Unfortunately I didn't discover any configuration switches concerning an IPv6 firewall! So the important question is: Is there any firewall implemented at all? And if so, does it confirm to RFC6092.
View 14 Replies
I currently have ipV4 as the setting on my DIR-825. Other posts seem to want ipV6 which is more secure but is not possible with a DIR-825 Rev A1. I have two routers, a primary router (DIR-825 Rev B1) capable of ipV6 and a secondary router (DIR-825 Rev A1). If I implement ipV6 on the Rev B1 router but keep ipV4 on the secondary router, will this improve the security, or will it just mess things up so nothing works?Certain devices (cell phones and most Tablets) don't deal with ipV6 very well at all. The ones I have tested flat don't connect to the wireless network if the router is set at ipV6. Is ipV4 adequate for a Home/Small Business Network when trying to implement Remote Access and VPN?
View 2 Replies View Relatedour company backbone is hp 5406, and desktop switches are hp 2510 currently we are working with ipv4.if we want to start use IPV6 for test environment, what’s things we need to enable in our backbone/regular switches.i mean for example if we want to set static IPV6 address for 2 servers and send ping between them, or even make new vlan with IVP6 subnet, and use it like regular vlan but with static ip's(until we got ipv6 dhcp).i have hp 5406 manual for IPV6 but i can't understand what i really need to do for start using IPV6.
View 5 Replies View RelatedI'm looking to try and implement ipv6 HSRP on a series of IOS-XR Routers running 4.2.1 following on from successfully setting up IPv6 HSRP on a few cat6509s on VLAN Interfaces in other parts of the network. I have entered the "router hsrp" configuration menu and gone into the interface in question that I'm looking to setup with IPv6 HSRP. Unfortunately, there version 2 or address-family ipv6 commands are not available.
View 2 Replies View RelatedI will be implementing a new firewall (cisco asa 5515x) on my existing 3750x (server switches) and my 2960s (user switches). What should I need to apply on my firewall and swtiches to make the implementation successfull. I will put my 3750x as my DMZ and my 2960s as my inside. The 3750x have multiple subnet and also the 2960s.which features and technologies i need to know on those 3 products. my 3750x and 2960s don't have any ACL defined and most common features are vlan, switchport, trunking, spanning-tree, stacking, vtp.how my asa knows that my 3750x/2960s have multiple vlans. my current connection right now on 3750x and 2960s is just through 6 ports i assigned as one trunk, below is my config [code]
my 2960s vlans are almost the same with my 3750x except vlan 160, 170, 192. but of course when i put this in asa, i have to segragate vlan for 3750x (192, 100, 110,160, 170) and 2960s (130, 150). for my 2960s connection to the asa and since this will have big bandwidth, i will use 3 ports on my asa (and trunk it) connecting to my 2960s and i will use 2 ports on my asa (and trunk it) connecting to my 3750x. the one internet ports and my one management ports on my asa will stay like that.
Just a few questions. We are looking to deploying Cisco ASA 5545 into a network. I have a couple of issues with designing the network correctly.
We need to be able to scale out to more hosts than a single VLAN, we would also be considering adding 4948E switch behind the ASA and potentially a stack in front.
The problems are:
1) If we have an outside stack of public 4948E (so we can connect some hosts outside the firewall, such as additional ASA's running in NAT mode) for VPN. Is this a reliable, recommended configuration? The reason being we need to have the ability to add other seperate ASA protected networks that we don't want going through the 5545 as it's going to quickly run it out of capacity. If I have the L3 switch stack in front I'm guessing we would have a small subnet to link upstream and then sub-subnetwork into two blocks, one on the inside interface and one on the L3 switch for the other hosts? Or would it be better to let the upstream provider do this, and then just get them to provide us with two smaller subnets rather than one big one? As below if we do L3 stack ourselves we would need to small subnets, one to communicate with upstream and one to link ASA subnets. This seems like a waste of IP's. I was wondering if I could use Internal IP space on the L3 > ASA link, but I thought that could be an issue for BOGONS list.
2) If I want to extend the inside network (Cisco ASA would not run NAT, just public IP's on the inside, routed to the outside interface of the ASA) there are two ways. Use the ASA to create subinterfaces/VLANs (but that would be routed via the ASA - may be a performance hit?) or use a L3 switch behind the ASA. How does one accomplish running L3 switch behind ASA properly?
