Cisco Firewall :: 1812 - IPV6 - ZBF Not Working

Jan 28, 2012

I'm having several issues with IPv6 and ZBF. I've narrowed one of them to a very simple setup. I tried 15.1(4)M in GNS2 and 15.1(4)M3 on a 1812.
 
The setup is
 
[PC] ----- [R1] ------ [R2]
 
R1 and R2 are interconnected by IPv6 only and there is a tunnel over that link to carry IPv4 from R2 to PC.

And I'm trying to ping PC from R2 with IPv4. We're looking at the R1 config mainly (the others are included for completeness).
 
When I try to ping the PC from R2, I get this on R1 console:
 
%FW-6-DROP_PKT: Dropping icmp session [::]:0 [::]:0 on zone-pair zp_vpn_to_lan class cm_icmp   with ip ident 0
 
Which really doesn't make much sense because zone vpn and zone lan are purely IPv4 and should never see IPv6 traffic as such ...
 
If I remove all ZBF related config, then traffic flows without problem.
 
R1 config
 
class-map type inspect match-all cm_icmp
match protocol icmp
 
policy-map type inspect pm_icmp
class type inspect cm_icmp
  inspect (code)


Cisco VPN :: 1812 Remote VPN Not Working

Jul 28, 2011

I have Cisco 1812 connected to ISP's router Cisco 870. Both routers have switch module and when I'm connected with PC to 870 I can connect via VPN to remote location. When I'm connected to 1812 remote VPN doesn't work. Client computers are connected to 1812 and they can surf on internet just fine.


Cisco Firewall :: Passing Traffic From Polycom Via 1812

Jun 15, 2011

We are trying to get a video conference system (Polycom) up and running through a Cisco 1812 router with the Firewall feature set.

I have heard in the past that there should be issues with Polycom and Cisco, but have actually never seen it. I can establish a video call from inside the 1812 to outside.

But when I try from outside to the public IP address that is NATted to it, it reaches the video system and dies straight after, so there is never any video session set up.

I have tried to remove everything regarding the firewall feature and passing through, so the only thing the 1812 should do is NAT. And still the same.

I cannot see anything in the log on the router from the ACLs where I permitted everything, other than that it connects on port TCP 1720, as it should. This is the software I'm running on the router:

Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T3, RELEASE SOFTWARE (fc1)

When I search Google, it looks like there are a lot of issues with Cisco and Polycom, but I have not found any concrete solution, other than that I should use an ADSL line with a public IP address, as we are probably going to do.


Cisco WAN :: MPLS Ipv6 Not Working For Some Reason

Sep 6, 2012

I have v4 mpls working fine but v6 refuses to work correctly. Looking at the ipv6 routing table for the VRF we can see prefixes coming from the remote PE's BGP is up in vpnv6 and ipv6 unicast. Everything seems fine but I just can't seem to ping between the sites. As mentioned, ipv4 works fine for the same vrf.


DNS Not Working IPV4 IPV6 Not Connected?

Jan 11, 2013

has quite frankly gotten me absolutely annoyed . I've tried just about everything, from using the netsh commands to changing the dns to 8.8.8.8 or that other one or the other. Nothing is working, I unplugged the router, problem persists, I disabled IPV6 problem persists, I restore, problem persists. The only clue I have is my router, and mysteriously, there are TWO of my computer on it. It might be nothing but most certainly has caught my attention. Also, it gives me this info about my media being disconnected


D-Link DIR-825 :: IPv6 Not Working When Using It As Switch And AP?

May 10, 2010

I am using my DIR-825 as a switch and AP. I have turned off DHCP and plugged the internet into the lan-1 port. This works perfectly for IPv4, but I cannot get IPv6 to work. On the outside there is native IPv6 running radvd. How should I configure IPv6 on my DIR-825?


Cisco :: Catalyst 2960G / Get SNMP Management Working Over IPv6?

Jul 20, 2011

I recently picked up a Catalyst 2960G and am trying to get SNMP management working over IPv6.  I have the IP Address set to the local link, and can successfully ping and telnet to the switch (so the network can get traffic to and from the switch).  However, SNMP packets just seem to disappear.  I am running WireShark on my machine, and I see the packets go out to the proper IP, but nothing comes back.  When I check "sho ipv6 traffic", I can see where there are UDP packets that are received, but, again, none going out.  Also, when I run "sho snmp", all of the packet counts are 0.
 
Here are some relevant snippets from my "sho run":

interface Vlan1
no ip address
no ip route-cache
ipv6 enable

[code]....


