp_id specifies an existing service object group.
- source-ipv6-address specifies the address of the host sending the traffic; source-ipv6-prefix specifies the IPv6 prefix from which the traffic originates.
To configure an IPv6 access list with ICMP, enter the following command:
hostname(config)# ipv6 access-list acl_grp permit icmp6 any host 3001:1::203:A0FF:FED6:162D echo-request
Configures an IPv6 access list with ICMP. The icmp6 keyword specifies that the access rule applies to ICMPv6 traffic passing through the ASA. The icmp_type argument (echo-request in the example) specifies the ICMPv6 message type filtered by the access rule; the value can be a valid ICMP type number from 0 to 255 or a type literal. (For the permitted ICMP type literals, see the “Guidelines and Limitations” section.) The icmp_type_obj_grp_id option specifies an ICMP type object group. For the remaining ipv6 access-list command parameters, see the preceding procedure for adding a regular IPv6 access list, or see the ipv6 access-list command in the Cisco Security Appliance Command Reference.
Adding Remarks to Access Lists
You can include remarks about entries in any access list, including extended, EtherType, IPv6, standard, and Webtype access lists. The remarks make the access list easier to understand.
To add a remark after the last access-list command you entered, enter the following command:
You can add remarks before each ACE, and the remarks appear in the access list in these locations. Entering a dash (-) at the beginning of a remark helps set it apart from an ACE.
Monitoring IPv6 Access Lists
To monitor IPv6 access lists, perform one of the following tasks:
Configuration Examples for IPv6 Access Lists
The following examples show how to configure IPv6 access lists.
The following example allows any host using TCP to access the 3001:1::203:A0FF:FED6:162D server:
The following example uses eq and a port to deny access to just FTP:
The following example uses lt to permit access to all ports less than port 2025, which covers the well-known ports (0 to 1023) and also ports 1024 through 2024. Because the ASA applies the first matching ACE, a deny for a single port such as the FTP example must come before a broad permit like this one:
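As an added example (not from this guide and not ASA code), the following Python program models the evaluation rules described in “Guidelines and Limitations” and “Adding IPv6 Access Lists” and applies them to the three commands described in the examples above, together with the icmp6 form: ACEs are parsed from ipv6 access-list commands, ordered according to the line keyword, and checked first-match with an implicit deny at the end. The configuration text, the source address 2001:db8::10, and the small tables of port and ICMPv6 type literals are constructed assumptions; the ASA accepts more literal names than the model knows, and the parser covers only the syntax documented in this chapter (no object groups or log options).

```python
"""Model of ASA IPv6 access-list evaluation: ACEs are checked in order, the
first match decides, and a packet no ACE matches hits the implicit deny.
Constructed example for this chapter, not ASA code; it handles only the subset
of the ipv6 access-list syntax described above."""
import ipaddress
from collections import namedtuple

# Assumption: a few port and ICMPv6 type literals; the ASA accepts more.
PORT_LITERALS = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "www": 80}
ICMP6_LITERALS = {"echo-request": 128, "echo-reply": 129,
                  "neighbor-solicitation": 135, "neighbor-advertisement": 136}
# Operator semantics from the "Guidelines and Limitations" section.
OPERATORS = {"lt": lambda p, a: p < a[0], "gt": lambda p, a: p > a[0],
             "eq": lambda p, a: p == a[0], "neq": lambda p, a: p != a[0],
             "range": lambda p, a: a[0] <= p <= a[1]}

# One ACE: src_op/dst_op is the operator (if any) that followed the source or
# destination address; icmp_type None matches every ICMPv6 type.
ACE = namedtuple("ACE", "action protocol src dst src_op src_ports "
                        "dst_op dst_ports icmp_type")

def _port(tok):
    return int(tok) if tok.isdigit() else PORT_LITERALS[tok]

def _addr(tokens):
    """Consume 'any', 'host <addr>' or '<prefix>/<len>'; return a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv6Network("::/0")
    if tok == "host":
        return ipaddress.IPv6Network(tokens.pop(0) + "/128")
    return ipaddress.IPv6Network(tok, strict=False)

def _operator(tokens):
    """Consume an optional 'lt|gt|eq|neq <port>' or 'range <lo> <hi>'."""
    if not tokens or tokens[0] not in OPERATORS:
        return None, ()
    op = tokens.pop(0)
    return op, tuple(_port(tokens.pop(0)) for _ in range(2 if op == "range" else 1))

def parse_ace(line):
    """Parse 'ipv6 access-list <id> [line n] {permit|deny} <proto> <src> [op]
    <dst> [op] [icmp_type]' and return (acl_id, line_number_or_None, ACE)."""
    tokens = line.split()
    if tokens[:2] != ["ipv6", "access-list"]:
        raise ValueError("not an ipv6 access-list command: " + line)
    tokens = tokens[2:]
    acl_id, line_num = tokens.pop(0), None
    if tokens[0] == "line":
        line_num = int(tokens[1])
        del tokens[:2]
    action, proto = tokens.pop(0), tokens.pop(0)
    src = _addr(tokens)
    src_op, src_ports = _operator(tokens)
    dst = _addr(tokens)
    dst_op, dst_ports = _operator(tokens)
    icmp_type = None
    if proto == "icmp6" and tokens and tokens[0] != "log":
        tok = tokens.pop(0)
        icmp_type = int(tok) if tok.isdigit() else ICMP6_LITERALS[tok]
    return acl_id, line_num, ACE(action, proto, src, dst, src_op, src_ports,
                                 dst_op, dst_ports, icmp_type)

def build_acls(config):
    """Build {acl_id: [ACE, ...]} from config text, honouring 'line n'."""
    acls = {}
    for raw in config.strip().splitlines():
        acl_id, line_num, ace = parse_ace(raw)
        aces = acls.setdefault(acl_id, [])
        if line_num is None:
            aces.append(ace)                # default: add to the end
        else:
            aces.insert(line_num - 1, ace)  # 'line n' is 1-based
    return acls

def _port_ok(op, ports, port):
    return op is None or (port is not None and OPERATORS[op](port, ports))

def evaluate(aces, src, dst, proto, sport=None, dport=None, icmp_type=None):
    """Return (action, index) of the first matching ACE, or ('deny', None)
    when nothing matches: the implicit deny at the end of the list."""
    s, d = ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)
    for i, ace in enumerate(aces):
        if ace.protocol not in ("ip", proto) or s not in ace.src or d not in ace.dst:
            continue
        if proto in ("tcp", "udp") and not (
                _port_ok(ace.src_op, ace.src_ports, sport)
                and _port_ok(ace.dst_op, ace.dst_ports, dport)):
            continue
        if proto == "icmp6" and ace.icmp_type not in (None, icmp_type):
            continue
        return ace.action, i
    return "deny", None

# Constructed configuration built from this chapter's examples.  The FTP deny
# is inserted at line 1 so it is evaluated before the broader 'lt 2025'
# permit; appended to the end instead, it would never match.
SAMPLE_CONFIG = """
ipv6 access-list acl_grp permit tcp any host 3001:1::203:A0FF:FED6:162D lt 2025
ipv6 access-list acl_grp permit icmp6 any host 3001:1::203:A0FF:FED6:162D echo-request
ipv6 access-list acl_grp line 1 deny tcp any host 3001:1::203:A0FF:FED6:162D eq ftp
"""
ACL = build_acls(SAMPLE_CONFIG)["acl_grp"]
SERVER = "3001:1::203:A0FF:FED6:162D"
```

Call evaluate(ACL, source, destination, protocol, dport=...) to see which ACE decides a flow: the FTP deny placed at line 1 is hit for port 21, port 80 matches the lt 2025 permit, and port 2025 and above (or any UDP) falls through to the implicit deny. Appending the FTP deny to the end instead leaves it shadowed by the earlier permit, which is the ordering mistake the line keyword exists to avoid.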
Where to Go Next
Apply the access list to an interface. (See the “Configuring Access Rules” section for more information.)
Feature History for IPv6 Access Lists
Table 19-2 lists each feature change and the platform release in which it was implemented.