When I check for firmware updates for my DIR-825 I get a return that there are none.How do I update for for ipv6 then?
View 5 Replies View RelatedI am using my DIR-825 as a switch and AP. I have turned off DHCP and plugged the internet into the lan-1 port. This works perfectly for IPv4, but I cannot get IPv6 to work. On the outside there is native IPv6 running radvd. How should I configure IPv6 on my DIR-825?
View 2 Replies View RelatedWill there be a way sometime in the future to add static IPv6 routes? I have a routed /64 and a routed /48 from a tunnel broker that terminates on my DIR-815, and I want to hang the /48 off of another router that I have attached to my LAN interface(goes to my home lab setup that I use for my job). I could just move the tunnel endpoint to the other router, but I like having IPv6 access for all my other PCs on the LAN segment.
View 1 Replies View RelatedI'm still using 2.00NA.It seems that whenever I connect to a particular www3 webpage, my modem and router end up rebooting shortly thereafter. This has happened a few times. The modem's log shows in this order1. No Ranging Response received ,2. Unicast Ranging Received Abort Respone ,3. MIMO Event.I've tried to figure this out. My search on the MIMO event revealed one post about IPv4 and IPv6. This indicates to me that I should probably be upgrading the firmware and configuring its use for IPv6 compatibility.If I upgrade to FW 2.30NA, how should I configure the IPv6, i.e., which parameters should I use?
View 6 Replies View RelatedI've had my DIR-615 up for several months, and it's been faultless except for one thing. I have router in front of it and only use the 615 as a switch and AP. My main router provides IPv6 access through a 6to4, using radvd to broadcast to the rest of the network.
Whatever setting I set the 615 to for IPv6, it always sends out a default route. On rare occasion, it'll interfere with the correct route from my main router (whose router preference is set to high, instead of medium). Even in local-only mode, the 615 sends out a default route. It's an E1 with the 5.00NA firmware, which I believe is the latest.
I'd really like to disable the advertisements from the 615 altogether, while keeping L2 IPv6 support on the wireless and all. I picked this router explicitly because many routers don't work with IPv6 over WiFi, but it'd be nice to get it working perfectly. If there aren't any ways to do this, is there a place that I can download the source for the firmware?
I am having a problem which I can't seem to find a way around. I have a DIR-615 E3 that I'm unable to get IPv6 to work properly on.I'm connecting to IPv6 over PPPoE, and I'm unable to change the 'IPv6 LAN Address' to an IP my provider has given me. They've provided a native address in the 2607:: range, however on the router it's stuck at a 6to4 IP which is NOT what they've given me (2002:CEF8:8B79:: IP).
I'm thinking of buying a new router that either has better IPv6 support, or one that supports OpenWRT and working my way through that.
We have some technical issue with IPv6 router configuration[DLINK 655] when we try to connect it with ISP provided static IPv6 connection.
[Code]...
I have a d link dir 615 "ipv6 ready". My internet provider give tome a native ipv6 /48. I configure the router with my ipv6 /48 address the internal propagation of the address is good.
On the status ipv6 page all seems OK marked "connected" but I can't have an ipv6real connection and my provider say to me that i am not connected.
Is there a known problem of connection between an public /48 and the internal /64 and if so could it be corrected.
I could access from outside to dmz but after i moved to IPv6 as there is no nat needed, i applied the acl's but dont know where i'm going wrong. I need access from outside to dmz web server.
View 4 Replies View RelatedI need to understand if ASA 5550 ver 8.2(1) is comptible with IPv6, if not what is the upgrade path to make it IPv6 compatible. The requirement is dual stack of IPv4 and IPv6 should run in the same HA cluster and later will shift IPv6 completely.
The existing infrastructure is equipped with ASA with HA Active/Active mode. The command output for required details are attached here in txt mode.
I tried to create an ACL for IPv6. But the acl always drops my packetes. Only in case I allow an Permit Icmp6 any any statement. It works.
With detailed IPv6 entries. I have got drops.