D-Link DIR-825 :: Firmware 2.05NA - How To Get IPv6 In IPv4 Tunnel Working

Jun 9, 2011

I have a Dlink DIR-825 B1 with firmware 2.05NA.  I recently reset it to factory defaults to make sure I didn't misconfigure something.

I have been struggling to get an IPv6 in IPv4 tunnel working with tunnelbroker.net.  I think the issue is a problem with the router itself and I'm not sure how to get it fixed.

All of my machines were getting IPv6 addresses (both windows, mac, linux) but none of them seemed to work.  All I was able to do was ping the gateway itself using the local lan address.  In each case they were missing a default IPv6 route.  If I added a default route then it would work.

I started looking at the packets using a network sniffer and the Router Advertisements all had a Router lifetime value of "0" which is RFC4816 speak for "don't use this router as the default router".  So Windows/Linux is exactly right by not setting a default route.  

The strange thing was that when I reboot the router I would briefly get a router advertisement with a lifetime of 1800s, the correct prefix and dns server but then another router advertisement would come along 5 seconds later with a router advertisement of 0.

I have TCP' Other observations

... using 6to4 I would get working IPv6 address.  The difference again seemed to be the Router Lifetime.  But I want to use a permanent tunnel.  I have found 6to4 unreliable.

... the router never responds to router solicitations.  It only sends a router advertisement when it wants to.

... the router never responds to DHCPv6 when that is configured.


Linksys Wireless Router :: E1200 PPPoE And IPv6 Not Working Fine

Feb 7, 2013

Have a v2 E1200.  Connect with PPPoE to ISP.  IPv4 works fine.  With firmware included on router, 2.0.01, it would receive a /64 of IPv6 from the ISP.  This /64 would show up under 'status' / 'local network'.  Although it did not seem to advertise this space to PC's on my network so I was unable to use it.  I updated firmware to 2.0.04.  Now it does not even pick up the IPv6 /64 at all.
 
Anyone have PPPoE and IPv6 working?  Anywhere I can download 2.0.01 to try it again?
 
Is there a model of router that actually works with IPv6?


Cisco Firewall :: ASA 5510 DMZ Accessing From Outside IPv6

Jun 11, 2013

I could access from outside to dmz but after I moved to IPv6, as there is no NAT needed, I applied the ACLs but don't know where I'm going wrong. I need access from outside to dmz web server.


Cisco Firewall :: ASA 5550 IPv6 Compatibility?

May 21, 2013

I need to understand if ASA 5550 ver 8.2(1) is compatible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
 
The existing infrastructure is equipped with ASA with HA Active/Active mode. The command output for required details are attached here in txt mode.


Cisco Firewall :: ASA 8.4 ACL Blocks IPv6 Ping

Mar 19, 2013

I tried to create an ACL for IPv6. But the ACL always drops my packets. Only in case I allow a Permit Icmp6 any any statement. It works.
 
With detailed IPv6 entries. I have got drops.
 
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da
ipv6 access-list ipv6-inside line 3 permit ip 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x5b6258d3
ipv6 access-list ipv6-inside line 4 permit icmp6 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x7778f0a9

This is the one with the permit icmp6 any any statement, it works !!
 
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da(code)


Cisco Firewall :: Does ASA 5580 Support NAT-PT For IPv6

Mar 29, 2011

I want to ask that does ASA 5580 support the nat-pt for IPv6?


Cisco Firewall :: 881 Router - IOS ZBF Not Allowing IPv6

Oct 4, 2011

I am trying to configure Zone Based Firewall (IOS 15.2T) on Cisco 881 router for IPv6. Current setup is simple:

Zone: LAN --> WAN
zone security LAN
zone security WAN
!
class-map type inspect match-any Internet-cmap
match protocol dns
match protocol http
match protocol https
[ code ] ........
 
Current configuration behaves as expected for IPv4, but blocks all IPv6 traffic. If zone-security is removed from WAN interface IPv6 works normally (connected to Internet). As soon as zone-security is enabled on WAN interface all IPV6 traffic is discarded when connecting to Internet from local LAN.
 
Error messages on console: Half-open Sessions source destination tcp SIS_OPENING/TCP_SYNSENT
 
Are there any special settings for ZBF which should be turned on for IPv6 protocol?


Cisco Firewall :: ASA IPv6 NDP Proxy With 5505

Nov 26, 2011

I have a 5505 running 8.4, and my ISP is giving me a /64 IPv6 prefix. Basically, I have a subnet between my ASA and my ISP's box which is my outside, running into a private subnet (192.168.0.0), as most ISPs do. I have my ASA behind, and I'd like to turn on IPv6 for my inside hosts, but the problem is that I can't modify the routing on my ISP's side, and thus it will assume all hosts are directly connected in my outside. Thus, I would need some kind of Neighbor Discovery Proxy on the outside of the ASA. Is there such a feature?


