- Read Me First
- Zone-Based Policy Firewalls
- Zone-Based Policy Firewall IPv6 Support
- VRF-Aware Cisco IOS XE Firewall
- Layer 2 Transparent Firewalls
- Nested Class Map Support for Zone-Based Policy Firewall
- Zone Mismatch Handling
- Configuring Firewall Stateful Interchassis Redundancy
- Box-to-Box High Availability Support for IPv6 Zone-Based Firewalls
- Interchassis Asymmetric Routing Support for Zone-Based Firewall and NAT
- Interchassis High Availability Support in IPv6 Zone-Based Firewalls
- Firewall Box to Box High Availability Support for Cisco CSR1000v Routers
- Firewall Stateful Inspection of ICMP
- Firewall Support of Skinny Client Control Protocol
- Configuring the VRF-Aware Software Infrastructure
- IPv6 Zone-Based Firewall Support over VASI Interfaces
- Protection Against Distributed Denial of Service Attacks
- Configuring Firewall Resource Management
- IPv6 Firewall Support for Prevention of Distributed Denial of Service Attacks and Resource Management
- Configurable Number of Simultaneous Packets per Flow
- LISP and Zone-Based Firewalls Integration and Interoperability
- Firewall High-Speed Logging
- TCP Reset Segment Control
- Loose Checking Option for TCP Window Scaling in Zone-Based Policy Firewall
- Enabling ALGs and AICs in Zone-Based Policy Firewalls
- Configuring Firewall TCP SYN Cookie
- Object Groups for ACLs
- Cisco Firewall-SIP Enhancements ALG
- MSRPC ALG Support for Firewall and NAT
- Sun RPC ALG Support for Firewalls and NAT
- vTCP for ALG Support
- ALG—H.323 vTCP with High Availability Support for Firewall and NAT
- FTP66 ALG Support for IPv6 Firewalls
- SIP ALG Hardening for NAT and Firewall
- SIP ALG Resilience to DoS Attacks
- Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support
- Finding Feature Information
- Restrictions for Zone-Based Policy Firewall IPv6 Support
- Information About IPv6 Zone-Based Firewall Support over VASI Interfaces
- How to Configure Zone-Based Policy Firewall IPv6 Support
- Configuration Examples for Zone-Based Policy Firewall IPv6 Support
- Additional References for Zone-Based Policy Firewall IPv6 Support
- Feature Information for Zone-Based Policy Firewall IPv6 Support
Zone-Based Policy Firewall IPv6 Support
The zone-based policy firewall provides advanced traffic filtering or inspection of IPv4 packets. With IPv6 support, the zone-based policy firewall supports the inspection of IPv6 packets. Prior to IPv6 support, the firewall supported only the inspection of IPv4 packets. Only Layer 4 protocols, Internet Control Messaging Protocol (ICMP), TCP, and UDP packets are subject to IPv6 packet inspection.
This module describes the firewall features that are supported and how to configure a firewall for IPv6 packet inspection.
- Finding Feature Information
- Restrictions for Zone-Based Policy Firewall IPv6 Support
- Information About IPv6 Zone-Based Firewall Support over VASI Interfaces
- How to Configure Zone-Based Policy Firewall IPv6 Support
- Configuration Examples for Zone-Based Policy Firewall IPv6 Support
- Additional References for Zone-Based Policy Firewall IPv6 Support
- Feature Information for Zone-Based Policy Firewall IPv6 Support
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Restrictions for Zone-Based Policy Firewall IPv6 Support
Application-level gateways (ALGs)
Box-to-box high availability (HA)
Distributed Denial-of-Service attacks
Firewall resource management
Layer 7 inspection
Multicast packets
Per-subscriber firewall or the broadband-based firewall
-
Stateless Network Address Translation 64 (NAT64)
VRF-Aware Software Infrastructure (VASI)
-
Wide Area Application Services (WAAS) and Web Cache Communication Protocol (WCCP)
Information About IPv6 Zone-Based Firewall Support over VASI Interfaces
IPv6 Support for Firewall Features
The firewall features described in the table below are supported by IPv6 packet inspection:
Dual-Stack Firewalls
Firewall Actions for IPv6 Header Fields
The firewall actions for IPv6 header fields (in the order they are available in the IPv6 header) are described in the following table:
IPv6 Header Field |
IPv6 Header Field Description |
Firewall Action |
---|---|---|
Version |
Similar to the Version field in the IPv4 packet header, except that this field lists number 6 for IPv6, instead of number 4 for IPv4. |
Must be IPv6. |
Traffic Class |
Similar to the Type of Service (ToS) field in the IPv4 packet header. The Traffic Class field tags packets with a traffic class that is used in differentiated services. |
Not inspected. |
Flow Label |
A new field in the IPv6 packet header. The Flow Label field tags packets with a specific flow that differentiates the packets at the network layer. |
Not inspected. |
Payload Length |
Similar to the Total Length field in the IPv4 packet header. The Payload Length field indicates the total length of the data portion of the packet. |
The firewall uses this field on a limited basis to calculate the length of some of the Layer 4 protocols, such as ICMP and TCP. |
