Welcome to Hurricane Electric's IPv6 Tunnel Broker Forums.

Is This an OK place to talk about Cisco Firewalls?

Started by UltraZero, February 22, 2011, 06:55:23 PM


UltraZero

So, I have a question. Is anyone trying to put a Cisco PIX firewall in place with the tunnel?

If so, I'd like to know the headaches, if there are any. I have been reading that versions below 7 don't work, I think. I saw Cisco offers a free 3DES upgrade. Just wanted to know what people are doing.

Not to mention, is there IPv6 support? If so, I guess this unit would be placed behind the router, or can the unit be installed behind a modem and perform all NAT functions and PPPoE/DHCP instead of the modem?

Also, if anyone is using a cable modem setup, which cable modem are you using, and is it flexible in regards to setup?

Thanks

antillie

Yes, the PIX and ASA both support IPv6 in firmware version 7.0 and later. Version 6.x is IPv4 only, though. Check out this post.

Under firmware version 7.x and later the PIX and the ASA are basically the same from a configuration and feature perspective. The ASA is just faster and supports AnyConnect SSL VPN (and a few other things added in the ASA-only 8.2, 8.3, and 8.4 code versions that you probably won't need). The ASA's ASDM GUI interface is much better than the PIX's PDM GUI, but on the CLI they are 99% the same. If you are used to IOS routers then learning PIX/ASA 7.x or later isn't much of a change. (6.x is another matter; it's a bit different.)

If you are using an ASA as your edge device, it can be made to forward protocol 41 to a router somewhere behind it in firmware version 8.3 and later, just like you forward a TCP or UDP port. This would let you place the ASA in front of your tunnel device, but it would also prevent the ASA from filtering your incoming IPv6 traffic. However, a PIX cannot forward protocol 41 without a dedicated NAT translation, so if you wanted to use a PIX as your edge device you would need a second IP from your ISP for the tunnel to HE.net. If you want to use a PIX/ASA to filter your IPv6 traffic, you will need to terminate the 6in4 tunnel on a router in front of the firewall.

According to this, it looks like both the PIX and ASA support PPPoE in 7.2(1) and later.

I use a Motorola Surfboard SB5101 cable modem. All I had to do to set it up was call my ISP, read the MAC address on the bottom of the modem to them over the phone, and plug it in. My cable ISP uses straight DHCP and the modem is a dumb bridge device for all practical purposes; no PPPoE or other funny configuration is needed on my edge router.
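The protocol-41 forwarding antillie describes for ASA 8.3 and later, written out as an added example (this is not antillie's configuration or anything posted in this thread). Object and ACL names, 192.168.1.2 for the inside tunnel router and 192.0.2.1 for the HE tunnel server are placeholders; the object-NAT and ACL syntax is the 8.3+ form and should be checked against the configuration guide for the exact release you run.

```cisco
! Added example, not from this thread: ASA 8.3+ object NAT that hands
! protocol 41 (6in4) arriving on the outside interface address to a
! router on the inside that terminates the HE tunnel.
! 192.168.1.2 (tunnel router) and 192.0.2.1 (HE tunnel server) are
! placeholder addresses; substitute your own.
!
object network TUNNEL_RTR
 host 192.168.1.2
 ! Static NAT to the outside interface address. Inbound packets for the
 ! interface IP that no existing PAT session claims are sent to this
 ! host, protocol 41 included, so no second public IP is needed.
 nat (inside,outside) static interface
!
object network LAN
 subnet 192.168.1.0 255.255.255.0
 ! Ordinary outbound PAT for the rest of the LAN.
 nat (inside,outside) dynamic interface
!
! 8.3+ ACLs are written against real (untranslated) addresses.
! The ASA cannot look inside the 6in4 encapsulation, so the only
! filtering it can still do for the tunnel is limiting who may send
! protocol 41 at all: permit the HE tunnel server only.
access-list OUTSIDE_IN extended permit 41 host 192.0.2.1 object TUNNEL_RTR
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

Everything carried inside the tunnel (the actual IPv6 packets) passes the ASA unexamined, which is the trade-off antillie points out; the IPv6 filtering then has to happen on the inside router that terminates the tunnel.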

UltraZero

Nice to know.  I am going to pull the unit out of the storage box.  Hopefully, I can use it.

Seeing you are using basically the same setup, is your bandwidth consistent? I'm seeing differences during the day as to bandwidth. I bought a 12 meg connection and I see lows around 5 and highs around 22.

No issues re the tunnel, but I do have a few routing issues of my own. I seem to not be able to route from the sub-interfaces below my top-level router. I have to manually go in and establish static routes in order for the data to get out. Kinda sucks. I thought that's what routing protocols did.


cholzhauer

Quote
(and a few other things added in the ASA-only 8.2, 8.3, and 8.4 code versions that you probably won't need)

Is 8.4 out?


SomeJoe7777

UltraZero,

I think you said in another thread you were using a Cisco 3640? If you have a recent IOS build (12.4, 12.4T, or 15.0) of the proper feature set (you need at least IP/FW), the firewall within the IOS works well. Context-based access control (CBAC) is fully functional for IPv6. I'm using it on my 2811 for IPv6 and IPv4.

You can also use the Intrusion Prevention System (IPS) if you want, although I'm not sure how many signatures inspect IPv6 packets under 12.4 and earlier.

UltraZero

Hmm. Maybe I will have to do a router swap. I don't think I have 12.4 on this unit. Maybe another one.

I'll have to check the version of the PIX as well.

I guess in the worst case I can use the PIX to deal with IPv4 traffic and then use the firewall features of the router, if I have a higher version, to handle the IPv6 stuff. I guess standard IPv6 access lists will have to do for now.

BTW, are we talking basically the same kind of items to block on IPv6, just like IPv4? I guess I'll have to look to see what ports are what.


UltraZero

Hmm. IPS or IDS. I think the IPSs are expensive..... Brrrrrrr.

Last I looked. 

SomeJoe7777

IDS (Intrusion Detection System) was replaced with IPS (Intrusion Prevention System) in the 12.4 IOS train. By the way, Cisco does have separate devices that can run IPS, but I'm talking about running the IPS in the IOS software on a routing platform. It obviously cannot handle as much traffic as a dedicated IPS device, but it does work.

CBAC works very well as a firewall for both IPv4 and IPv6 and doesn't require any other hardware.  CBAC for IPv4 is in the IOS as early as 12.1, I think, and for IPv6 in 12.4.

CBAC is also quite easy to configure and kind of crosses over into IDS/IPS territory by doing some stateful protocol inspection.

I can post an example config that uses CBAC for IPv4 and IPv6 if you want.

antillie

Quote from: UltraZero on February 23, 2011, 04:05:33 AM
Seeing you are using basically the same setup, is your bandwidth consistent? I'm seeing differences during the day as to bandwidth. I bought a 12 meg connection and I see lows around 5 and highs around 22.

No issues re the tunnel, but I do have a few routing issues of my own. I seem to not be able to route from the sub-interfaces below my top-level router. I have to manually go in and establish static routes in order for the data to get out. Kinda sucks. I thought that's what routing protocols did.

My bandwidth is pretty consistent, but that sort of thing is very ISP dependent. Unlike DSL, which uses a dedicated circuit, bandwidth on a DOCSIS system is shared between hosts on either the same cable node or the same headend, depending on how your ISP's DOCSIS network is structured. So when you see reduced speeds it's probably because too many other people in your neighborhood are watching Netflix or whatever.

IOS routers can use RIPv6, EIGRP, OSPFv3, and BGP to dynamically exchange IPv6 routing information. IPv6 support for different routing protocols was added in different IOS releases, so if you need a specific one you might want to check the IOS Feature Navigator on Cisco's web site. However, the PIX/ASA cannot run a dynamic routing protocol in IPv6; they can only use static routes.

According to this post, you should be able to run an IPv6-capable 12.4 image with the firewall feature set on your 3640 if your router has enough RAM and you can get your hands on the firmware image itself. Also, while you certainly can use an IOS router to filter IPv6 traffic, even a PIX will outperform all but the newest and fastest routers when doing stateful firewall work.

Higher-layer protocols like TCP, UDP, SSH, and HTTP are the same in IPv6 as they were in IPv4, so generally you will be filtering the same things for the same reasons. The only thing that is really different is ICMP, which should not be filtered at all in IPv6 in my opinion.

Quote from: cholzhauer on February 23, 2011, 05:04:48 AM
Is 8.4 out?

Yep.
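SomeJoe7777 offered above to post an example CBAC config for IPv4 and IPv6, and antillie's point about not filtering ICMP in IPv6 is easiest to see in an actual ACL, so here is an added example covering both (it is not SomeJoe7777's, antillie's, or anyone else's configuration from this thread). It assumes an IOS 12.4 image with the IP/FW feature set on a router with a cable DHCP uplink on FastEthernet0/0, a LAN on FastEthernet0/1, and the HE 6in4 tunnel terminated on Tunnel0. All addresses are documentation placeholders (192.0.2.1 for the HE tunnel server, 2001:db8:ffff::/64 for the tunnel /64, 2001:db8:1::/64 for the routed /64) and the inspect/ACL names are made up; it goes a little beyond the thread by also carrying the IPv4 NAT and DHCP pieces the PIX would otherwise do.

```cisco
! Added example, not posted by anyone in this thread: IOS 12.4 (IP/FW
! feature set) with CBAC for IPv4 on the ISP interface and for IPv6 on an
! HE 6in4 tunnel. Addresses are documentation placeholders (192.0.2.1 =
! HE tunnel server, 2001:db8:ffff::/64 = tunnel /64, 2001:db8:1::/64 =
! routed /64); substitute the values from your tunnelbroker.net details.
!
ipv6 unicast-routing
!
! --- IPv4 CBAC: inspect outbound sessions and open the inbound ACL for
!     the matching return traffic only.
ip inspect name FW4 tcp
ip inspect name FW4 udp
ip inspect name FW4 icmp
!
! --- IPv6 CBAC (12.4 and later): same model, separate keyword.
ipv6 inspect name FW6 tcp
ipv6 inspect name FW6 udp
ipv6 inspect name FW6 icmp
!
! --- What the ISP side may send unsolicited.
ip access-list extended OUTSIDE4_IN
 remark 6in4 carrier packets, only from the HE tunnel server
 permit 41 host 192.0.2.1 any
 remark DHCP lease traffic for "ip address dhcp" below
 permit udp any eq bootps any eq bootpc
 remark PMTUD and diagnostics; everything else is opened by CBAC
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any echo-reply
 deny ip any any log
!
! --- What may come in through the tunnel. ICMPv6 is not optional in
!     IPv6: packet-too-big is PMTUD (routers do not fragment) and
!     nd-ns/nd-na replace ARP. An explicit deny at the end of an IPv6 ACL
!     is matched BEFORE the implicit ND permits, so list them explicitly.
ipv6 access-list TUNNEL6_IN
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 permit icmp any any parameter-problem
 permit icmp any any unreachable
 permit icmp any any echo-request
 permit icmp any any echo-reply
 permit icmp any any nd-ns
 permit icmp any any nd-na
 remark one deliberately exposed service, as an illustration; remove if unneeded
 permit tcp any host 2001:db8:1::10 eq 22
 deny ipv6 any any log
!
! --- IPv4 NAT for the LAN (the job the PIX would otherwise do).
ip access-list standard LAN4
 permit 192.168.1.0 0.0.0.255
ip nat inside source list LAN4 interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 description ISP (cable modem, DHCP)
 ip address dhcp
 ip access-group OUTSIDE4_IN in
 ip inspect FW4 out
 ip nat outside
!
interface Tunnel0
 description HE.net 6in4 tunnel
 ipv6 address 2001:db8:ffff::2/64
 ipv6 traffic-filter TUNNEL6_IN in
 ipv6 inspect FW6 out
 tunnel source FastEthernet0/0
 tunnel destination 192.0.2.1
 tunnel mode ipv6ip
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ipv6 address 2001:db8:1::1/64
!
ipv6 route ::/0 Tunnel0
```

To check it is doing what you expect, open a connection from the LAN and look at "show ipv6 inspect session" (and "show ip inspect sessions" for IPv4) to see the dynamic entries CBAC created, then "show ipv6 access-list TUNNEL6_IN" to confirm that the hit counters on the deny line, not on the ND or packet-too-big entries, are where unwanted traffic is being dropped. If ping6 to large hosts starts hanging after a change, the packet-too-big permit is the first thing to check.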

cholzhauer

Yeah, I just went and downloaded 8.4.  The release notes don't mention any new features...have you come across any?

antillie

They added support for EtherChannel on the 5510 and up and failover support for dynamic routing protocols in IPv4. There is a list of highlights here. Nothing really worth getting excited about if you're not using failover and a routing protocol together.

I haven't installed 8.4 yet as it doesn't look like it adds any new IPv6 toys over 8.3.

jimb

Are they eventually going to EOL the PIX line in favor of the ASAs?

UltraZero

Cisco EOL'd the product, I think, back in 2008. I just read the IOS is not being sold any more. (Sucks, because I just pulled my unit out of the box and fired it up. Cough, cough.) Looks like she needs an upgrade. I guess I might consider selling it since I can't upgrade the unit. Does anyone know if the upgrade of the IOS is based on feature sets or is it based on the license?

Meaning, can I upgrade the IOS legally to get the next versions, but not get the non-licensed features that I don't have? I want to keep this thing legit.

cholzhauer

Quote from: jimb on February 23, 2011, 03:40:22 PM
Are they eventually going to EOL the PIX line in favor of the ASAs?

Yeah, they're long gone.

Note that neither PIX nor ASA run IOS.

UltraZero