My first attempt at this was not a great success as I was using a router on version 12.4.x which did not support the ZBF using IPv6 – nice to know! Moving on to IOS version 15.x, all seems to be functional. The plan was to create a blueprint for converting customers with IPv4 managed routers to IPv4 _AND_ IPv6. Should be no problem, but there are a few hurdles to overcome:
- IPv4 at end user sites is normally NATted, IPv6 is not
- IPv6 does not run on every router
- Cisco require special access lists for IPv6
Here is my demo network:
R1 is doing most of the work, as it's running the ZBF, NAT and DHCP. I’ve plugged a FreeBSD VM into it to simulate a mail/web/SBS server or similar, and at the other end is an Ubuntu Desktop machine to simulate the incoming clients. I’ve used OSPFv3 (the IPv6 version) on every interface, including any loopbacks, to ensure we have full reachability for IPv6 across the network. OSPF is also used for IPv4 routing but does not include the 10.0.1.0/24 network, as this is NATted onto the 10.0.0.1 address on R1. The FreeBSD server has port 22 open, so I’m using that as the demo. I want port 22 open to anybody on either IPv6 or IPv4. The first job is to set up the interfaces (I’m showing R1):

```
interface FastEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 ip ospf 1 area 0
 duplex full
 speed 100
 ipv6 address FE80::1 link-local
 ipv6 address 20A1:570:1:1::1/64
 ipv6 ospf 1 area 0
!
interface FastEthernet1/1
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex full
 speed 100
 ipv6 address FE80::1 link-local
 ipv6 address 20A1:570:1:2::1/64
 ipv6 ospf 1 area 0
```
A couple of points here: I’ve made the IPv6 link-local addresses nice and simple and assigned real IPv6 global addresses, although they are not live! Note the ip ospf 1 area 0 line only appears on the ‘outside’ interface, which is for v4, whereas the OSPFv3 commands are on both interfaces. The ZBF interface configuration is already in, but that's just because I’m copying it in from the finished setup.

Now the NAT needs to be set up to allow incoming SSH sessions from IPv4 connections:

```
ip access-list standard FOR-NAT
 permit 10.0.1.0 0.0.0.255
ip nat inside source static tcp 10.0.1.10 22 interface FastEthernet1/0 22
ip nat inside source list FOR-NAT interface FastEthernet1/0 overload
```

Now this should work (if you remove the ZBF commands), and it's important to test at this point to ensure that any further development is working off a proper base.
Next is the firewall setup:
1. Create the access lists:
```
ipv6 access-list TEST-SSH6
 permit tcp any host 20A1:570:1:2::10 eq 22
ip access-list extended TEST-SSH
 permit tcp any host 10.0.1.10 eq 22
```
2. Create a class map to reference them:
```
class-map type inspect match-any TEST-SSH-CLASS
 match access-group name TEST-SSH
 match access-group name TEST-SSH6
class-map type inspect match-any ALL-TRAFFIC
 match protocol tcp
 match protocol udp
 match protocol icmp
```
3. Create a couple of policy maps, calling the class maps:
```
policy-map type inspect IN-2-OUT
 class type inspect ALL-TRAFFIC
  inspect
policy-map type inspect OUT-2-IN
 class type inspect TEST-SSH-CLASS
  inspect
```
4. Now the zone setup:
```
zone security INSIDE
zone security OUTSIDE
zone-pair security IN2OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-2-OUT
zone-pair security OUT2IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-2-IN
```
So what were the gotchas? The main one was that the 15.x code has changed the NATting in a similar way to the ASA code, so the access list (TEST-SSH) is not what I expected: it permits the server's real address, 10.0.1.10, as shown above. There are a lot of steps with ZBF, which when doing a simple setup seems both pointless and frustrating; however, I still think it's an improvement on the old CBAC style. For info, I added a PING class map to allow the test FreeBSD server to be tested by ping from the Ubuntu box, which helped check the results, but I removed this for the post for clarity.
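When rolling this blueprint out to more routers, the two properties above can be checked offline before a config is pushed. The script below is an added example, not part of the original post: it parses only the command forms used in this post and reports any inspect class-map that references an ACL for one address family but not the other, and any IPv4 ACL entry whose destination is not a static NAT inside-local address. The function names and the embedded sample (copied from the R1 lines above) are this example's own.

```python
import re

# Constructed sample: the NAT, ACL and class-map lines from R1 in this post.
CONFIG = """\
ip nat inside source static tcp 10.0.1.10 22 interface FastEthernet1/0 22
ipv6 access-list TEST-SSH6
 permit tcp any host 20A1:570:1:2::10 eq 22
ip access-list extended TEST-SSH
 permit tcp any host 10.0.1.10 eq 22
class-map type inspect match-any TEST-SSH-CLASS
 match access-group name TEST-SSH
 match access-group name TEST-SSH6
"""

def parse(config):
    """Return (acls, class_maps, static_nat) for the command forms in this post."""
    acls, cmaps, nat, cur = {}, {}, set(), None
    for line in config.splitlines():
        if not line.startswith(" "):
            cur = None  # a new top-level command ends the previous block
            if m := re.match(r"ip nat inside source static tcp (\S+) (\d+) ", line):
                nat.add((m[1], m[2]))  # (inside-local address, port)
            elif m := re.match(r"(ip|ipv6) access-list (?:extended )?(\S+)$", line):
                cur = acls.setdefault(m[2], {"fam": m[1], "dst": set()})
            elif m := re.match(r"class-map type inspect \S+ (\S+)$", line):
                cur = cmaps.setdefault(m[1], [])
        elif isinstance(cur, dict):
            if m := re.match(r"\s+permit tcp any host (\S+) eq (\d+)$", line):
                cur["dst"].add((m[1], m[2]))
        elif isinstance(cur, list):
            if m := re.match(r"\s+match access-group name (\S+)$", line):
                cur.append(m[1])
    return acls, cmaps, nat

def audit(config):
    """List dual-stack parity gaps and IPv4 ACL entries that miss the NAT real address."""
    acls, cmaps, nat = parse(config)
    findings = []
    for name, refs in cmaps.items():
        fams = {acls[r]["fam"] for r in refs if r in acls}
        if fams:  # class-maps that only use 'match protocol' are skipped
            for fam in sorted({"ip", "ipv6"} - fams):
                findings.append(f"{name}: no {fam} access-group in class-map")
        for r in refs:
            if r in acls and acls[r]["fam"] == "ip":
                for addr, port in sorted(acls[r]["dst"] - nat):
                    findings.append(f"{r}: {addr}:{port} is not a static NAT inside-local address")
    return findings

if __name__ == "__main__":
    print(audit(CONFIG) or "no findings")
```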
The ASA is up next…