Next Header Length |
Similar to the Protocol field in the IPv4 packet header. The value of the Next Header Length field determines the type of information that follows the basic IPv6 header. The type of information following the basic IPv6 header can be a transport-layer packet, for example, a TCP or a UDP packet, or an extension header. |
The firewall must recognize this field to create a session. |
Hop Limit |
Similar to the Time-to-Live (TTL) field in the IPv4 packet header. The value of the Hop Limit field specifies the maximum number of devices that an IPv6 packet can pass through before the packet is considered invalid. Each device decrements the Hop Limit value by one. Because the IPv6 header does not have a checksum, the device can decrement the value without recalculating the checksum. |
Not inspected. |
IPv6 Firewall Sessions
To perform stateful inspection of traffic, the firewall creates internal sessions for each traffic flow. The session information includes IP source and destination addresses, UDP or TCP source and destination ports or ICMP types, the Layer 4 protocol type (ICMP, TCP, or UDP), and VPN routing and forwarding (VRF) IDs. For an IPv6 firewall, the source and the destination addresses contain 128 bits of the IPv6 address.
The firewall creates a TCP session after receiving the first packet when the packet matches the configured policy. The firewall tracks the TCP sequence numbers and drops the TCP packets whose sequence numbers are not within the configured range. Sessions are removed when the TCP idle timer expires or when a Reset (RST) or Finish-Acknowledge (FIN-ACK) packet is received with the appropriate sequence numbers.
The firewall creates UDP sessions when the first UDP packet that matches the configured policy arrives and removes sessions when the UDP idle timer expires. The firewall does not create TCP or UDP sessions for IPv6 packets with multicast IPv6 or unknown IPv6 addresses.
Firewall Inspection of Fragmented Packets
The firewall supports the inspection of fragmented IPv6 packets. IP fragmentation is the process of breaking up a single IP datagram into multiple packets of smaller size. In IPv6, end nodes perform a path maximum transmission unit (MTU) discovery to determine the maximum size of the packet that is to be sent and generate IPv6 packets with the fragment extension header for packets larger than the MTU size.
The firewall inspects fragmented packets by using Virtual Fragmentation Reassembly (VFR). VFR examines the fragment extension header for out-of-sequence fragments and puts them in the correct order for inspection. When you enable the firewall on an interface by adding the interface to a zone, VFR is configured automatically on the same interface. If you explicitly disable VFR, the firewall only inspects the first fragments with Layer 4 headers and passes the rest of the fragments without inspection.
Cisco Express Forwarding checks IPv6 packets with fragment extension headers so that the firewall need not do further checks before processing the packets.
ICMPv6 Messages
IPv6 uses ICMPv6 to perform diagnostic functions, error reporting, and neighbor discovery. ICMPv6 messages are grouped into informational and error messages.
Note | Neighbor discovery packets are passed and not inspected by the firewall. |
Firewall Support of Stateful NAT64
The zone-based policy firewall supports Stateful NAT64. Stateful NAT64 translates IPv6 packets into IPv4 packets and vice versa. When both the firewall and Stateful NAT64 are configured on a router, the firewall uses IP addresses in an access control list (ACL) to filter packets. However, ACL does not support a mix of IPv4 and IPv6 addresses. Before the firewall and Stateful NAT64 can work together, you must use an IPv6 ACL and the IPv4 address must be embedded in the IPv6 ACL.
Note | You cannot use VRF along with a firewall and a Stateful NAT64 configuration because Stateful NAT64 is not VRF-aware. |
When a firewall class map uses an ACL, the ACL must use the real IP addresses on the host to configure packet flows. If only a source or a destination address is needed, either the IPv4 address or the IPv6 address is used in the class map ACL. Before the packet flow can be filtered based on both the source and destination addresses, the IPv6 address must be used and the IPv4 address must be embedded in the ACL. The ACL has to use IPv6 addresses to filter Stateful NAT64 packets.
Note | Stateless NAT64 with firewall is not supported. |
Port-to-Application Mapping
Port-to-application mapping (PAM) allows you to customize TCP or UDP port numbers for network services or applications. The firewall uses PAM to correlate TCP or UDP port numbers to specific network services or applications. By mapping port numbers to network services or applications, an administrator can force firewall inspection on custom configurations that are not defined by using well known ports. Use the ip port-map command to configure PAM.
