Mixing IPv4 and IPv6 on Cisco Zone Based Firewall

My first attempt at this was not a great success, as I was using a router on version 12.4.x which did not support the ZBF using IPv6 – nice to know! Moving on to IOS version 15.x, all seems to be functional. The plan was to create a blueprint for converting customers with IPv4 managed routers to IPv4 _AND_ IPv6. It should be no problem, but there are a few hurdles to overcome:

  1. IPv4 at end user sites is normally NATted; IPv6 is not
  2. IPv6 does not run on every router
  3. Cisco require special access lists for IPv6

Here is my demo network:

[Network diagram: ipv6FW]

R1 is doing most of the work, as it’s running the ZBF, NAT and DHCP. I’ve plugged a FreeBSD VM into it to simulate a mail/web/SBS server or similar, and at the other end is an Ubuntu Desktop machine to simulate the incoming clients. I’ve used OSPFv3 (the IPv6 version) on every interface, including any loopbacks, to ensure we have full reachability for IPv6 across the network. OSPF is also used for IPv4 routing but does not include the 10.0.1.0/24 network, as this is NATted onto the 10.0.0.1 address on R1. The FreeBSD server has port 22 open, so I’m using that as the demo. I want port 22 open to anybody on either IPv6 or IPv4. The first job is to set up the interfaces (I’m showing R1):

interface FastEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 ip ospf 1 area 0
 duplex full
 speed 100
 ipv6 address FE80::1 link-local
 ipv6 address 20A1:570:1:1::1/64
 ipv6 ospf 1 area 0
!
interface FastEthernet1/1
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex full
 speed 100
 ipv6 address FE80::1 link-local
 ipv6 address 20A1:570:1:2::1/64
 ipv6 ospf 1 area 0

A couple of points here: I’ve made the IPv6 link-local addresses nice and simple and assigned real IPv6 global addresses, although they are not live! Note that the ip ospf 1 area 0 line only appears on the ‘outside’ interface, which is for v4, whereas the OSPFv3 commands are on both interfaces. The ZBF interface commands are already in, but that’s just because I’m copying them in from the finished setup.

Now the NAT needs to be set up to allow incoming SSH sessions from IPv4 connections:

ip access-list standard FOR-NAT
 permit 10.0.1.0 0.0.0.255

ip nat inside source static tcp 10.0.1.10 22 interface FastEthernet1/0 22
ip nat inside source list FOR-NAT interface FastEthernet1/0 overload

Now this should work (if you remove the ZBF commands), and it’s important to test at this point to ensure that any further development is working off a proper base.

Next is the firewall setup:

1. Create the access lists:

ipv6 access-list TEST-SSH6
 permit tcp any host 20A1:570:1:2::10 eq 22

ip access-list extended TEST-SSH
 permit tcp any host 10.0.1.10 eq 22

2. Create a class map to reference them:

class-map type inspect match-any TEST-SSH-CLASS
 match access-group name TEST-SSH
 match access-group name TEST-SSH6

class-map type inspect match-any ALL-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp

3. Create a couple of policy maps, calling the class maps:

policy-map type inspect IN-2-OUT
 class type inspect ALL-TRAFFIC
  inspect

policy-map type inspect OUT-2-IN
 class type inspect TEST-SSH-CLASS
  inspect

4. Now the zone setup:

zone security INSIDE
zone security OUTSIDE

zone-pair security IN2OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-2-OUT

zone-pair security OUT2IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-2-IN

So what were the gotchas? The main one was that the 15.x code has changed the way NAT is handled, in a similar way to the ASA code, so the access list (TEST-SSH) was not what I expected: it matches the server’s real inside address (10.0.1.10) rather than the translated address. There are a lot of steps with ZBF which, when doing a simple setup, seem both pointless and frustrating; however, I still think it’s an improvement on the old CBAC style. For info, I added a PING class map to allow the test FreeBSD server to be pinged from the Ubuntu box, which helped check the results, but I removed this from the post for clarity.
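As an added example (my code, not from the original post), here is a small Python audit that reads an IOS config and checks the two things this setup depends on: that the inbound IPv4 ACL names the server’s real inside address rather than the translated one, and that whatever is opened inbound on IPv4 is also opened on IPv6 and vice versa. The sample config is constructed from the snippets above, and audit takes the ACL names from TEST-SSH-CLASS as an argument.

```python
"""Dual-stack parity audit for a Cisco IOS zone-based firewall (added example).
Checks that each IPv4 static port forward is permitted by its real inside
address (the 15.x/ASA-style NAT gotcha described in the post) and that every
port opened inbound on IPv4 is also opened on IPv6, and vice versa."""
import re

# Constructed from the post's own snippets; only the lines the checks read.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 10.0.1.10 22 interface FastEthernet1/0 22
ip access-list standard FOR-NAT
 permit 10.0.1.0 0.0.0.255
ipv6 access-list TEST-SSH6
 permit tcp any host 20A1:570:1:2::10 eq 22
ip access-list extended TEST-SSH
 permit tcp any host 10.0.1.10 eq 22
"""

def parse_acls(cfg):
    """Return ({acl: {(proto, host, port)}}, {acl: 'ip' | 'ipv6'})."""
    aces, family, cur = {}, {}, None
    for line in cfg.splitlines():
        if hdr := re.match(r"^(ip|ipv6) access-list (?:extended |standard )?(\S+)", line):
            cur = hdr[2]
            aces[cur], family[cur] = set(), hdr[1]
        elif cur and (ace := re.match(r"^ permit (tcp|udp) any host (\S+) eq (\d+)", line)):
            aces[cur].add((ace[1], ace[2], int(ace[3])))
        elif not line.startswith(" "):
            cur = None  # left the ACL block
    return aces, family

def parse_static_nat(cfg):
    """Return {(proto, inside_ip, inside_port)} for static PAT entries."""
    pat = r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    return {(m[1], m[2], int(m[3])) for m in re.finditer(pat, cfg, re.M)}

def audit(cfg, inbound_acls):
    """Findings for the ACLs in the OUTSIDE->INSIDE class; empty means consistent."""
    aces, family = parse_acls(cfg)
    permitted, opened = set(), {"ip": set(), "ipv6": set()}
    for name in inbound_acls:
        for proto, host, port in aces.get(name, ()):
            permitted.add((proto, host, port))
            opened[family[name]].add((proto, port))
    findings = [f"NAT forward {p}/{port} to {ip} has no ACE for the real inside address"
                for p, ip, port in parse_static_nat(cfg) if (p, ip, port) not in permitted]
    findings += [f"{p}/{port} open on IPv4 but not IPv6" for p, port in opened["ip"] - opened["ipv6"]]
    findings += [f"{p}/{port} open on IPv6 but not IPv4" for p, port in opened["ipv6"] - opened["ip"]]
    return sorted(findings)
```

Running audit(SAMPLE_CONFIG, ["TEST-SSH", "TEST-SSH6"]) on the post's config returns no findings; pointing TEST-SSH at the translated address 10.0.0.1 instead produces the NAT finding.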

The ASA is up next…