Cisco Firewall :: ASA5505 VPN Users Can't Use IPV6

Aug 5, 2012

My VPN users are able to access IPV4 resources, but not IPV6, all of my other user who are not VPN users are able to access everything V4 and V6. So my network goes:
 
IPV4 flow = FIOS > ASA5505(IPV4 Router) > Switch > ipv4 Clients
IPV6 flow = FIOS > ASA5505(IPV4 Router) > switch > win2k8 (IPV6 Router / Tunnel) > ipv6 clients


D-Link DIR-825 :: IPv6 Firewall Implementation

Apr 17, 2012

Unfortunately I didn't discover any configuration switches concerning an IPv6 firewall! So the important question is: Is there any firewall implemented at all? And if so, does it conform to RFC6092?


Cisco Firewall :: ASA 5520 - Sub-interfaces With IPv6 Prefix

May 31, 2011

We have been testing out IPv6 configurations on a 5520 running 8.2(4).  We have assigned EUI-64 prefix addresses to sub-interfaces to allow clients to auto-configure their IPv6 IPs and it works correctly.   I used ASDM to do the original configuration and noticed that there were two different ways to do it, both of which seem to work.  I can add a prefix under the Interface IPv6 Addresses dialog box and check EUI64 or I can add it under the Interface IPv6 Prefixes.  But using the two methods yields two different interface configurations:
 
1.
interface GigabitEthernet0/1.40
vlan 40
nameif test

[Code].....


Cisco Firewall :: 5520 - Static Mapping On ASA From IPv6 To IPv4

Dec 7, 2011

ASA 5520 running 8.2
 
Is it possible to do static (inside,outside) with the outside address being IPv6 and the inside IPv4?
 
If yes, is it possible to do this in parallel with an existing static mapping that goes IPv4 to IPv4?


Cisco Firewall :: Unable To Send IPv6 Traffic Through ASA 5510?

Oct 9, 2011

Below is my sanitized ASA 5510 config. Got an IPv6 T1 from AT&T and I'm unable to pass any traffic from my LAN clients out.
 
:
ASA Version 8.2(2)
!
enable password PoBmYYxuAzCciKRA encrypted

[Code].....


Cisco Routers :: RV220W - Feature Request - IPv6 Firewall?

Jan 19, 2012

At this moment (firmware 1.0.3.5) the router has no IPv6 firewall and therefore when used in a typical dual stack IPv4/IPv6 network it has no protection regarding IPv6 traffic. Hopefully this will be fixed with a firmware update before the World IPv6 Day on the 6th of June 2012.


Cisco Firewall :: 3545 IPv6 Tunneling Through IPv4 - Blockage

Nov 3, 2009

Would like to learn from you what tools I could use in a Network that provides IPv6 visibility and also completely blocks IPv6 from being tunneled through ipv4 only networks.
 
I have tested this from Linux running some internal penetration test apps, but specifically running Teredo tunneling in the local LAN that is able to completely bypass security parameters such as Websense filtering servers and be able to access internet IPv6 sites; even its equivalent IPv6 address based on its IPv4 PAT address could be pinged from outside. It is like the PIX firewall never existed - a wide open door.

Blocking in outbound and inbound direction UDP ports 3545 and 3544 seems to have done the trick in dropping IPv6 at the PIX/ASA from being tunneled out or in. Is this so? Really? Not so fast! None of our local systems - user PCs or servers - have the IPv6 stack enabled as a policy; however, in reality this poses a serious threat.

For example, Teredo tunneling running on a host inside the LAN, say by a user who is a hacker, can use different UDP ports from the standard listening UDP 3545/3544 ports, and the host will still be able to tunnel IPv6 through IPv4 again. In this case I want to have a tool or a strategy that can detect this internally besides it being blocked at the firewall. I am looking at AIP for our ASAs; would this help? What other tools could I utilize to have some sort of IPv6 awareness in our LAN, without having to run IPv6, that can provide some visibility of this invisible traffic in IPv4 LANs?


Cisco Firewall :: 5520 - Configure ASA To Show Up Hop In IPv6 Traceroute?

Jul 12, 2011

To show up the ASA as a hop in a traceroute, one can use the 'set connection decrement-ttl' feature in a policy map. During my tests I recognized that this behaviour only affects IPv4 traffic.