High Availability and ISSU
The IPv6 firewall supports Intrabox HA. Firewall sessions are synchronized to the standby Embedded Services Processors (ESP) for a switchover. In Service Software Upgrade (ISSU) is also supported by the IPv6 firewall.
Pass Action for a Traffic Class
In a firewall, a traffic class identifies a set of packets based on its contents. You can define a class and apply an action to the identified traffic that reflects a policy. An action is a specific functionality that is associated with a traffic class. You can configure inspect, drop, and pass actions for a class.
The pass action passes the traffic from one zone to another. When the pass action is configured, the firewall does not inspect the traffic; it passes the traffic. In the IPv6 firewall, you must explicitly configure the pass action for the return traffic by defining a zone pair and a policy map with pass action.
The following example shows how to configure the pass action for policy maps, outside-to-inside-policy, and inside-to-outside-policy for IPv6 traffic:
policy-map type inspect outside-to-inside-policy class type inspect ipv6-class pass (Defines pass action for the ipv6-class from the outside to the inside) ! class class-default ! policy-map type inspect inside-to-outside-policy class type inspect ipv4-class inspect (Defines inspect action for ipv4-class) class type inspect v6_class pass (Defines pass action for ipv6-class from the inside to the outside) class class-default ! ! zone security inside ! zone security outside ! zone-pair security in-out source inside destination outside service-policy type inspect inside-to-outside-policy ! zone-pair security out-in source outside destination inside service-policy type inspect outside-to-inside-policy
How to Configure Zone-Based Policy Firewall IPv6 Support
Configuring an IPv6 Firewall
The steps to configure an IPv4 firewall and an IPv6 firewall are the same. To configure an IPv6 firewall, you must configure the class map in such a way that only an IPv6 address family is matched.
The match protocol command applies to both IPv4 and IPv6 traffic and can be included in either an IPv4 policy or an IPv6 policy.
1.
enable
2.
configure terminal
3.
vrf-definition
vrf-name
4.
address-family ipv6
5.
exit-address-family
6.
exit
7.
parameter-map type inspect
parameter-map-name
8.
sessions maximum
sessions
9.
exit
10.
ipv6 unicast-routing
11.
ip port-map
appl-name port
port-num
list
list-name
12.
ipv6 access-list
access-list-name
13.
permit ipv6 any any
14.
exit
15.
class-map type inspect match-all
class-map-name
16.
match access-group name
access-group-name
17.
match protocol
protocol-name
18.
exit
19.
policy-map type inspect
policy-map-name
20.
class type inspect
class-map-name
21.
inspect
[parameter-map-name]
22.
end
DETAILED STEPS
Configuring Zones and Applying Zones to Interfaces
1.
enable
2.
configure terminal
3.
zone security
zone-name
4.
exit
5.
zone security
zone-name
6.
exit
7.
zone-pair security
zone-pair-name
[source
source-zone
destination
destination-zone]
8.
service-policy type inspect
policy-map-name
9.
exit
10.
interface
type number
11.
ipv6 address
ipv6-address/prefix-length
12.
encapsulation dot1q
vlan-id
13.
zone-member security
zone-name
14.
end
15.
show policy-map type inspect zone-pair sessions
DETAILED STEPS
Example
The following sample output from the show policy-map type inspect zone-pair sessions command displays the translation of packets from an IPv6 address to an IPv4 address and vice versa:
Device# show policy-map type inspect zone-pair sessions Zone-pair: in-to-out Service-policy inspect : in-to-out Class-map: ipv6-class (match-any) Match: protocol ftp Match: protocol tcp Match: protocol udp Inspect Established Sessions Session 110D930C [2001:DB8:1::103]:32847=>(209.165.201.2:21) ftp SIS_OPEN Created 00:00:00, Last heard 00:00:00 Bytes sent (initiator:responder) [37:84] Half-open Sessions Session 110D930C [2001:DB8:1::104]:32848=>(209.165.201.2:21) ftp SIS_OPENING Created 00:00:00, Last heard 00:00:00 Bytes sent (initiator:responder) [0:0]
The following sample output from the show policy-map type inspect zone-pair sessions command displays the translation of packets from an IPv6 address to an IPv6 address:
Device# show policy-map type inspect zone-pair sessions Zone-pair: in-to-out Service-policy inspect : in-to-out Class-map: ipv6-class (match-any) Match: protocol ftp Match: protocol tcp Match: protocol udp Inspect Established Sessions Session 110D930C [2001:DB8:1::103]:63=>[2001:DB8:2::102]:63 udp SIS_OPEN Created 00:00:02, Last heard 00:00:01 Bytes sent (initiator:responder) [162:0]
Configuring an IPv6 Firewall and Stateful NAT64 Port Address Translation
The following task configures an IPv6 firewall with Stateful NAT64 dynamic port address translation (PAT).