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da
ipv6 access-list ipv6-inside line 3 permit ip 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x5b6258d3
ipv6 access-list ipv6-inside line 4 permit icmp6 2001:a128:0:170::/64 any log informational interval 300 (hitcnt=0) 0x7778f0a9
This is the one with the permit icmp6 any any statement, it works !!
ipv6 access-list ipv6-inside; 6 elements; name hash: 0xd5eb1808
ipv6 access-list ipv6-inside line 1 permit ip host fe80::21d:71ff:fe99:d1c0 any log informational interval 300 (hitcnt=0) 0xbb4badda
ipv6 access-list ipv6-inside line 2 permit ip host 2001:a128:0:170::1 any log informational interval 300 (hitcnt=0) 0x473626da(code)
I want to ask that does ASA 5580 support the nat-pt for IPv6?
View 2 Replies View RelatedI am trying to configure Zone Based Firewall (IOS 15.2T) on Cisco 881 router for IPv6. Current setup is simple:
Zone:
LAN --> WAN zone security LAN
zone security WAN
!
class-map type inspect match-any Internet-cmap
match protocol dns
match protocol http
match protocol https
[ code ] ........
Current configuration behaves as expected for IPv4, but blocks all IPv6 traffic. If zone-security is removed from WAN interface IPv6 works normally (connected to Internet). As soon as zone-security is enabled on WAN interface all IPV6 traffic is discarded when connecting to Internet from local LAN.
Error messages on console: Half-open Sessions source destination tcp SIS_OPENING/TCP_SYNSENT
Are there any special settings for ZBF which should be turned on for IPv6 protocol?
i have a 5505 running 8.4, and my ISP is giving me a /64 IPv6 Prefix. Basically, I have a subnet between my ASA and my ISP's box which is my outside, running into a private subnet (192.168.0.0), as most of ISP does.I have my ASA behind, and i'd like to turn on IPv6 for my inside hosts, but the problem is that I can't modify the routing on y ISP's side, and thus it will assume all host are directly connected in my outside. Thus, I would need some kind of Neighbor Discovery Proxy on the Outside of the ASA. Is there such feature ?
View 1 Replies View RelatedI'm having several issues with IPv6 and ZBF. I've narrowed one of them to a very simple setup. I tried 15.1(4)M in GNS2 and 15.1(4)M3 on a 1812.
The setup is
[PC] ----- [R1] ------ [R2]
R1 and R2 are interconnected by IPv6 only and there is a tunnel over that link to carry IPv4 from R2 to PC.
And I'm trying to ping PC from R2 with IPv4. We're looking at the R1 config mainly. (the other are included for completeness)
When I try to ping the PC from R2, I get this on R1 console:
%FW-6-DROP_PKT: Dropping icmp session [::]:0 [::]:0 on zone-pair zp_vpn_to_lan class cm_icmp with ip ident 0
Which really doesn't make much sense because zone vpn and zone lan are purely IPv4 and should never see IPv6 traffic as such ...
If I remove all ZBF related config, then traffic flows without problem.
R1 config
class-map type inspect match-all cm_icmp
match protocol icmp
policy-map type inspect pm_icmp
class type inspect cm_icmp
inspect (code)
My VPN users are able to access IPV4 resources, but not IPV6, all of my other user who are not VPN users are able to access everything V4 and V6. So my network goes:
IPV4 flow = FIOS > ASA5505(IPV4 Router) > Switch > ipv4 Clients
IPV6 flow = FIOS > ASA5505(IPV4 Router) > switch > win2k8 (IPV6 Router / Tunnel) > ipv6 clients
Recently I wanted to setup IPv6 for my home network. I signed up for tunnelbroker.net service and was provided with IPs. Then I configured the IP address in my DIR-615. But It's not working..
Screenshot of IPv6 config (router) : Screenshot of my Win 8 network Config : I also tested at [URL] but failed...
I am having trouble with a DAP-1522 in AP mode dropping IPv6 packets. It is running in AP mode to supply connectivity to a number of laptops + a 2nd DAP-1522 in bridge mode. The laptops are able to get IPv6 router advertisements from the same wired network the DAP-1522 is plugged into, but they get nothing when connection to the wireless. Tcpdump sees no router adv's coming over the wireless interfaces when sniffing.This appears to be something others have hit as well url...
View 3 Replies View RelatedI have a Dlink DIR-825 B1 with firmware 2.05NA. I recently reset it to factory defaults to make sure I didn't misconfigure something.
I have been struggling to get a IPv6 in IPv4 tunnel working with tunnelbroker.net. I think the issue is a problem with the router itself and i'm not sure how to get it fixed.
All of my machines were getting IPv6 addresses (both windows, mac, linux) but none of them seemed to work. All I was able to do was ping the gateway itself using the local lan address. In each case they were missing a default IPv6 route. If I added a default route then it would work.