An IPv6 traceroute still does not show the ASA as a hop. How can I configure the ASA to show up as a hop in an IPv6 traceroute? The ASA is a 5520 with v8.4(1) installed.


Cisco Firewall :: Allowing IPv6 Tunnel Broker To Passthrough ASA 2960

Jan 17, 2012

I have switch cisco 2960 ,When you boot it displays the message that is unknown for me.


Cisco :: Want To Configure A New 1812?

Nov 29, 2012

I want to configure a new Cisco 1812. What I want is: we have 5 external IP addresses from our ISP. We want that the FE0 (WAN port) can route all those IP addresses. So when we put a firewall on port number 8 with 1 of the 5 external IP addresses we have internet. And when we put a firewall with another external IP address on port 4 we have internet.


Cisco WAN :: 1812 Usb IOS Boot?

Sep 29, 2011

is it possible to boot the image from a usb stick on a 1812? if so, what are the requirements?


Cisco WAN :: 1812 Change Source IP On NAT

Jun 8, 2012

I need to change the source IP of a packet for one of my NATs. I currently have a Cisco 1812. I have a PPPoE connection as Dialer 0. I have another VLAN that is connected to a Netscreen SSG5 VPN gateway via another Cisco switch. I have a VLAN trunk between the switch and the 1812. What I would like to achieve is the following: for any traffic going to the following three ranges, make it appear as if it was coming from the VLAN50 address [code] I can ping my Netscreen on 10.27.30.255 fine from the Cisco 1812. But any other PC fails, as for some reason the traffic has a source of my Dialer 0 interface. How can I write a NAT to change the source just for the three destinations?


Cisco WAN :: 1812 Can't Even Ping To Internet

Aug 27, 2012

I have a Cisco 1812 with IOS 12.4(15)T17. I would like to perform PPPoE dialing using this device to my ISP. My ISP is using VLAN id 500 for Internet. I configured it like below but it seems unsuccessful. From the console, I can't even ping to internet. ip nat inside source route-map nonat interface Dialer1 overload.


Cisco VPN :: Connect To Remote LAN Behind 1812?

Mar 20, 2011

I am trying to get this VPN Client (5.0.07.0410) to connect to the remote LAN behind the cisco 1812. Here is my config. I am able to get everything connected and IP assigned to the client and can even ping local LAN and Internet but can't ping to the remote LAN behind the 1812. I feel it's a routing issue or an ACL issue.

SHUMAMKERRTR>en
Password:
SHUMAMKERRTR#sh run
Building configuration...

Current configuration : 2910 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SHUMAMKERRTR
!
boot-start-marker
boot-end-marker
!
enable secret 5 password
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.7.1 192.168.7.10
!
ip dhcp pool SHUMAKER
   network 192.168.7.0 255.255.255.0
   dns-server 192.168.7.1
   default-router 192.168.7.1
!
!
ip domain name shumaker.nothing
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco privilege 15 secret 5 password
!
!
ip ssh rsa keypair-name SHUMAMKERRTR.shumaker.nothing
ip ssh version 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto

[code].....


WAN Connection Timeout Frequently On Cisco 1812

Aug 9, 2012

At the moment I am trying to connect to a DHCP ISP, but the connection only lasts for 10-15 mins and then it is automatically disconnected. Every time I reset the WAN port, service is back to normal for another 10-15 mins ><

[code]...


Cisco WAN :: PPPOA Over Ethernet 1812 Router?

Jul 24, 2011

we are trying to configure PPPOA over Ethernet on Cisco 1812 Router, we have 2 ethernet ports and no ATM ports, hence PPPOA must be applied at a global setting.


Cisco VPN :: DUAL DMVPN On 1812 Routers?

Nov 1, 2011

I have 5 Cisco 1812 routers that I set up in a hub-spoke DMVPN configuration between 5 sites. All routers have a secondary internet connection. Could I set up a second tunnel interface on each router to create a backup DMVPN that will use this secondary internet connection? I use EIGRP for routing.


Cisco AAA/Identity/Nac :: AD Authentication For VPN Client 1812

Dec 26, 2011

I am using Cisco 1812 as EZVPN server. I want to use Active Directory for VPN user authentication. I have been trying for a couple of days but no success. With ASA, I am able to authenticate against AD, but not with IOS router. Below are my configurations. If Kerberos authentication is not possible, I would like to know the possibility of using AD as ACS external database. I am running both AD and ACS in the same server. If I can integrate AD with ACS, I can use TACACS or RADIUS for the authentication.








Copyrights 2005-15 www.BigResource.com, All rights reserved