A PAT configuration maps multiple IPv6 hosts to a pool of available IPv4 addresses on a first-come first-served basis. The dynamic PAT configuration directly helps conserve the scarce IPv4 address space while providing connectivity to the IPv4 Internet.
1.
enable
2.
configure terminal
3.
ipv6 unicast-routing
4.
interface
type number
5.
no ip address
6.
zone-member security
zone-name
7.
negotiation auto
8.
ipv6 address
ipv6-address/prefix-length
9.
ipv6 enable
10.
nat64 enable
11.
exit
12.
interface
type number
13.
ip address
ip-address mask
14.
zone member security
zone-name
15.
negotiation auto
16.
nat64 enable
17.
exit
18.
ipv6 access-list
access-list-name
19.
permit ipv6 host
source-ipv6-address
host
destination-ipv6-address
20.
exit
21.
ipv6 route
ipv6-prefix/length interface-type interface-number
22.
ipv6 neighbor
ipv6-address interface-type interface-number hardware-address
23.
nat64 v4 pool
pool-name start-ip-address end-ip-address
24.
nat64 v6v4 list
access-list-name
pool
pool-name
overload
25.
end
DETAILED STEPS
Configuration Examples for Zone-Based Policy Firewall IPv6 Support
Example: Configuring an IPv6 Firewall
Device# configure terminal Device(config)# vrf-definition VRF1 Device(config-vrf)# address-family ipv6 Device(config-vrf-af)# exit-address-family Device(config-vrf)# exit Device(config)# parameter-map type inspect ipv6-param-map Device(config-profile)# sessions maximum 10000 Device(config-profile)# exit Device(config)# ipv6 unicast-routing Device(config)# ip port-map ftp port 8090 list ipv6-acl Device(config)# ipv6 access-list ipv6-acl Device(config-ipv6-acl)# permit ipv6 any any Device(config-ipv6-acl)# exit Device(config)# class-map type inspect match-all ipv6-class Device(config-cmap)# match access-group name ipv6-acl Device(config-cmap)# match protocol tcp Device(config-cmap)# exit Device(config)# policy-map type inspect ipv6-policy Device(config-pmap)# class type inspect ipv6-class Device(config-pmap-c)# inspect ipv6-param-map Device(config-pmap-c)# end
Example: Configuring Zones and Applying Zones to Interfaces
Device# configure terminal Device(config)# zone security z1 Device(config-sec-zone)# exit Device(config)# zone security z2 Device(config-sec-zone)# exit Device(config)# zone-pair security in-to-out source z1 destination z2 Device(config-sec-zone-pair)# service-policy type inspect ipv6-policy Device(config-sec-zone-pair)# exit Device(config)# interface gigabitethernet 0/0/0.1 Device(config-if)# ipv6 address 2001:DB8:2222:7272::72/64 Device(config-if)# encapsulation dot1q 2 Device(config-if)# zone member security z1 Device(config-if)# end
Example: Configuring an IPv6 Firewall and Stateful NAT64 Port Address Translation
configure terminal ipv6 unicast-routing interface gigabitethernet 0/0/0 no ip address zone member security z1 negotiation auto ipv6 address 2001:DB8:1::2/96 ipv6 enable nat64 enable ! interface gigabitethernet 0/0/1 ip address 209.165.201.25 255.255.255.0 zone member security z2 negotiation auto nat64 enable ! ipv6 access-list ipv6-ipv4-pair permit ipv6 host 2001:DB8:1::2 host 209.165:201.25 ! ipv6 route 2001:DB8:1::2/96 gigabitethernet 0/0/0 ipv6 neighbor 2001:DB8:1::2/96 gigabitethernet 0/0/0 0000.29f1.4841 nat64 v4 pool pool1 209.165.201.25 209.165.201.125 nat64 v6v4 list nat64-ipv6-any pool pool1 overload
Additional References for Zone-Based Policy Firewall IPv6 Support
Related Documents
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Security commands |
|
Stateful NAT64 |
Standards and RFCs
Standard/RFC |
Title |
---|---|
RFC 2460 |
Internet Protocol, Version 6 (IPv6) Specification |
RFC 2473 |
Generic Packet Tunneling in IPv6 Specification |
Technical Assistance
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
Feature Information for Zone-Based Policy Firewall IPv6 Support
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.Feature Name |
Releases |
Feature Information |
---|---|---|
Zone-Based Policy Firewall IPv6 Support |
Cisco IOS XE Release 3.6S |
The Zone-Based Policy firewall supports the inspection of IPv6 packets. The following commands were introduced or modified: ip port-map and show policy-map type inspect zone-pair. |