I started looking at the packets using a network sniffer and the Router Advertisements all had a Router lifetime value of "0" which is RFC4816 speak for "don't use this router as the default router". So Windows/Linux is exactly right by not setting a default route.
The strange thing was that when I reboot the router I would briefly get a router advertisement with a lifetime of 1800s, the corrert prefix and dns server but then another router advertisement would come along 5 seconds later with a router advertisement of 0.
I have TCP' Other observations
... using 6to4 I would get working IPv6 address. The difference again seemed to be the Router Lifetime. But I want to use a permanent tunnel. I have found 6to4 unreliable.
... the router never responds to router solicitations. It only sends a router advertisement when it wants to.
... the router never responds to DHCPv6 when that is configured.
We have been testing out IPv6 configurations on a 5520 running 8.2(4). We have assigned EUI-64 prefix addresses to sub-interfaces to allow clients to auto-configure there IPv6 IPs and it works correctly. I used ASDM to do the original configuration and noticed that there were two different ways to do it, both of which seem to work. I can add a prefix under the Interface IPv6 Addresses dialog box and check EUI64 or I can add it under the Interface IPv6 Prefixes. But using the two methods yields two different interface configurations:
1.
interface GigabitEthernet0/1.40
vlan 40
nameif test
[Code].....
Region : UnitedStates
Model : TL-WDR4300
Hardware Version : V1
Firmware Version : 3.13.23 Build 121225 Rel.37950n
ISP : Comcast
just upgrade to the latest firmware and was checking to see if I had IPv6 going with the router but it seems like it's not enabled?I went into my local area network properties and it shows checked and obtain automatically.went into the router ipv6 support tab and it shows:
IPv6 Status
WAN
Connection Type:
DHCPv6
IPv6 Address:
[code].....
ASA 5520 running 8.2
Is it possible to do static (inside,outside) with the outside address being IPv6 and the inside IPv4?
If yes, is it possible to do this in parallel with an existing static mapping that goes IPv4 to IPv4?
below is my sanitized ASA 5510 config. got an IPv6 T1 from at&t and im unable to pass any traffic from my LAN clients out.
:
ASA Version 8.2(2)
!
enable password PoBmYYxuAzCciKRA encrypted
[Code].....
At this moment (firmware 1.0.3.5) the router has no IPv6 firewall and therefore when used in a typical dual stack IPv4/IPv6 network it has no protection regarding IPv6 traffic. Hopefully this will be fixed with a firmware update before the World IPv6 Day on the 6th of June 2012.
View 1 Replies View RelatedWould like to learn from you what tools I could use in a Network that provides IPv6 visibility and also completely blocks IPv6 from being tunneled through ipv4 only networks.
I have tested this from Linux running some internal penetration test apps,but specifically running Teredo tunneling in Local LAN that is able to completely bypass security paremeters such as websence filtering servers and be able to accessing internet IPv6 sites, even its equivalent IPv6 address based on its IPv4 PAT address could be pinged from outside.. is like the PIX firewall never existed - wide opened door .
Blocking in outbound and inbound direction udp ports 3545 and 3544 seem to done the trick in dropping IPv6 at the PIX/ASA from being tunneled out or in.. Is this so ? Realy ? not to fast!! None of our local systems - users PCs or servers have IPv6 stack enabled as a policy, however, in reality this poses a serious thread.
For example, Teredo tunneling running in a host inside LAN say by a user who is a hacker can use different UDP ports from the standard listening udp 3545/3544 ports, host will still be able to tunnel IPv6 through IPv4 again, in this case I want to have tool or a strategy that can detect this internally beside being blocked at the firewall, I am looking at AIP for our ASAs would this help? What other tools could I utilized to have some sort of IPv6 awareness in our LAN without having to rung IPv6 that can provide some visibility of this invisible traffic in IPv4 LANs.
To show up the ASA as a hop in a traceroute, one can use the 'set connection decrement-ttl' feature in a policy map.During my tests I recognized, that this behaviour only affects IPv4 traffic.
An IPv6 traceroute still does not show the ASA as a hop.How can I configure the ASA to show up as a hop in an IPv6 traceroute?The ASA is a 5520 with v8.4(1) installed.
I have switch cisco 2960 ,When you boot it displays the message that is unknown for me.
View 4 Replies View Related
